[Openid-specs-ab] OpenID4VCI: relation between the metadata's credential_issuer and the issuer of an issued verifiable credential

Pedro Felix pedro.felix at curity.io
Mon Jan 9 17:34:14 UTC 2023


Hi all,

I have a question about the OpenID4VCI draft specification and the relation
between credential issuers and the `credential_issuer` field on both the
metadata and the credential offer.
According to OpenID4VCI draft 10, `credential_issuer` needs to be a URL
and there is a discovery process dependent on that fact. However, the
issuer on a concrete verifiable credential (VC) may not be a URL.
For instance, the W3C VC data model allows the `issuer` field to be a URI,
namely a DID-based URI. Due to this, the `credential_issuer` metadata field
may not match the `issuer` field on a W3C VC issued by that issuer, which
seems strange. Wouldn't that be similar to having an ID token with an `iss`
that doesn't match the metadata `issuer`?
Note that some VC profiles may mandate the VC issuer to be a DID with a
specific method (e.g. EBSI), so the issuer doesn't have the freedom to use
a URL instead.
This also relates to the `aud` to use on a JWT proof token, sent on a
credential request, which I presume should match the metadata
`credential_issuer` but may not match the issued VC `issuer`.
So,
1) Is it OK to have a mismatch between the metadata `credential_issuer` and
the issued VC `issuer` field?
2) If not, could this be addressed by adding more information in the
metadata, allowing a non-URL issuer to be announced there, eventually
scoped to each `credentials_supported` entry?

Thanks.
Regards,
Pedro
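An added example (not from the post or the OpenID4VCI draft) showing the two checks the question is about: whether the proof JWT's `aud` equals the metadata `credential_issuer`, and how a wallet could relate a W3C VC `issuer` (URL or DID) back to that metadata. The `x_vc_issuer_ids` field is a hypothetical placeholder illustrating question 2; it does not exist in draft 10, and all JSON inputs are constructed.

```python
import base64
import json

# All inputs below are constructed for this example; none are from the post.
ISSUER_METADATA = {
    "credential_issuer": "https://issuer.example.com",
    "credentials_supported": [
        {
            "id": "UniversityDegree_JWT",
            "format": "jwt_vc_json",
            # Hypothetical field, NOT in OpenID4VCI draft 10: a non-URL issuer
            # identifier announced per credentials_supported entry (question 2).
            "x_vc_issuer_ids": ["did:example:123"],
        }
    ],
}

def make_unsigned_jwt(payload: dict) -> str:
    """Build a header.payload.signature string with a placeholder signature.
    Signature verification is out of scope here; only the claims are inspected."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'ES256', 'typ': 'openid4vci-proof+jwt'})}.{enc(payload)}.sig"

def jwt_payload(jwt: str) -> dict:
    seg = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))

def proof_aud_matches(proof_jwt: str, metadata: dict) -> bool:
    """The proof JWT's aud should be the credential_issuer URL from metadata."""
    return jwt_payload(proof_jwt).get("aud") == metadata["credential_issuer"]

def classify_vc_issuer(vc: dict, metadata: dict, credential_id: str) -> str:
    """Relate the W3C VC `issuer` (URI string or object with `id`) to the metadata.
    Returns "direct-match", "announced-match" (via the hypothetical field) or "mismatch"."""
    issuer = vc["issuer"]
    if isinstance(issuer, dict):
        issuer = issuer.get("id")
    if issuer == metadata["credential_issuer"]:
        return "direct-match"
    for entry in metadata.get("credentials_supported", []):
        if entry.get("id") == credential_id and issuer in entry.get("x_vc_issuer_ids", []):
            return "announced-match"
    return "mismatch"

PROOF_JWT = make_unsigned_jwt({"aud": "https://issuer.example.com", "nonce": "n-1"})
ISSUED_VC = {"issuer": "did:example:123", "type": ["VerifiableCredential"]}
```

Without something like the hypothetical per-entry field, a DID-issued VC from this issuer can only be classified as "mismatch" against the URL-only metadata, which is the gap the question points at.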