Key resolution options: require x509_hash, remove web based key resolution #178
Conversation
c2bo
requested review from
Sakurann,
awoie,
bc-pi,
jogu,
martijnharing,
paulbastian and
tlodderstedt
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
| This profile supports one mandatory way to represent and resolve the key required to validate the issuer signature of an SD-JWT VC, x.509 certificates. This MUST be supported by all entities (Issuer, Wallet, Verifier): | ||
|
|
||
| * Web-based key resolution: The key used to validate the Issuer’s signature on the SD-JWT VC MUST be obtained from the SD-JWT VC issuer's metadata as defined in Section 5 of [@!I-D.ietf-oauth-sd-jwt-vc]. The JOSE header `kid` MUST be used to identify the respective key. | ||
| * x.509 certificates: the SD-JWT VC contains the issuer's certificate along with a trust chain in the `x5c` JOSE header. In this case, the `iss` value MUST be an URL with a FQDN matching a `dNSName` Subject Alternative Name (SAN) [@!RFC5280] entry in the leaf certificate. |
There was a problem hiding this comment.
I think we need to see something about 'MUST validate against a root certificate but how you get the root certificate is out of scope' ?
There was a problem hiding this comment.
We have this in the "out of scope" descrptiont:
Trust Management refers to authorization of an Issuer to issue certain types of credentials, authorization of the Wallet to be issued certain types of credentials, authorization of the Verifier to receive certain types of credentials. Although X.509 PKI is extensively utilized in this profile, the methods for establishing trust or obtaining root certificates are out of the scope of this specification.
I think that is enough, maybe it would be worth it to link there?
There was a problem hiding this comment.
Ah, thanks. That's probably fine then.
| Support for web-based key resolution is RECOMMENDED: | ||
|
|
||
| * Web-based key resolution: The key used to validate the Issuer’s signature on the SD-JWT VC MUST be obtained from the SD-JWT VC issuer's metadata as defined in Section 5 of [@!I-D.ietf-oauth-sd-jwt-vc]. The JOSE header `kid` MUST be used to identify the respective key. |
There was a problem hiding this comment.
I'm not 100% sure I understand how this works. It seems to conflict with the requirement to support x5c.
I suspect the text referred to has been moved to section 3.5 ( https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-08.html#section-3.5 ) but also I think it's been renamed or something as I'm not clear which method in that section needs to be used.
There was a problem hiding this comment.
I'm also not sure how this works, and if it's required to support X5C why support this other option, since you can't rely on it? Also since the Status List MUST use x5c, you then get like this weird combination of using web based key resolution vs X509 based.
Co-authored-by: Joseph Heenan <joseph@authlete.com> Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
There was a problem hiding this comment.
Just flagging that mandating x509_hash as the only option for HAIP could introduce challenges for RP certificate rotation, particularly if the identifier is intended to serve as a long-term reference for the RP or is referenced by external entities or systems.
For example, this could impact trusted lists maintained by EU Member States, such as those involving registration or access certificates.
@cre8 What do you think? I would expect RP signer certificates to be rotated every 1–3 years, depending on compliance requirements. In such cases, all references would need to be updated, introducing overhead and increasing the risk of inconsistencies or broken links.
This is because the RP's identifier would effectively change with each certificate rotation.
| ## Issuer identification and key resolution to validate an issued Credential {#issuer-key-resolution} | ||
|
|
||
| This profile supports two ways to represent and resolve the key required to validate the issuer signature of an SD-JWT VC, the web PKI-based key resolution and the x.509 certificates. | ||
| This profile supports one mandatory way to represent and resolve the key required to validate the issuer signature of an SD-JWT VC, x.509 certificates. This MUST be supported by all entities (Issuer, Wallet, Verifier): |
There was a problem hiding this comment.
This MUST be supported by all entities (Issuer, Wallet, Verifier):
Does this mean that existing issuers utilizing web-based key resolution are no longer HAIP compatible? I disgree that web-based key resolution should be considered HAIP incompatible.
There was a problem hiding this comment.
My current interpretation would be: Every entity has to support the x.509 based key resolution / trust establishment for sd-jwt vc to be HAIP compatible. The different entities might also support other ways like web-based key resolution, but for interop we have to mandate support for at least one mechanism everyone implements.
|
With With
|
| * Authorization Request MUST be sent using the `request_uri` parameter as defined in JWT-Secured Authorization Request (JAR) [@!RFC9101]. | ||
| * The Client Identifier Scheme as introduced in Section 5.10 of [@!OIDF.OID4VP] MUST be either `x509_san_dns` or `verifier_attestation`. The Wallet MUST support both. The Verifier MUST support at least one. | ||
| * To obtain the issuer's public key for verification, verifiers MUST support Web-based key resolution, as defined in Section 5 of [@!I-D.ietf-oauth-sd-jwt-vc]. The JOSE header `kid` MUST be used to identify the respective key. | ||
| * For Client Identifier Schemes as introduced in Section 5.9 of [@!OIDF.OID4VP], `x509_hash` MUST be supported by the Wallet and used by the Verifier. |
There was a problem hiding this comment.
| * For Client Identifier Schemes as introduced in Section 5.9 of [@!OIDF.OID4VP], `x509_hash` MUST be supported by the Wallet and used by the Verifier. | |
| * For Client Identifier Prefixes as introduced in Section 5.9 of [@!OIDF.OID4VP], `x509_hash` MUST be supported by the Wallet and used by the Verifier. |
|
WG discussion. maybe mention that client id prefix x509_hash changes when the x509 cert changes, so the same client may have multiple client ids |
Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com>
Co-authored-by: Joseph Heenan <joseph@authlete.com>
Co-authored-by: Brian Campbell <71398439+bc-pi@users.noreply.github.com>
jogu
changed the title
|
I believe this closes #102 as well, so I've added that to the first comment. |
Co-authored-by: Joseph Heenan <joseph@authlete.com>
A bit late to the party but: lifetime of the RP signer certificates (known as access certificates) will be defined by the policies. Based on the fact that these certificates can be renewed automatically, the lifetime will not be longer than two years (maybe just some months?) |
Closes #43
closes #102
closes #35