Inconsistency in jwk, kid and x5c language
Issue #1722
resolved
(1) The following is currently normative:
- kid: MUST NOT be present if jwk or x5c is present.
- x5c: MUST NOT be present if kid or jwk is present.
- jwk: MUST NOT be present if kid or x5c is present.
(2) Furthermore, the following is normative:
Note: if both jwk and x5c are present, the represented signing key MUST be the same in both.
(3) and
The Credential Issuer MUST validate that the proof is actually signed by a key identified in kid parameter.
If (1) is normative, then (2) can never occur.
If (1) is normative, then (3) cannot be done in all cases, since sometimes there is no `kid`.
IMO, we should do the following:
- remove (2)
- change (3) to “If `kid` is present, the Credential Issuer MUST …”
Comments (2)
- changed status to resolved
I agree with the proposed actions. Paraphrased to “The Credential Issuer MUST validate that the `proof` is actually signed by a key identified in the JWT header.” PR #370
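The header check this thread converges on, as an added example that is not part of the issue, the pull request or the specification text: it enforces rule (1) on a proof JWT header and returns the single key reference that the signature would then be verified against. The names `key_reference`, `make_sample_proof` and `ProofHeaderError` are hypothetical, the sample tokens are constructed and unsigned, and rejecting a header that carries none of the three parameters is an assumption of this example.

```python
import base64
import json

KEY_PARAMS = ("kid", "jwk", "x5c")  # header parameters named in the issue


class ProofHeaderError(ValueError):
    """Raised when the proof JWT header breaks the key-reference rules."""


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_sample_proof(header: dict) -> str:
    """Constructed, unsigned sample token; only the header matters here."""
    return ".".join([_b64url(json.dumps(header).encode()), _b64url(b"{}"), "sig"])


def key_reference(proof_jwt: str) -> tuple:
    """Return (parameter, value) for the one key reference in the header."""
    parts = proof_jwt.split(".")
    if len(parts) != 3:
        raise ProofHeaderError("not a compact-serialized JWT")
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except ValueError as exc:  # bad base64, bad UTF-8 or bad JSON
        raise ProofHeaderError("header is not base64url-encoded JSON") from exc
    if not isinstance(header, dict):
        raise ProofHeaderError("header is not a JSON object")
    present = [p for p in KEY_PARAMS if p in header]
    if len(present) > 1:
        # Rule (1): kid, jwk and x5c exclude one another.
        raise ProofHeaderError("mutually exclusive parameters: " + ", ".join(present))
    if not present:
        # Assumption of this example: with no key reference there is nothing
        # for the revised rule (3) to verify the signature against.
        raise ProofHeaderError("no kid, jwk or x5c in header")
    return present[0], header[present[0]]
```

Signature verification itself is out of scope here; the returned pair only tells the verifier which key material to resolve before checking the signature.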