On Thu, Sep 5, 2024 at 8:18 AM Judith Kahrer <judith.kahrer=40curity...@dmarc.ietf.org> wrote:

> I gave the -12 revision a read. Thanks for the great work Brian, Kristina
> and Dr. Fett.
>

Thanks for the thanks Judith. And also thanks for using the proper salutation for Daniel.

> One thing that I find confusing is the term “Issuer-signed JWT”. Isn’t it
> self-evident that a signed JWT is signed by its Issuer (that is its creator
> as defined in the spec)? I think, the spec would read just fine if
> “Issuer-signed JWT” was replaced by “signed JWT”. Section 5.1 called
> “Issuer-signed JWT” could be renamed to “SD-JWT payload”, that’s after all
> what it’s about. Also, I noticed that currently the term “Issuer-signed
> JWT” is never formally specified.
>

Well, we do have the term Issuer more formally defined at https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-12.html#section-2-1.14 and there's another signed JWT, the key binding JWT, in the context of this draft. Having distinguishing terminology seemed useful (still does) and “Issuer-signed JWT” kind of emerged. Having said all that though, I take your point at a general level and suspect that usage of terminology in this area could probably be cleaned up a bit. I'll take a pass at doing so for the next revision.

>
> Speaking of terminology, I noticed that the TOC contains both “1.2
> Conventions and Terminology” and “2. Terms and Definitions”. What’s the
> difference between terminology and terms? I suggest to rename the sections
> or merge them.
>

Yeah, agree, I think merging them is probably the way to go.

>
> On the subject of terminology, Disclosure is defined as
>
>
> Disclosure: A JSON array containing a combination of a salt, a cleartext
> claim name (present when the claim is a name/value pair and absent when the
> claim is an array element), and a cleartext claim value, which is
> base64url-encoded and used to calculate a digest for the respective claim.
> The term Disclosure refers to the whole base64url-encoded string.
>
> I instinctively read “a cleartext claim value, which is base64url-encoded”
> and not the array being base64url-encoded. I suggest to emphasize the
> “base64url-encoded string” in the definition. For example, a Disclosure
> could be "A base64url-encoded string of a JSON array that contains a
> salt, a claim name (present when the claim is a name/value pair and absent
> when the claim is an array element), and a claim value. The Disclosure is
> used to calculate a digest for the respective claim.”
>

Yeah, I can see how it'd be read that way and why that's problematic. Will update that to something more along the lines of your suggestion.

>
> Typo in 4.1 SD-JWT and Disclosures:
>
> An SD-JWT MAY also contain clear-text claims that are always disclosed
> to the Verifier.
> “clear-text” should say “cleartext”.
>

Yup. Will fix.

> Regards,
> Judith
>
> On 3 Sep 2024, at 17:04, Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:
>
> Thanks Rifaat & Hannes,
>
> In an effort to make the most up-to-date content available for the WGLC
> period, a -12 revision was just recently published, which contains a number
> of editorial improvements.
>
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-12.html
>
> Respectfully,
> Brian, Kristina, and Dr. Fett
>
> On Tue, Sep 3, 2024 at 4:40 AM Rifaat Shekh-Yusef <rifaat.s.i...@gmail.com>
> wrote:
>
>> All,
>>
>> As per the discussion in Vancouver, this is a WG Last Call for the
>> *SD-JWT* document.
>>
>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-11.html
>>
>> Please, review this document and reply on the mailing list if you have
>> any comments or concerns, by *Sep 17th*.
>>
>> Regards,
>> Rifaat & Hannes

--
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org