Merged
11 changes: 6 additions & 5 deletions draft-ietf-oauth-sd-jwt-vc.md
Expand Up @@ -333,10 +333,9 @@ verification key for the Issuer-signed JWT corresponds to the `iss` value:

- JWT VC Issuer Metadata: If a recipient supports JWT VC Issuer Metadata and if the `iss` value contains an HTTPS URI, the recipient MUST
obtain the public key using JWT VC Issuer Metadata as defined in (#jwt-vc-issuer-metadata).
- X.509 Certificates: If the recipient supports X.509 Certificates, the recipient MUST obtain the public key from the leaf X.509 certificate defined by the `x5c` JWT header parameters of the Issuer-signed JWT and validate the X.509
certificate chain in the following cases:
- If the `iss` value contains a DNS name encoded as a URI using the DNS URI scheme [@RFC4501], the DNS name MUST match a `dNSName` Subject Alternative Name (SAN) [@RFC5280] entry of the leaf certificate.
- In all other cases, the `iss` value MUST match a `uniformResourceIdentifier` SAN entry of the leaf certificate.
- X.509 Certificates: If the recipient supports X.509 Certificates and the `iss` value contains an HTTPS URI, the recipient MUST
1. obtain the public key from the end-entity certificate of the certificates from the `x5c` header parameter of the Issuer-signed JWT and validate the X.509 certificate chain accordingly, and
2. ensure that the `iss` value matches a `uniformResourceIdentifier` SAN entry of the end-entity certificate or that the domain name in the `iss` value matches the `dNSName` SAN entry of the end-entity certificate.
- DID Document Resolution: If a recipient supports DID Document Resolution and if the `iss` value contains a DID [@W3C.DID], the recipient MUST retrieve the public key from the DID Document resolved from the DID in the `iss` value. In this case, if the `kid` JWT header parameter is present, the `kid` MUST be a relative or absolute DID URL of the DID in the `iss` value, identifying the public key.

Separate specifications or ecosystem regulations MAY define rules complementing the rules defined above, but such rules are out of scope of this specification. See (#ecosystem-verification-rules) for security considerations.
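Review bot: the reworked X.509 Certificates bullet and the JWT VC Issuer Metadata bullet above it now both trigger on an `iss` value that contains an HTTPS URI, and each says the recipient MUST obtain the public key its own way, so a recipient that supports both mechanisms faces two competing MUSTs with no stated precedence. Suggest conditioning the X.509 rule on the `x5c` header parameter being present in the Issuer-signed JWT, or stating explicitly which mechanism wins. Two smaller points in the same bullet: "validate the X.509 certificate chain accordingly" does not say against what, whereas the replaced text at least cited [@RFC5280], so the path validation rules and the source of trust anchors should be named or referenced; and "matches the `dNSName` SAN entry" should read "a `dNSName` SAN entry", since an end-entity certificate can carry several, ideally with the comparison rule (case handling, whether wildcard entries are acceptable) spelled out.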
Expand Down Expand Up @@ -1153,9 +1152,11 @@ for their contributions (some of which substantial) to this draft and to the ini

* update reference to IETF Status List
* Include Type Metadata
* Include schema Type Metadata
* Editorial changes
* Updated terminology to clarify digital signatures are one way to secure VCs and presentations
* Include schema Type Metadata
* Rework key resolution/validation for x5c


-03
