add option to have signed Credential Issuer metadata, remove signed_metadata from Credential Issuer metadata
#520
Conversation
…metadata` from Credential Issuer metadata
To give a bit more context on this: Paul and I had a bit of a discussion if we need to support multiple signatures similar to what was introduced in OpenID4VP. We came to the conclusion that starting with a JWT seems to be the more pragmatic choice and if we realise we need to support that feature, we could probably introduce it rather simple with a new media type (jose+json based). Using JWT and different Issuer deployments for different trust ecosystems seems reasonable to me. |
Co-authored-by: Tobias Looker <[email protected]>
Co-authored-by: Christian Bormann <[email protected]>
Co-authored-by: Tobias Looker <[email protected]>
Co-authored-by: Christian Bormann <[email protected]>
|
Discussed on the WG call, I would suggest we update the PR to clarify the following. If the credential issuer supports metadata, it MUST support returning that in an unsigned form 'application/json' and MAY support returning it in a signed form 'application/jwt' which translates to if the accept header is absent or set to 'application/json' the credential issuer MUST always return JSON however when its set to 'application/jwt' it MAY instead return JSON if it doesn't support signed metadata. |
Co-authored-by: lj-raidiam <[email protected]>
|
I tried to permutate all possible configurations. There seem to be:
In option 5, do we recommend signed_metadata or do we leave it up to the issuer? I would suggest leave it open in VCI, but no strong opinion |
|
Another argumentation could be that previously support for |
|
WG discussion:
|
|
As I understand, one of the reasons behind this change is because of a concern that I think that would be easily solvable by mandating that all metadata (except If unsigned metadata support will be mandatory anyway, I don't see the need to have different methods of requesting signed metadata. |
|
I like the Accept/content-Type approach. In addition to the aforementioned arguments, as discussed in #528 (comment), this would allow for wallet apps and issuers to support multiple trust frameworks at the same time. E.g. using https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-jws-json-serialization as in OID4VP. |
|
I like the approach to decide based on Accept-Header about delivering signed or unsigned metadata more, than the mechanism described in RFC8414. It feels more natural to have the same resource available in different formats, instead of having the signed format embedded into the unsigned one. This way of doing it in RFC8414 seems odd. This together with the option to later add other formats or use multiple signatures, makes it the better option. Concerning
I think this is not an issue. If the wallet really does not care, it can send the request accepting both formats and the issuer will decide. If it needs a specific format it can request only jwt or only json. Or it can request a jwt to get a jwt if possible and send another request with Accept:json if a 406 error has been received or use a quality factor, to specify the priority of the formats. |
Co-authored-by: Andres Olave <[email protected]>
|
I'm happy with the approach and concur that "Wallet operates in both(Accept:json+jwt), Issuer supports both" should not be defined in the spec |
| * `iat`: REQUIRED. Integer for the time at which the Credential Issuer Metadata was issued using the syntax defined in [@!RFC7519]. | ||
| * `exp`: OPTIONAL. Integer for the time at which the Credential Issuer Metadata is expiring, using the syntax defined in [@!RFC7519]. | ||
|
|
||
| The Wallet SHOULD establish trust in the signer of the metadata, and obtain the keys to validate the signature before processing the metadata, e.g. using JOSE header parameters like `x5c`, `kid` or `trust_chain` to convey the public key. The concrete mechanisms how to do that are out of scope of this specification. |
There was a problem hiding this comment.
Would HAIP then define how exactly the binding works for e.g., x5c?
Co-authored-by: Tobias Looker <[email protected]>
danielfett
left a comment
danielfett
left a comment
There was a problem hiding this comment.
Looks good, left some comments.
c2bo
left a comment
c2bo
left a comment
There was a problem hiding this comment.
Agree with Daniel's suggestions and added a few more comments
Co-authored-by: Daniel Fett <[email protected]>
Co-authored-by: Joseph Heenan <[email protected]>
Co-authored-by: Tobias Looker <[email protected]>
| The signed metadata MUST be secured using a JSON Web Signature (JWS) [@!RFC7515] and contain the following elements: | ||
|
|
||
| * in the JOSE header, | ||
| * `alg`: REQUIRED. A digital signature algorithm identifier such as per IANA "JSON Web Signature and Encryption Algorithms" registry [@IANA.JOSE]. It MUST NOT be `none` or an identifier for a symmetric algorithm (MAC). |
There was a problem hiding this comment.
Question: is there a way for a client requesting signed metadata to check if the server’s supported signing algorithms would match the former’s capabilities, and potentially negotiate preferences?
There was a problem hiding this comment.
I think we wanted to keep it simple to start with (that's how the oauth signed metadata and federation work too I believe) - it is possible that we could define a future mechanism using a header or where the issuer returns a json serialised response with multiple signatures.
Co-authored-by: Christian Bormann <[email protected]> Co-authored-by: Dimitar A. Stoikov <[email protected]>
Closes #202