SID-KEY-03 — FIDO WSCD via Sign Extension (previewSign)
| Property | Value |
|---|
| Status | to_do |
| Owner | platform |
| Category | technical |
| CSF Function | protect |
| Group | Key Management Controls |
Description
Wallet Secure Cryptographic Device implemented using FIDO authenticators
with the sign extension (previewSign). Signing keys are generated and
held inside the FIDO authenticator hardware; they never enter browser
memory. Each signing operation requires an explicit user gesture with
transaction data preview, providing per-operation WSCA/WSCD
authentication. Certified FIDO security keys (e.g. YubiKey 5) can
satisfy AVA_VAN.5 attack potential requirements. The authenticator
serves as both the WSCD (secure key storage) and WSCA (cryptographic
application) component of the EUDI wallet architecture.
Components
- Wallet Frontend
- FIDO Authenticator
- WSCA / HSM
Source References
Audit Findings
| Finding | Severity | Status |
|---|
| EN-P-2 — WSCD/WSCA via FIDO sign extension | critical | in progress |
| EN-P-5 — Partial user authentication and session controls | high | in progress |
| EN-P-6 — Partial key management and credential operations | medium | in progress |