Mikko Ylinen

> > Would it be OK to aim fixing #519 with PR too? > > Probably not. Currently it is hard for KBS to detect the JWT type (CoCoAS/ITA or...

> > Could `kid`/x5*`header fields be used to map to what trust anchors we have configured. ITA token has`kid`and we use it to search the corresponding JWK in the JwkSet....

> @mythi Adds the change that you suggested. I think it is good to have some internal defined paths together with user defined extra paths. thanks! I personally feel it's...

> Well as they are different things. One is jwkset and the other is root pem certs If the take this path, we might need a third one for "OpenID...

> Before this patch the config item `trusted_certs_paths` is actually used in a wrong way, at least not a good name, because it is JwkSet for ITA rather than certs....

I agree that their content is very different. My only comment has been that for the user they are still both "token verification collateral" which is why I also asked:...

> I see no real benefit in having fewer config entries, especially if doing so could cause confusion. I was mainly thinking user experience but ok. For some users it...

This PR was not ready for merging. For example, you still have `insecure_key: true` in place.

> Before this commit, the insecure key option is always true logically although there is not such a config item. This was not the case for `attestation_token_type = "Jwk"` since...

Fair enough, the functionality seems fine. My original comment was related to unresolved conversations that were not addressed.