Credential Encryption Parameter Name Discrepancy

[peppelinux]

In the credential request we have the parameter names for the credential response encryption, defined in the text as follows:

• credential_encryption_jwk
• credential_response_encryption_alg
• credential_response_encryption_enc

credential_encryption_jwk does not include response_ in it. Me and other implementers are wondering if this is intentional and why.

If this is not intentional, WDYT if we change the name to credential_response_encryption_jwk, for naming normalization?

[paulbastian]

Does it make sense to group them together into a separate JSON object?

[Sakurann]

I agree it is cleaner to rename to credential_response_encryption_jwk unless @awoie there was a reason why you chose to omit _response here? less sure about the grouping. it does not seem to be a convention in OAuth/OIDC, so we can probably leave as-is

[awoie]

No specific reason. I think it makes sense to rename it.

[awoie]

Does it make sense to group them together into a separate JSON object?

I used the same pattern that you can find here: https://openid.net/specs/openid-connect-discovery-1_0.html

[paulbastian]

Does it make sense to group them into a single object?

[awoie]

Does it make sense to group them into a single object?

I would support that since the names will get shorter. OAuth2 and OP Metadata took a different path. If there was no technical reason why those aren't Objects, then I'd be in favor of changing this.

[paulbastian]

Proposal:

"credential_response_encryption" : {
    "jwk" : {},
    "alg" : "...",
    "enc" : "..."
}

[Sakurann]

@cobward is Spruce using these in production? Would you be ok with this breaking change? if so, I think we can try get this in before ID-1

[cobward]

We're fine with breaking changes at this point.