
Issuers/Verifiers choice for either x5c or jwt-vc issuer metadata is not clear #102

Open
paulbastian opened this issue May 16, 2024 · 8 comments

@paulbastian
Collaborator

It is not clear whether the Issuer or the Verifier has the choice for the two key management options. Clearly define whose choice it is.

@awoie

awoie commented May 16, 2024

SD-JWT VC currently says: if the iss value is an HTTPS URI, do JWT Issuer Metadata; if it is not, then look at the x5c header and try to match one of the SAN values against the iss value.

Ecosystems can add additional rules as per SD-JWT VC.

@OR13

OR13 commented May 16, 2024

In SCITT, we did something similar. When x5t is present, check for x5c (could be in unprotected header in cose). We did not require a specific SAN to match the iss field, as of the latest draft.

When only iss is present, somehow figure out how to get to a key, and if that key contains a chain, optionally verify the chain as well... x5c can show up in JWK, but does not show up in COSE Key.

@paulbastian
Collaborator Author

Why should I do an HTTP call if the absence of kid can tell me that I shouldn't?

@OR13

OR13 commented May 16, 2024

Are you saying either kid is present or x5t is present?

@awoie

awoie commented May 16, 2024

> Why should I do an HTTP call if the absence of kid can tell me that I shouldn't?

If there is a x5c header, why would you do an HTTP call?

@henkbirkholz

> When x5t is present, check for x5c (could be in unprotected header in cose)

> If there is a x5c header, why would you do an HTTP call?

The x5c could have been tampered with.

@awoie

awoie commented May 16, 2024

> When x5t is present, check for x5c (could be in unprotected header in cose)

> If there is a x5c header, why would you do an HTTP call?

> The x5c could have been tampered with.

For compact JWTs, this is not the case because there are only protected headers; for JWTs in JSON serialization, you could still put the x5c in the protected header, or put the x5t in the protected header, which secures the x5c.
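The resolution rule awoie describes above (HTTPS iss → JWT VC Issuer Metadata, otherwise x5c with a SAN match against iss) together with the point that a protected x5t#S256 thumbprint binds an x5c that could otherwise be swapped, as an added Python example. This is not code from the issue, from HAIP or from the SD-JWT VC draft. Assumptions: the well-known path `/.well-known/jwt-vc-issuer` inserted between host and path, as in the SD-JWT VC draft (the issue writes it as `jwt_vc_issuer`); the certificate is a constructed DER stand-in that carries only a SAN extension, so no signature or chain validation happens here; all function names are the example's own.

```python
import base64
import hashlib
from urllib.parse import urlsplit

SAN_OID = bytes.fromhex("551d11")  # DER encoding of OID 2.5.29.17 (subjectAltName)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER tag-length-value triple (definite-length form)."""
    n = len(content)
    if n < 128:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_iter(buf: bytes):
    """Yield (tag, value) for every top-level TLV in buf."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:
            nb = n & 0x7F
            n = int.from_bytes(buf[i:i + nb], "big")
            i += nb
        yield tag, buf[i:i + n]
        i += n


def san_names(cert_der: bytes) -> list:
    """Walk the certificate DER and return the dNSName and URI entries of its SAN extension."""
    for tag, val in der_iter(cert_der):
        if not tag & 0x20:  # primitive type: nothing to descend into
            continue
        items = list(der_iter(val))
        if tag == 0x30 and items and items[0][0] == 0x06 and items[0][1] == SAN_OID:
            # Extension ::= SEQUENCE { extnID, [critical], extnValue OCTET STRING }
            general_names = next(der_iter(items[-1][1]))[1]
            return [v.decode("ascii") for t, v in der_iter(general_names) if t in (0x82, 0x86)]
        found = san_names(val)
        if found:
            return found
    return []


def build_demo_cert(names: list) -> bytes:
    """Constructed stand-in for a DER certificate (assumption): only the SAN extension is meaningful."""
    gn = b"".join(der_tlv(0x86 if ":" in n else 0x82, n.encode("ascii")) for n in names)
    ext = der_tlv(0x30, der_tlv(0x06, SAN_OID) + der_tlv(0x04, der_tlv(0x30, gn)))
    tbs = der_tlv(0x30, der_tlv(0x02, b"\x01") + der_tlv(0xA3, der_tlv(0x30, ext)))
    return der_tlv(0x30, tbs + der_tlv(0x03, b"\x00\xab\xcd"))  # serial, extensions, dummy signature


def make_header(leaf_der: bytes) -> dict:
    """Protected JOSE header carrying the chain plus the RFC 7515 x5t#S256 thumbprint of the leaf."""
    return {"alg": "ES256",
            "x5c": [base64.b64encode(leaf_der).decode("ascii")],  # x5c entries are standard base64
            "x5t#S256": b64url(hashlib.sha256(leaf_der).digest())}


def metadata_url(iss: str) -> str:
    """JWT VC Issuer Metadata location (assumed draft rule): well-known segment after the host."""
    u = urlsplit(iss)
    return f"https://{u.netloc}/.well-known/jwt-vc-issuer{u.path}"


def resolve_key_source(header: dict, payload: dict) -> dict:
    """Decide which key-resolution mechanism applies, following the rule quoted in the issue."""
    iss = payload.get("iss")
    if not isinstance(iss, str):
        raise ValueError("iss claim missing")
    if iss.startswith("https://"):
        return {"mechanism": "jwt-vc-issuer-metadata", "url": metadata_url(iss)}
    x5c = header.get("x5c")
    if not x5c:
        raise ValueError("iss is not an HTTPS URI and no x5c header is present")
    leaf = base64.b64decode(x5c[0])
    thumb = header.get("x5t#S256")
    # A protected thumbprint pins the chain; a mismatching leaf means the x5c was replaced.
    if thumb is not None and thumb != b64url(hashlib.sha256(leaf).digest()):
        raise ValueError("x5c leaf does not match the protected x5t#S256 thumbprint")
    if iss not in san_names(leaf):
        raise ValueError("iss matches no dNSName/URI SAN of the leaf certificate")
    return {"mechanism": "x5c", "matched_san": iss, "thumbprint_checked": thumb is not None}


def is_rejected(header: dict, payload: dict) -> bool:
    try:
        resolve_key_source(header, payload)
    except ValueError:
        return True
    return False


def swapped_chain_is_rejected() -> bool:
    """Keep the protected x5t#S256 but replace the x5c leaf; the thumbprint check must fail."""
    header = make_header(build_demo_cert(["issuer.example"]))
    header["x5c"] = [base64.b64encode(build_demo_cert(["other.example", "issuer.example"])).decode("ascii")]
    return is_rejected(header, {"iss": "issuer.example"})
```

The thumbprint check only helps when `x5t#S256` sits in the protected header, which is the case in compact serialization by construction; in JSON serialization with an unprotected `x5c`, the example's `swapped_chain_is_rejected` shows why the protected thumbprint is what makes the chain trustworthy.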

@Sakurann
Contributor

As I said in #103 (comment), the intention of HAIP was that the issuer has to issue using two key resolution mechanisms - web-based key resolution (.well-known/jwt_vc_issuer with or without openid federation) or x509 - and the verifier has to support only one of those (which is also why the intention was to be able to use the same iss value for both key resolution mechanisms).
