Hi Daniel,
Among the five topics, I picked this one:
*Array Disclosure*
Is this really needed? The only example I saw was for multiple
citizenships. Would the issuer of an SD-JWT that contains a subject's
citizenship not be the country they are a citizen of? Why would
another country be authoritative that the subject is a citizen of
another country? In the example, it is hard to imagine a
verifier trusting the US to say someone is a DE citizen, or vice
versa. The array of age claims in example A.3 does not need the
non-intuitive '...' array mechanism.
Yes, it is needed. First of all, SD-JWT can be used universally, not
just for credentials. Second, even if used for credentials, there are
many types of credentials where there is a use case for disclosing only
some array values. Take an education credential as an example, where
the holder may want to disclose only relevant courses and grades.
You'll find more use cases in the examples in the appendix.
A bit besides the point, but in the EU context we do in fact plan for
credentials attesting other nationalities (and have good reasons to do
so, here PID credentials derived from the eID card for EU citizens,
see
https://bmi.usercontent.opencode.de/eudi-wallet/eidas-2.0-architekturkonzept/functions/00-pid-issuance-and-presentation/#pid-contents
for details).
1) "OpenID Connect for Identity Assurance Claims Registration 1.0" issued
on 9 September 2024 mentions the String array claim "nationalities".
See: https://openid.net/specs/openid-connect-4-ida-claims-1_0-01.html
However, this draft will hopefully be published before the OpenID
Connect document.
Hence, wouldn't it be beneficial to define the String array claim
"nationalities" in this IETF document?
If it is the case, then the following String array claim should be
registered in section 13 (IANA Considerations):
"nationalities".
2) Shouldn't this document also define in section 13 (IANA
Considerations) the following String array claims:
"age_equal_or_over", and
"age_under"?
3) Section 5.2.6 (Recursive Disclosures) provides the following example:
"nationalities": ["DE", "FR", "UK"]
This is a nice example. It would be worthwhile to describe how, using
decoy digests, the Holder can hide the number of nationalities
from an individual, while disclosing, e.g., only two of them. Annex A1
does not allow one to clearly understand the mechanism.
Denis
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
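As an added illustration of the mechanism Denis asks about in point 3, and not code from the thread, from the SD-JWT draft, or from any of its implementations: the script below builds the `"nationalities": ["DE", "FR", "UK"]` array in SD-JWT style, where every element is replaced by a `{"...": <digest>}` object, mixes in decoy digests (hashes over random bytes, as the draft describes), lets the Holder present only the disclosures for two values, and runs the Verifier's reconstruction that drops every `{"...": ...}` slot without a matching disclosure. Assumptions made here: SHA-256 as the `_sd_alg`, 16-byte salts, compact JSON for the disclosure payloads, and four decoys inserted at random positions; the function names (`issue_sd_array`, `holder_select`, `verify_sd_array`, `wire_view`) are this example's own.

```python
"""Array-element selective disclosure with decoy digests, SD-JWT style (added example)."""
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as SD-JWT uses for disclosures and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def digest_of(disclosure: str) -> str:
    """Digest over the ASCII disclosure string; SHA-256 assumed as _sd_alg."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def make_array_disclosure(value) -> str:
    """Array-element disclosure is [salt, value]; object properties would be [salt, name, value]."""
    salt = b64url(secrets.token_bytes(16))  # 16-byte salt: an assumption of this example
    payload = json.dumps([salt, value], separators=(",", ":")).encode("utf-8")
    return b64url(payload)


def decoy_digest() -> str:
    """A decoy is a digest over random bytes: on the wire it looks exactly like a real element digest."""
    return b64url(hashlib.sha256(secrets.token_bytes(32)).digest())


def issue_sd_array(values, n_decoys):
    """Issuer side: every real value becomes a {"...": digest} slot; decoys are inserted at random positions."""
    disclosures = [make_array_disclosure(v) for v in values]
    elements = [{"...": digest_of(d)} for d in disclosures]
    rng = secrets.SystemRandom()
    for _ in range(n_decoys):
        elements.insert(rng.randint(0, len(elements)), {"...": decoy_digest()})
    return elements, disclosures


def holder_select(disclosures, wanted):
    """Holder side: keep only the disclosures whose value the Holder wants to reveal."""
    chosen = []
    for d in disclosures:
        _salt, value = json.loads(b64url_decode(d))
        if value in wanted:
            chosen.append(d)
    return chosen


def verify_sd_array(elements, presented_disclosures):
    """Verifier side: resolve slots with a matching disclosure, silently drop the rest (undisclosed or decoy)."""
    by_digest = {digest_of(d): d for d in presented_disclosures}
    result = []
    for el in elements:
        if isinstance(el, dict) and set(el.keys()) == {"..."}:
            d = by_digest.get(el["..."])
            if d is None:
                continue  # no disclosure for this digest: could be a withheld value or a decoy
            _salt, value = json.loads(b64url_decode(d))
            result.append(value)
        else:
            result.append(el)  # plain (non-selectively-disclosable) element
    return result


def wire_view(elements, presented_disclosures):
    """What the Verifier can observe: total slots and how many resolved. Nothing marks which slots are decoys."""
    total = sum(1 for el in elements if isinstance(el, dict) and set(el.keys()) == {"..."})
    return total, len(verify_sd_array(elements, presented_disclosures))


if __name__ == "__main__":
    elements, disclosures = issue_sd_array(["DE", "FR", "UK"], n_decoys=4)
    presented = holder_select(disclosures, {"DE", "FR"})
    print("issuer array on the wire:", json.dumps(elements))
    print("verifier reconstructs:   ", verify_sd_array(elements, presented))
    print("slots seen / resolved:   ", wire_view(elements, presented))
```

The point for Denis's question is in `wire_view`: the Verifier sees seven identical-looking `{"...": ...}` slots and resolves two of them; whether the other five are withheld nationalities or decoys is not recoverable from the digests, so the count of real entries is hidden as long as the Issuer varies the number of decoys rather than always adding the same amount.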