square/js-jose

Are we strict at using 'kid' header parameter?

l-ko opened this issue · 2 comments

l-ko commented

As far as I can see, jose gets the kid from the protected headers in order to verify the signature:
https://github.com/square/js-jose/blob/master/dist/jose.js#L1678

However, there are situations where no kid is passed, and I'm getting "Cannot read property 'then' of undefined", so there is no proper error case at the moment.
On the other hand, it is not required by the JWS spec: https://tools.ietf.org/html/draft-ietf-jose-json-web-signature-41#section-4.1.4

FWIW, I believe you can work around this with the keyfinder parameter to the Verify constructor. Pass in a function that ignores arguments and returns a Promise of whatever key is to be used in verification; it should be assigned to key_promises[undefined], retrieved and used, and I think you'll avoid any errors this way.

@rapropos workaround seems fine to me. Happy to review a PR if you think something can be improved.
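
The thread's point that `kid` is optional, shown as an added example (not js-jose code; every function name and the sample tokens are constructed for illustration). It sketches a key lookup that always returns a Promise, falls back to a caller-supplied key finder when the header has no `kid`, and rejects with a clear error instead of failing on `.then` of `undefined`.

```javascript
// Added example; every function name here is hypothetical, not a js-jose API.
// Sample tokens are constructed and carry a placeholder, invalid signature.
function b64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_NO_KID = b64url({ alg: 'RS256' }) + '.e30.c2ln';
const SAMPLE_WITH_KID = b64url({ alg: 'RS256', kid: 'key-1' }) + '.e30.c2ln';

// Decode the protected header (first segment) of a compact JWS.
function parseProtectedHeader(compactJws) {
  const parts = compactJws.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const b64 = parts[0].replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Symptom from the issue: a plain map lookup by kid returns undefined when
// kid is absent, and calling .then() on that result throws a TypeError.
function naiveLookup(header, keyPromises) {
  return keyPromises[header.kid];
}

// Always returns a Promise: the registered key, else the key finder's key,
// else a rejection that names the problem.
function resolveKey(header, keyPromises, keyFinder) {
  const kid = header.kid;
  if (kid !== undefined && typeof kid !== 'string') {
    return Promise.reject(new Error('kid must be a string'));
  }
  // Own-property check so a kid such as "constructor" never matches
  // something inherited from Object.prototype.
  if (kid !== undefined && Object.prototype.hasOwnProperty.call(keyPromises, kid)) {
    return Promise.resolve(keyPromises[kid]);
  }
  if (typeof keyFinder === 'function') {
    return Promise.resolve(keyFinder(kid)).then((key) => {
      if (!key) throw new Error('key finder returned no key');
      return key;
    });
  }
  return Promise.reject(new Error(kid === undefined
    ? 'JWS has no kid and no key finder was supplied'
    : 'no key registered for kid ' + kid));
}
```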