Normative Reference #513
Comments
Where in the data model do you feel such a normative statement would belong?
In section 6.3.1 where you mention JWKS
@awoie I believe you may be the best person to address this issue.
@nadalin, if you could clarify this for me, I would greatly appreciate it. Are you suggesting that any JWT encoded VC must normatively use JWKs?
@brentzundel yes I am since these are standardized today
@nadalin @brentzundel RFC 7515 (JWS) defines the use of JWK as optional. RFC 7519 (JWT) does not talk about JWK at all. The way the VC specification is written allows JWK or any other means for key discovery. This would allow existing JWT parsers to use JWK and allows JWT processors with DID support to implement decentralized key discovery.
I don't see any issue with that.
@awoie Not understanding your point, as you need to use JWS when signing which is where JWK is defined
@nadalin My point is that the usage of JWK is not mandatory to identify the key to verify the JWS. According to RFC 7517 (6. Key Identification):
Nevertheless, the VC specification section 6.3.1 Proof Formats allows the use of JWK:
Does this address your concern? If not, are you okay to solve this issue by explicitly mentioning in the VC spec that JWK may be used to obtain the key?
Although the VC spec does not require DID and DID Documents, implementers could also obtain the verification key via a DID resolution process. In that case no JWK is required.
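Added example, not part of the thread or of the VC specification: a Python illustration of the point discussed above, that a JWS header may carry a JWK, another key hint, or no hint at all, so the verifier decides how the key is found. The route labels, `trusted_kids`, the constructed sample tokens and the treatment of a `did:`-prefixed `kid` are assumptions of this example.

```python
import base64
import json

# RFC 7515 section 4.1 header parameters that can point at the key; all OPTIONAL.
KEY_HINTS = ("jku", "jwk", "kid", "x5u", "x5c", "x5t", "x5t#S256")


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jws(header: dict) -> str:
    """Constructed sample: real header, placeholder payload and signature."""
    payload = {"iss": "https://issuer.example", "vc": {}}
    parts = (json.dumps(header).encode(), json.dumps(payload).encode(), b"sig")
    return ".".join(b64url_encode(p) for p in parts)


def key_discovery_route(compact_jws: str, trusted_kids: set) -> str:
    """Say how a verifier would locate the key, before any signature check."""
    segments = compact_jws.split(".")
    if len(segments) != 3:
        raise ValueError("not a JWS compact serialization")
    header = json.loads(b64url_decode(segments[0]))
    if not isinstance(header, dict):
        raise ValueError("protected header is not a JSON object")
    kid = header.get("kid")
    if isinstance(kid, str) and kid.startswith("did:"):
        return "did-resolution"        # assumed convention: kid is a DID URL
    if isinstance(kid, str) and kid in trusted_kids:
        return "trusted-key-set"       # e.g. a JWK Set the verifier already holds
    if "jwk" in header or "jku" in header:
        # The header is unauthenticated input: a key or URL it carries proves
        # nothing unless it matches a key the verifier already trusts.
        return "header-key-needs-trust-anchor"
    if any(name in header for name in KEY_HINTS):
        return "unresolved-hint"
    return "out-of-band"               # no hint at all; still a valid JWS header


if __name__ == "__main__":
    for hdr in ({"alg": "ES256"}, {"alg": "ES256", "kid": "did:example:123#key-1"}):
        print(hdr, "->", key_discovery_route(make_sample_jws(hdr), {"issuer-key-1"}))
```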
@awoie I prefer to leave DIDs out of this discussion, I would prefer the latter by explicit mentioning in the VC specification as I'm not sure your casual reader would pick up on this
A PR was raised for issue #485 that explicitly mentions JWKs in the data model. I do not believe this data model should go further than those RFCs and require something they do not, as we would like to remain compatible with the JWT and JWS standards.
@brentzundel JWS RFC requires use of JWK it's a normative reference, the VC specification should list JWK
WG resolution: https://www.w3.org/2019/04/02-vcwg-minutes.html#resolution08 Will close 7 days from today if no new concerns or evidence are raised by then in this issue.
@stonematt To be clear this section is non-normative so there is set no interop and folks can do and use this section as they please, so people reading the spec can do what they want which means there may not be interop |
JSON Web Key RFC 7517 (https://tools.ietf.org/html/rfc7517) should be listed as normative