iss in Key Proof, conditionally required or generally optional? #349
Comments
the intention here was
why have an iss at all in the proofs? honest question
@Sakurann If this is the intention, the current description fits. Then I would agree with @bc-pi's question. Is the With the current version we end up with a (worthless?) check on the issuer's side:
I think various security-ish issues end up being related and it's quite hard to reason about them all given the amount of optionality in the specification.
#19 proposes an alternate mechanism for that binding that I think would make For what it's worth I agree that
Currently, VCI doesn't describe when this This creates the following situation: IMHO,
There were different interpretations during the LSP interop event whether the iss element in key proof (both jwt and cwt) is conditionally required or generally optional?
In Section 7.2.1.1. (and 7.2.1.3.) it says:
Is there a reason to make it optional in the case the client_id is known to the issuer?
I would prefer to change it to REQUIRED when ..., MUST NOT ... (as has been done elsewhere)