openid / connect / issues / #1203 - sub_jwk when sub is DID in SIOP — Bitbucket

Issue #1203 resolved

Kristina Yasuda created an issue 2021-02-01

When sub is a DID, keys are retrieved from DID Document, so sub_jwk should be optional. sub_jwk would remain required when sub is jwk thumbprint.

If sub_jwk is included when sub is a DID, it could be used to compare whether verification method from the DID Document matches the kid of sub_jwk, but this is not a must protection.

Comments (6)

Kristina Yasuda reporter
This also leads to a question whether jwk thumbprint should be kept as one of subject identifiers in SIOP given it does not support key rotation and close to no implementations.
- 2021-02-01T07:21:12+00:00
Kristina Yasuda reporter
on 02-08-2021 call, Mike commented that sub_jwk should be kept because they tell RP which keys to use among those that can be found in DID Doc retrieved using DID resolution of a DID in sub
- 2021-02-09T04:53:52+00:00
Kristina Yasuda reporter
- changed status to open
- 2021-02-09T04:55:46+00:00
Kristina Yasuda reporter
giving it further thought, the keys used are included in kid in the JWT header, so I still think there is no need for sub_jwk when DIDs are used in the `sub.`
- 2021-02-09T14:37:56+00:00
David Waite
The proposal I indicated on the 2021-02-15 call (multiple subjects under subs claim) is now ~~#1209~~

‌
- 2021-02-18T03:08:16+00:00
Kristina Yasuda reporter
- changed status to resolved
resolved by merging PR #35
- 2021-07-28T17:29:39+00:00
Log in to comment

Assignee: –

Type: enhancement

Priority: major

Status: resolved

Component: SIOP

Milestone: –

Version: –

Votes: 0

Watchers: 1

Jira Software: the preferred issue tracker for Bitbucket. Join the team!