draft-ietf-oauth-sd-jwt-vc.md (+6 -5)
@@ -333,10 +333,9 @@ verification key for the Issuer-signed JWT corresponds to the `iss` value:
- JWT VC Issuer Metadata: If a recipient supports JWT VC Issuer Metadata and if the `iss` value contains an HTTPS URI, the recipient MUST
obtain the public key using JWT VC Issuer Metadata as defined in (#jwt-vc-issuer-metadata).
-
- X.509 Certificates: If the recipient supports X.509 Certificates, the recipient MUST obtain the public key from the leaf X.509 certificate defined by the `x5c` JWT header parameters of the Issuer-signed JWT and validate the X.509
-
certificate chain in the following cases:
-
- If the `iss` value contains a DNS name encoded as a URI using the DNS URI scheme [@RFC4501], the DNS name MUST match a `dNSName` Subject Alternative Name (SAN) [@RFC5280] entry of the leaf certificate.
-
- In all other cases, the `iss` value MUST match a `uniformResourceIdentifier` SAN entry of the leaf certificate.
+
- X.509 Certificates: If the recipient supports X.509 Certificates and the `iss` value contains an HTTPS URI, the recipient MUST
+
1. obtain the public key from the end-entity certificate of the certificates from the `x5c` header parameter of the Issuer-signed JWT and validate the X.509 certificate chain accordingly, and
+
2. ensure that the `iss` value matches a `uniformResourceIdentifier` SAN entry of the end-entity certificate or that the domain name in the `iss` value matches the `dNSName` SAN entry of the end-entity certificate.
- DID Document Resolution: If a recipient supports DID Document Resolution and if the `iss` value contains a DID [@W3C.DID], the recipient MUST retrieve the public key from the DID Document resolved from the DID in the `iss` value. In this case, if the `kid` JWT header parameter is present, the `kid` MUST be a relative or absolute DID URL of the DID in the `iss` value, identifying the public key.
Separate specifications or ecosystem regulations MAY define rules complementing the rules defined above, but such rules are out of scope of this specification. See (#ecosystem-verification-rules) for security considerations.
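Review bot: the new X.509 condition in the `+` lines ("If the recipient supports X.509 Certificates and the `iss` value contains an HTTPS URI, the recipient MUST ...") now has exactly the same trigger as the unchanged JWT VC Issuer Metadata bullet above it, so a recipient that supports both mechanisms is bound by two MUSTs for one `iss` value, and the X.509 branch never requires that an `x5c` header parameter actually be present in the Issuer-signed JWT. Suggest adding "and the Issuer-signed JWT contains an `x5c` header parameter" to the condition and stating the precedence when both mechanisms apply (or requiring that both resolve to the same key). Two smaller points on the same lines: in step 1, "the end-entity certificate of the certificates from the `x5c` header parameter ... validate the X.509 certificate chain accordingly" is vaguer than the text it replaces; say that the end-entity certificate is the first certificate in `x5c` (RFC 7515 Section 4.1.6) and against which trust anchors the chain is validated, since the [@RFC5280] citation carried by the removed lines is gone. In step 2, "the domain name in the `iss` value matches the `dNSName` SAN entry" should refer to the host component of the HTTPS URI and to "a" `dNSName` entry, and should state that this alternative binds only the host, so two issuers whose `iss` values differ only in path are indistinguishable under the `dNSName` rule; the removed `dns:` URI case ([@RFC4501]) also disappears without comment, so either restore it or drop the now-unused reference.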
@@ -1153,9 +1152,11 @@ for their contributions (some of which substantial) to this draft and to the ini
* update reference to IETF Status List
* Include Type Metadata
+
* Include schema Type Metadata
* Editorial changes
* Updated terminology to clarify digital signatures are one way to secure VCs and presentations
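Review bot: the added changelog line "* Include schema Type Metadata" sits directly under "* Include Type Metadata" and reads as a duplicate, while the substantive change in this same commit, narrowing the X.509 key-resolution rule to HTTPS `iss` values and dropping the `dns:` URI case, gets no entry at all. Suggest merging the two Type Metadata lines into one and adding an entry for the X.509 change so readers of the document history can find the behavioral difference.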