Some of those pesky details of life came up again and it took me longer to get to this than I'd hoped, but this pull request has this work: https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/316

Copied from the PR description, here are some highlights of this proposed change:

- Renames 'Issuer-signed JWT Verification Key Validation' to 'Issuer Signature Mechanisms' and reworks some text accordingly.
- Provides a web-based metadata resolution mechanism and an inline x509 mechanism.
- A DID-based mechanism is not explicitly provided but still possible via profile/extension.
- Is more explicit that the employed Issuer Signature Mechanism has to be one that is permitted for the Issuer according to policy.
- Is more clear that one permitted Issuer Signature Mechanism is sufficient.

On Fri, Apr 25, 2025 at 4:28 PM Brian Campbell <bcampb...@pingidentity.com> wrote:

> While not new, the subject of how an issuer signs an SD-JWT VC and how a
> verifier properly finds the public key and checks the signature has come
> more into focus recently. Slides 7 and 8 of the SD-JWT VC presentation at
> the Friday WG session
> <https://datatracker.ietf.org/meeting/122/materials/slides-122-oauth-sessb-sd-jwt-vc-00>
> of the last IETF were about PRs/issues/ideas in the area. During the
> session I'd indicated intent to work towards generally what was presented
> there. However, after the session some of the pesky details of life came up
> and I'd not gotten to acting on that intent. In the meantime, Oliver
> proposed some thoughts on the same topic in this google doc
> <https://docs.google.com/document/d/1rROkQ8V0azVpXrab7M2CmVkh5EKZxrm4rwYSlNbI2MY/edit?usp=sharing>
> that could pretty much obviate what I was otherwise planning on doing.
> While I did add a metric junkload of comments to that document, I do think
> it's conceptually the right direction and am now planning on working from
> the content and discussion therein as the basis for upcoming changes.
OAuth mailing list -- oauth@ietf.org