Variant B

Issuance protocol

• The issuer URI to be used as the base URL for metadata fetching is "https://demo.pid-issuer.bundesdruckerei.de/b". The metadata contain the information required to construct the initial authorization request sent by the wallet to start the issuance.
• The variant implements OpenID for Verifiable Credential Issuance Implementers Draft 1 (Draft 13).
• The issuance is performed using the authorization code flow with a scope parameter and can be initiated by the wallet.
• The use of a Pushed Authorization Requests is required.
• The use of Proof Key for Code Exchange (PKCE) is required.
• The use of a Wallet Instance Attestation in the format of a Client Attestation is required in Pushed Authorization as well as Token Requests.
• The use of a Demonstrated Proof of Possession (DPoP) is required.
• Issuance happens at the Credential Endpoint and requires a Relying Party (RP) generated Elliptic Curve P-256 public key, transmitted via the verifier_ka parameter and used for Diffie-Hellman key agreement; for MSO mdoc credentials, additionally a Session Transcript in the session_transcript parameter is required.
• Batch Credential Endpoint, deferred issuance and the Notification Endpoint are not needed and thus unsupported.
• Credentials can be issued using the provided test eID cards.