Add support for JWKS

[awoie]

JOSE/IETF specifications often use URIs that point to JSON Web Key Sets (JWKS), e.g., OpenID Connect. It would be great if we could find a way that allows a DID URL to be used in such a way. This could be either done by using matrix parameters, or something similar.

We could also limit the scope by just including public keys that have the publicKeyJWK type.

Is there a way to use DID URLs in such a way already?

[awoie]

My did:example method specification could always say that an additional jwks section will be created and that all publicKeyJwk entries should be included in that section as follows:

{ 
   "@context":[ 
      "https://www.w3.org/2019/did/v1",
      "https://w3id.org/security/v1"
   ],
   "id":"did:example:123456789abcdefghi",
   "publicKey":[ 
      { 
         "id":"did:example:123456789abcdefghi#keys-1",
         "type":"RsaVerificationKey2018",
         "controller":"did:example:123456789abcdefghi",
         "publicKeyJwk": ...
      }
   ],
   "jwks":{ 
      "id":"did:example:123456789abcdefghi#jwks",
      "keys":[ 
         { 
            "alg":"RS256",
            "kty":"RSA",
            "use":"sig",
            "x5c":[ 
               "MIIC+DCCAeCgAwIBAgIJBIGjYW6hFpn2MA0GCSqGSIb3DQEBBQUAMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTAeFw0xNjExMjIyMjIyMDVaFw0zMDA4MDEyMjIyMDVaMCMxITAfBgNVBAMTGGN1c3RvbWVyLWRlbW9zLmF1dGgwLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMnjZc5bm/eGIHq09N9HKHahM7Y31P0ul+A2wwP4lSpIwFrWHzxw88/7Dwk9QMc+orGXX95R6av4GF+Es/nG3uK45ooMVMa/hYCh0Mtx3gnSuoTavQEkLzCvSwTqVwzZ+5noukWVqJuMKNwjL77GNcPLY7Xy2/skMCT5bR8UoWaufooQvYq6SyPcRAU4BtdquZRiBT4U5f+4pwNTxSvey7ki50yc1tG49Per/0zA4O6Tlpv8x7Red6m1bCNHt7+Z5nSl3RX/QYyAEUX1a28VcYmR41Osy+o2OUCXYdUAphDaHo4/8rbKTJhlu8jEcc1KoMXAKjgaVZtG/v5ltx6AXY0CAwEAAaMvMC0wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUQxFG602h1cG+pnyvJoy9pGJJoCswDQYJKoZIhvcNAQEFBQADggEBAGvtCbzGNBUJPLICth3mLsX0Z4z8T8iu4tyoiuAshP/Ry/ZBnFnXmhD8vwgMZ2lTgUWwlrvlgN+fAtYKnwFO2G3BOCFw96Nm8So9sjTda9CCZ3dhoH57F/hVMBB0K6xhklAc0b5ZxUpCIN92v/w+xZoz1XQBHe8ZbRHaP1HpRM4M7DJk2G5cgUCyu3UBvYS41sHvzrxQ3z7vIePRA4WF4bEkfX12gvny0RsPkrbVMXX1Rj9t6V7QXrbPYBAO+43JvDGYawxYVvLhz+BJ45x50GFQmHszfY3BR9TPK8xmMmQwtIvLu1PMttNCs7niCYkSiUv2sc2mlq1i3IashGkkgmo="
            ],
            "n":"yeNlzlub94YgerT030codqEztjfU_S6X4DbDA_iVKkjAWtYfPHDzz_sPCT1Axz6isZdf3lHpq_gYX4Sz-cbe4rjmigxUxr-FgKHQy3HeCdK6hNq9ASQvMK9LBOpXDNn7mei6RZWom4wo3CMvvsY1w8tjtfLb-yQwJPltHxShZq5-ihC9irpLI9xEBTgG12q5lGIFPhTl_7inA1PFK97LuSLnTJzW0bj096v_TMDg7pOWm_zHtF53qbVsI0e3v5nmdKXdFf9BjIARRfVrbxVxiZHjU6zL6jY5QJdh1QCmENoejj_ytspMmGW7yMRxzUqgxcAqOBpVm0b-_mW3HoBdjQ",
            "e":"AQAB",
            "kid":"NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg",
            "x5t":"NjVBRjY5MDlCMUIwNzU4RTA2QzZFMDQ4QzQ2MDAyQjVDNjk1RTM2Qg"
         }
      ]
   }
}

Then, I will be able to resolve did:example:123456789abcdefghi#jwks to the final jwks. Is that correct @peacekeeper ?

[awoie]

Of course one downside would be interoperability. Service providers that rely on that feature would need to know which DID methods support JWKS but the same holds true for any other publicKey type.

[awoie]

If the example query above is not correct, could you provide an example of how the query could look like to get the jwks section in the DID Document?

[awoie]

We could think about introducing DID method decorators. One such decorator could be to add this jwks section based on the publicKey section in the DID document. In this way, we could achieve some sort of interoperability. I could imagine that other decorators could make sense as well. Every DID method author could choose which decorators are supported by their DID method.

[peacekeeper]

Coming back to this topic, there has been an extension DID parameter called "transformKeys" for a while that can convert verification methods in DID documents to JWK, or an entire DID document to JWKS: https://github.com/decentralized-identity/did-spec-extensions/blob/main/parameters/transform-keys.md