sub_jwk when sub is DID in SIOP
When `sub` is a DID, the keys are retrieved from the DID Document, so `sub_jwk` should be optional. `sub_jwk` would remain required when `sub` is a JWK thumbprint.
If `sub_jwk` is included when `sub` is a DID, it could be used to compare whether the verification method from the DID Document matches the `kid` of `sub_jwk`, but this is not a must-have protection.
Comments (6)
- reporter: on the 02-08-2021 call, Mike commented that `sub_jwk` should be kept because it tells the RP which keys to use among those that can be found in the DID Doc retrieved using DID resolution of a DID in `sub`.
- reporter: changed status to open
- reporter: giving it further thought, the keys used are included in `kid` in the JWT header, so I still think there is no need for `sub_jwk` when DIDs are used in the `sub`.
- The proposal I indicated on the 2021-02-15 call (multiple subjects under a `subs` claim) is now #1209.
- reporter: changed status to resolved; resolved by merging PR #35.
This also leads to the question of whether the JWK thumbprint should be kept as one of the subject identifiers in SIOP, given that it does not support key rotation and has close to no implementations.
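As an added example (not code from this issue or from the OpenID specifications), here is how a relying party's key selection could treat the two `sub` forms discussed above: a JWK thumbprint subject, where `sub_jwk` is mandatory and must hash to `sub` per RFC 7638, and a DID subject, where the key is taken from the DID Document via the header `kid` and `sub_jwk`, if present, is only cross-checked. The DID, the DID Document and the resolver are constructed for illustration; the key coordinates are the P-256 example key from RFC 7515 Appendix A.3.

```python
import base64
import hashlib
import json

# Members that RFC 7638 hashes for each key type (emitted in lexicographic order).
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"),
                      "OKP": ("crv", "kty", "x"),
                      "RSA": ("e", "kty", "n")}


def jwk_thumbprint(jwk):
    """base64url(SHA-256) over the canonical JSON of the key's required members (RFC 7638)."""
    members = {m: jwk[m] for m in THUMBPRINT_MEMBERS[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(hashlib.sha256(canonical).digest()).rstrip(b"=").decode()


def select_siop_key(header, claims, resolve_did):
    """Return the JWK the RP should verify the ID token signature with, or raise ValueError."""
    sub, sub_jwk = claims["sub"], claims.get("sub_jwk")
    if sub.startswith("did:"):
        # DID subject: the key lives in the DID Document and kid in the JWT header names it.
        kid = header.get("kid")
        if not kid:
            raise ValueError("kid required in the JWT header when sub is a DID")
        doc = resolve_did(sub)
        method = next((m for m in doc.get("verificationMethod", []) if m["id"] == kid), None)
        if method is None:
            raise ValueError("kid does not name a verification method in the DID Document")
        key = method["publicKeyJwk"]
        # sub_jwk is optional here; when present it must agree with the resolved key.
        if sub_jwk is not None and jwk_thumbprint(sub_jwk) != jwk_thumbprint(key):
            raise ValueError("sub_jwk does not match the DID Document key")
        return key
    # Thumbprint subject: sub_jwk is mandatory and must hash to sub.
    if sub_jwk is None:
        raise ValueError("sub_jwk required when sub is a JWK thumbprint")
    if jwk_thumbprint(sub_jwk) != sub:
        raise ValueError("sub is not the thumbprint of sub_jwk")
    return sub_jwk


# Constructed DID and DID Document; key coordinates are the RFC 7515 Appendix A.3 example key.
SAMPLE_JWK = {"kty": "EC", "crv": "P-256",
              "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}
SAMPLE_DID = "did:example:123"
SAMPLE_DOC = {"id": SAMPLE_DID, "verificationMethod": [
    {"id": SAMPLE_DID + "#key-1", "type": "JsonWebKey2020",
     "controller": SAMPLE_DID, "publicKeyJwk": SAMPLE_JWK}]}


def resolve_sample_did(did):
    """Stand-in for DID resolution (constructed): only knows SAMPLE_DID."""
    if did != SAMPLE_DID:
        raise ValueError("unknown DID")
    return SAMPLE_DOC
```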