This email is mostly a duplication of the issue #528 that has been added
during the weekend:
Comments and issues raised during the 1st and the 2nd WGLC have not
been addressed in -14 #528
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/528
However, I have added a new issue (#529) which explains how it is
possible to implement, in a Holder, a key binding technique
that can be Post-Quantum resistant and which supports the
"Verifier-Verifier unlinkability" property.
See: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/529
Appendix C. Document History from
draft-ietf-oauth-selective-disclosure-jwt-14 states:
* Address WGLC (part 2) comments
During the second WGLC, I raised forty-one issues on GitHub.
All these issues have been closed by one of the editors without being
discussed.
Hence, the "WGLC (part 2) comments" have not been addressed.
Please re-open these forty-one issues so that they can be discussed.
The list is below.
1. Make a difference between the Holder which is an *application* and the individual (i.e. End-User) #482
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/482
2. Indicate that "claims" refers either to object properties (name/value pairs) or to array elements #483
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/483
3. A Holder does not present a "JWT" to a Verifier but "SD-JWT + Sel.Claims" #484
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/484
4. Key binding will be ineffective unless the SD-JWT includes an additional claim that indicates the Holder characteristics: "hchar" #485
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/485
5. The structure called "SD-JWT+KB" should be renamed "SD-JWT+KB-JWT" #486
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/486
6. Difference between "a format extending the JWS Compact Serialization" and "an alternate format extending the JWS JSON Serialization"? #487
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/487
7. What is a "facility for associating an SD-JWT with a key pair"? #488
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/488
8. A (KB-JWT) does not demonstrate a "proof of possession" of a private key #489
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/489
9. The definition of the SD-JWT+KB structure needs to be reworded #490
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/490
10. The definition of the Selectively Disclosable JWT (SD-JWT) would need to be reworded #491
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/491
11. The definition of "key binding" would need to be reworded #492
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/492
12. The definition of a "key binding JWT" would need to be reworded #493
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/493
13. The definition of an Issuer would need to be reworded #494
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/494
14. The definition of a Holder would need to be reworded #495
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/495
15. The definition of a Verifier would need to be reworded #496
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/496
16. The term End-User should be added to the definitions #497
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/497
17. Figure 1 should be corrected to take into account the existence of an End-User and to consider KB-JWT instead of KB #498
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/498
18. The format used to carry both the SD-JWT and the Disclosures is unclear #499
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/499
19. The data elements sent to the Verifier are not correctly defined #500
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/500
20. The benefits of the nonce and of the audience value can be made more accurate #501
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/501
21. The description of the SD-JWT can be improved #502
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/502
22. The description of the SD-JWT+KB is confusing #503
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/503
23. It would be worth mentioning that the Issuer decides which claims are always disclosed #504
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/504
24. Add an example of using arrays for "age_over" and "age_under" claims #505
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/505
25. How the Holder key pair is established cannot be placed "out of the scope of this document" #506
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/506
26. It is important to mention the use of decoy digests and of the shuffling of the digests included in the SD-JWT payload #507
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/507
27. The iat time at which the Key Binding JWT was issued should not be REQUIRED #508
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/508
28. Validation steps for the KB-JWT are missing #509
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/509
29. Verification steps for the KB-JWT are missing in section 7.1 #510
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/510
30. The requirement for an Issuer of not providing an SD-JWT+KB-JWT should be removed #511
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/511
31. Section 7.3 needs to be revised to describe which data structures can be transmitted #512
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/512
32. Section 9.5 (Key Binding) needs to be revised to consider the case of a collusion between End-Users #513
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/513
33. A section should be added to consider the case of a presentation to a Verifier of claims that have been issued by different Issuers #514
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/514
34. The term "unlinkability" is overloaded. For more clarity, the wording "End-User intrackability" should be used in addition #515
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/515
35. A new section about "End-User intrackability" should be added #516
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/516
36. Section 10.2 should be made more general to consider both the storage of signed and un-signed data #517
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/517
37. Holders SHOULD NOT be required to store SD-JWTs "only in encrypted form" #518
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/518
38. Since claims always contain privacy-sensitive data, section 10.2 would need to be reworded #519
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/519
39. Section 10.3 (Confidentiality during Transport) should also mention integrity #520
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/520
40. A new section about "Issuer anonymity" should be added #521
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/521
41. The last paragraph of section 10.5 (Issuer Identifier) can be removed #522
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/522
An additional issue has been added:
42. Update of Issue #514 (new section 9.12) for the support of Post-Quantum cryptography #529
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/529
Denis
_______________________________________________
OAuth mailing list -- oauth@ietf.org