Is defining that if vct is an https:// it should check the metadata under the .well-known (at least the 2nd part of the text reads like this: "i.e., by inserting /.well-known/vct after the authority part of the URL").
Many registries are, and will be, accessible via URLs, hence the metadata type is expressed via a URL; adding or maintaining a .well-known might not fit in the existing API designs. Also note that .well-known has well-known issues with multi-tenancy. Most use cases will delegate the hosting of the information to registries.
Also
URL https:///.well-known/vct/, i.e., by inserting /.well-known/vct after the authority part of the URL.
Questions:
If schema is https, should the full URL be provided? (No ambiguity with .well-known, you can host schema on GitHub, ...)
Metadata retrieval category re-consideration:
1) Fetch vct from a remote source:
   a) URL: HTTPS schema -> full URL that points to a schema
   b) URN: domain-defined URN that MUST be understood by the wallet; the URN method defines how to map the URN to URL and retrieve the data
2) Fetch the vct metadata locally:
   a) local cache
   b) Signature (signed or unsigned header); whether or not metadata is shared in the (un)protected header is defined by the signature format, hence out of scope of this document.
2b: point to consider for the OID4VP: should there be a flag: "archival mode" or similar, that would flag that the wallet needs to provide all the referenced content in an unprotected JWS header?
https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-05.html#section-6.3.1
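
The retrieval categories listed above, as an added Python sketch that is not part of the issue or of the draft. `resolve`, `well_known_url`, the cache dictionary and the URN handler table are hypothetical names, and the `.example` URLs are constructed sample values.

```python
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN = "/.well-known/vct"  # path segment quoted in the issue


def well_known_url(vct):
    """Insert /.well-known/vct after the authority part of an https vct."""
    p = urlsplit(vct)
    return urlunsplit((p.scheme, p.netloc, WELL_KNOWN + p.path, p.query, ""))


def resolve(vct, cache, urn_handlers, use_well_known=False):
    """Return (source, location) saying where the wallet gets the metadata.

    cache:        dict of vct -> metadata already held locally (case 2a)
    urn_handlers: dict of URN namespace -> function mapping URN to URL (1b)
    Raises ValueError when the wallet cannot resolve the vct.
    """
    if vct in cache:                              # 2a) local cache, no fetch
        return ("cache", vct)
    p = urlsplit(vct)
    scheme = p.scheme.lower()
    if scheme == "https":                         # 1a) HTTPS URL
        if not p.hostname:
            raise ValueError("https vct has no authority part")
        # Full-URL variant fetches vct as given; the other variant rewrites it.
        return ("https", well_known_url(vct) if use_well_known else vct)
    if scheme == "urn":                           # 1b) domain-defined URN
        namespace = p.path.split(":", 1)[0].lower()
        handler = urn_handlers.get(namespace)
        if handler is None:                       # wallet MUST understand it
            raise ValueError(f"URN namespace {namespace!r} not understood")
        return ("urn", handler(vct))
    raise ValueError(f"unsupported vct scheme {scheme!r}")


if __name__ == "__main__":
    # Constructed sample: two tenants hosted on one registry host.
    for tenant in ("tenant-a", "tenant-b"):
        vct = f"https://registry.example/{tenant}/pid/1"
        print(resolve(vct, {}, {}), resolve(vct, {}, {}, use_well_known=True))
```

With the rewrite enabled, both tenants' metadata locations fall under the single `/.well-known/vct/` tree at the host root, while the full-URL variant leaves each tenant's path untouched.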