How should a signed request (JAR) using x509_san_dns but also including a did in the kid be interpreted?

[TimoGlastra]

E.g for OID4VCI I see for key attestations there's an issue whether x5c, kid and jwk needs to be mutually exclusive (openid/OpenID4VCI#417).

We initially required this approach for JAR as well, however we saw quite some implementations using both x5c and kid, so we loosened it so that kid can be combined with x5c or jwk, but ONLY if kid is not a did.

Now we also ran into implementations that include x5c and kid (which is a did), pointing to the same key, while x509_san_dns is used.

Some guidance would be appreciated. Should the request only include one of these header values? Should we loosen our implementations, and only look at what is described by the client_id_scheme?

[babisRoutis]

Dear @TimoGlastra

For what is worth, we took the "permissive" approach to our OpenId4VP wallet implementation.

That is, depending on the client_id_scheme used by the verifier, check whether the JAR header contains the appropriate mandatory header, but not requiring the absence of other related headers.

• x509_san_dns -> x5c
• x509_san_uri -> x5c
• did -> kid must be present and must contain a DID
• verifier_attestation -> jwt

On the verifier's side we populate only the mandatory JOSE header per client_id_scheme used

Yet, I also share the same concerns.

[Sakurann]

there is nothing in the spec that prevents "permissive" approach to our OpenId4VP wallet implementation, right? if so, this can be clarified in 1.1