cert team query: Use of jwk/kid/x5c in jwt proof type

[jogu]

As far as I can see, https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-1_1-wg-draft.html#appendix-F.1 says that kid, jwk or x5c may be used to pass the key in a jwt proof (though an attestation must be included as well.

HAIP ( https://openid.github.io/OpenID4VC-HAIP/openid4vc-high-assurance-interoperability-profile-wg-draft.html#section-4.5.1 ) doesn't appear to narrow that any further.

Is the correct interpretation that issuers need to accept whichever of kid/jwk/x5c the wallet uses?

[charsleysa]

Is the correct interpretation that issuers need to accept whichever of kid/jwk/x5c the wallet uses?

My understanding is that an issuer does not need to accept whichever as it may not be possible for it to understand all options (for example DIDs in kid). However, validation is required so it must fail if the issuer cannot understand the chosen method. I would reason that most if not all issuers would understand jwk at a minimum.

[jogu]

My understanding is that an issuer does not need to accept whichever as it may not be possible for it to understand all options (for example DIDs in kid). However, validation is required so it must fail if the issuer cannot understand the chosen method. I would reason that most if not all issuers would understand jwk at a minimum.

I agree DIDs don't make sense in the HAIP context - but if the key in the key attestation has a kid, using the kid for that key would make sense I think?

[charsleysa]

but if the key in the key attestation has a kid, using the kid for that key would make sense I think?

To clarify, do you mean a JWT proof using kid, and the JWT proof contains key_attestation, and the key attestation contains a key inside the attested_keys array with a matching kid?

[jogu]

To clarify, do you mean a JWT proof using kid, and the JWT proof contains key_attestation, and the key attestation contains a key inside the attested_keys array with a matching kid?

Exactly, yes. I believe that's currently legal in HAIP.

[charsleysa]

To clarify, do you mean a JWT proof using kid, and the JWT proof contains key_attestation, and the key attestation contains a key inside the attested_keys array with a matching kid?

Exactly, yes. I believe that's currently legal in HAIP.

My understanding is that there isn't any requirement for the Issuer to support that particular configuration. Only that an issuer must validate the JWT proof signature using a key identified by either kid, jwk, or x5c.

I believe with the number of possible configurations, requiring every issuer to support every possible configuration would be counter productive. For example, DIDs or OpenID Federation may not be used in some ecosystems.

It may be necessary for HAIP to specify a baseline of configurations that should be supported.

[jogu]

Discussed in today's WG call:

kind of an expectation that when you use HAIP the jwk option makes most sense.

[fkj]

I think HAIP should specify a baseline config for JWK and allow issuers to fail on other methods that they don't understand. But willing to be persuaded otherwise if someone has a non-JWK config that makes sense in the HAIP context.