OID4VCI - Passing Key instead of Key URL

Issue #1711 wontfix
David W Chadwick created an issue

The current text states

kid: CONDITIONAL. JWT header containing the key ID. If the Credential shall be bound to a DID, the kid refers to a DID URL which identifies a particular key in the DID Document that the Credential shall be bound to.

However, if the DID is did:key or did:jwk then the kid is the key itself, rather than a key ID. Thus there is no need to refer to a DID URL. Can we add the following note?

Note. If the DID is a direct encoding of a key e.g. did:key or did:jwk, then the kid refers to the key itself.

Comments (4)

  1. Niels Klomp

    I would really object to this. This is going to create interop problems. DIDs simply rely on the fact that a Verification Method is expressed as a DID-url with a fragment. This is going to create exceptions to what is well-defined in DID resolution.

    If you really want to support plain DIDs for, for instance, did:key/jwk in your implementation(s), simply ignore everything after the fragment for the respective methods. At least then you do not get interop problems with the rest of the world, or people all of a sudden thinking that using a DID as kid value can be used for all DID methods.

  2. Tobias Looker

    Agree with Niels here, just because some DID URLs are actually an encoded key, doesn't mean we should break with the process of consistently processing them. Big -1 to allowing just a DID in the KID header.

  3. Kristina Yasuda

    There does not seem to be consensus to make this change. Open for more than half a year. Pending close.

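The handling Niels describes in comment 1 (keep requiring a DID URL with a fragment in `kid`, and let a did:jwk or did:key implementation take the key from the DID itself rather than treating the bare DID as a key ID), shown as an added example that is not part of the issue thread or the OID4VCI specification. The helper and function names and the sample JWK are assumptions made for this illustration.

```python
import base64
import json

# Constructed sample public JWK (an Ed25519 OKP key), not a real deployed key.
SAMPLE_JWK = {"kty": "OKP", "crv": "Ed25519",
              "x": "11qYAYKxCrfVS_7TyWQHOg7hcvPapiMlrwIaaPcHURo"}


def make_did_jwk(jwk: dict) -> str:
    """Build a did:jwk DID: base64url (no padding) of the compact JSON JWK."""
    raw = json.dumps(jwk, separators=(",", ":")).encode()
    return "did:jwk:" + base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def split_did_url(kid: str):
    """Require the kid to be a DID URL with a fragment (did:method:id#fragment).

    A bare DID is rejected: a verification method is always identified by the
    fragment, so accepting a bare DID would create method-specific exceptions.
    """
    if not kid.startswith("did:"):
        raise ValueError("kid is not a DID URL")
    did, sep, fragment = kid.partition("#")
    if not sep or not fragment:
        raise ValueError("kid must be a DID URL with a verification method fragment")
    method = did.split(":")[1]
    return did, method, fragment


def extract_key_material(kid: str) -> dict:
    """Return {'method': ..., 'key': ...} for DID methods that encode the key."""
    did, method, fragment = split_did_url(kid)
    if method == "jwk":
        # did:jwk has exactly one verification method, identified by "#0".
        if fragment != "0":
            raise ValueError("did:jwk verification method fragment must be '0'")
        encoded = did[len("did:jwk:"):]
        padded = encoded + "=" * (-len(encoded) % 4)   # restore base64 padding
        jwk = json.loads(base64.urlsafe_b64decode(padded))
        if "kty" not in jwk:
            raise ValueError("decoded did:jwk value is not a JWK")
        return {"method": method, "key": jwk}
    if method == "key":
        # did:key's verification method fragment repeats the multibase key id.
        msid = did[len("did:key:"):]
        if fragment != msid:
            raise ValueError("did:key fragment must equal the multibase key")
        return {"method": method, "key": msid}   # multibase string, undecoded
    raise ValueError(f"DID method '{method}' requires a full DID resolver")
```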