Should we mandate the use field for keys in the JSON Web Key Set in client_metadata #642

Description

@QZHelen

As an observation during interop testing, the latest spec does not explicitly require use for each JSON Web Key in the request's client_metadata.jwks; therefore, test verifiers may not be setting this property on their encryption public key.

Given that the spec text suggests that the key may not just be used for encryption purposes, not having use could cause ambiguity when there are two keys of the same type used for different purposes. The holder could pick a wrong key, one that is supposed to be used for a different purpose, to perform the response encryption.

It would be nice to clarify the expectation in the OpenID4VP spec to eliminate such ambiguity. Is it always true that the jwks keys shall always be used for encryption? Otherwise, can we require key use at least for the encryption key, or have some solution along those lines to make sure that the holder will always know what key to pick for response encryption?
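The ambiguity raised above, shown as an added example that is not part of the issue, the OpenID4VP spec, or any reference implementation: a holder-side key selector for client_metadata.jwks that refuses to guess. The selection policy (kid first, then use="enc", then a single untyped key, otherwise refuse) and the two-key JWKS are assumptions constructed for the illustration.

```python
from typing import Optional


class AmbiguousKeySelection(Exception):
    """Raised when the holder cannot tell which JWK is the encryption key."""


def select_encryption_key(jwks: dict, kid: Optional[str] = None) -> dict:
    """Return the JWK a holder should encrypt the response to.

    Assumed policy (not spec text):
      1. an explicit "kid" match, if the verifier named one;
      2. the single key marked use="enc" (use="sig" keys are never used);
      3. an untyped key only when exactly one remains; otherwise refuse,
         rather than silently encrypting to a key meant for another purpose.
    """
    keys = jwks.get("keys", [])
    if kid is not None:
        matches = [k for k in keys if k.get("kid") == kid]
        if len(matches) != 1:
            raise AmbiguousKeySelection(f"expected one key with kid={kid!r}, found {len(matches)}")
        return matches[0]
    candidates = [k for k in keys if k.get("use") != "sig"]  # signing keys are out
    enc = [k for k in candidates if k.get("use") == "enc"]
    if len(enc) == 1:
        return enc[0]
    if len(enc) > 1:
        raise AmbiguousKeySelection('several keys carry use="enc"; a kid is required')
    untyped = [k for k in candidates if "use" not in k]
    if len(untyped) == 1:
        return untyped[0]
    raise AmbiguousKeySelection(f'{len(untyped)} keys lack "use"; cannot pick the encryption key')


def selection_is_ambiguous(jwks: dict) -> bool:
    """True when the holder would have to guess which key to encrypt to."""
    try:
        select_encryption_key(jwks)
        return False
    except AmbiguousKeySelection:
        return True


# Constructed sample: the verifier publishes two P-256 keys, one for signing
# and one for response encryption. Coordinates are placeholders, not real keys.
SIGNING_KEY = {"kty": "EC", "crv": "P-256", "kid": "sig-1", "x": "PLACEHOLDER_X1", "y": "PLACEHOLDER_Y1"}
ENCRYPTION_KEY = {"kty": "EC", "crv": "P-256", "kid": "enc-1", "alg": "ECDH-ES",
                  "x": "PLACEHOLDER_X2", "y": "PLACEHOLDER_Y2"}


def jwks_without_use() -> dict:
    """What an interop verifier might publish today: same kty/crv, no "use"."""
    return {"keys": [SIGNING_KEY, ENCRYPTION_KEY]}


def jwks_with_use() -> dict:
    """The same JWKS with "use" set, which removes the guesswork."""
    return {"keys": [{**SIGNING_KEY, "use": "sig"}, {**ENCRYPTION_KEY, "use": "enc"}]}
```

With the two-key JWKS lacking use, the selector reports ambiguity instead of encrypting to the signing key; adding use="enc" (or naming a kid) makes the choice deterministic.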
