
[JARM] Additional clarifications about signed JWT, Nested JWT and encrypted JWT

Open peppelinux opened this issue 1 year ago • 2 comments

Regarding the section Signed and/or Encrypted Responses.

To provide concrete guidance for implementations, I suggest the following change:

To sign, or sign and encrypt the Authorization Response, implementations MAY use JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) [@!JARM].

to

To sign, encrypt, or both sign and encrypt the Authorization Response using a Nested JWT [RFC7519], implementations must utilize the JWT Secured Authorization Response Mode for OAuth 2.0 (JARM) [@!JARM].

In addition to this, I would open a conversation about how a wallet is supposed to provide its public keys to the verifier for the signature validation, when the signed JWT or the Nested JWT is used. I suppose using wallet_metadata and/or wallet instance attestation. We need to better clarify this if we agree.

peppelinux avatar Jul 15 '24 11:07 peppelinux
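The sign-then-encrypt shape the comment above is asking the spec to pin down, shown end to end as an added example (this is not code from the OpenID4VP or JARM specifications, nor from any wallet or verifier project). The wallet signs the response claims as an ES256 JWS, then wraps that JWS in a JWE whose `cty` is `JWT`, which is what RFC 7519 calls a Nested JWT; the verifier pins the expected `alg`/`enc`/`cty`, decrypts, and only then verifies the inner signature. The key-management choices are assumptions made so the example runs on the Go standard library alone: ES256 for the wallet key and RSA-OAEP-256 with A256GCM for the verifier (JARM lets the client register other algorithms, and the alg names, claim values and the `wallet.example`/`verifier.example` identifiers are constructed for the example). The verifier is assumed to already hold the wallet's signing key out of band, since how it obtains it is exactly the open question raised in the comment; the code never takes that key from the token itself.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)

// JOSE segments are BASE64URL without padding (RFC 7515 §2); decodeSeg parses a JSON segment into T.
func b64(b []byte) string            { return base64.RawURLEncoding.EncodeToString(b) }
func unb64(s string) ([]byte, error) { return base64.RawURLEncoding.DecodeString(s) }
func decodeSeg[T any](seg string) (v T, err error) {
	b, err := unb64(seg)
	if err == nil { err = json.Unmarshal(b, &v) }
	return v, err
}
func newGCM(cek []byte) cipher.AEAD { b, _ := aes.NewCipher(cek); g, _ := cipher.NewGCM(b); return g }

// signJWS: the wallet signs the response claims as a compact ES256 JWS.
func signJWS(claims map[string]any, walletKey *ecdsa.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "ES256", "typ": "JWT"})
	pl, _ := json.Marshal(claims) // claims are plain JSON values in this example
	input := b64(hdr) + "." + b64(pl)
	h := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, walletKey, h[:])
	if err != nil { return "", err }
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // r||s, not DER (RFC 7518 §3.4)
	return input + "." + b64(sig), nil
}

// encryptJWE: the wallet wraps the JWS in a compact JWE (RSA-OAEP-256 key wrap, A256GCM); cty=JWT marks the plaintext as a JWT, i.e. a Nested JWT (RFC 7519 §5.2).
func encryptJWE(innerJWS string, verifierPub *rsa.PublicKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RSA-OAEP-256", "cty": "JWT", "enc": "A256GCM"})
	buf := make([]byte, 44) // fresh 256-bit CEK and 96-bit GCM nonce for every response
	if _, err := rand.Read(buf); err != nil { return "", err }
	cek, iv := buf[:32], buf[32:]
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, verifierPub, cek, nil)
	if err != nil { return "", err }
	gcm := newGCM(cek)
	// The BASE64URL protected header is the AEAD additional data (RFC 7516 §5.1), so it is bound to the ciphertext.
	sealed := gcm.Seal(nil, iv, []byte(innerJWS), []byte(b64(hdr)))
	ct, tag := sealed[:len(sealed)-16], sealed[len(sealed)-16:] // Go appends the 16-byte GCM tag
	return strings.Join([]string{b64(hdr), b64(wrapped), b64(iv), b64(ct), b64(tag)}, "."), nil
}

// decryptJWE: the verifier pins alg/enc/cty, unwraps the CEK, then opens the AEAD.
func decryptJWE(jwe string, verifierKey *rsa.PrivateKey) (string, error) {
	p := strings.Split(jwe, ".")
	if len(p) != 5 { return "", errors.New("compact JWE needs five segments") }
	hdr, err := decodeSeg[struct{ Alg, Enc, Cty string }](p[0])
	if err != nil { return "", err }
	if hdr.Alg != "RSA-OAEP-256" || hdr.Enc != "A256GCM" || hdr.Cty != "JWT" { return "", errors.New("unexpected JWE alg/enc/cty") }
	var raw [4][]byte // wrapped CEK, IV, ciphertext, tag
	for i := range raw {
		if raw[i], err = unb64(p[i+1]); err != nil { return "", err }
	}
	cek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, verifierKey, raw[0], nil)
	if err != nil || len(cek) != 32 { return "", errors.New("CEK unwrap failed") } // A256GCM needs a 256-bit key
	gcm := newGCM(cek)
	if len(raw[1]) != gcm.NonceSize() { return "", errors.New("bad IV length") } // Open would panic otherwise
	pt, err := gcm.Open(nil, raw[1], append(raw[2], raw[3]...), []byte(p[0]))
	if err != nil { return "", errors.New("JWE authentication failed") }
	return string(pt), nil
}

// verifyJWS: the verifier checks the inner JWS with the wallet's public key, which it must already hold (the open question in the issue); the key is never taken from the token.
func verifyJWS(jws string, walletPub *ecdsa.PublicKey) (map[string]any, error) {
	p := strings.Split(jws, ".")
	if len(p) != 3 { return nil, errors.New("compact JWS needs three segments") }
	hdr, err := decodeSeg[struct{ Alg string }](p[0])
	if err != nil { return nil, err }
	if hdr.Alg != "ES256" { return nil, errors.New("unexpected JWS alg " + hdr.Alg) } // rejects "none" and HS256
	sig, err := unb64(p[2])
	if err != nil || len(sig) != 64 { return nil, errors.New("malformed ES256 signature") }
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	r, s := new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])
	if !ecdsa.Verify(walletPub, h[:], r, s) { return nil, errors.New("JWS signature invalid") }
	return decodeSeg[map[string]any](p[1])
}

// RoundTrip runs one constructed response end to end and returns the claims the verifier recovers.
func RoundTrip() (map[string]any, error) {
	walletKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	verifierKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	claims := map[string]any{"iss": "https://wallet.example", "aud": "https://verifier.example", "exp": 1721000000, "state": "af0ifjsldkj", "vp_token": "constructed-vp-token"} // constructed sample
	inner, err := signJWS(claims, walletKey)
	if err != nil { return nil, err }
	nested, err := encryptJWE(inner, &verifierKey.PublicKey)
	if err != nil { return nil, err }
	opened, err := decryptJWE(nested, verifierKey)
	if err != nil { return nil, err }
	return verifyJWS(opened, &walletKey.PublicKey)
}
```

Two things in the verifier half are worth keeping whatever library is used: the outer JWE header's algorithms are compared against what the verifier registered rather than trusted as received, and the inner JWS is accepted only for the one signature algorithm expected and only against a key obtained independently of the token. The JARM checks on the recovered claims (`iss`, `aud`, `exp`, and matching `state` to the request) still apply after `RoundTrip` returns and are not shown here.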

please do a PR for your suggested updated text. I think it makes sense.

Sakurann avatar Jul 23 '24 19:07 Sakurann

> In addition to this, I would open a conversation about how a wallet is supposed to provide its public keys to the verifier for the signature validation, when the signed JWT or the Nested JWT is used. I suppose using wallet_metadata and/or wallet instance attestation. We need to better clarify this if we agree.

I think we have a separate issue on this?

Sakurann avatar Jul 23 '24 19:07 Sakurann