Hi Daniel,

Among the five topics, I picked this one:

*Array Disclosure*
Is this really needed? The only example I saw was for multiple citizenships. Would the issuer of an SD-JWT that contains a subject's citizenship not be the country of which they are a citizen? Why would another country be authoritative that the subject is a citizen of another country? In the example, it is hard to imagine a verifier trusting the US to say someone is a DE citizen, or vice versa. The array of age claims in example A.3 does not need the non-intuitive '...' array mechanism.

Yes, it is needed. First of all, SD-JWT can be used universally, not just for credentials. Second, even if used for credentials, there are many types of credentials where there is a use case for disclosing only some array values. Take an education credential as an example, where the holder may want to disclose only relevant courses and grades. You'll find more use cases in the examples in the appendix.

A bit besides the point, but in the EU context we do in fact plan for credentials attesting other nationalities (and have good reasons to do so, here PID credentials derived from the eID card for EU citizens, see https://bmi.usercontent.opencode.de/eudi-wallet/eidas-2.0-architekturkonzept/functions/00-pid-issuance-and-presentation/#pid-contents for details).

1) "OpenID Connect for Identity Assurance Claims Registration 1.0", issued on 9 September 2024, mentions the String array claim "nationalities".
    See: https://openid.net/specs/openid-connect-4-ida-claims-1_0-01.html

    However, this draft will hopefully be published before the OpenID Connect document. Hence, wouldn't it be beneficial to define the String array claim "nationalities" in this IETF document? If that is the case, then the following String array claim should be registered in section 13 (IANA Considerations):

       "nationalities".

2)  Shouldn't this document also define in section 13 (IANA Considerations) the following String array claims:

       "age_equal_or_over", and
       "age_under" ?

3) Section 5.2.6 (Recursive Disclosures) provides the following example:

       "nationalities": ["DE", "FR", "UK"]

This is a nice example. It would be worthwhile to describe how, using decoy digests, the Holder can hide the number of nationalities from an individual, while disclosing, e.g., only two of them. Annex A1 does not make the mechanism clearly understandable.

Denis
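The mechanism asked about in point 3, worked through as an added example (not code from the draft or the thread): each array element becomes its own `[salt, value]` disclosure, the array in the issuer-signed payload holds only `{"...": digest}` entries, decoy digests (hashes of random salts) are mixed in so the array length no longer reveals the number of real nationalities, and the verifier recovers exactly the elements for which a disclosure was presented. Function names and the three-decoy count are my own choices; SHA-256 and base64url follow the draft's defaults.

```python
import base64, hashlib, json, secrets, random

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_array_disclosure(value) -> str:
    # Array element disclosure: base64url(JSON([salt, value])), no claim name.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, value]).encode("utf-8"))

def digest(disclosure: str) -> str:
    # Digest over the ASCII bytes of the base64url-encoded disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def decoy_digest() -> str:
    # A decoy is just the digest of a random salt; no disclosure exists for it.
    return digest(b64url(secrets.token_bytes(16)))

def issue_array(values, n_decoys):
    """Issuer side: returns (array as placed in the signed payload, disclosures)."""
    disclosures = [make_array_disclosure(v) for v in values]
    entries = [{"...": digest(d)} for d in disclosures]
    entries += [{"...": decoy_digest()} for _ in range(n_decoys)]
    random.shuffle(entries)  # position must not reveal which are decoys
    return entries, disclosures

def verify_array(entries, presented_disclosures):
    """Verifier side: rebuild the visible array; unmatched disclosures are rejected."""
    by_digest = {digest(d): d for d in presented_disclosures}
    seen, visible = set(), []
    for entry in entries:
        dg = entry["..."]
        if dg in by_digest:
            seen.add(dg)
            salt, value = json.loads(b64url_decode(by_digest[dg]))
            visible.append(value)
    if seen != set(by_digest):
        raise ValueError("disclosure does not match any digest in the array")
    return visible

# Constructed scenario: three nationalities, three decoys, only DE and FR disclosed.
def demo():
    entries, disclosures = issue_array(["DE", "FR", "UK"], n_decoys=3)
    presented = disclosures[:2]           # holder keeps the UK disclosure back
    return len(entries), verify_array(entries, presented)
```

The verifier only learns that the array had six digest slots, not how many were real, which is the point of mixing in decoys.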
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
