SIOPv2: Clarify "bare" JWK in sections 13 & 13.1
The current sub_jwk spec says it MUST be a “bare” key in JWK format.
https://openid.net/specs/openid-connect-self-issued-v2-1_0-06.html#name-self-issued-id-token
I was wondering about what that means in practice. I’m also unsure how to interpret the “not an X.509 certificate value”. Is this to mean a JWK with only the mandatory "kty" and those params that define the public key material? Are SIOP and RP expected to check the key for certain things to make sure it conforms with this definition of “bare”?
Comments (6)
- changed component to SIOP
- reporter: Thanks for the clarification! If there’s no imperative to have a “bare” JWK, then my suggestion is to simply remove that qualifier from the definition (whether it stays sub_jwk, or becomes a cnf.jwk or JWT jwk header).
- changed milestone to Implementer's Draft
- I am not sure what would be a use case for the user to use X.509 to sign a Self-Issued ID Token.
- changed status to resolved
Migrated to GitHub
- good call-out. I think what was originally meant was sub_jwk is a JWK without x5c, x5u, x5t parameters. However, I don’t see the reason not to allow X.509 certificate values if the issuer/wallet is able to manage a cert per user. I am inclined to define sub_jwk in SIOP as a JWK, or replace it with RFC 7800 cnf (Issue #1540).
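To make the two readings of “bare” in this thread concrete, here is an added checker (not code from the thread, the SIOPv2 spec or any OpenID project) that an RP could run on a received sub_jwk: in lenient mode it flags only the X.509 members (x5c, x5u, x5t and x5t#S256); in strict mode it also flags anything beyond "kty" and the public key-material members; both modes reject private-key members. The member sets follow RFC 7517, RFC 7518 and RFC 8037; the key and certificate values in the sample JWKs are constructed placeholders.

```python
# Public key-material members per key type (RFC 7518 sections 6.2 and 6.3; RFC 8037 for OKP).
PUBLIC_PARAMS = {
    "RSA": {"n", "e"},
    "EC": {"crv", "x", "y"},
    "OKP": {"crv", "x"},
}
# Private-key members that must never appear in a public sub_jwk.
PRIVATE_PARAMS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}
# X.509-related members (RFC 7517 sections 4.6 to 4.9).
X509_PARAMS = {"x5c", "x5u", "x5t", "x5t#S256"}
# Metadata members that carry no key material (RFC 7517 section 4); allowed unless strict.
METADATA_PARAMS = {"use", "key_ops", "alg", "kid"}


def check_bare_jwk(jwk: dict, strict: bool = False) -> list[str]:
    """Return the problems found; an empty list means the JWK is acceptable.

    strict=False: "bare" means no X.509 members (the reading given in the thread).
    strict=True:  "bare" means only "kty" plus the public key-material members.
    Both modes reject private-key members, since sub_jwk must carry a public key.
    """
    problems = []
    kty = jwk.get("kty")
    if kty not in PUBLIC_PARAMS:
        return [f"unsupported or missing kty: {kty!r}"]
    members = set(jwk)
    missing = PUBLIC_PARAMS[kty] - members
    if missing:
        problems.append(f"missing public key members: {sorted(missing)}")
    if members & PRIVATE_PARAMS:
        problems.append(f"private key members present: {sorted(members & PRIVATE_PARAMS)}")
    if members & X509_PARAMS:
        problems.append(f"X.509 members present: {sorted(members & X509_PARAMS)}")
    allowed = {"kty"} | PUBLIC_PARAMS[kty] | (set() if strict else METADATA_PARAMS)
    # Members already reported above are excluded so each problem is listed once.
    extra = members - allowed - PRIVATE_PARAMS - X509_PARAMS
    if extra:
        problems.append(f"unexpected members: {sorted(extra)}")
    return problems


# Constructed samples: the coordinate and certificate values are placeholders, not real keys.
BARE_EC_JWK = {"kty": "EC", "crv": "P-256", "x": "<base64url-x>", "y": "<base64url-y>"}
CERT_EC_JWK = dict(BARE_EC_JWK, kid="wallet-key-1", x5c=["<base64-DER-cert>"])

if __name__ == "__main__":
    for name, key in [("bare", BARE_EC_JWK), ("with x5c", CERT_EC_JWK)]:
        print(name, "lenient:", check_bare_jwk(key) or "ok")
        print(name, "strict: ", check_bare_jwk(key, strict=True) or "ok")
```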