OpenID4VCI

Content of signed_metadata vs REQUIRED fields in unsigned metadata

Open jtalir opened this issue 1 year ago • 2 comments

It is written in the signed_metadata description that "If the Credential Issuer wants to enforce use of signed metadata, it omits the respective metadata parameters from the unsigned part of the Credential Issuer metadata". However, there are 3 attributes marked as REQUIRED in the unsigned part (credential_issuer, credential_endpoint and credential_configurations_supported), so it is not possible to omit them without potentially breaking some metadata validators.

Maybe a solution would be to clarify that these 3 attributes are "REQUIRED if signed_metadata attribute is not present"?

jtalir, Jan 13 '25 11:01

I believe that in relation to #448, if signed_metadata is the primary feature for issuer authentication, it should also be clear how to implement it from the beginning. Is it expected that signed_metadata can be the only attribute in the metadata JSON? Would it break something? Or is it a MUST that at least credential_issuer must be present both in signed_metadata and also at the top level?

jtalir, Jan 31 '25 09:01

I think https://github.com/openid/OpenID4VCI/pull/520 will resolve this.

jogu, Jun 22 '25 14:06