[did-configuration] Provide complete JWT examples about .well-known HOT 7 CLOSED

I think the top level JWT should be sign-able by non DIDs.

from .well-known.

Implemented a demo: #2

decided not to sign the top level object.

from .well-known.

Nice! I reviewed the implementation and I was able to run the demo locally

What do you mean by the following?

The demo opens up more questions about what "verification" of claims mean.

from .well-known.

awesome!

The claim in the JWT has a domain field. here is some pseudo code explaining how verification should work.

config = GET JSON ( https://example.com/.well-known/did-configuration )
For each claim in config:
- verify claim was signed by did listed in config (use resolver to get public keys)
- verify that domain in claim matches "example.com"

In the demo provided, there is no check for the last bit.

I would expect the demo to fail or warn when running on localhost.

What should the behavior be?

from .well-known.

Oh I see. What if on the client side it just checked if verified.domain matches window.location.hostname?

from .well-known.

Thats a good idea for self requests, but the client is always going to need to trust its own web server, and this spec should theoretically support CORs, where:

example.com has DIDs and can trust api.example2.com's DIDs.

the origin of a well-known did config should be present in each of the claims as the domain field.

That way 2 servers can use this for mutual auth if they wanted to.

from .well-known.

I'm gonna close this now that the example is merged. Feel free to open new issues with concerns / questions/

from .well-known.