You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
E.g for OID4VCI I see for key attestations there's an issue whether x5c, kid and jwk needs to be mutually exclusive (openid/OpenID4VCI#417).
We initially required this approach for JAR as well, however we saw quite some implementations using both x5c and kid, so we loosened it so that kid can be combined with x5c or jwk, but ONLY if kid is not a did.
Now we also ran into implementations that include x5c and kid (which is a did), pointing to the same key, while x509_san_dns is used.
Some guidance would be appreciated. Should the request only include one of these header values? Should we loosen our implementations, and only look at what is described by the client_id_scheme?
The text was updated successfully, but these errors were encountered:
E.g for OID4VCI I see for key attestations there's an issue whether
x5c
,kid
andjwk
needs to be mutually exclusive (openid/OpenID4VCI#417).We initially required this approach for JAR as well, however we saw quite some implementations using both
x5c
andkid
, so we loosened it so thatkid
can be combined withx5c
orjwk
, but ONLY ifkid
is not a did.Now we also ran into implementations that include
x5c
andkid
(which is a did), pointing to the same key, whilex509_san_dns
is used.Some guidance would be appreciated. Should the request only include one of these header values? Should we loosen our implementations, and only look at what is described by the
client_id_scheme
?The text was updated successfully, but these errors were encountered: