SD-JWT VC and DIDs

[samuelmr]

The SD-JWT VC draft 13 says the following:

A recipient MUST determine and validate the public verification key for the Issuer-signed JWT using a supported Issuer Signature Mechanism that is permitted for the given Issuer according to policy. This specification defines the following two Issuer Signature Mechanisms:

• JWT VC Issuer Metadata: A mechanism to retrieve the Issuer's public key using web-based resolution. When the value of the iss claim of the Issuer-signed JWT is an HTTPS URI, the recipient obtains the public key using the keys from JWT VC Issuer Metadata as defined in Section 5.
• X.509 Certificates: A mechanism to retrieve the Issuer's public key using the X.509 certificate chain in the SD-JWT header. When the protected header of the Issuer-signed JWT contains the x5c parameter, the recipient uses the public key from the end-entity certificate of the certificates from that x5c parameter and validates the X.509 certificate chain accordingly. In this case, the Issuer of the Verifiable Credential is the subject of the end-entity certificate.

The referenced section 5 says:

The iss MUST be a case-sensitive URL using the HTTPS scheme that contains scheme, host and, optionally, port number and path components, but no query or fragment components." (5. JWT VC Issuer Metadata

The spec does leave the door open for using DIDs as issuer identifiers:

To enable different trust anchoring systems or key resolution methods, separate specifications or ecosystem regulations may define additional Issuer Signature Mechanisms; however, the specifics of such mechanisms are out of scope for this specification.

What would be the reaction of the community to the following proposal:

• DIIP v5 uses plain HTTPS URIs as issuer identifiers for SD-JWT VC credentials
• DIIP v5 uses DIDs as issuer identifiers for W3C VCDM credentials

Just a thought.

This would make it easier to define how OpenID Federation is used (adding the jwt-vc-issuer metadata to the Entity Configuration). It might also improve the interoperability of DIIP-compliant solutions with some EUDI wallets.

There would be downsides as well. This would break backwards compatibility if you could no longer use did:web with SD-JWT VCs. I'm not sure how one would handle key rotation using the SD-JWT VC way. (On the other hand, did:web doesn´t define that either, unlike did:webvh.)

See also #25 (which didn't spark too much discussion...)

[muisit]

I think the DIIP community wants to use DIDs, so the only option is to the second one, which establishes the current practice of putting the issuer DID in the 'iss' claim.
If this, as you say, contradicts the official SD-JWT specification, it should definitely be defined clearly in the DIIPv5 spec.