Key resolution for status list

[c2bo]

Section 7.1. defines supported key resolution mechanisms to validate issued credentials. We do not define a mechanism to validate the status list with currently.

Imho, we should re-use the same key resolution mechanism that is used by the issuer - makes things easier to manage and implement. If people agree with this, I will create a PR to add a small text stating to re-use the same mechanism for status list validation.

[Sakurann]

looks like we need to say that

• digital signatures must be used to sign the status list (not MAC)
• both jwt and cwt are mandatory for the wallet, optional to the issuer
• either "Issuer MUST use the same mechanism to sign the status list as it uses to sign the credential (basically same requirements as iss in the credential apply to status list)", that would be a downside for the issuers that support multiple mechanisms to sign the credential. another way is to mandate x5c for status list always.
• define algs

[tlodderstedt]

I would suggest to add text to the spec requiring the issuer to use the same key resolution mechanism for a certain status list it uses for the respective credential. That makes the key resolution methods to be supported depending on the requirements for the respective credential format. Additionally, it also makes the life of the RP developer easier as it does not need to support arbitrary combinations of key resolution methods.

[jogu]

We recently added this text:

The public key used to validate the signature on the Status List Token MUST be included in the x5c JOSE header of the Token.

( https://openid.github.io/oid4vc-haip/openid4vc-high-assurance-interoperability-profile-wg-draft.html#section-7 )

I think this resolves the main problem described in this issue, and also effectively means MAC can't be used.

From the points Kristina mentioned:

both jwt and cwt are mandatory for the wallet, optional to the issuer

This is not resolved, but is also separate topic from key resolution.

and:

define algs

This is also not related to key resolution, but can be resolved by expanding the scope of https://openid.github.io/oid4vc-haip/openid4vc-high-assurance-interoperability-profile-wg-draft.html#section-8 to include the token list as well I think.

[Sakurann]

at least for the status list in the credential, I think mdocs ended up mandating cwt status list, so effectively it is
support cwt if you are using HAIP with mdoc and support jwt if you use HAIP with sd-jwt vc ? do we need to make this explicit?

[Sakurann]

wg discussion:

• this is resolved with adding The public key used to validate the signature on the Status List Token MUST be included in the x5c JOSE header of the Token.
• for crypto, let's discuss it in consider adding MTI crypto suites  #112
• add a text on jwt type must be supported in profiling of status list #218
• per what is revocation/status management mechanism for mdocs? #109 (comment), status list for mdocs is out of scope