Open JAG-UK opened 6 hours ago
Additionally, there's a naïve notion that this information should be returned with no auth. This is great from a global verifiability point of view, but it needs a balancing statement that allows/encourages auth for things that might contain PII, for example.
The intent statement currently says:
This endpoint is used to discover verification keys, which is the reason that authentication is not required.
In use cases where this endpoint is useful, it's often the case that you want more metadata/supporting evidence than purely keys.
A suggestion from the field:
return supporting evidence enabling the client to verify the issuer signature at the time of registration
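As an added illustration of the split this issue asks for (not code from the issue author or from the specification being discussed), the sketch below serves the bare verification keys without authentication but gates the richer supporting evidence, which may carry PII, behind a bearer token. The endpoint paths `/keys` and `/keys/evidence`, the token value, the key material and the list of PII field names are all assumptions constructed for the example; a real deployment would validate tokens against its identity provider and define its own PII policy.

```python
import hmac

# Constructed sample data. The key set is public material and safe to publish;
# the supporting evidence carries registration metadata that includes PII.
PUBLIC_KEYS = {
    "keys": [
        {"kty": "OKP", "crv": "Ed25519", "kid": "key-1", "x": "<base64url-x-placeholder>"}
    ]
}

SUPPORTING_EVIDENCE = {
    "kid": "key-1",
    "registered_at": "2024-01-01T00:00:00Z",
    "registration_receipt": "<receipt-placeholder>",
    "registrant_email": "operator@example.org",  # PII: must never be served unauthenticated
}

# Hypothetical static token used only so the example runs offline.
VALID_TOKEN = "example-token"

# Field names this example treats as PII (an assumption; tune per deployment).
PII_FIELDS = {"registrant_email", "registrant_name", "registrant_address"}


def authorized(headers):
    """Constant-time comparison of a bearer token against the expected value."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], VALID_TOKEN)


def contains_pii(obj):
    """Recursively check whether any key in a JSON-like structure is a PII field."""
    if isinstance(obj, dict):
        return any(k in PII_FIELDS or contains_pii(v) for k, v in obj.items())
    if isinstance(obj, list):
        return any(contains_pii(item) for item in obj)
    return False


def handle(path, headers):
    """Return (status, body) for a request.

    Keys are discoverable without auth so anyone can verify signatures;
    supporting evidence requires auth because it may contain PII.
    """
    if path == "/keys":
        body = PUBLIC_KEYS
        # Defence in depth: refuse to serve an unauthenticated response that
        # has somehow picked up PII, rather than leak it.
        if contains_pii(body):
            return 500, {"error": "refusing to serve PII on an unauthenticated endpoint"}
        return 200, body
    if path == "/keys/evidence":
        if not authorized(headers):
            return 401, {"error": "authentication required for supporting evidence"}
        return 200, SUPPORTING_EVIDENCE
    return 404, {"error": "not found"}


if __name__ == "__main__":
    print(handle("/keys", {}))
    print(handle("/keys/evidence", {}))
    print(handle("/keys/evidence", {"Authorization": "Bearer " + VALID_TOKEN}))
```

The point of the `contains_pii` check is that the unauthenticated path is policed independently of whatever data is wired into it, so a later change that merges evidence into the key response fails closed instead of publishing PII.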