Closed PieterKas closed 1 year ago
Yeah, I had a brief panic that we had two sub
claims, but technically there's no conflict -- the VC data model says that the top-level sub
claim maps to credentialSubject.id
, so it doesn't conflict with credentialSubject.sub
. And unfortunately, I think we're stuck using sub
/ credentialSubject.id
for the subject public key binding, because that's where the VC data model says to put it. I agree this is uncomfortable / confusing.
That said, we could use credentialSubject.id
instead of the top-level sub
field. That way, there would be no top-level sub
claim; there would be only one sub
claim, the one inside credentialSubject
, with the same semantic as always. That seems pretty unlikely to break JWT libraries (AFAIK?), and if it does, it's more likely to fail closed ("Error: Missing sub
claim") than to result in a misinterpretation.
Now:
{
"vc": {
"credentialSubject": {
"sub": "248289761001",
// ...
}
// ...
},
"sub": "urn:ietf:params:oauth:jwk-thumbprint:QAbVMm39bb3gXkK5Gv1HFt_UKA56sKWG2h94CJMD5OY",
"aud": "bOx8R44XhIHi3A965zBEn",
"iat": 1667575982,
"iss": "https://server.example.com"
}
Proposed:
{
"vc": {
"credentialSubject": {
"id": "urn:ietf:params:oauth:jwk-thumbprint:QAbVMm39bb3gXkK5Gv1HFt_UKA56sKWG2h94CJMD5OY",
"sub": "248289761001",
// ...
}
// ...
},
// no "sub" here, it became "id" above
"aud": "bOx8R44XhIHi3A965zBEn",
"iat": 1667575982,
"iss": "https://server.example.com"
}
I wonder if we need a different claim than "sub" to represent the key that was bound to the user to avoid potential confusion and even implementation errors.