Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fetch vct from URL or from registry #256

Closed
alenhorvat opened this issue Sep 18, 2024 · 1 comment · Fixed by #272
Closed

Fetch vct from URL or from registry #256

alenhorvat opened this issue Sep 18, 2024 · 1 comment · Fixed by #272
Assignees
@danielfett

Comments

@alenhorvat
Copy link

https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-05.html#section-6.3.1

Is defining that if vct is an https:// it should check the metadata under the well known (at least the 2nd part of the text reads like this:

i.e., by inserting /.well-known/vct after the authority part of the URL.)

Many registries are, and will be accessible via URLs, hence the metadata type is expressed via an URL; Adding or maintaining a .well-known might not fit in the existing API designs. Also note that .well-known has well-known issues with multi-tenancy. Most use cases will delegate the hosting of the information to registries.

Also

URL https:///.well-known/vct/, i.e., by inserting /.well-known/vct after the authority part of the URL.

Questions:

  • if schema is https, should the full URL be provided? (no ambiguity with .well-known, you can host schema on github, ...)
  • metadata retrieval category re-consideration:

  1. Fetch vct from a remote source:
    a) URL: HTTPS schema -> full URL that points to a schema
    b) URN: domain-defined URN that MUST be understood by the wallet; The URN method defines how to map the URN to URL and retrieve the data

  2. Fetch vct the metadata locally
    a) local cache
    b) Signature (signed or unsigned header); Whether or not metadata is shared in the (un)protected header is defined by the signature format, hence out of scope of this document.

2b: point to consider for the OID4VP: should there be a flag: "archival mode" or similar, that would flag that the wallet needs to provide all the referenced content in an unprotected JWS header?
@danielfett danielfett self-assigned this Oct 1, 2024
@danielfett danielfett added the discuss Discuss label Oct 8, 2024
@danielfett danielfett mentioned this issue Oct 15, 2024
Closed
@danielfett danielfett mentioned this issue Nov 14, 2024
Merged
@danielfett
Copy link
Member

#272 removes the requirement to insert .well-known (discussion in #264)

@bc-pi bc-pi linked a pull request Nov 18, 2024 that will close this issue
Remove .well-known for vcts #272
Merged
@awoie awoie removed the discuss Discuss label Nov 26, 2024
@bc-pi bc-pi closed this as completed in #272 Dec 2, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@danielfett danielfett

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Remove .well-known for vcts oauth-wg/oauth-sd-jwt-vc
3 participants
@danielfett @alenhorvat @awoie