initial-state and length of identifiers

Daniel Hardman

Today we discussed whether we can use an initial-state matrix parameter on DIDs to pass info in a DIDComm message in the JSON field where a recipient is identified (where a simple DID would sometimes go). One of the concerns I raised was that we might change the length of these fields, from ~100-ish characters to maybe several KB. The consensus on the call was that this wasn't necessarily problematic.

However, I was reading the OIDC spec soon after we spoke, and reviewing the fields in the id token that it sends to authenticate someone. This is what it says about one of its required fields (see section 2 in

REQUIRED. Subject Identifier. A locally unique and never reassigned identifier within the Issuer for the End-User, which is intended to be consumed by the Client, e.g., 24400320 or AItOawmwtWwcT0k51BayewNvutrJUqsvl6qs7A4. It MUST NOT exceed 255 ASCII characters in length. The sub value is a case sensitive string.

In other words, the longest identifier we can use in OIDC identity tokens is 255 characters.

This does not necessarily mean our discussion was wrong. It's not clear that the DID+matrix-parameters values we want to pass in DIDComm should flow directly into OIDC id tokens. However, I think it's a useful cautionary note; there are definitely specs in the identity space, that we might want to interoperate with, that impose limits we should be aware of. I'm not sure a huge initial-state value is super smart.