On Wed, Dec 4, 2024, 11:30 AM Rohan Mahy <rohan.m...@gmail.com> wrote:
> Hi, > I don't think there is anything specific to SD-JWT in Section 3.5. It all > seems like generic JWT handling as profiled by various types of JWTs. Am I > missing something JWT-specific here? > Why wouldn't we just cite the relevant JWT things in this doc then? On my glance at the JWT RFC it seems like we're adding in a bunch of extensions to validation. > Thanks, > -rohan > > On Wed, Dec 4, 2024 at 10:03 AM Watson Ladd <watsonbl...@gmail.com> wrote: > >> Some further thoughts: >> >> - Do all issuers need to support both to work with all verifiers? >> - Is there a security risk if we trust issuers based on the iss string >> and someone gets the domain associated and provides metadata while the >> issued credentials used X509? >> >> Sincerely, >> Watson >> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-le...@ietf.org >> >
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org