[Openid-specs-ab] OpenID Connect Key Binding vs OpenID Connect UserInfo Verifiable Credentials

Brian Campbell bcampbell at pingidentity.com
Wed Sep 10 19:52:54 UTC 2025


On Fri, Sep 5, 2025 at 2:46 PM Richard Barnes <rlb at ipv.sx> wrote:

> Hi Mike,
>
> To be blunt: The relationship between the two drafts is that the approach
> in the Key Binding draft was considered and rejected by our author team
> before we put forward the VC-based draft.
>

There was also, for a period, if I recall correctly, consideration of an
approach that involved DPoP + a signed userinfo response. For whatever
that's worth.


> I totally understand how the authors arrived at this scheme; it's one I
> have proposed myself before.  The reason it was abandoned was that Aaron
> Parecki and some others noted that using the ID token here for anything
> other than DPoP-authenticated HTTP requests results in the reuse of the
> DPoP key in different contexts, creating a risk of cross-protocol attacks.
> So for example it would be problematic to do BastionZero-like or
> SigStore-like things with this ID token.  The reason we went the VC route
> is that VC are intended to be used in different protocols, and you can mint
> multiple VCs to support different applications.
>
> You are correct that at this point the UserInfo VC draft is basically
> abandoned.  But only because there was basically zero OP interest in
> implementing as far as I could tell.
>

We are definitely interested. The perceived lack of interest is due to
other competing factors that I won't bore the list with. But there's
interest. Especially if the very logical move away from VCDM and DIDs was
to be made and the VCI pieces mature and stabilize.



> I still think the approach is correct, and the use cases are valuable
> (including Ethan and Dick's use cases).  If OPs were interested, I would be
> excited to consume it in Webex.
>
> If there's new energy here, I would propose we revive the VC draft and
> rebase it on the latest VCI stuff, probably the simpler SD-JWT-VC stuff out
> of OAuth rather than anything from W3C.
>

This seems eminently reasonable. The VCI stuff has undergone some changes
and is nearing a 1.0 finalization. And SD-JWT VC (maybe even just plain
SD-JWT) IMHO is both simpler and more meaningfully feature rich than the
W3C VCDM stuff.

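The cross-protocol concern raised above (one DPoP key signing things that are not DPoP proofs) comes down to whether each verifier checks the context a signature was made for. The following is an added illustration, not code from the thread, from either draft, or from any OP or RP implementation. It signs a DPoP proof (RFC 9449, typ "dpop+jwt") and an SD-JWT key binding JWT (typ "kb+jwt") with the same holder key and shows that a signature-only verifier accepts either token in the other's context, while verifiers that enforce "typ" plus the context claims (htm/htu/jti vs. aud/nonce/sd_hash) keep the two uses apart. Assumptions: HMAC-SHA256 stands in for the asymmetric signature the real protocols require so the example runs with the standard library only; the URLs, nonce and SD-JWT presentation are constructed.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Constructed demo key (not a real credential). ASSUMPTION: HMAC-SHA256 is a
# stand-in for the asymmetric signature (e.g. ES256 with the public key in the
# "jwk" header) that DPoP and SD-JWT key binding actually require. The checks
# below turn on the "typ" header and context claims, not on the algorithm.
DEMO_KEY = b"holder-key-for-demo-only"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(header: dict, claims: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(claims).base64url(sig)."""
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_signature_only(token: str, key: bytes):
    """The naive verifier: checks the signature and nothing else.
    Returns (header, claims) on success, None otherwise."""
    try:
        h, c, s = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(key, f"{h}.{c}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(h)), json.loads(b64url_decode(c))


def make_dpop_proof(key: bytes, htm: str, htu: str) -> str:
    """DPoP proof: typ dpop+jwt, bound to one HTTP method and URI."""
    claims = {"jti": secrets.token_urlsafe(16), "htm": htm, "htu": htu,
              "iat": int(time.time())}
    return sign_jwt({"typ": "dpop+jwt", "alg": "HS256"}, claims, key)


def make_kb_jwt(key: bytes, aud: str, nonce: str, sd_hash: str) -> str:
    """SD-JWT key binding JWT: typ kb+jwt, bound to a verifier, its nonce
    and the hash of the presented SD-JWT."""
    claims = {"aud": aud, "nonce": nonce, "sd_hash": sd_hash,
              "iat": int(time.time())}
    return sign_jwt({"typ": "kb+jwt", "alg": "HS256"}, claims, key)


def verify_dpop(token: str, key: bytes, htm: str, htu: str, max_age=300) -> bool:
    parsed = verify_signature_only(token, key)
    if parsed is None:
        return False
    header, claims = parsed
    return (header.get("typ") == "dpop+jwt"
            and claims.get("htm") == htm
            and claims.get("htu") == htu
            and isinstance(claims.get("jti"), str)  # feed a replay cache in practice
            and abs(time.time() - claims.get("iat", 0)) <= max_age)


def verify_kb(token: str, key: bytes, aud: str, nonce: str, sd_hash: str) -> bool:
    parsed = verify_signature_only(token, key)
    if parsed is None:
        return False
    header, claims = parsed
    return (header.get("typ") == "kb+jwt"
            and claims.get("aud") == aud
            and claims.get("nonce") == nonce
            and claims.get("sd_hash") == sd_hash)


def cross_protocol_demo() -> dict:
    """One holder key used in two protocols; only the context-aware
    verifiers keep the two uses apart."""
    htu, aud, nonce = "https://op.example/userinfo", "https://rp.example", "n-0S6_WzA2Mj"
    sd_hash = b64url(hashlib.sha256(b"constructed-sd-jwt-presentation").digest())
    dpop = make_dpop_proof(DEMO_KEY, "GET", htu)
    kb = make_kb_jwt(DEMO_KEY, aud, nonce, sd_hash)
    return {
        # a signature-only verifier cannot tell the two apart
        "naive_accepts_dpop_in_kb_context": verify_signature_only(dpop, DEMO_KEY) is not None,
        "naive_accepts_kb_in_dpop_context": verify_signature_only(kb, DEMO_KEY) is not None,
        # intended uses pass
        "dpop_as_dpop": verify_dpop(dpop, DEMO_KEY, "GET", htu),
        "kb_as_kb": verify_kb(kb, DEMO_KEY, aud, nonce, sd_hash),
        # cross-protocol uses fail on "typ" and on the absent context claims
        "dpop_as_kb": verify_kb(dpop, DEMO_KEY, aud, nonce, sd_hash),
        "kb_as_dpop": verify_dpop(kb, DEMO_KEY, "GET", htu),
    }


if __name__ == "__main__":
    for name, ok in cross_protocol_demo().items():
        print(f"{name}: {ok}")
```

The design point is that the "typ" header and the per-protocol binding claims are what give a signature its context; a scheme that has relying parties consume a DPoP-bound ID token outside DPoP-authenticated HTTP has to supply that separation itself, which is the work minting a purpose-specific credential does for you.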

