From 89b5475c9c230e4b99316df7cb75853412e41ca1 Mon Sep 17 00:00:00 2001 From: George J Padayatti Date: Tue, 27 Feb 2024 16:32:00 +0530 Subject: [PATCH] Fix #34: Public key resolution for `kid` specified in a JWT Signed-off-by: George J Padayatti --- ewc-rfc001-issue-verifiable-credential.md | 10 ++++++++++ ewc-rfc002-present-verifiable-credentials.md | 10 ++++++++++ 2 files changed, 20 insertions(+) diff --git a/ewc-rfc001-issue-verifiable-credential.md b/ewc-rfc001-issue-verifiable-credential.md index 6564f24..3f2daf3 100644 --- a/ewc-rfc001-issue-verifiable-credential.md +++ b/ewc-rfc001-issue-verifiable-credential.md @@ -43,6 +43,7 @@ - [5.0 Implementors](#50implementors) - [Open issues](#open-issues) - [6.0 Reference](#60reference) +- [Appendix A: Public key resolution](#appendix-a-public-key-resolution) # 1.0 Summary 
@@ -919,3 +920,12 @@ The table below summarises the success/error responses that can be used: 4. OAuth 2.0 Rich Authorization Requests, Available at: [https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-11](https://datatracker.ietf.org/doc/html/draft-ietf-oauth-rar-11) (Accessed: February 01, 2024) 5. Proof Key for Code Exchange by OAuth Public Clients, Available at: [https://datatracker.ietf.org/doc/html/rfc7636](https://datatracker.ietf.org/doc/html/rfc7636) (Accessed: February 01, 2024) 6. OpenID4VC High Assurance Interoperability Profile with SD-JWT VC - draft 00, Available at [https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html](https://openid.net/specs/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-1_0.html) (Accessed: February 16, 2024) + +# Appendix A: Public key resolution + +For a JWT there are multiple ways for resolving the public key using the `kid` header claim: + +* If the key identifier is a DID then use a DID resolver to obtain the public key +* If the key identifier is not a DID, then resolve the JWKs endpoint in the AS configuration and match the public key from the JWK set using the key identifier. + +Additionally, it is possible to specify JWK directly in the header using `jwk` header claim. \ No newline at end of file diff --git a/ewc-rfc002-present-verifiable-credentials.md b/ewc-rfc002-present-verifiable-credentials.md index c8e2df6..c2c73a0 100644 --- a/ewc-rfc002-present-verifiable-credentials.md +++ b/ewc-rfc002-present-verifiable-credentials.md @@ -31,6 +31,7 @@ - [4.0 Alternate response format](#40alternate-response-format) - [5.0 Implementors](#50implementors) - [6.0 Reference](#60reference) +- [Appendix A: Public key resolution](#appendix-a-public-key-resolution) # 1.0 Summary 
@@ -318,3 +319,12 @@ Some of the identifier deviations from success responses are as given: 2. European Commission (2023) The European Digital Identity Wallet Architecture and Reference Framework (2023-04, v1.1.0) [Online]. Available at: [https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases](https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/releases) (Accessed: October 16, 2023). 3. RFC 9101 OAuth 2.0 Authorization Framework: JWT-Secured Authorization Request (JAR) [https://www.rfc-editor.org/rfc/rfc9101.html#name-request-using-the-request_u](https://www.rfc-editor.org/rfc/rfc9101.html#name-request-using-the-request_u) (Accessed: February 05, 2024) 4. DIF Presentation Exchange: [https://identity.foundation/presentation-exchange](https://identity.foundation/presentation-exchange) (Accessed: February 07, 2024) + +# Appendix A: Public key resolution + +For a JWT there are multiple ways for resolving the public key using the `kid` header claim: + +* If the key identifier is a DID then use a DID resolver to obtain the public key +* If the key identifier is not a DID, then resolve the JWKs endpoint in the AS configuration and match the public key from the JWK set using the key identifier. + +Additionally, it is possible to specify JWK directly in the header using `jwk` header claim. \ No newline at end of file
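Review bot: In the rfc001 Appendix A hunk, the closing sentence "Additionally, it is possible to specify JWK directly in the header using `jwk` header claim." needs a trust condition, because a key carried in the JWT's own header only proves that the signer controls that key, not that the key belongs to the expected issuer; the appendix should state that an embedded `jwk` is accepted only when it can be matched against a key set obtained from a trusted source (the resolved DID document or the issuer's published JWK set) or against the key the verifier already expects, and is otherwise rejected. In the same spirit, the second bullet should make explicit that the JWK set is fetched from the issuer/AS metadata discovered out-of-band, never from a URL taken out of the JWT being verified, and that the `kid` match is an exact string comparison against the `kid` in the set (the conventional name for that endpoint is `jwks_uri`, which reads better than "JWKs endpoint"). Two style points: the first bullet is missing its terminal period while the second has one, and the file ends without a trailing newline (git reports "\ No newline at end of file"), so the appendix should end with a newline.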
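Review bot: In the rfc002 Appendix A hunk, the second bullet says to "resolve the JWKs endpoint in the AS configuration", but in the presentation flow this document covers the JWTs a party has to verify are the verifier's request object and the holder's presentation, neither of which is signed by an authorization server, so the appendix should name the metadata that applies in each case (the verifier's published client metadata for the request object, and the holder key bound to the credential, e.g. via the `cnf` claim, for the presentation) rather than reusing the issuance wording verbatim. The `jwk` header sentence has the same gap as in rfc001: say under which trust condition a header-supplied key may be accepted, otherwise the sentence reads as permitting any self-chosen key. Since both files now carry byte-identical appendix text, consider keeping it in one shared document and linking to it from each RFC so the two copies cannot drift; and, as in rfc001, add the missing trailing newline and the period on the first bullet.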