add x5c and jwk to credential_binding_methods_supported

Issue #1609 resolved
Kristina Yasuda created an issue

Currently the spec says that "A non-exhaustive list of valid (credential_binding_methods_supported) values defined by this specification are `did`, `mso`, and `none`."

@Giuseppe De Marco clarified implementations also need `jwk` and `x5c`, which I agree should be added.

Comments (4)

  1. Giuseppe De Marco

    A signed JWT is a self-consistent and verifiable artifact that may envelop a jwk with an x5c/x5c.
    I'd consider jwt and jwk only; I'd remove x5c, but I have nothing against having it anyway.

  2. David W Chadwick

    A related issue is how the issuer, which uses X.509 PKCs to sign the issued VCs, is identified in the issuer field of the VC that is transferred to the iss field of the JWT. I suspect that this will be the RDN in the subject field of the issuer's PKC in order to bind the PKC and VC together. It almost certainly won't be a DID. The W3C VC DM requires this to be a URI. So the iss/issuer field should be the https URL of the issuer, and the PKC will be a domain validated PKC proving that the issuer owns the domain name in the subject field.

    Does our current spec support this? I think it would be very helpful if the implementation section could document this.
