Hi,

The reopened JOSE WG, which I am co-chairing, has in its charter to sync with the Selective Disclosure JWT work in the OAuth WG. I therefore did a review of draft-ietf-oauth-selective-disclosure-jwt-02.
Comments:

- I think the document should explicitly say that it cannot be used with JWTs protected with MACs.
- Why would HOLDER-PUBLIC-KEY not be a claim? e.g., "cnf" or something else?
- The salts need to be secret. Otherwise, an attacker can guess and verify claims.
- The salts need to be independent of each other. Otherwise, a Verifier can guess claims.
- 128-bit entropy salts are needed to get 128-bit confidentiality. JOSE currently has a minimum of 128-bit confidentiality; I don't think SD-JWT should change that. Salts with 128-bit entropy should be a MUST.
- Salt is not a suitable name for the secret random strings. I think the name should be changed to key or secret.
- HASH(SALT, CLAIM-NAME, CLAIM-VALUE) is a keyed hash. When this construction is used with SHA2, length extension attacks are trivial. Length extensions of ["9KNM1LVqMOUtzFObHUxCbw", "given_name", "John"] would probably be detected by the JSON parser, but moving cryptographic functionality to the JSON parsing is not good. Inventing new keyed hash algorithms is not good. I think the document should be changed to use an approved keyed hash function like HMAC or KMAC.

Cheers,
John
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
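As an added example (not from the draft, and not John's code), the two constructions the review contrasts, in Python: a disclosure built as the draft does it, base64url of the JSON array [salt, name, value] hashed with unkeyed SHA-256, next to a variant that uses HMAC-SHA-256 keyed by the salt, plus a verifier that enforces the 128-bit salt minimum. The disclosure encoding, the `_sd` digest list and the HMAC variant's message layout are assumptions of this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
MIN_SALT_BYTES = 16  # 128-bit salts, as the review asks for


def b64url(data: bytes) -> str:  # base64url without padding, JOSE style
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def new_salt() -> str:
    # Fresh 128 bits from the OS CSPRNG: one per claim, never reused.
    return b64url(secrets.token_bytes(MIN_SALT_BYTES))


def make_disclosure(salt: str, name: str, value) -> str:
    # Assumed draft layout: base64url(UTF-8(JSON array [salt, name, value])).
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def parse_disclosure(disclosure: str) -> tuple:
    # Decode a disclosure and reject salts carrying fewer than 128 bits.
    salt, name, value = json.loads(b64url_decode(disclosure))
    if len(b64url_decode(salt)) < MIN_SALT_BYTES:
        raise ValueError("salt shorter than 128 bits")
    return salt, name, value


def digest_sha256(disclosure: str) -> str:
    # Draft-style digest: unkeyed SHA-256 over the encoded disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def digest_hmac(disclosure: str) -> str:
    # Reviewer's alternative (hypothetical layout): HMAC-SHA-256 keyed by the
    # salt over [name, value], an approved keyed hash instead of an ad-hoc one.
    salt, name, value = parse_disclosure(disclosure)
    msg = json.dumps([name, value], separators=(",", ":")).encode()
    return b64url(hmac.new(b64url_decode(salt), msg, hashlib.sha256).digest())


def verify(presented: list, sd_digests: list, digest_fn) -> dict:
    # Verifier side: accept a disclosure only if its digest is in the JWT's
    # (assumed) _sd array, comparing in constant time; return revealed claims.
    revealed = {}
    for d in presented:
        _, name, value = parse_disclosure(d)
        if not any(hmac.compare_digest(digest_fn(d), x) for x in sd_digests):
            raise ValueError("disclosure for %r matches no digest" % name)
        revealed[name] = value
    return revealed
```

Swapping `digest_fn` between `digest_sha256` and `digest_hmac` changes only how the issuer and verifier compute the digest; the disclosure format and the salt-length check stay the same.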