On Tue, Dec 3, 2024 at 2:16 PM Brian Campbell
<bcampb...@pingidentity.com> wrote:
> On Tue, Dec 3, 2024 at 12:03 PM Watson Ladd <watsonbl...@gmail.com> wrote:
>>
>> What exactly does one do with an iss that has an HTTPS URL? Seems like
>> we say two different things must happen.
>
>
> Do you mean what is said in this issue 
> https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/281, which I assume was 
> inspired by your question here?

Maybe!

My point was that if we have iss "https://example.com" then it could
be either VC issuer metadata or the second paragraph.

Then I find the second paragraph confusing. Are we sure there isn't a
typo there where iss was supposed to be something else? What is the
Issuer-Signed JWT that second bullet talks about and how does it
relate to the HTTPS url? On looking at the reference it's the outside
structure, but isn't that exactly the SD-JWT?

Here's what I think we meant to say, and I'll let the author of that
issue speak for themselves on the confusion and on whether I, when
deconfused, agree with them.

- iss is a URI
- There may be an x5c claim in the JWT
- If there is, then apply the X509 validation with the URI being
either a domain name or a URL
- If not, it's a pointer to issuer metadata.

Is this what we meant to express?

Sincerely,
Watson

>
>>
>>
>> I'm also fuzzy on where the x5c appears. Is it a claim that has the
>> X509 certificate chain? More needs to be said about verification and
>> construction for interoperability, probably through a few references.
>
>
> Yeah, x5c is a jose header that has an X509 certificate chain. The x5c header 
> parameter is defined in/at 
> https://datatracker.ietf.org/doc/html/rfc7515#section-4.1.6 which is kinda 
> implicitly included here. But that's not really obvious unless it's known 
> already. Would an explicit reference to it suffice for your question?
>
>>
>> Sincerely,
>> Watson
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org



-- 
Astra mortemque praestare gradatim

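The four bullets in Watson's message describe a decision a verifier has to make before it can check the Issuer-signed JWT's signature: is the key bound through an x5c certificate chain, or does iss point at issuer metadata? The following is an added example (not code from this thread, from the SD-JWT VC draft, or from any implementation) that writes that reading down in Python so the two paths are explicit and the ambiguous case (an HTTPS iss with an x5c present) resolves one way. Assumptions, not facts from the thread: the metadata location `/.well-known/jwt-vc-issuer` inserted between host and path; the SAN matching rule (a dNSName matches only a bare `https://host` iss, a URI SAN must equal iss exactly); and `leaf_san_entries`, which stands in for the SANs a real verifier extracts from the first x5c certificate with an X.509 library after validating the chain. Chain validation, revocation checking and the JWS signature check itself are out of scope here.

```python
import base64
import json
from urllib.parse import urlparse

# Assumed location of issuer metadata relative to the iss URL (not stated in the thread).
WELL_KNOWN_PATH = "/.well-known/jwt-vc-issuer"


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, as used in compact JWS."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(obj) -> str:
    """Encode a JSON object as unpadded base64url (used only for constructed samples)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def parse_jwt(jwt: str):
    """Split an Issuer-signed JWT into (header, payload) without verifying it.
    Signature verification can only happen after the key source is chosen."""
    parts = jwt.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def iss_matches_san(iss: str, san_entries) -> bool:
    """Assumed matching rule: a dNSName SAN matches when iss is just https://host
    (no path, query or fragment); a uniformResourceIdentifier SAN must equal iss."""
    parsed = urlparse(iss)
    if parsed.scheme != "https" or not parsed.hostname:
        return False
    bare_host = parsed.path in ("", "/") and not parsed.query and not parsed.fragment
    for kind, value in san_entries:
        if kind == "DNS" and bare_host and value.lower() == parsed.hostname.lower():
            return True
        if kind == "URI" and value == iss:
            return True
    return False


def select_key_source(iss: str, header: dict, leaf_san_entries=None):
    """Return ("x5c", leaf_cert), ("metadata", url) or ("reject", reason).

    Reading taken from the thread: presence of x5c selects certificate-based
    binding of iss; absence means iss is a pointer to issuer metadata.
    leaf_san_entries stands in for the SANs parsed from header["x5c"][0]."""
    if "x5c" in header:
        chain = header["x5c"]
        if not isinstance(chain, list) or not chain:
            return ("reject", "x5c present but empty")
        if not leaf_san_entries or not iss_matches_san(iss, leaf_san_entries):
            return ("reject", "iss does not match leaf certificate SAN")
        return ("x5c", chain[0])
    parsed = urlparse(iss)
    if parsed.scheme != "https" or not parsed.hostname or parsed.query or parsed.fragment:
        return ("reject", "iss is not a plain https URL and no x5c present")
    path = parsed.path.rstrip("/")
    return ("metadata", f"https://{parsed.netloc}{WELL_KNOWN_PATH}{path}")


def resolve_issuer(jwt: str, leaf_san_entries=None):
    """Parse the JWT and decide where its issuer key comes from."""
    header, payload = parse_jwt(jwt)
    iss = payload.get("iss")
    if not isinstance(iss, str):
        return ("reject", "missing iss")
    return select_key_source(iss, header, leaf_san_entries)


# Constructed, unsigned samples (empty signature segment); not real credentials.
SAMPLE_X5C = (f"{b64url_encode({'alg': 'ES256', 'x5c': ['CERT0-PLACEHOLDER']})}."
              f"{b64url_encode({'iss': 'https://example.com'})}.")
SAMPLE_META = (f"{b64url_encode({'alg': 'ES256'})}."
               f"{b64url_encode({'iss': 'https://example.com/tenant'})}.")

if __name__ == "__main__":
    print(resolve_issuer(SAMPLE_X5C, [("DNS", "example.com")]))
    print(resolve_issuer(SAMPLE_META))
```

The point of returning a reject reason rather than falling through is the second bullet in the thread: once an x5c is present, a mismatch between iss and the certificate must not silently degrade into a metadata lookup, or an attacker-controlled chain could be paired with someone else's iss.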
