bifurcation
commented
1 year ago Yeah, I had a brief panic that we had two sub claims, but technically there's no conflict -- the VC data model says that the top-level sub claim maps to credentialSubject.id, so it doesn't conflict with credentialSubject.sub. And unfortunately, I think we're stuck using sub / credentialSubject.id for the subject public key binding, because that's where the VC data model says to put it. I agree this is uncomfortable / confusing.
That said, we could use credentialSubject.id instead of the top-level sub field. That way, there would be no top-level sub claim; there would be only one sub claim, the one inside credentialSubject, with the same semantic as always. That seems pretty unlikely to break JWT libraries (AFAIK?), and if it does, it's more likely to fail closed ("Error: Missing sub claim") than to result in a misinterpretation.
Now:
{
"vc": {
"credentialSubject": {
"sub": "248289761001",
// ...
}
// ...
},
"sub": "urn:ietf:params:oauth:jwk-thumbprint:QAbVMm39bb3gXkK5Gv1HFt_UKA56sKWG2h94CJMD5OY",
"aud": "bOx8R44XhIHi3A965zBEn",
"iat": 1667575982,
"iss": "https://server.example.com"
}Proposed:
{
"vc": {
"credentialSubject": {
"id": "urn:ietf:params:oauth:jwk-thumbprint:QAbVMm39bb3gXkK5Gv1HFt_UKA56sKWG2h94CJMD5OY",
"sub": "248289761001",
// ...
}
// ...
},
// no "sub" here, it became "id" above
"aud": "bOx8R44XhIHi3A965zBEn",
"iat": 1667575982,
"iss": "https://server.example.com"
}
I wonder if we need a different claim than "sub" to represent the key that was bound to the user to avoid potential confusion and even implementation errors.