[Openid-specs-ab] Issue #1707: cryptographic_binding_methods_supported Support for listing specific DID methods? (openid/connect)

nklomp issues-reply at bitbucket.org
Tue Nov 1 11:48:07 UTC 2022


New issue 1707: cryptographic_binding_methods_supported Support for listing specific DID methods?
https://bitbucket.org/openid/connect/issues/1707/cryptographic_binding_methods_supported

Niels Klomp:

The spec states:

* `cryptographic_binding_methods_supported`: OPTIONAL. Array of case sensitive strings that identify how the Credential is bound to the identifier of the End-User who possesses the Credential as defined in [Section 8.1](https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#credential-binding). A non-exhaustive list of valid values defined by this specification are `did`, `jwk`, and `mso`.


Right now it can contain the value `did` indicating DID support for the issuer. In the JFF plugfest we are now encountering the problem that some issuers support only DID key, whilst others support DID JWK for instance. As a wallet we cannot know up front without hardcoding which methods they support when we create our Proof of Possession. So we would get an error back from the issuers and would have to try again, which isn't really a solution of course. 


In SIOPv2 there is `subject_syntax_types_supported`, which allows for only the value `did`, indicating that the RP supports multiple DID methods. But it also allows to specifically list, for instance, an array containing `did:jwk, did:key`. I think it would make sense to have issuers signal their supported DID methods in the `cryptographic_binding_methods_supported` field, so that a wallet can choose which DID method to use for their PoP and thus subject value.
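The selection problem the issue describes, as an added example that is not part of the original post, the OID4VCI draft, or any plugfest implementation: a wallet reads an issuer's `cryptographic_binding_methods_supported` array, prefers an explicitly listed `did:key` / `did:jwk` entry, falls back to a guess when only the bare value `did` is advertised, and then builds the subject DID it would place in its proof of possession. The same selection function works on a SIOPv2 `subject_syntax_types_supported` array, since both use the `did` versus `did:<method>` convention. The issuer metadata, the wallet's preference order, and the 32-byte "public key" are constructed for the example; the `did:key` encoding (multicodec `0xed01` prefix, base58btc, `z` multibase prefix) and `did:jwk` encoding (base64url of the compact JWK JSON) follow those method specifications, and the `certain` flag is this example's own naming.

```python
import base64
import json

# Constructed Ed25519 public key: 32 arbitrary bytes, not a real key pair.
# It only serves to show how the chosen DID method shapes the subject value.
PUBKEY = bytes(range(1, 33))

# Wallet's DID methods in preference order (assumption for this example).
WALLET_DID_METHODS = ["did:key", "did:jwk"]

# Constructed issuer metadata for the situations the issue describes.
ISSUER_GENERIC = {"cryptographic_binding_methods_supported": ["did", "jwk"]}
ISSUER_SPECIFIC = {"cryptographic_binding_methods_supported": ["did:jwk", "mso"]}
ISSUER_NO_DID = {"cryptographic_binding_methods_supported": ["jwk"]}
ISSUER_SILENT = {}  # the field is OPTIONAL, so it may be absent altogether


def select_did_method(supported, wallet_methods=WALLET_DID_METHODS):
    """Choose the DID method for the proof-of-possession subject.

    Returns (method, certain). certain is False when the issuer only advertised
    the bare value "did": the wallet is then guessing and must expect a rejected
    proof. Also usable on a SIOPv2 subject_syntax_types_supported array.
    """
    if supported is None:
        return None, False
    for method in wallet_methods:
        if method in supported:  # explicit "did:key" / "did:jwk" entry
            return method, True
    if "did" in supported:
        return wallet_methods[0], False  # generic "did": first preference, a guess
    return None, False


_B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58encode(data: bytes) -> str:
    """base58btc as used by multibase 'z'; leading zero bytes become '1'."""
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = _B58[r] + out
    leading = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading + out


def b58decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + _B58.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading = len(s) - len(s.lstrip("1"))
    return b"\x00" * leading + body


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def did_key(pubkey: bytes) -> str:
    # multicodec ed25519-pub (0xed) as an unsigned varint is 0xed 0x01;
    # every Ed25519 did:key therefore starts with "did:key:z6Mk".
    return "did:key:z" + b58encode(b"\xed\x01" + pubkey)


def did_jwk(pubkey: bytes) -> str:
    jwk = {"kty": "OKP", "crv": "Ed25519", "x": b64url(pubkey)}
    return "did:jwk:" + b64url(json.dumps(jwk, separators=(",", ":")).encode())


def parse_did_jwk(did: str) -> dict:
    if not did.startswith("did:jwk:"):
        raise ValueError("not a did:jwk identifier")
    return json.loads(b64url_decode(did[len("did:jwk:"):]))


def subject_did(metadata, pubkey=PUBKEY):
    """Map issuer metadata to the subject DID the wallet would put in its proof."""
    supported = metadata.get("cryptographic_binding_methods_supported")
    method, certain = select_did_method(supported)
    builders = {"did:key": did_key, "did:jwk": did_jwk}
    if method not in builders:
        return None, certain
    return builders[method](pubkey), certain


if __name__ == "__main__":
    for name, md in [("generic", ISSUER_GENERIC), ("specific", ISSUER_SPECIFIC),
                     ("no did", ISSUER_NO_DID), ("silent", ISSUER_SILENT)]:
        print(name, subject_did(md))
```

With `ISSUER_GENERIC` the wallet gets a `did:key` identifier flagged as uncertain, which is exactly the retry-on-error situation the issue complains about; with `ISSUER_SPECIFIC` it gets a `did:jwk` identifier it can rely on. A `subject_syntax_types_supported` array from a SIOPv2 RP can be passed to `select_did_method` unchanged.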


