Proposal: use did:jwk for testing dids and vc-jwt in the vc-jwt-test-suite

w3c / vc-jose-cose-test-suite

https://w3c.github.io/vc-jose-cose-test-suite

Other

4 stars 0 forks source link

Proposal: use did:jwk for testing dids and vc-jwt in the vc-jwt-test-suite #10

Open OR13 opened 1 year ago

OR13 commented 1 year ago

Provide example key pairs
Provide example DIDs
Provide example VC signed by DIDs
Provide example VP signed by DIDs

bellebaum commented 1 year ago

The VC-data-model spec was very explicit about DIDs not being a dependency of VCs. Can the test suite be written in a way which nonetheless does not depend on a correct implementation of did:jwk?

OR13 commented 1 year ago

@bellebaum yes, assuming iss / kid -> publicKeyJwk is happening correctly.

The point of using did:jwk would be... that its trivial to show how this mapping should be done.

The problem is not explaining sufficiently how you get verification material...

I propose we cover that concretely for DIDs, URLs, and anything else.

David-Chadwick commented 1 year ago

Our initial implementation tried to avoid using did's altogether. The Issuer uses an X.509 PKC of type domain validated, so that the verifier can make a TLS connection to the domain and pick up the X.509 PKC from there (e.g. in PEM format). The iss is set to the domain name. Registering an IANA well-known for this page would take the verifier straight to the right web page. Alternatively if using OIDC4VCI, the verifier can pick up the metadata of the issuer from its OIDC well known page, and from there the jwks uri parameter in order to get the public key from there. In both cases the kid could be set to did:jwk or the prefix from draft-chadwick-oauth-jwk-uri-00.txt to avoid the use of did's completely. (The method is the same, base64URL encode, but the URL prefix is different that's all).

OR13 commented 1 year ago

To be clear, I am not proposing the test suite only cover DIDs... I am proposing the test suite cover ALL legal "issuer" identifier formats.

I am strongly opposed to "verify with this public key" without describing "how to get this public key".

Sakurann commented 1 year ago

I have nothing against using did:jwk - it should be an option that would have the most utility to the testers while being the least controversial.

just to document... a way to avoid using DIDs would be, for the issuer provide a certificate (how to get this key becomes just use this key) and for the Holder, in the VC pass the pubKey by value using cnf JWT claim defined in RFC7800, and use jwk Header in VP. but I am not sure how widespread and useful this way would be for the testers.

OR13 commented 1 year ago

@Sakurann we can add tests like you suggest after we follow up on w3c/vc-jose-cose#111

OR13 commented 1 year ago

I started work on a test suite here: https://github.com/transmute-industries/vc-jwt-test-suite