JWT exp claim #39
Comments
|
If I understand your proposal here - you are saying that the JOSE
If I have that right, this feels a little weird and a slightly different interpretation than currently defined in VCDM. But, if I talk this out -
|
|
@sbutterfield Not quite. Please read what I proposed again "the exp claim should be set to the earliest of this [signing library] configuration time and the expirationDate from the vc claim if it is present". |
|
I see. Thanks, I have selective reading syndrome at times. So, in your example:
If we were to implement |
|
The reason that cryptographic signatures have an expiry time is that cryptographic algorithms do not last forever and are continually being enhanced and replaced. They become vulnerable to brute force and other attacks. So if a verifier were to receive a VC or VP with exp in the past, then the signature is no longer conceptually verifiable as it has expired (although of course the crypto can still be technically verified, but one must bear in mind that the algorithm might now be easy to break and the signature could have been forged). It is then a business decision (also called validation) as to whether to accept this expired signature or not. Our verification engine reports expired signatures to the application so that a business level decision can be made as to whether it should be accepted or not |
|
As I commented on w3c/vc-data-model#965 (comment), I think the simplest would be to say that iat/exp of VC-JWT are validity of the VC-JWT signature and are different from ValifFrom/ValidUntil that are validity of the data in the Credential. so what would have to change in VC-JWT spec would be
|
|
Is this still relevant assuming we merge #88 ? I think its resolved then. |
|
Related PR: w3c/vc-data-model#1149 removing the pending close label. |
|
The issue was discussed in a meeting on 2023-09-14
View the transcript6.10. JWT exp claim (issue vc-jose-cose#39)See github issue vc-jose-cose#39. Michael Jones: this one has a PR too, we agreed to merge that. |
|
This was addressed by PR #151 |
RFC 7519 states that the exp JWT claim "(expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing".
This is fundamentally different to the expirationDate of a W3C credential. The latter is the date that the credential (vc claim) expires and is optional e.g. a birth certificate and degree certificate never expire so they will never have an expirationDate property. My original UK driving license expired 50 years after it was issued. Clearly none of these can or should be mapped into the JWT exp claim. But the current text says that they should.
I contend that a JWT MUST always have an exp claim when it is used to proof a W3C credential, as the JWT crypto will not last forever, unlike some W3C credentials. Thus the current mapping rules are wrong, in that they state that the exp should be set to the expirationDate of the credential.
Proposal. The issuer's JWT signing library should be configured with a cryptographic expiry time, and the exp claim should be set to the earliest of this configuration time and the expirationDate from the vc claim if it is present.
The text was updated successfully, but these errors were encountered: