[Openid-specs-ab] OpenID4VCI: jwt proof-of-possession and exclusivity between 'kid' and 'jwk'

Kristina Yasuda Kristina.Yasuda at microsoft.com
Tue Apr 25 01:05:57 UTC 2023


Hi Pedro,

Thank you for the question!
If I understand correctly, with EBSI DID NP, you will only use the jwk JOSE header and will not use the kid JOSE header, so there is no contradiction with the spec text there, because those header parameters are to communicate the key material, not the subject's identifier.
The problem you are raising is how to communicate the actual DID that will be the subject's identifier of a VC. I think we should probably introduce an additional claim in the JWT body for that purpose. I could imagine other use cases where the key material provided in the header is not equal to the subject's identifier that the wallet would like the issuer to use in the issued credential. With the current design, there will be cases where the subject's identifier will be up to the Issuer to assign. For example, when the key material is provided using the jwk JOSE header, is the subject's identifier a DID, as in your case, or is it only a vanilla JWK thumbprint or a random string managed by the issuer? But maybe I misunderstood the issue.

Best,
Kristina



-----Original Message-----
From: Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> On Behalf Of Pedro Felix via Openid-specs-ab
Sent: Wednesday, April 19, 2023 1:50 AM
To: Artifact Binding/Connect Working Group <openid-specs-ab at lists.openid.net>
Cc: Pedro Felix <pedro.felix at curity.io>
Subject: [Openid-specs-ab] OpenID4VCI: jwt proof-of-possession and exclusivity between 'kid' and 'jwk'

Hi,

On https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-11.html#name-proof-types
('jwt' proof type) it is stated that:

- "kid: (...) MUST NOT be present if jwk or x5c is present"
- "jwk: (...) MUST NOT be present if kid or x5c is present"

From this I conclude that 'kid' and 'jwk' cannot both be present in the header of a proof-of-possession JWT.

However, there is at least one DID format where a DID URL present in the 'kid' is not enough to provide all information about the verification key. That example is the EBSI (European Blockchain Services Infrastructure) "Natural Person" (NP) DID format - https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/EBSI+DID+Method#EBSIDIDMethod-DIDDocumentforEBSIDIDNP.
Note how that document states "To be able to validate any DID NP, the holder must always use jwk field in JWT Header to carry the public key materials."

Given this, should the OpenID4VCI be less restrictive regarding the presence of both 'kid' and 'jwk', eventually defining when having both these fields is allowed and the conditions that must hold (i.e. the 'jwk' must be compatible with the 'kid')?

Thanks.
Regards,
Pedro
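As an added illustration (not code from the thread, the OpenID4VCI spec, or EBSI): a small Python checker for the two "MUST NOT be present" header rules quoted above, plus the relaxation the question asks about, where "compatible" is defined, as an assumption, as the DID URL fragment of 'kid' equalling the RFC 7638 thumbprint of the 'jwk'. The DID value and the public key are constructed samples.

```python
import base64
import hashlib
import json

# OpenID4VCI draft 11, 'jwt' proof type: the two exclusivity rules quoted in the thread.
EXCLUSIVE_WITH = {"kid": ("jwk", "x5c"), "jwk": ("kid", "x5c")}


def exclusivity_violations(header: dict) -> list:
    """List every 'MUST NOT be present' rule the JOSE header breaks (strict reading)."""
    violations = []
    for param, others in EXCLUSIVE_WITH.items():
        for other in others:
            if param in header and other in header:
                violations.append(f"'{param}' MUST NOT be present if '{other}' is present")
    return violations


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required public members only, keys sorted, no whitespace, SHA-256, base64url."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    canonical = json.dumps({k: jwk[k] for k in required[jwk["kty"]]},
                           separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode("utf-8")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def kid_matches_jwk(kid: str, jwk: dict) -> bool:
    """Assumed compatibility rule (not in the spec): the fragment of the 'kid' DID URL
    must equal the thumbprint of the 'jwk' carried alongside it."""
    return "#" in kid and kid.rsplit("#", 1)[1] == jwk_thumbprint(jwk)


def check_proof_header(header: dict, allow_kid_with_jwk: bool = False) -> list:
    """Return problems found; an empty list means the header is acceptable.
    allow_kid_with_jwk models the relaxation asked about in the thread: kid and jwk
    may coexist (x5c still excluded) only if they refer to the same key."""
    problems = exclusivity_violations(header)
    if allow_kid_with_jwk and {"kid", "jwk"} <= set(header) and "x5c" not in header:
        problems = []  # the only violations were the kid/jwk pair; replace by the agreement check
        if not kid_matches_jwk(header["kid"], header["jwk"]):
            problems.append("'kid' fragment does not match the thumbprint of 'jwk'")
    return problems


# Constructed sample: an EBSI-style NP proof header carrying both kid and jwk (placeholder DID).
SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519", "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}
SAMPLE_HEADER = {"alg": "EdDSA", "jwk": SAMPLE_JWK,
                 "kid": "did:ebsi:zEXAMPLE#" + jwk_thumbprint(SAMPLE_JWK)}

if __name__ == "__main__":
    print("strict reading :", check_proof_header(SAMPLE_HEADER))
    print("relaxed reading:", check_proof_header(SAMPLE_HEADER, allow_kid_with_jwk=True))
```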
_______________________________________________
Openid-specs-ab mailing list
Openid-specs-ab at lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-ab