Closed troyronda closed 8 months ago
I think we need to wait for a resolution on https://github.com/w3c/vc-data-model/issues/914 before we merge this PR
I disagree, option 1 is a security issue and inconsistent with other usages of JWT, we should only be using option 2.
Could we please add more text on safer way for absolute url processing. and to add text wrt security context behind the text
The security issue with allowing absolute url's in the kid field is that an implementation can easily forget to check the did portion of the kid field to the iss value by just verifying the JWT based on the kid field. Failing to do that leads to the verifier to believe the JWT was signed by an issuer it was not. By using a relative URL in the kid field, the verifier has to use both the iss and kid values to resolve the public key required to validate the JWT therefore removing the possibility of the scenario described above.
@troyronda can you separate this out for the v0.1 release that we discussed last week?
@jischr @Sakurann @tplooker I created a note describing the current situation.
Summary:
kid
URI in VCs.
Part of #44