SID-HARD-06 — Wallet Attestation and Environment Integrity
| Property | Value |
|---|---|
| Owner | platform |
| Category | technical |
| CSF Function | identify |
| Group | System Hardening Controls |
Description
Wallet Instance Attestation (WIA) and Wallet Unit Attestation (WUA) verify that the wallet application is genuine, unmodified, and running on a secure platform with current security updates.
WIA: Backend endpoint issues signed WIA tokens after verifying platform attestation evidence (App Attest iOS, Play Integrity Android, or goFF for browser). Wallet instance stores WIA securely, does not possess the private key, decrypts only when needed.
WUA: Wallet unit constructs WUA, validated after each unlock and before any transaction. Revoked WUA triggers wallet deactivation.
Environment integrity: OS version checking against vendor security update status; prompt user to update outdated OS or wallet version; terminate on unsupported OS. Genuine app verification at startup. Environment reporting to wallet provider for integrity assessment. Minimum version enforcement preventing outdated clients from connecting.
Currently: goFF app attestation provides partial coverage. Full WIA/WUA and OS version enforcement not yet implemented.
Components
Source References
Framework Requirements
EUDI Security Requirements: WPS-8.1.1-Sec-01, WPS-8.1.1-Sec-02, WIN-8.4.3-Sec-05, CS-I.3-WI
FitCEM Wallet Instance: FIT-AR-01, FIT-AR-02, FIT-AU-01, FIT-AU-02, FIT-PI-02, FIT-SR-01, FIT-FR-01, FIT-FR-02, FIT-FR-03