JWK in JWT-VC for PKH issuers
Currently, `ssi` cannot issue JWT VCs for issuers that are based on public key hashes (e.g. `did:tz` and `did:pkh`, where the verification method contains a hash of the public key rather than the actual public key), unless either the public key is Secp256k1 and a recoverable signature is used, or the public key is passed as input somehow during the verification process. A solution for non-recoverable signature types is to put the public key in the payload. This is what we are doing for the VC data integrity proof (linked data proof) types mentioned in #152: putting the `publicKeyJwk` in the proof object. In VC-JWT, the proof object is replaced by a combination of JOSE header parameters and claims. There is a "jwk" header parameter defined that could be used for this: https://www.rfc-editor.org/rfc/rfc7515.html#section-4.1.3
Sidetree also has a pattern of including a JWT's signing key in its payload; the jws_decode_verify_inner function defined for that is general to the claim name, and could be moved into `ssi::jws` (and changed to use `ssi::jwk::JWK`) for this purpose.
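
The verifier-side check this proposal implies, as an added example (not code from ssi or Sidetree): the "jwk" header is supplied by whoever built the token, so it can only be used once it hashes to the issuer identifier. The `did:example:` prefix, the RFC 7638 thumbprint standing in for the DID method's own key hash, and all function names are assumptions made for illustration.

```javascript
// Added example: did:example, the thumbprint-as-hash rule and all names are assumptions.
const nodeCrypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');

// Stand-in for the DID method's key hash: RFC 7638 thumbprint of an OKP key.
function keyHash(jwk) {
  const canonical = JSON.stringify({ crv: jwk.crv, kty: jwk.kty, x: jwk.x });
  return nodeCrypto.createHash('sha256').update(canonical).digest('base64url');
}

// Issue a compact JWS whose protected header carries the signer's public JWK.
function issue(privateKey, publicJwk, claims) {
  const header = { alg: 'EdDSA', jwk: publicJwk };
  const signingInput = `${b64u(JSON.stringify(header))}.${b64u(JSON.stringify(claims))}`;
  const sig = nodeCrypto.sign(null, Buffer.from(signingInput), privateKey);
  return `${signingInput}.${b64u(sig)}`;
}

// Verify: the header key is untrusted input until it hashes to the issuer id.
function verify(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  const jwk = header.jwk;
  if (header.alg !== 'EdDSA' || !jwk || jwk.kty !== 'OKP' || jwk.crv !== 'Ed25519' || 'd' in jwk) {
    throw new Error('unsupported header');
  }
  if (claims.iss !== `did:example:${keyHash(jwk)}`) throw new Error('key does not match issuer');
  const key = nodeCrypto.createPublicKey({ key: { kty: 'OKP', crv: 'Ed25519', x: jwk.x }, format: 'jwk' });
  const data = Buffer.from(`${parts[0]}.${parts[1]}`);
  if (!nodeCrypto.verify(null, data, key, Buffer.from(parts[2], 'base64url'))) throw new Error('bad signature');
  return claims;
}

// Constructed sample: a legitimate issuer, and a second key holder claiming the same issuer id.
function demo() {
  const mk = () => {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    return { privateKey, jwk: publicKey.export({ format: 'jwk' }) };
  };
  const issuer = mk(), forger = mk();
  const claims = { iss: `did:example:${keyHash(issuer.jwk)}`, vc: { type: ['VerifiableCredential'] } };
  const good = issue(issuer.privateKey, issuer.jwk, claims);
  const forged = issue(forger.privateKey, forger.jwk, claims);
  const outcome = (t) => { try { verify(t); return 'accepted'; } catch (e) { return e.message; } };
  return { good: outcome(good), forged: outcome(forged) };
}
```

The second token carries a signature that is valid under its own embedded key; it is rejected only because that key does not hash to the `iss` value, which is why the hash comparison has to come before the signature result is trusted.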