Confusion regarding KeyPairResource#id and KeyPairResource#keyId

[thomasrutger]

I am confused on the purpose of each. The behavior of these concepts was recently changed: #369.

The DidDocumentServiceImpl uses KeyPairResource#id when building the verification method.

The documentation for KeyPairResource#getKeyIdsays: A String that should be used when referencing this key material in e.g. a JWT.

But using KeyPairResource#keyId when referencing a key in a JWT and then using KeyPairResource#id in a DidDocument seems like a problem if these are not the same.

My guess is that KeyPairResource#id is tied to a specific key as a reference to that key, while KeyPairResource#keyId may stay the same across key rotations. But I am not too sure, because it seems strange then that Did documents use KeyPairResource#id and not
KeyPairResource#keyId.

[paullatzelsperger]

generally, the id is a unique internal id of the resource (think: primary key in a database) and should never be used outside of IH, other than when managing keys, of course.
The keyId on the other hand is the publicly visible ID of the key that would be used for example in the kid header of a JWT, or should be put in DID documents.

If the id is used in a DidDocument, that's a bug for sure.

Rotating or revoking keys would create another KeyPairResource, thus also changing the id. It would also most likely change the keyId, because typically rotated keys have a grace period during which the old key is still resolvable for verification, but doesn't get used for signing anymore.

[edit]: this #380 should fix the bug.

[paullatzelsperger]

@thomasrutger if this answers your question, would you mind marking it as such?