oid4vc-haip-sd-jwt-vc
Will HAIP mandate the use of the `jwk` for `cryptographic_binding_methods_supported`?
I could not locate any restriction in the latest draft, meaning that any method could be used (as long as it is supported by the three parties), namely DID-based methods. Is this intended, or will `jwk` be required in a future HAIP draft version?
HAIP already says in this section https://openid.github.io/oid4vc-haip-sd-jwt-vc/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-wg-draft.html#section-7-5.5, which should be clear enough.
> The `cnf` claim [RFC7800] MUST conform to the definition given in [I-D.ietf-oauth-sd-jwt-vc]. Implementations conforming to this profile MUST include the JSON Web Key [RFC7517] in the `jwk` sub claim.
I think your question might lead to the fact that the `cryptographic_binding_methods_supported` parameter in VCI needs to be better defined/clarified. Would suggest opening an issue in VCI.
I was assuming that the fact that a JWK is used as the proof of possession on the KB-JWT does necessarily imply that a JWK needs to be used on the proof-token.
For instance, the proof-token could use a kid, which the credential issuer would then resolve to a JWK and add it to the cnf claims of the KB-JWT.
Perhaps we could add the following on https://openid.github.io/oid4vc-haip-sd-jwt-vc/openid4vc-high-assurance-interoperability-profile-sd-jwt-vc-wg-draft.html#section-4.4
- "The JWT proof must include the `jwk` parameter in the JOSE header"
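
An added example, not part of the thread or of the HAIP or OID4VCI text: an issuer-side check that takes the holder key from the proof JWT's JOSE header and builds the `cnf` claim, covering both the `jwk` case and the `kid` case discussed above. The function names, the `require_jwk` switch (modelling the rule suggested in the last comment) and the `resolve_kid` callback are hypothetical, the sample key values are constructed, and signature verification against the returned key is assumed to happen in a separate step.

```python
import base64
import json

# JWK members that carry private or symmetric key material (RFC 7518)
PRIVATE_JWK_MEMBERS = {"d", "p", "q", "dp", "dq", "qi", "oth", "k"}


def _b64url_json(segment):
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def cnf_from_proof_header(proof_jwt, resolve_kid=None, require_jwk=True):
    """Return the cnf claim for the credential from a proof JWT's header.

    Hypothetical helper: only selects the holder key; verifying the proof
    signature with that key is not done here.
    """
    parts = proof_jwt.split(".")
    if len(parts) != 3:
        raise ValueError("proof is not a compact JWS")
    header = _b64url_json(parts[0])
    if header.get("typ") != "openid4vci-proof+jwt":
        raise ValueError("unexpected typ in proof header")
    has_jwk, has_kid = "jwk" in header, "kid" in header
    if has_jwk and has_kid:
        raise ValueError("jwk and kid must not both be present")
    if has_jwk:
        jwk = header["jwk"]
    elif has_kid and not require_jwk and resolve_kid is not None:
        # kid path from the thread: the issuer resolves kid to a JWK
        jwk = resolve_kid(header["kid"])
    else:
        raise ValueError("proof header must carry the jwk parameter")
    if not isinstance(jwk, dict) or PRIVATE_JWK_MEMBERS.intersection(jwk):
        raise ValueError("holder key must be a public JWK")
    # The cnf claim carries the key in the jwk sub claim, as HAIP requires
    return {"cnf": {"jwk": jwk}}


def make_proof(header):
    """Build a constructed, unsigned sample proof JWT for the example."""
    def enc(obj):
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    payload = {"aud": "https://issuer.example", "nonce": "constructed-nonce"}
    return ".".join([enc(header), enc(payload), "c2ln"])


SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "constructed-x", "y": "constructed-y"}
```
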