kid
Registry Context
`kid` identifies a proof-of-possession key by key identifier instead of embedding or referencing the key material directly.
Technical Summary
Within a JWT `cnf` claim, `kid` is an application-specific key identifier. It is usable when the recipient can obtain the identified proof-of-possession key from that identifier and then cryptographically confirm the presenter's possession of the key.
When Used
Used when the issuer and recipient have an application-specific way to resolve a key identifier to the proof-of-possession key.
Normative Requirements
An implementation
RFC 7800 - Section 3.1
ignore confirmation members it does not understand..
Condition: In the absence of application-specific requirements for processing those members.
all confirmation members that are not understood by implementations MUST be ignored
The `cnf` claim value
RFC 7800 - Section 3.1
represent only one proof-of-possession key, with at most one of `jwk`, `jwe`, and `jku` present..
Condition: When a JWT contains a `cnf` claim.
The "cnf" claim value MUST represent only a single proof-of-possession key
Validation Guidance
Reject or flag a `cnf` object containing two or more of `jwk`, `jwe`, and `jku`.
Absent application-specific requirements, ignore unrecognized confirmation members rather than rejecting the JWT because of them.
Verify that the recipient can resolve `cnf.kid` to the intended proof-of-possession key before relying on the confirmation claim.
Security Notes
RFC 7800 - Section 3.4
`kid` is application specific; accepting it without a trusted key-resolution mechanism does not establish proof-of-possession semantics.
Reference
Details
- Entry Id
kid- Confirmation Method Value
kid- Confirmation Method Description
Key Identifier- Change Controller
IESG- Reference
RFC7800 - Section 3.4