[OAUTH-WG] Array Disclosure (was SD-JWT architecture feedback)

Mon, 23 Sep 2024 00:08:40 -0700 

Hi Daniel,

Among the five topics, I picked this one:
*Array Disclosure*

Is this really needed? The only example I saw was for multiple 
citizenships. Would the issuer of an SD-JWT that contains a subject's 
citizenship not be the country who they are a citizen of? Why would 
another country be authoritative that the subject is a citizen of 
another country? In the example, it is hard to imagine a 
verifier trusting the US to say someone is a DE citizen, or vice 
versa. The array of age claims in example A.3 does not need the non 
intuitive '...' array mechanism.

Yes, it is needed. First of all, SD-JWT can be used universally, not 
just for credentials. Second, even if used for credentials, there are 
many types of credentials
where there is a use case for disclosing only some array values. Take 
an education credential as an example, where the holder may want to 
disclose only relevant courses

and grades. You'll find more use cases in the examples in the appendix.


A bit besides the point, but in the EU context we do in fact plan for 
credentials attesting other nationalities (and have good reasons to do 
so, here PID credentials derived from the eID card for EU citizens, 
see 
https://bmi.usercontent.opencode.de/eudi-wallet/eidas-2.0-architekturkonzept/functions/00-pid-issuance-and-presentation/#pid-contents 
for details).

1) OpenID Connect for Identity Assurance Claims Registration 1.0" issued 
on 9 September 2024 mentions the String array claim "nationalities".

    See: https://openid.net/specs/openid-connect-4-ida-claims-1_0-01.html


    However, this draft will hopefully be published before the OpenID 
Connect document.
    Hence, wouldn't it be beneficial to define the String array claim 
"nationalities" in this IETF document ?
    If it is the case, then the following String array claim should be 
registered in section 13 (IANA Considerations):

       "nationalities".


2)  Shouldn't this document also define in section 13 (IANA 
Considerations) the following String array claims:

       "age_equal_or_over", and
       "age_under" ?

3) "Section 5.2.6 (Recursive Disclosures) provides the following example:

       "nationalities": ["DE", "FR", "UK"]


This is a nice example. It would be worthwhile to describe how, using 
decoy digests, the Holder can hide the number of nationalities
from an individual,while disclosing, e.g., only two of them. Annex A1 
does not allow to clearly understand the mechanism.

Denis

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
























					Reply via email to