Does the CDR specify distinct certificates based on the usage? For example, is there a requirement for a two way SSL (Secure Sockets Layer) certificate or a transport certificate to authenticate, and a signing certificate to sign, a JWT (JSON Web Token) in OAuth requests?
Regarding the signing/encryption keys going in to JWKs (JSON Web Keys), should these be PKIX (Public Key Infrastructure) certificates issued by a CA (Certificate Authority), or can we just use a public/private key pair here?
RFC 7517, JSON Web Keys, section 4.7, mentions PKIX certificates for the x5c (X.509 Certificate Chain) value in the JWK.
Certificates issued by the CDR CA (Consumer Data Right Certificate Authority) are used only for mTLS (mutual Transport Layer Security).
Other keys, such as the JWKS for JWT signing and encryption, are created by the participant, and the public side of each key pair is published at their JWKS endpoint. These keys are not issued by the Register.
As certificates are bound to domain, multiple certificates are issued only if multiple domains are used for base URIs. Certificates are not issued separately based on use or concern.
There is no need to use the certificates provided by the CA for signing or encryption. The certificates and the JWKS are entirely independent.
The algorithm used for signing and encryption is communicated between the ADR (Accredited Data Recipient) and the DH (Data Holder) using the OpenID Discovery protocol, for DH capability, and via the information obtained via dynamic client registration, for ADR capability.
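The separation described in the answer above (a self-generated signing key published as a JWK with no x5c, and the receiving party selecting that key by kid from the sender's JWKS rather than trusting any certificate) as an added, runnable illustration in Go using only the standard library. This is not code from the CDR, the Register, or the original post. It assumes PS256 as the signing algorithm the two parties agreed on through discovery or dynamic client registration, and the claim values (client-1, the token endpoint URL, the jti) are constructed placeholders.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"strings"
)

// JWK is the public half of an RSA signing key in the form published at a participant's
// JWKS endpoint (RFC 7517). There is no x5c member: the key is self-generated and is not
// tied to the mTLS certificate issued by the CDR CA.
type JWK struct {
	Kty string `json:"kty"`
	Use string `json:"use"`
	Alg string `json:"alg"`
	Kid string `json:"kid"`
	N   string `json:"n"`
	E   string `json:"e"`
}

// JWKS is the document served at the JWKS endpoint.
type JWKS struct {
	Keys []JWK `json:"keys"`
}

var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// NewSigningKey generates a fresh RSA key pair; nothing from the Register is involved.
func NewSigningKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }

// NewJWK builds the JWK for pub. The kid is the RFC 7638 thumbprint (SHA-256 over the
// canonical {"e","kty","n"} members), so it is derived from the key material itself.
func NewJWK(pub *rsa.PublicKey, use, alg string) JWK {
	n, e := b64(pub.N.Bytes()), b64(big.NewInt(int64(pub.E)).Bytes())
	sum := sha256.Sum256([]byte(fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`, e, n)))
	return JWK{Kty: "RSA", Use: use, Alg: alg, Kid: b64(sum[:]), N: n, E: e}
}

// SignJWT produces a PS256 compact JWS whose header carries the kid of the JWKS entry.
func SignJWT(priv *rsa.PrivateKey, kid string, claims map[string]any) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "PS256", "typ": "JWT", "kid": kid})
	body, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	input := b64(hdr) + "." + b64(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], pssOpts)
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// VerifyJWT checks a token the way the receiving party would after fetching the sender's
// JWKS: pin the expected algorithm, select the key by kid, verify RSA-PSS, return claims.
func VerifyJWT(token string, jwks JWKS) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	rawHdr, err := base64.RawURLEncoding.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var hdr struct {
		Alg string `json:"alg"`
		Kid string `json:"kid"`
	}
	if err := json.Unmarshal(rawHdr, &hdr); err != nil {
		return nil, err
	}
	if hdr.Alg != "PS256" { // never let the token choose the algorithm
		return nil, fmt.Errorf("unexpected alg %q", hdr.Alg)
	}
	var key *JWK
	for i := range jwks.Keys {
		if k := &jwks.Keys[i]; k.Kid == hdr.Kid && k.Kty == "RSA" && k.Use == "sig" {
			key = k
		}
	}
	if key == nil {
		return nil, fmt.Errorf("no RSA signing key with kid %q in JWKS", hdr.Kid)
	}
	nb, errN := base64.RawURLEncoding.DecodeString(key.N)
	eb, errE := base64.RawURLEncoding.DecodeString(key.E)
	sig, errS := base64.RawURLEncoding.DecodeString(parts[2])
	body, errB := base64.RawURLEncoding.DecodeString(parts[1])
	if errN != nil || errE != nil || errS != nil || errB != nil {
		return nil, errors.New("bad base64url in key or token")
	}
	pub := &rsa.PublicKey{N: new(big.Int).SetBytes(nb), E: int(new(big.Int).SetBytes(eb).Int64())}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], sig, pssOpts); err != nil {
		return nil, fmt.Errorf("signature invalid: %w", err)
	}
	var claims map[string]any
	if err := json.Unmarshal(body, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

func main() {
	signing, _ := NewSigningKey()
	jwks := JWKS{Keys: []JWK{NewJWK(&signing.PublicKey, "sig", "PS256")}}
	doc, _ := json.MarshalIndent(jwks, "", "  ")
	fmt.Println(string(doc)) // what the participant's JWKS endpoint would serve
	// Constructed claims shaped like a private_key_jwt client assertion (placeholder values).
	tok, _ := SignJWT(signing, jwks.Keys[0].Kid, map[string]any{
		"iss": "client-1", "sub": "client-1", "aud": "https://dh.example/token", "jti": "1"})
	claims, err := VerifyJWT(tok, jwks)
	fmt.Println(claims, err)
}
```

The verifier never consults a certificate: trust comes from having fetched the JWKS from the sender's published endpoint, and any token whose kid is absent from that document, or whose signature does not verify under the listed key, is rejected. Key rotation is a matter of adding the new public JWK to the document before signing with it.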