The default behavior for JWT/JWS verification is to extract an array of possible signers from the DID document of the iss and then verify each signer to check for a signature match.

This can be improved by also looking for a kid property in the header and only using that one for verification.

For this to work, kid (if present) must be a DID URL with a #fragment, that dereferences to a VerificationMethod from the DID document of the iss.

• if kid is present, kid and iss DID must match
• if kid is present, apply the filter as early as possible, to avoid expensive cryptographic operations.

This sounds like a great improvement! We are already verifying JWS objects by kid in our dids package, but would love for that functionality to move into this library! Ref verifyJWS. In this method we also have a way to verify that a JWS is valid if the key used to sign it has been revoked, e.g. the DID URL contains a version-id parameter.

it's worth constraining kid to be a DID URL, not a DID... this would mean it is distinguishable from didDocument.id and verificationMethod.controller, both of which would align with iss.

Isn't a DID technically a subset of a DID URL?

I'd suggest supporting the path query parameter as well here. See this discussion in did-core for better explanantion:

w3c/did-core#708

I've personally found the ? query parameter unnecessarily useful for identifying keys but wouldn't be surpised if it emerged eventually. Right now we've got two known patterns though so I'd suggest supporting at least # and / for now.

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

Bad stalebot!