w3c / vc-jose-cose

Verifiable Credentials Working Group — VC JSON Web Tokens specification
https://w3c.github.io/vc-jose-cose/

We need to specify the exact format of DID URL we expect #158

Closed TallTed closed 1 year ago

TallTed commented 1 year ago

_Originally posted by @msporny in https://github.com/w3c/vc-jose-cose/pull/153#discussion_r1326169335_

We need to specify the exact format that we expect here... DID URL -- but is this a relative (fragment-only thing) or a fully qualified DID URL (DID URL + fragment). What issue is dealing w/ this?


I opened this fresh issue because it's a better home for this discussion than a comment on a pull request.

OR13 commented 1 year ago

I agree this issue blocks CR.

I recommend we say the following:

kid MUST be an absolute URL. kid MUST start with the issuer identifier used in the verifiable credential, or the holder identifier in a verifiable presentation.

I don't believe DIDs should be mentioned at all, since they are not mentioned in https://w3c.github.io/vc-data-integrity/#verification-methods

The value of the id property for a verification method MUST be a string that conforms to the [URL] syntax.
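
A sketch of the check that the wording proposed in the comment above would imply for a verifier, as an added example that is not part of the thread or the specification. It assumes the JWT payload is the credential or presentation JSON itself; the function names, the sample identifiers, and the delimiter check after the prefix match are assumptions of this example.

```python
import base64, json
from urllib.parse import urlsplit

def b64url(obj):
    raw = json.dumps(obj).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_unsigned(header, claims):
    # Constructed sample input: the signature segment is a placeholder.
    return ".".join([b64url(header), b64url(claims), "c2ln"])

def decode_segment(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))

def controller_id(claims):
    # Issuer for a credential, holder for a presentation. Either may be a
    # plain string or an object carrying "id".
    types = claims.get("type", [])
    types = [types] if isinstance(types, str) else types
    field = "holder" if "VerifiablePresentation" in types else "issuer"
    value = claims.get(field)
    return value.get("id") if isinstance(value, dict) else value

def kid_matches_controller(kid, controller):
    if not isinstance(kid, str) or not isinstance(controller, str):
        return False
    if not controller or not urlsplit(kid).scheme:
        return False  # fragment-only or otherwise relative kid
    if not kid.startswith(controller):
        return False
    # Assumption beyond the proposed wording: the prefix must end at a URL
    # delimiter, so "did:example:123" does not match "did:example:1234#k".
    rest = kid[len(controller):]
    return rest == "" or rest[0] in "/?#"

def check_kid(token):
    # Identifier-format check only; signature verification is separate.
    header_b64, payload_b64, _signature = token.split(".")
    header = decode_segment(header_b64)
    claims = decode_segment(payload_b64)
    return kid_matches_controller(header.get("kid"), controller_id(claims))

if __name__ == "__main__":
    vc = {"type": ["VerifiableCredential"], "issuer": "did:example:123"}
    for kid in ("did:example:123#key-1", "#key-1", "did:example:1234#key-1"):
        print(kid, check_kid(make_unsigned({"alg": "ES256", "kid": kid}, vc)))
```

A verifier that resolves keys from a JWK Set, the case raised later in the thread, could not apply this check, since those kid values are chosen by the JWK Set author.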

msporny commented 1 year ago

Agree with @OR13's suggested normative language above.

selfissued commented 1 year ago

I disagree with the assertion that kid must be an absolute URL. I'm fine with it being an absolute URL when the key is being retrieved from a DID (or more generally, a controller document). But when retrieving keys from JWK Sets, the kid needs to be able to be any string, since the JWK Set authors get to choose their kid values.

OR13 commented 1 year ago

@selfissued can you revise your suggestion and address the example in the spec: https://w3c.github.io/vc-data-model/#example-a-simple-example-of-a-verifiable-credential

OR13 commented 1 year ago

I think this has been handled by: