- changed status to open
trust_chain JWS header parameter in OpenID4VCI
OpenID Connect Federation Draft 29 has introduced the JWS header parameter trust_chain, and this allows any JWT Issuer to include the Trust Chain related to itself in its issued JWS.
The Trust Chain in the JWS allows a verifier to have the proof that the issuer is part of a federation or compliant with a regulation, such as a trust framework, even in offline flows. It also enables key attestation, metadata policies and Trust Marks.
This proposal aims to include the JOSE header trust_chain in OpenID 4 VCI Section 7.2.1 Proof Types. The proposed changes would be as below:
kid: CONDITIONAL. JOSE Header containing the key ID. If the Credential shall be bound to a DID, the kid refers to a DID URL which identifies a particular key in the DID Document that the Credential shall be bound to. It MUST NOT be present if jwk or x5c is present.
trust_chain: CONDITIONAL. JOSE Header containing an OpenID Connect Federation 1.0 Trust Chain. This element MAY be used to convey key attestation, obtaining metadata, dynamic metadata policies, federation Trust Marks and other information of an administrative nature relating to a specific federation. When used for key attestation and signature verification, one of the header parameters kid or jwk MUST also be present.
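The header rules proposed above, as an added example that is not part of the issue or of the OpenID4VCI text: a structural check a verifier could run on a proof JWT header before any signature verification. It assumes the Federation chain layout (first entry self-issued by the subject, each entry's issuer being the subject of the next); the function names, entity IDs and tokens are constructed for illustration, and no signature is verified.

```python
import base64, json

def seg(obj):
    """Encode a JSON object as one base64url JWS segment (sample data only)."""
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

def unseg(part):
    """Decode one base64url JWS segment into a JSON object."""
    return json.loads(base64.urlsafe_b64decode(part + "=" * (-len(part) % 4)))

def check_proof_header(proof_jwt, key_attestation=True):
    """Return the list of header-rule violations; signatures are NOT verified."""
    header, errors = unseg(proof_jwt.split(".")[0]), []
    if "kid" in header and ("jwk" in header or "x5c" in header):
        errors.append("kid MUST NOT be present with jwk or x5c")
    chain = header.get("trust_chain")
    if chain is None:
        return errors
    if key_attestation and "kid" not in header and "jwk" not in header:
        errors.append("trust_chain used for key attestation needs kid or jwk")
    if not (isinstance(chain, list) and chain
            and all(isinstance(s, str) and s.count(".") == 2 for s in chain)):
        return errors + ["trust_chain is not a non-empty array of compact JWS"]
    stmts = [unseg(s.split(".")[1]) for s in chain]
    # Assumption (Federation chain layout): entry 0 is self-issued by the
    # subject, and every entry's issuer is the subject of the next entry.
    if stmts[0].get("iss") != stmts[0].get("sub"):
        errors.append("first entry is not self-issued")
    for lower, upper in zip(stmts, stmts[1:]):
        if lower.get("iss") != upper.get("sub"):
            errors.append("broken link after issuer %s" % lower.get("iss"))
    return errors

# Constructed sample data: placeholder signatures, hypothetical entity IDs.
LEAF, ANCHOR = "https://wallet.example", "https://anchor.example"
def token(header, payload):
    return ".".join([seg(header), seg(payload), "c2ln"])
CHAIN = [token({"alg": "ES256"}, {"iss": LEAF, "sub": LEAF}),
         token({"alg": "ES256"}, {"iss": ANCHOR, "sub": LEAF}),
         token({"alg": "ES256"}, {"iss": ANCHOR, "sub": ANCHOR})]
GOOD = token({"alg": "ES256", "kid": "key-1", "trust_chain": CHAIN}, {})
NO_KEY = token({"alg": "ES256", "trust_chain": CHAIN}, {})
BOTH = token({"alg": "ES256", "kid": "key-1", "jwk": {"kty": "EC"}}, {})
GAP = token({"alg": "ES256", "kid": "key-1", "trust_chain": [CHAIN[0], CHAIN[2]]}, {})

if __name__ == "__main__":
    for name in ("GOOD", "NO_KEY", "BOTH", "GAP"):
        print(name, check_proof_header(globals()[name]))
```

A header that passes these checks still needs every statement in the chain, and the proof itself, verified cryptographically against a configured Trust Anchor.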
Comments (4)
reporter - edited description
- I also agree that this would make sense.
- changed status to resolved
PR #551 merged.
SIOP-June-08 call. Taka and some others said this might make sense