oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

W3C VC Example lacks cnf #320

Closed OR13 closed 11 months ago

OR13 commented 1 year ago

https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-05#appendix-A.4

compared to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-05#section-5.5

expected to see this:

{
  "iss": "https://example.com/issuer",
  "iat": 1683000000,
  "exp": 1883000000,
  "@context": [
    "https://www.w3.org/2018/credentials/v1",
    "https://w3id.org/vaccination/v1"
  ],
  "type": [
    "VerifiableCredential",
    "VaccinationCertificate"
  ],
  "issuer": "https://example.com/issuer",
  "issuanceDate": "2023-02-09T11:01:59Z",
  "expirationDate": "2028-02-08T11:01:59Z",
  "name": "COVID-19 Vaccination Certificate",
  "description": "COVID-19 Vaccination Certificate",
  "credentialSubject": {
    "vaccine": {
      "type": "Vaccine",
      "atcCode": "J07BX03",
      "medicinalProductName": "COVID-19 Vaccine Moderna"
    },
    "recipient": {
      "type": "VaccineRecipient"
    },
    "type": "VaccinationEvent",
    "order": "3/3",
    "dateOfVaccination": "2021-06-23T13:40:12Z"
  },
  "_sd_alg": "sha-256",
  // this part needs to be added.
  "cnf": {
    "jwk": {
      "kty": "EC",
      "crv": "P-256",
      "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
      "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
    }
  }
}

alenhorvat commented 1 year ago

A VC can be signed with JWS only, without JWT claims or cnf. I guess both examples could/should be presented. One would be secured using JWS, the other secured using JWT.

OR13 commented 1 year ago

@alenhorvat your comment seems not relevant to the issue... the issue is that the text suggests cnf will be present in the example, but it is not.

> A VC can be signed with JWS only, without JWT claims or cnf.

In w3c vcdm v1.1 typ MUST be JWT. In w3c vcdm v2, see https://github.com/w3c/vc-jose-cose

I don't think your statement is accurate currently, regarding w3c vcdm... but it could be accurate regarding "other things called vcs".

> I guess both examples could/should be presented. One would be secured using JWS, the other secured using JWT.

I would expect the SD-JWT repo to only have examples that are SD-JWT... regardless of whether they have a typ value set that follows the JWT BCP.

I would not expect JWS to be relevant to this repo, even if it's used internally by JWT or SD-JWT.

alenhorvat commented 1 year ago

@OR13 thank you for the corrections.

Agree.

bc-pi commented 1 year ago

Yeah, it does say "Key Binding is applied using the Holder's public key passed in a cnf claim in the SD-JWT." right there at https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-05#appendix-A.4 so a cnf claim should be in the example that follows. It'll show up in the example SD-JWT payload as it does in other examples.
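To make concrete what "cnf in the SD-JWT payload" buys a Verifier, here is an added example (not code from the draft, from the oauth-selective-disclosure-jwt repo, or from any commenter). It builds a constructed sample payload modelled on the vaccination credential above, with two claims made selectively disclosable, and runs the Verifier-side checks: the `_sd` digests are recomputed with the declared `_sd_alg`, the disclosed claims are reconstructed, and the payload is rejected unless it carries a plain `cnf.jwk` claim, which is exactly what the text requires for Key Binding. The Holder JWK is the one quoted in the issue; salts, decoy and function names are the example's own. Verifying the Issuer's JWS signature and the Holder's KB-JWT signature is assumed to happen elsewhere.

```python
"""Verifier-side checks on an SD-JWT payload that carries Key Binding.
Added example for this thread, not code from the draft or the repo. The sample
payload is modelled on the vaccination credential in the issue, with two claims
made selectively disclosable; the outer JWS and KB-JWT signatures are assumed
to be verified elsewhere."""
import base64
import hashlib
import json

SUPPORTED_SD_ALGS = {"sha-256": hashlib.sha256}
# A disclosure must never carry SD-JWT structure, nor cnf: Key Binding needs
# the Holder's key as a plain claim the Holder cannot withhold or swap.
RESERVED_CLAIM_NAMES = {"_sd", "_sd_alg", "...", "cnf"}
# Holder public key copied from the cnf claim quoted in the issue.
HOLDER_JWK = {"kty": "EC", "crv": "P-256",
              "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
              "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name: str, value, salt: str) -> str:
    """Object-property disclosure: base64url of the JSON array [salt, name, value]."""
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())

def disclosure_digest(disclosure: str, sd_alg: str) -> str:
    """Digest of the ASCII disclosure string; this is what _sd arrays contain."""
    return b64url(SUPPORTED_SD_ALGS[sd_alg](disclosure.encode("ascii")).digest())

def collect_digests(obj) -> set:
    """Every digest referenced from an _sd array anywhere inside obj."""
    found = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            found |= set(value) if key == "_sd" else collect_digests(value)
    elif isinstance(obj, list):
        for item in obj:
            found |= collect_digests(item)
    return found

def resolve(obj, digest_map: dict):
    """Copy of obj with _sd arrays replaced by the claims the Holder disclosed."""
    if isinstance(obj, list):
        return [resolve(item, digest_map) for item in obj]
    if not isinstance(obj, dict):
        return obj
    out = {k: resolve(v, digest_map) for k, v in obj.items() if k not in ("_sd", "_sd_alg")}
    for digest in obj.get("_sd", []):
        if digest in digest_map:  # otherwise a decoy or an undisclosed claim: skip
            name, value = digest_map[digest]
            if name in out:
                raise ValueError(f"claim {name!r} appears twice")
            out[name] = resolve(value, digest_map)
    return out

def verify_sd_payload(payload: dict, disclosures: list) -> dict:
    """Return the disclosed claims, or raise ValueError on a malformed presentation."""
    sd_alg = payload.get("_sd_alg", "sha-256")
    if sd_alg not in SUPPORTED_SD_ALGS:
        raise ValueError(f"unsupported _sd_alg {sd_alg!r}")
    cnf = payload.get("cnf")
    jwk = cnf.get("jwk") if isinstance(cnf, dict) else None
    if not isinstance(jwk, dict) or "kty" not in jwk:  # the gap the issue reports
        raise ValueError("Key Binding requires a cnf.jwk claim in the SD-JWT payload")
    digest_map = {}
    for disc in disclosures:
        parsed = json.loads(base64.urlsafe_b64decode(disc + "=" * (-len(disc) % 4)))
        if not (isinstance(parsed, list) and len(parsed) == 3 and isinstance(parsed[1], str)):
            raise ValueError("only [salt, name, value] disclosures are handled here")
        if parsed[1] in RESERVED_CLAIM_NAMES:
            raise ValueError(f"a disclosure may not carry the {parsed[1]!r} claim")
        digest_map[disclosure_digest(disc, sd_alg)] = (parsed[1], parsed[2])
    referenced = collect_digests(payload) | collect_digests([v for _, v in digest_map.values()])
    if set(digest_map) - referenced:
        raise ValueError("a presented disclosure is not referenced by any _sd array")
    return resolve(payload, digest_map)

def build_sample(include_cnf: bool = True):
    """Constructed Issuer output: the issue's credential with two disclosable claims."""
    disclosures = [make_disclosure("atcCode", "J07BX03", "salt-atc"),
                   make_disclosure("dateOfVaccination", "2021-06-23T13:40:12Z", "salt-date")]
    atc_digest, date_digest = (disclosure_digest(d, "sha-256") for d in disclosures)
    decoy = disclosure_digest("constructed-decoy", "sha-256")  # decoys hide the claim count
    payload = {
        "iss": "https://example.com/issuer", "iat": 1683000000, "exp": 1883000000,
        "type": ["VerifiableCredential", "VaccinationCertificate"],
        "credentialSubject": {
            "vaccine": {"type": "Vaccine", "medicinalProductName": "COVID-19 Vaccine Moderna",
                        "_sd": [atc_digest]},
            "type": "VaccinationEvent",
            "_sd": [date_digest, decoy],
        },
        "_sd_alg": "sha-256",
    }
    if include_cnf:
        payload["cnf"] = {"jwk": HOLDER_JWK}
    return payload, disclosures
```

Calling `verify_sd_payload(*build_sample())` returns the credential with `atcCode` and `dateOfVaccination` restored; passing only a subset of the disclosures yields a payload without the withheld claims, while `build_sample(include_cnf=False)` is rejected outright. The reserved-name check is the other half of the same point: `cnf` is only useful for Key Binding if the Verifier reads it from the signed payload, never from a Holder-supplied disclosure.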

bc-pi commented 1 year ago

PR #339 adds cnf to example 4b

see, for example, https://drafts.oauth.net/oauth-selective-disclosure-jwt/bc-cnf-to-ex4b/draft-ietf-oauth-selective-disclosure-jwt.html#appendix-A.4-8

bc-pi commented 11 months ago

339 merged