Are we doing credential-by-value wrong? #273
Description
The places where ID_CRED_x is used in the plaintexts are described in RFC9528 as ID_CRED_R / bstr / -24..23.
My understanding is that fundamentally, ID_CRED_x is always a 1-element map, and that the bstr / -24..23 are just the shorthands of Section 3.5.3.2 that expand to {4: bstr} (where -24..23 are also translated to bstr, and regular bstr are used as-is). The RFC also registers dedicated keys for that map for kccs and kcwt (we currently only use CCSs).
What we send and parse when doing credential-by-value is that we take the CRED_x value (which is a byte string), encode it as a CBOR byte string, and include it in the plain text. This was recently refactored into IdCred::write_to_message in #267 (while not altering Lakers' behavior).
I believe that this is an error, and that instead of using 482E2E2E2E2E2E2E2E ('........') we should be using A10E2E2E2E2E2E2E2E2E ({/kccs/ 14: '........'}). The RFC9529 traces do not contain an instance of credential-by-value that I could find. Has sending a credential by value ever been plugtested?
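An added example, not part of the issue and not Lakers code: how a receiver that applies the compact-encoding rule of RFC 9528 Section 3.5.3.2 expands each form of ID_CRED_x found in a plaintext. The `IdCred` type and `expand_id_cred` function are hypothetical names, and the map sample is constructed.

```rust
// Added example: expanding a received ID_CRED_x field per RFC 9528, Section 3.5.3.2.
// Type and function names are hypothetical, not taken from Lakers.
#[derive(Debug, PartialEq)]
enum IdCred {
    Kid(Vec<u8>),      // compact form, stands for {4: kid}: a credential reference
    Map { label: u8 }, // one-element map sent as is, e.g. label 14 (kccs)
}

fn expand_id_cred(field: &[u8]) -> Option<IdCred> {
    let first = *field.first()?;
    let (major, info) = (first >> 5, first & 0x1f);
    match major {
        // Integer -24..23: the kid is the one-byte bstr holding that CBOR encoding.
        0 | 1 if info < 24 => Some(IdCred::Kid(vec![first])),
        // Byte string: its content is used as the kid as is.
        2 => {
            let (len, hdr) = match info {
                0..=23 => (info as usize, 1),
                24 => (*field.get(1)? as usize, 2),
                _ => return None, // longer length encodings are not handled here
            };
            Some(IdCred::Kid(field.get(hdr..hdr + len)?.to_vec()))
        }
        // One-element map with a small unsigned label (kcwt = 13, kccs = 14, ...).
        5 if info == 1 => match *field.get(1)? {
            label if label < 24 => Some(IdCred::Map { label }),
            _ => None,
        },
        _ => None,
    }
}

fn main() {
    // The bare byte string from the issue: 48 followed by eight 2E bytes.
    let bare = [0x48, 0x2E, 0x2E, 0x2E, 0x2E, 0x2E, 0x2E, 0x2E, 0x2E];
    // Constructed sample: {14: {2: "a"}}, a map keyed by kccs.
    let by_value = [0xA1, 0x0E, 0xA1, 0x02, 0x61, 0x61];
    println!("{:?}", expand_id_cred(&bare)); // Kid: read as a key identifier
    println!("{:?}", expand_id_cred(&by_value)); // Map { label: 14 }
}
```

Under this rule the bare byte string expands to a `kid` reference, while the one-element map is the form that carries a credential under its own label.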