Section 2.2 Binding Methods
Issue #1277 (open)
The draft says:
Public-private key pairs are used by a requesting Credential Holder to establish a means of binding to the resulting credential. A Credential Holder making a Credential Request to a Credential Issuer must prove control over this binding mechanism during the request, this is accomplished through the extended usage of a signed request defined in OpenID Connect Core.
Does this mean the holder can prove control using a signed authentication request? If so, why isn’t the credential provided in the token response?
Comments (3)
reporter:
I object to the use of the term “proof of control” here. All that this provides is “proof of access” or perhaps “proof of possession”. Control is MUCH harder to prove.
reporter changed status to open
On the Aug 12 call, Adam explained that the identifier that is bound to the key-pair that is controlled by the user is included in the JWT which is signed using the signing key of the key-pair.
While this works for some use cases, it will not work for ZKP/BBS+ cases, so there need to be at least two mechanisms. Potentially, we may want to define an extension point for future methods.
We need to agree on concrete text around it.