Fix EWC-consortium#34: Public key resolution for kid specified in a…
… JWT

Signed-off-by: George J Padayatti <[email protected]>
georgepadayatti committed Feb 29, 2024
1 parent bf48310 commit 89b5475
Showing 2 changed files with 20 additions and 0 deletions.
10 changes: 10 additions & 0 deletions ewc-rfc001-issue-verifiable-credential.md
Expand Up @@ -43,6 +43,7 @@
- [5.0 Implementors](#50implementors)
- [Open issues](#open-issues)
- [6.0 Reference](#60reference)
- [Appendix A: Public key resolution](#appendix-a-public-key-resolution)


# 1.0 Summary
Expand Down Expand Up @@ -919,3 +920,12 @@ The table below summarises the success/error responses that can be used:
4. OAuth 2.0 Rich Authorization Requests, Available at: [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-11](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-11) (Accessed: February 01, 2024)
5. Proof Key for Code Exchange by OAuth Public Clients, Available at: [https://datatracker.ietf.org/doc/html/rfc7636](https://datatracker.ietf.org/doc/html/rfc7636) (Accessed: February 01, 2024)
6. OpenID4VC High Assurance Interoperability Profile with SD-JWT VC - draft 00, Available at [https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html](https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html) (Accessed: February 16, 2024)

# Appendix A: Public key resolution

For a JWT there are multiple ways for resolving the public key using the `kid` header claim:

* If the key identifier is a DID then use a DID resolver to obtain the public key
* If the key identifier is not a DID, then resolve the JWKs endpoint in the AS configuration and match the public key from the JWK set using the key identifier.

Additionally, it is possible to specify JWK directly in the header using `jwk` header claim.
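
Review bot: The closing sentence of the new appendix allows the key to be carried in the `jwk` header claim but does not say how a verifier decides that key can be trusted. A key taken from the JWT's own header only shows that the signer holds the matching private key and says nothing about who the signer is, so the appendix should state when an embedded `jwk` is acceptable, what it must be bound to, and which source takes precedence if both `kid` and `jwk` are present. In the second bullet, "the JWKs endpoint in the AS configuration" would be easier to implement against if it named the metadata field that carries the endpoint and said what the verifier does when no key in the set matches the `kid`.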
10 changes: 10 additions & 0 deletions ewc-rfc002-present-verifiable-credentials.md
Expand Up @@ -31,6 +31,7 @@
- [4.0 Alternate response format](#40alternate-response-format)
- [5.0 Implementors](#50implementors)
- [6.0 Reference](#60reference)
- [Appendix A: Public key resolution](#appendix-a-public-key-resolution)

# 1.0 Summary

Expand Down Expand Up @@ -318,3 +319,12 @@ Some of the identifier deviations from success responses are as given:
2. European Commission (2023) The European Digital Identity Wallet Architecture and Reference Framework (2023-04, v1.1.0) [Online]. Available at: [https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases](https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases) (Accessed: October 16, 2023).
3. RFC 9101 OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) [https://www.rfc-editor.org/rfc/rfc9101.html#name-request-using-the-request_u](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-using-the-request_u) (Accessed: February 05, 2024)
4. DIF Presentation Exchange: [https://identity.foundation/presentation-exchange](https://identity.foundation/presentation-exchange) (Accessed: February 07, 2024)

# Appendix A: Public key resolution

For a JWT there are multiple ways for resolving the public key using the `kid` header claim:

* If the key identifier is a DID then use a DID resolver to obtain the public key
* If the key identifier is not a DID, then resolve the JWKs endpoint in the AS configuration and match the public key from the JWK set using the key identifier.

Additionally, it is possible to specify JWK directly in the header using `jwk` header claim.
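
Review bot: This appendix is a verbatim copy of the one added to ewc-rfc001-issue-verifiable-credential.md in the same commit, so the two copies will drift as soon as one is edited; consider keeping the text in one RFC and linking to it from the other. If it stays here, "AS configuration" in the second bullet needs a definition for the presentation flow, since nothing in the lines shown says which party's metadata the verifier of the JWT should consult. The first bullet should also say how the key is selected when the resolved DID document lists more than one verification method.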
