"to" and "from" are not allowed to contain a keyID fragment but keyID is required for Message Layer Addressing Consistency

[flatorre1]

Hi, i would like to clarify the following:

• to - OPTIONAL. Identifier(s) for recipients. MUST be an array of strings where each element is a valid DID or DID URL (without the fragment component). These values are useful for recipients to know which of their keys can be used for decryption. It is not possible for one recipient to verify that the message was sent to a different recipient.

• from - OPTIONAL when the message is to be encrypted via anoncrypt; REQUIRED when the message is encrypted via authcrypt. Sender identifier. The from attribute MUST be a string that is a valid DID or DID URL (without the fragment component)

But in the 3.2 Message Layer Addressing Consistency is explained:

The from attribute in the plaintext message MUST match the skid attribute in the encryption layer.
The to attribute in the plaintext message MUST contain the kid attribute of an encrypted message.
The from attribute in the plaintext message MUST match the signer’s kid in a signed message.

My understanding is that the keyID attribute is a fragment (did#keyID), so I would like to know if the toand from attributes are just a DID and the resolved DID document should contain the keyID somewhere (could a DID query be used instead of a DID fragment?).

In other hand, the tocan contain several recipients but it is not possible for one recipient to verify that the message was sent to a different recipient...I assume the doc is referring to the public signing keyIDs of the recipients, but as far as I understand all recipients will know both recipients DID and public encryption keyID attributes, because the JWE Per-Recipient Unprotected Headers contains all recipients keyIDs ("kid") and also all recipients DIDs are in the to attribute on the decrypted message payload (plaintext). I will appreciate any comment on this.

Thank you in advance.