Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

OpenID4VCI metadata parameter jwks #13

Open
peppelinux opened this issue Aug 17, 2024 · 4 comments
Open

OpenID4VCI metadata parameter jwks #13

peppelinux opened this issue Aug 17, 2024 · 4 comments
Labels
dcp-wg

Comments

@peppelinux
Copy link
Owner

Each entity within wallet ecosystems may need to sign requests, responses, and more stringently, credentials, assertions, attestations, etc. Currently, OpenID4VCI does not include public keys for signature verification within the metadata, which ideally should be available in other types of metadata (e.g., SD-JWT VC). This omission creates confusion among implementers and in particular a gap for implementers that needs to issue other credential data formats, not sd-jwt vc.

This evidence can be partially found in the conversation started within the issue below:
openid/OpenID4VCI#324

other issues will be found if existing and tracked within this thread.
@jogu
Copy link

jogu commented Aug 19, 2024

I think it's important to separate out the different key uses.

openid/OpenID4VCI#324 is about encryption keys, which are often ephemeral and hence would NOT be put into metadata.

openid/OpenID4VCI#62 is actually the most relevant one for verifying credential signatures, at least for mdoc, but there is definitely no consensus that this is a good idea.

@selfissued
Copy link
Collaborator

I agree with the need to know whether a key is used for signing or encryption. Both https://openid.net/specs/openid-connect-discovery-1_0.html#ProviderMetadata and https://openid.net/specs/openid-connect-registration-1_0.html#ClientMetadata include this language in their jwks_uri parameter definitions:

When both signing and encryption keys are made available, a use (public key use) parameter value is REQUIRED for all keys in the referenced JWK Set to indicate each key's intended usage.

We should probably do the same.

@jogu
Copy link

jogu commented Aug 19, 2024

Yes, I agree - but that doesn't change the fundamental issue that many people want signing keys to be pretty static and encryption keys to be per-wallet-instance and short lived (and as far as I can see, putting short lived per-instance keys into the federation metadata is a complete non-starter practically - if I've missed something that means having 1000s of wallets updating an entity statement during 60 seconds is a concept that will actually work well please do correct me!).

@peppelinux
Copy link
Owner Author

@jogu I have misunderstood your comment for sure, I try to put the following schema:

  • wallet instance cryptographic public keys should be ephemeral, the VCI that wants to encrypt something will use one of those of the wallet instance and for the scope of a single protocol exchange

  • openid4vci metadata cryptographic public keys should be in the metadata

wallet instance that needs confidentiality with the vci uses vci's public crypto keys to encrypt stuffs for the vci.
May I ask what about the use cases of having them ephemerals?

@peppelinux peppelinux mentioned this issue Sep 3, 2024
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
dcp-wg
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@jogu @peppelinux @selfissued