Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How should a signed request (JAR) using x509_san_dns but also including a did in the kid be interpreted? #447

Open
TimoGlastra opened this issue Mar 6, 2025 · 0 comments

Comments

@TimoGlastra
Copy link
Member

TimoGlastra commented Mar 6, 2025

E.g for OID4VCI I see for key attestations there's an issue whether x5c, kid and jwk needs to be mutually exclusive (openid/OpenID4VCI#417).

We initially required this approach for JAR as well, however we saw quite some implementations using both x5c and kid, so we loosened it so that kid can be combined with x5c or jwk, but ONLY if kid is not a did.

Now we also ran into implementations that include x5c and kid (which is a did), pointing to the same key, while x509_san_dns is used.

Some guidance would be appreciated. Should the request only include one of these header values? Should we loosen our implementations, and only look at what is described by the client_id_scheme?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant