Indicate supported curves for encryption in Credential Issuer metadata

[awoie]

Currently, we have enc_values_supported and alg_values_supported but those don't define what key types (e.g., curves) are supported by the Credential Issuer to encrypt the Credential Response. This is needed by the wallet to provide the right public keys in the request for key agreement or asymmetric encryption in general. Normally, we would use something like jwks or jwks_uri for this purpose. Perhaps we should do that here as well. I would have expected the issuer to create an ephemeral key pair and use the wallet key from the request as a static key in ECDH-ES. Perhaps that assumption is wrong.

Otherwise, The following would be a rough proposal how this can be indicated by adding a parameter to credential_response_encryption:

  * `jwk_values_supported`: REQUIRED. Array containing a list of objects describing the supported JWK values by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [@!RFC7519]. Each object MUST contain a (`kty` value) [@!RFC7517] and an OPTIONAL (`crv` value) [@!RFC8037]. For example, to indicate the issuer supports ECDH-ES with curve P-256, `jwk_values_supported` includes the following object: `{ "kty":"EC", "crv":"P-256" }`.

For example:

"jwk_values_supported": [
    { "kty": "EC", "crv": "P-256" },
    { "kty": "OKP", "crv": "X25519" },
    { "kty": "RSA" }            
]

Originally posted by @awoie in #153 (comment)

[selfissued]

The OAuth and OpenID way to do this is to publish lists of supported alg values for signing and lists of supported alg and enc values supported for encryption. Examples are token_endpoint_auth_signing_alg_values_supported from https://www.rfc-editor.org/rfc/rfc8414.html and request_object_encryption_alg_values_supported and request_object_encryption_enc_values_supported from https://openid.net/specs/openid-connect-discovery-1_0.html. All of these metadata values (and many similar ones) are registered at https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml. Search there for _alg and _enc and you'll find numerous examples using this pattern.

"But wait, what about polymorphic algorithm identifiers, like EdDSA that fail to specify the curve they're to be used with?", you might fairly ask. The solution to that is to create fully-specified algorithm identifiers for these functions that do. That's exactly what https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-02.html does, and there's broad support for it, including for the JOSE working group to adopt it. (See the minutes from IETF 118. It's also an explicit deliverable in the updated JOSE charter that our AD Roman created.)

We shouldn't be inventing an ad-hoc solution to a problem that the IETF is solving in a general way. This issue should be closed on that basis.

cc: @ve7jtb

[awoie]

The OAuth and OpenID way to do this is to publish lists of supported alg values for signing and lists of supported alg and enc values supported for encryption. Examples are token_endpoint_auth_signing_alg_values_supported from https://www.rfc-editor.org/rfc/rfc8414.html and request_object_encryption_alg_values_supported and request_object_encryption_enc_values_supported from https://openid.net/specs/openid-connect-discovery-1_0.html. All of these metadata values (and many similar ones) are registered at https://www.iana.org/assignments/oauth-parameters/oauth-parameters.xhtml. Search there for _alg and _enc and you'll find numerous examples using this pattern.

"But wait, what about polymorphic algorithm identifiers, like EdDSA that fail to specify the curve they're to be used with?", you might fairly ask. The solution to that is to create fully-specified algorithm identifiers for these functions that do. That's exactly what https://www.ietf.org/archive/id/draft-jones-jose-fully-specified-algorithms-02.html does, and there's broad support for it, including for the JOSE working group to adopt it. (See the minutes from IETF 118. It's also an explicit deliverable in the updated JOSE charter that our AD Roman created.)

We shouldn't be inventing an ad-hoc solution to a problem that the IETF is solving in a general way. This issue should be closed on that basis.

cc: @ve7jtb

I agree with @selfissued that "JOSE fully specified algorithms" is the way to go.

[Sakurann]

marking 1.1 since what is proposed can be added post 1.0 in a backward compatible manner