Ambiguity what should happen when no `kid` parameter is present in header when DID is used as `iss` value #245
Comments
I agree that there should not be any DID method specific exceptions. Even though we know that
The resolution described in #250 would address this.
In implementations of DIDs I have worked on, with JWTs, we have required that Handling all the variations of using fragments (
I also believe that
In addition, a check should be required to ensure that
The spec mentions that a `kid` is optional when the `iss` value is a DID. The same seems to be true when using JWT Issuer Metadata (although there it mentions it is RECOMMENDED at least). It doesn't describe however what should happen if no KID is present.

This has caused some interop issues with implementations not including a `kid` field when a DID is used when e.g. `did:key` or `did:jwk` is used as you can infer which key is meant. However this means you have to make exceptions for specific DID methods instead of following a general pattern.

Is there a specific reason to make the `kid` optional if the `iss` value is a DID (and also similarly when JWT Issuer Metadata is used)? If a DID is used, it MUST be signed with a key in the DID document right? And it also mentions that "If a recipient cannot validate that the public verification key corresponds to the iss value of the Issuer-signed JWT, the SD-JWT VC MUST be rejected."

So I don't see a very good reason here to make the usage of `kid` optional, as it results in ambiguity. If there is a good reason to make it optional, would it be possible to also add the RECOMMENDED to using a `kid` when `iss` is a DID, that way we can at least promote other implementations to always include a `kid` when using a DID.
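One way a verifier could apply a single, method-independent key selection rule for the situation raised in this issue, as an added example (not code from the specification or from any implementation mentioned in the thread). It assumes a policy in which `kid` is mandatory for a DID `iss`; the function names, the `did:example` DID and the sample token are constructed for illustration.

```python
import base64
import json

class KeySelectionError(Exception):
    """The signing key could not be tied to the iss value."""

def b64url_json(segment):
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def select_verification_method(sd_jwt, did_document):
    """Return the verification method named by kid, or raise.

    Assumed policy (not spec text): kid is mandatory for a DID iss and must be
    a DID URL with a fragment, absolute or relative to iss. Key selection only;
    the signature still has to be verified with the returned key.
    """
    issuer_jwt = sd_jwt.split("~")[0]  # drop disclosures / key binding JWT
    header_b64, payload_b64, _signature = issuer_jwt.split(".")
    header, payload = b64url_json(header_b64), b64url_json(payload_b64)
    iss = payload.get("iss", "")
    if not iss.startswith("did:"):
        raise KeySelectionError("iss is not a DID")
    if did_document.get("id") != iss:
        raise KeySelectionError("DID document does not belong to iss")
    kid = header.get("kid")
    if not kid:
        # No did:key / did:jwk special case: a missing kid is always an error.
        raise KeySelectionError("kid missing")
    if kid.startswith("#"):
        kid = iss + kid  # relative DID URL, resolved against iss
    did_part, _, fragment = kid.partition("#")
    if did_part != iss or not fragment:
        raise KeySelectionError("kid does not point into the iss DID document")
    for method in did_document.get("verificationMethod", []):
        method_id = method.get("id", "")
        if method_id.startswith("#"):
            method_id = iss + method_id
        if method_id == kid:
            return method
    raise KeySelectionError("kid not found in DID document")

def make_sample_jwt(header, payload):
    """Constructed, unsigned sample token (placeholder signature)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f"{enc(header)}.{enc(payload)}.c2ln~"

# Constructed sample data; did:example is the placeholder DID method.
SAMPLE_DID = "did:example:issuer"
SAMPLE_DOC = {"id": SAMPLE_DID, "verificationMethod": [
    {"id": SAMPLE_DID + "#key-1", "type": "JsonWebKey2020", "controller": SAMPLE_DID}]}
```

Because the rule never inspects the DID method, a `did:key` or `did:jwk` issuer that omits `kid` is rejected the same way as any other.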