[Openid-specs-ab] Issue #1722: Inconsistency in jwk, kid and x5c language (openid/connect)
Oliver Terbu
issues-reply at bitbucket.org
Fri Nov 11 13:01:00 UTC 2022
New issue 1722: Inconsistency in jwk, kid and x5c language
https://bitbucket.org/openid/connect/issues/1722/inconsistency-in-jwk-kid-and-x5c-language
Oliver Terbu:
(1) The following is currently normative:
* kid:
> MUST NOT be present if jwk or x5c is present.
* x5c:
> MUST NOT be present if kid or jwk is present.
* jwk:
> MUST NOT be present if kid or x5c is present.
(2) Furthermore, the following is normative:
> Note: if both jwk and x5c are present, the represented signing key MUST be the same in both.
(3) and
> The Credential Issuer MUST validate that the proof is actually signed by a key identified in kid parameter.
If (1) is normative, then (2) can never occur.
If (1) is normative, then (3) cannot be done in all cases, since sometimes there is no `kid`.
IMO, we should do the following:
* remove (2)
* change (3) to “If `kid` is present, the Credential Issuer MUST …”
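As an added example (not part of the issue text or the specification), here is how a Credential Issuer could apply rule (1) and the proposed rewording of (3) when inspecting a proof JWT header: the key directory, helper names and sample headers are assumptions constructed for illustration.

```python
import base64
import json

# Assumed (hypothetical) table of keys the issuer can identify by `kid`; a real
# issuer would resolve the identifier (e.g. a DID URL) rather than use a dict.
KEY_DIRECTORY = {
    "did:example:holder#key-1": {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"},
}

class ProofHeaderError(ValueError):
    """Raised when the proof JWT header violates the key-binding rules."""

def decode_protected_header(jws_compact):
    """Return the JOSE header of a compact JWS (first segment, base64url JSON)."""
    segment = jws_compact.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def key_binding_param(header):
    """Rule (1): exactly one of kid, jwk, x5c may carry the signing key."""
    present = [p for p in ("kid", "jwk", "x5c") if p in header]
    if len(present) != 1:
        raise ProofHeaderError(f"expected exactly one of kid/jwk/x5c, got {present}")
    return present[0]

def resolve_proof_key(header, key_directory):
    """Proposed (3): only when kid is present must the issuer look the key up;
    with jwk or x5c the key material travels in the header itself.
    Returns (source_param, key_material) for the signature check that follows."""
    param = key_binding_param(header)
    if param == "kid":
        key = key_directory.get(header["kid"])
        if key is None:
            raise ProofHeaderError(f"kid {header['kid']!r} does not identify a known key")
        return "kid", key
    if param == "jwk":
        return "jwk", header["jwk"]
    # x5c: the first certificate is the signing certificate (base64 DER); the
    # issuer still has to validate the chain before trusting it.
    return "x5c", header["x5c"][0]

def violates_rule_1(jws_compact):
    """True when the header carries more (or fewer) than one key-binding parameter."""
    try:
        key_binding_param(decode_protected_header(jws_compact))
    except ProofHeaderError:
        return True
    return False

def _constructed_jws(header):
    """Build a compact JWS with a constructed header and dummy payload/signature."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    return ".".join([enc(json.dumps(header).encode()), enc(b'{"nonce":"constructed"}'), enc(b"sig")])

# Constructed sample proofs: one that follows rule (1), one that breaks it.
VALID_KID = _constructed_jws({"typ": "openid4vci-proof+jwt", "alg": "ES256", "kid": "did:example:holder#key-1"})
CONFLICT = _constructed_jws({"alg": "ES256", "kid": "did:example:holder#key-1", "jwk": {"kty": "EC"}})
```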