trust_chain JWS header parameter in OpenID4VCI

Issue #1944 resolved
Giuseppe De Marco created an issue

OpenID Connect Federation Draft 29 has introduced the JWS header parameter trust_chain and this allows any JWT Issuer to include the Trust Chain related to itself in its issued JWS.

The Trust Chain in the JWS allows a verifier to have the proof that the issuer is part of a federation or compliant with a regulation, such as a trust framework, even in offline flows. It also enables key attestation, metadata policies and Trust Marks.

This proposal aims to include the JOSE header trust_chain in OpenID 4 VCI Section 7.2.1 Proof Types.

The proposed changes would be as below:

kid: CONDITIONAL. JOSE Header containing the key ID. If the Credential shall be bound to a DID, the kid refers to a DID URL which identifies a particular key in the DID Document that the Credential shall be bound to. It MUST NOT be present if jwk or x5c is present.

trust_chain: CONDITIONAL. JOSE Header containing an OpenID Connect Federation 1.0 Trust Chain. This element MAY be used to convey key attestation, obtaining metadata, dynamic metadata policies, federation Trust Marks and other information of an administrative nature relating to a specific federation. When used for key attestation and signature verification, one of the header parameters kid or jwk MUST also be present.
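
The header rules proposed above can be checked before any signature work is done. The following is an added example, not part of the original issue or of any specification text. The function names and sample values are hypothetical, and it assumes trust_chain is carried as a JSON array of compact-serialized JWTs, as in the Federation draft.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def protected_header(compact_jws: str) -> dict:
    """Decode the JOSE header of a compact JWS without trusting it."""
    parts = compact_jws.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    header = json.loads(b64url_decode(parts[0]))
    if not isinstance(header, dict):
        raise ValueError("JOSE header is not a JSON object")
    return header


def check_proof_header(header: dict, key_attestation: bool = True) -> list:
    """Return the list of rule violations (an empty list means acceptable)."""
    errors = []
    if "kid" in header and ("jwk" in header or "x5c" in header):
        errors.append("kid MUST NOT be present if jwk or x5c is present")
    if "trust_chain" in header:
        chain = header["trust_chain"]
        # Assumption: a non-empty array of compact JWTs (three segments each).
        well_formed = (isinstance(chain, list) and chain and
                       all(isinstance(s, str) and s.count(".") == 2 for s in chain))
        if not well_formed:
            errors.append("trust_chain must be a non-empty array of compact JWTs")
        if key_attestation and not ("kid" in header or "jwk" in header):
            errors.append("trust_chain used for key attestation requires kid or jwk")
    return errors


def make_sample(header: dict) -> str:
    """Build a constructed, unsigned sample in compact form (not a real proof)."""
    return ".".join([b64url_encode(json.dumps(header).encode()),
                     b64url_encode(b"{}"), b64url_encode(b"sig")])


STMT = make_sample({"alg": "ES256"})  # constructed stand-in for an Entity Statement
GOOD = make_sample({"alg": "ES256", "kid": "key-1", "trust_chain": [STMT, STMT]})
NO_KEY = make_sample({"alg": "ES256", "trust_chain": [STMT]})
BOTH = make_sample({"alg": "ES256", "kid": "key-1", "jwk": {"kty": "EC"}, "trust_chain": "x"})
```

This only validates the shape of the header. Verifying each statement's signature up to a configured Trust Anchor is a separate step that must still happen before the key is trusted.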
