sub_jwk when sub is DID in SIOP

Issue #1203 resolved
Kristina Yasuda created an issue

When sub is a DID, keys are retrieved from the DID Document, so sub_jwk should be optional. sub_jwk would remain required when sub is a JWK thumbprint.

If sub_jwk is included when sub is a DID, it could be used to compare whether the verification method from the DID Document matches the kid of sub_jwk, but this is not a must.

Comments (6)

  1. Kristina Yasuda reporter

    This also leads to the question of whether the JWK thumbprint should be kept as one of the subject identifiers in SIOP, given that it does not support key rotation and has close to no implementations.

  2. Kristina Yasuda reporter

    On the 02-08-2021 call, Mike commented that sub_jwk should be kept because it tells the RP which keys to use among those that can be found in the DID Doc retrieved using DID resolution of the DID in sub.

  3. Kristina Yasuda reporter

    Giving it further thought, the keys used are included in the kid in the JWT header, so I still think there is no need for sub_jwk when DIDs are used in the `sub`.
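The two subject-binding cases discussed in this issue and its comments, as an added example that is not code from the issue, from the SIOP specification or from any implementation named here: a verifier-side key-selection routine that (a) for a JWK-thumbprint sub requires sub_jwk and checks that sub is its RFC 7638 thumbprint, and (b) for a DID sub selects the key from the DID Document via the kid header and, only if sub_jwk happens to be present, checks it against that verification method as the optional consistency check described in the issue. The `resolve_did` function, the DID `did:example:123`, its DID Document and the EC coordinates are all constructed for the example (the coordinates are not a real curve point); signature verification is assumed to be done afterwards by a JWT library using the returned key.

```python
import base64
import hashlib
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: required members only, lexicographic order, no whitespace, SHA-256, base64url."""
    required = {"EC": ("crv", "kty", "x", "y"), "RSA": ("e", "kty", "n"), "OKP": ("crv", "kty", "x")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    return b64url_encode(hashlib.sha256(canonical.encode()).digest())


# Constructed sample key: deterministic bytes, NOT a valid P-256 point (enough for thumbprint/binding logic).
SAMPLE_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url_encode(bytes(range(32))),
    "y": b64url_encode(bytes(range(32, 64))),
}

# Constructed DID and DID Document standing in for the result of DID resolution (hypothetical values).
DID = "did:example:123"
DID_DOCUMENT = {
    "id": DID,
    "verificationMethod": [
        {"id": DID + "#key-1", "type": "JsonWebKey2020", "controller": DID, "publicKeyJwk": SAMPLE_JWK}
    ],
    "authentication": [DID + "#key-1"],
}


def resolve_did(did: str) -> dict:
    """Hypothetical resolver: returns the inline document for the sample DID only."""
    if did != DID:
        raise LookupError(f"cannot resolve {did}")
    return DID_DOCUMENT


def encode_unsigned(header: dict, payload: dict) -> str:
    """Builds header.payload. with an empty signature segment; signing is out of scope here."""
    return ".".join([b64url_encode(json.dumps(header).encode()), b64url_encode(json.dumps(payload).encode()), ""])


def decode_unverified(jwt: str) -> tuple:
    header_b64, payload_b64, _signature = jwt.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def select_verification_key(header: dict, payload: dict, resolver=resolve_did) -> dict:
    """Returns the JWK the RP must verify the id_token signature with, or raises ValueError."""
    sub = payload["sub"]
    sub_jwk = payload.get("sub_jwk")
    if sub.startswith("did:"):
        # DID case: the kid names the verification method; sub_jwk is optional.
        kid = header.get("kid")
        if not kid:
            raise ValueError("a DID sub requires a kid header naming the verification method")
        doc = resolver(sub)
        for vm in doc.get("verificationMethod", []):
            vm_id = vm["id"] if vm["id"].startswith("did:") else sub + vm["id"]  # accept relative ids
            if vm_id == kid:
                break
        else:
            raise ValueError(f"kid {kid} is not a verification method of {sub}")
        if kid not in doc.get("authentication", []):
            raise ValueError(f"kid {kid} is not authorized for authentication")
        key = vm["publicKeyJwk"]
        # Optional consistency check from the issue: if sub_jwk is present it must be the same key.
        if sub_jwk is not None and jwk_thumbprint(sub_jwk) != jwk_thumbprint(key):
            raise ValueError("sub_jwk does not match the verification method named by kid")
        return key
    # Thumbprint case: sub_jwk is required and sub must be its thumbprint.
    if sub_jwk is None:
        raise ValueError("sub_jwk is required when sub is a JWK thumbprint")
    if jwk_thumbprint(sub_jwk) != sub:
        raise ValueError("sub is not the RFC 7638 thumbprint of sub_jwk")
    return sub_jwk


def binding_ok(jwt: str, resolver=resolve_did) -> bool:
    """Convenience wrapper: True when the subject binding checks pass."""
    header, payload = decode_unverified(jwt)
    try:
        select_verification_key(header, payload, resolver)
        return True
    except (ValueError, LookupError):
        return False
```

In the DID case the kid alone is sufficient to pick the key, which is the point of the third comment; sub_jwk is consulted only when present. In the thumbprint case the same routine refuses a token whose sub_jwk does not hash to sub, so a relying party cannot be handed an unrelated key.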
