
Attempt to clarify intro text about key attestations #524


Status: Open. Wants to merge 2 commits into base: main.

Conversation

jogu (Contributor) commented May 28, 2025

The singular "key" was being used in a way that could be confusing given a single key attestation can be used to attest multiple keys.

closes #463

The singular "key" was being used in a way that could be confusing given
a single key attestation can be used to attest multiple keys.

closes #463
@jogu jogu added the editorial Things that are not normative changes label May 28, 2025
@@ -919,10 +919,10 @@ This specification defines the following proof types:

There are two ways to convey key attestations (as defined in (#keyattestation)) of the cryptographic key material during Credential issuance:

- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession of the key and adds the key attestation in the JOSE header.
- The Wallet uses the `attestation` proof type in the Credential Request with the key attestation without a proof of possession of the key itself.
- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation in the JOSE header.
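Review bot: the reworded `jwt` bullet says the proof of possession is made "for one of the attested keys" but never says that the Issuer has to check that the key used for that proof actually appears among the keys the attestation attests; without that check the proof and the attestation are two unrelated artifacts. Suggest adding, either in this bullet or in the verification text it relies on, a sentence along the lines of "the Issuer verifies that the key used for the proof of possession is one of the keys contained in the key attestation."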
Sakurann (Collaborator) commented May 28, 2025

I think this is super important

Suggested change
- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation in the JOSE header.
- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation with all of the attested keys in the JOSE header.

jogu (Contributor Author):

I'm not too keen on this wording, I think it becomes a bit ambiguous and could be read as saying to add the JWKs to the JOSE header in addition to the attestation. I do think it's important to make clear that the key attestation can contain multiple keys though - would adding that just before the list, or in the paragraph below the list work for you? I've made a suggestion for adding it below.

Contributor:

I agree with @jogu, that suggestion is clearer than this proposed language.

- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession of the key and adds the key attestation in the JOSE header.
- The Wallet uses the `attestation` proof type in the Credential Request with the key attestation without a proof of possession of the key itself.
- The Wallet uses the `jwt` proof type in the Credential Request to create a proof of possession for one of the attested keys and adds the key attestation in the JOSE header.
- The Wallet uses the `attestation` proof type in the Credential Request to provide a key attestation without a proof of possession of any of the keys.
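Review bot: the new `attestation` bullet states what is omitted (no proof of possession of any of the keys) but not what the Issuer relies on instead, so a reader cannot tell how the Credential Request is tied to those keys. Since the attestation is then the only evidence that the Wallet holds the keys, the bullet should point to where the Issuer's verification of the attestation itself is specified, e.g. "...without a proof of possession of any of the keys; the Issuer relies on verifying the key attestation as defined in (#keyattestation)."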
Sakurann (Collaborator):

Suggested change
- The Wallet uses the `attestation` proof type in the Credential Request to provide a key attestation without a proof of possession of any of the keys.
- The Wallet uses the `attestation` proof type in the Credential Request to provide a key attestation for all of the attested keys without a proof of possession of any of those keys.

@Sakurann Sakurann added this to the Final 1.0 milestone May 28, 2025

Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key itself does not necessarily need to perform signature operations.
Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key to which the Credential will be bound does not necessarily need to perform signature operations.
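Review bot: "the `attestation` may avoid" at the start of this line is missing its noun; the bullets above call it the `attestation` proof type, and both the old and new line read this way, so while the line is being touched it should say "the `attestation` proof type may avoid". The rest of the rewording, tying the statement to "the key to which the Credential will be bound" rather than "the key itself", is the right fix and matches the plural-keys reading of the bullets.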
jogu (Contributor Author):

Suggested change
Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key to which the Credential will be bound does not necessarily need to perform signature operations.
Depending on the Wallet's implementation, the `attestation` may avoid unnecessary End-User interaction during Credential issuance, as the key(s) to which the Credential(s) will be bound does not necessarily need to perform signature operations, and one key attestation can be used to attest multiple keys.


Successfully merging this pull request may close these issues: Clarification about use of key attestations in JWT proofs (#463)
4 participants