
editorial: Credential response encrypted, is it possible to have a nested JWT?

Open peppelinux opened this issue 2 years ago • 5 comments

The response is an encrypted JSON and not a Nested JWT, signed and then encrypted.

Is there any possibility that implementers look for having a Nested JWT? Probably not.

I would give more clarification, as OIDC with the userinfo response (or id token) made:

> If the UserInfo Response is signed and/or encrypted, then the Claims are returned in a JWT and the content-type MUST be application/jwt. The response MAY be encrypted without also being signed. If both signing and encryption are requested, the response MUST be signed then encrypted, with the result being a Nested JWT, as defined in [JWT].

@sakimura @selfissued ^

Originally posted by @peppelinux in https://github.com/openid/OpenID4VCI/pull/136#discussion_r1421476039

peppelinux, Dec 15 '23 08:12

https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0-12.html#name-credential-response already describes unencrypted JSON responses and encrypted JWT responses.

The only reason you might have a nested JWT in my mind would be if the response is signed. But that isn't described in the spec, nor have I heard a request to be able to do so. The credentials themselves, are of course signed.

It would be OK to be 100% clear that for encrypted responses, the JSON response body is the JWT Claims Set. That currently seems to be implied but not explicitly stated.

selfissued, Dec 31 '23 21:12

@selfissued your words exactly explain the purpose of this issue, which aims to introduce some explicit text about this into the current document.

peppelinux, Jan 09 '24 19:01

@peppelinux are you asking for explicit text that the Credential Response cannot be a nested JWT because the entire response is encrypted and the signed credentials are contained as claims in the encrypted payload?

Sakurann, Feb 20 '24 06:02

Do we need a whole section in VCI on how to encrypt credential response without signing the whole payload again?

something like only encrypted JARM in VP? https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-8.3-2

cc @bc-pi

Sakurann, Jan 22 '25 13:01

> Do we need a whole section in VCI on how to encrypt credential response without signing the whole payload again?

That's what is already there as far as I understand.

> something like only encrypted JARM in VP? https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html#section-8.3-2

No.

> cc @bc-pi

I'm honestly having a hard time understanding why this issue exists or what is being asked.

bc-pi, Jan 22 '25 17:01