On Wed, Dec 4, 2024, 11:30 AM Rohan Mahy <rohan.m...@gmail.com> wrote:

> Hi,
> I don't think there is anything specific to SD-JWT in Section 3.5.  It all
> seems like generic JWT handling as profiled by various types of JWTs. Am I
> missing something JWT-specific here?
>

Why wouldn't we just cite the relevant JWT things in this doc then?

On my glance at the JWT RFC it seems like we're adding in a bunch of
extensions to validation.


> Thanks,
> -rohan
>
> On Wed, Dec 4, 2024 at 10:03 AM Watson Ladd <watsonbl...@gmail.com> wrote:
>
>> Some further thoughts:
>>
>> - Do all issuers need to support both to work with all verifiers?
>> - Is there a security risk if we trust issuers based on the iss string
>> and someone gets the domain associated and provides metadata while the
>> issued credentials used X509?
>>
>> Sincerely,
>> Watson
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org
>>
>
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to