From e37833551916171cf19f72577069eac9bfea3e77 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Mon, 2 Dec 2024 13:59:48 +0100 Subject: [PATCH 1/4] fix: reverted changes in PR#251 --- draft-ietf-oauth-sd-jwt-vc.md | 42 ++++++++++++++++++++++++++++++++--- 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 28f59cf..49c0949 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -343,7 +343,7 @@ obtain the public key using JWT VC Issuer Metadata as defined in (#jwt-vc-issuer - X.509 Certificates: If the recipient supports X.509 Certificates and the `iss` value contains an HTTPS URI, the recipient MUST 1. obtain the public key from the end-entity certificate of the certificates from the `x5c` header parameter of the Issuer-signed JWT and validate the X.509 certificate chain accordingly, and 2. ensure that the `iss` value matches a `uniformResourceIdentifier` SAN entry of the end-entity certificate or that the domain name in the `iss` value matches the `dNSName` SAN entry of the end-entity certificate. - +- DID Document Resolution: If a recipient supports DID Document Resolution and if the `iss` value contains a DID [@W3C.DID], the recipient MUST retrieve the public key from the DID Document resolved from the DID in the `iss` value. In this case, if the `kid` JWT header parameter is present, the `kid` MUST be a relative or absolute DID URL of the DID in the `iss` value, identifying the public key. Separate specifications or ecosystem regulations MAY define rules complementing the rules defined above, but such rules are out of scope of this specification. See (#ecosystem-verification-rules) for security considerations. If a recipient cannot validate that the public verification key corresponds to the `iss` value of the Issuer-signed JWT, the SD-JWT VC MUST be rejected. 
@@ -1207,6 +1207,43 @@ recommendations in (#robust-retrieval) apply. + + + + + Digital Bazaar + + + + + Digital Bazaar + + + + + Danube Tech + + + + + Evernym/Avast + + + + + Transmute + + + + + Blockchain Commons + + + Decentralized Identifiers (DIDs) v1.0 + + + + @@ -1534,12 +1571,11 @@ for their contributions (some of which substantial) to this draft and to the ini # Document History -07 - +* Add guidance on using DIDs for issuer key discovery -06 * Update the anticipated media type registration request from `application/vc+sd-jwt` to `application/dc+sd-jwt` -* Tightened the exposition of the Issuer-signed JWT Verification Key Validation section * Add the “Status” field for the well-known URI registration per IANA early review -05 From 0485c0a0493facfdf9a086af4a5900a9ecd5aec0 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Mon, 2 Dec 2024 14:19:04 +0100 Subject: [PATCH 2/4] fix: change doc history entry --- draft-ietf-oauth-sd-jwt-vc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 49c0949..02ef666 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -1571,7 +1571,7 @@ for their contributions (some of which substantial) to this draft and to the ini # Document History -07 -* Add guidance on using DIDs for issuer key discovery +* Revert change from previous release -06 From 12f74362e06e5f73b0c0bbf927daf926f019d223 Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Mon, 2 Dec 2024 14:36:01 +0100 Subject: [PATCH 3/4] Update draft-ietf-oauth-sd-jwt-vc.md Co-authored-by: Daniel Fett --- draft-ietf-oauth-sd-jwt-vc.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 02ef666..652f352 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md 
@@ -1571,7 +1571,7 @@ for their contributions (some of which substantial) to this draft and to the ini # Document History -07 -* Revert change from previous release +* Revert change from previous release that removed explicit mention of DIDs in the Issuer-signed JWT Verification Key Validation section -06 From 458615a490a74b2cb1ef68f075689c349f41413a Mon Sep 17 00:00:00 2001 From: Oliver Terbu Date: Mon, 2 Dec 2024 14:36:58 +0100 Subject: [PATCH 4/4] Update draft-ietf-oauth-sd-jwt-vc.md --- draft-ietf-oauth-sd-jwt-vc.md | 1 + 1 file changed, 1 insertion(+) diff --git a/draft-ietf-oauth-sd-jwt-vc.md b/draft-ietf-oauth-sd-jwt-vc.md index 652f352..38ba3f8 100644 --- a/draft-ietf-oauth-sd-jwt-vc.md +++ b/draft-ietf-oauth-sd-jwt-vc.md @@ -1576,6 +1576,7 @@ for their contributions (some of which substantial) to this draft and to the ini -06 * Update the anticipated media type registration request from `application/vc+sd-jwt` to `application/dc+sd-jwt` +* Tightened the exposition of the Issuer-signed JWT Verification Key Validation section * Add the “Status” field for the well-known URI registration per IANA early review -05
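Review bot: In the restored DID Document Resolution bullet (patch 1/4, hunk @@ -343), the key-selection rule is incomplete for the case where `kid` is absent: the text requires the recipient to "retrieve the public key from the DID Document resolved from the DID in the `iss` value", but a DID Document can list more than one key, and only the `kid`-present sentence says which one to use. Suggest stating what the recipient does when `kid` is absent (for example, reject unless the resolved document yields exactly one key usable for this purpose, or make `kid` mandatory for DID issuers), and stating under which verification relationship the key must appear, since as written any key in the document would satisfy the check. The X.509 bullet immediately above binds the key to `iss` through the SAN entries; the DID bullet should state its binding with the same precision, and the closing sentence "If a recipient cannot validate that the public verification key corresponds to the `iss` value ... the SD-JWT VC MUST be rejected" should then have a concrete meaning for the DID path too.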
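Review bot: The reference block added in patch 1/4 at @@ -1207 arrives here with its markup stripped, so only the organization names and the title "Decentralized Identifiers (DIDs) v1.0" are visible; please confirm the entry's anchor is `W3C.DID`, matching the `[@W3C.DID]` citation in the restored bullet at @@ -343, and that the entry carries the publication date and URL, since neither is visible in this view.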
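Review bot: The hunk at @@ -1534 in patch 1/4 edits the already-released -06 history entry by deleting "* Tightened the exposition of the Issuer-signed JWT Verification Key Validation section"; published history entries should not be rewritten, and patch 4/4 puts the line back, so the net effect is a no-op that still appears in the series. The new -07 line "* Add guidance on using DIDs for issuer key discovery" also describes the change as an addition while the commit subject calls it a revert of PR#251; patches 2/4 and 3/4 later reword it. Suggest squashing the four patches into one commit so the -06 entry is never touched and the -07 entry lands in its final wording.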
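Review bot: The -07 history line introduced by patch 2/4 at @@ -1571, "* Revert change from previous release", does not say what was reverted, so a reader of the Document History cannot tell which section changed without consulting the diff; patch 3/4 supplies the missing detail ("that removed explicit mention of DIDs in the Issuer-signed JWT Verification Key Validation section"), so fold 3/4 into 2/4 rather than shipping the intermediate wording.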
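Review bot: Patch 4/4 at @@ -1576 restores the -06 line "* Tightened the exposition of the Issuer-signed JWT Verification Key Validation section" that patch 1/4 removed; the end state is correct, but since the only purpose of this hunk is to undo part of patch 1/4, it should be squashed into that patch so the series does not record a deletion and re-addition of an unchanged, already-published history entry.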