[Openid-specs-ab] OpenID4VCI: jwt proof-of-possession and exclusivity between 'kid' and 'jwk'

Pedro Felix pedro.felix at curity.io
Wed Apr 19 08:50:15 UTC 2023


Hi,

On https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-11.html#name-proof-types
('jwt' proof type) it is stated that:

- "kid: (...) MUST NOT be present if jwk or x5c is present"
- "jwk: (...) MUST NOT be present if kid or x5c is present"

From this I conclude that 'kid' and 'jwk' cannot both be present in
the header of a proof-of-possession JWT.

However there is at least a DID format where a DID URL present in the
'kid' is not enough to provide all information about the verification
key. That example is the EBSI (European Blockchain Services
Infrastructure) "Natural Person" (NP) DID format -
https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/EBSI+DID+Method#EBSIDIDMethod-DIDDocumentforEBSIDIDNP.
Note how that document states "To be able to validate any DID NP, the
holder must always use jwk field in JWT Header to carry the public key
materials."

Given this, should the OpenID4VCI be less restrictive regarding the
presence of both 'kid' and 'jwk', eventually defining when having both
these fields is allowed and the conditions that must hold (i.e. the
'jwk' must be compatible with the 'kid')?

Thanks.
Regards,
Pedro
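As an added illustration (not part of the post above, nor OpenID4VCI or EBSI code), the following checker applies the draft 11 exclusivity rule to a JWT proof header and, when asked, the relaxed rule the post suggests. The "compatibility" condition is an assumption chosen for the example: the fragment of the DID URL in 'kid' must equal the RFC 7638 thumbprint of the carried 'jwk', so the key material is provably the one the 'kid' names. The sample key and DID are constructed values.

```python
import base64
import hashlib
import json

# Constructed sample EC public key (the P-256 key from RFC 7515 Appendix A.3).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638 thumbprint: required members only, lexicographic order,
    no whitespace, SHA-256, base64url without padding."""
    required = {"EC": ("crv", "kty", "x", "y"),
                "RSA": ("e", "kty", "n"),
                "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           sort_keys=True, separators=(",", ":"))
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def check_proof_header(header: dict, allow_kid_with_jwk: bool = False) -> tuple[bool, str]:
    """Return (accepted, reason) for the key-reference fields of a 'jwt' proof header."""
    present = [k for k in ("kid", "jwk", "x5c") if k in header]
    if not present:  # assumption: a proof with no key reference cannot be verified
        return False, "no key reference: one of kid, jwk or x5c is required"
    if "x5c" in header and len(present) > 1:
        return False, "x5c must not be combined with kid or jwk"
    if "kid" in header and "jwk" in header:
        if not allow_kid_with_jwk:
            return False, "draft 11 rule: kid and jwk are mutually exclusive"
        # Relaxed rule (assumed compatibility condition): the DID URL fragment
        # in kid must be the thumbprint of the jwk that is carried alongside it.
        fragment = header["kid"].rsplit("#", 1)[1] if "#" in header["kid"] else ""
        if fragment != jwk_thumbprint(header["jwk"]):
            return False, "jwk is not compatible with kid (thumbprint mismatch)"
        return True, "kid and jwk both present and consistent"
    return True, f"single key reference: {present[0]}"
```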