Dear all, I'd like to propose the following edit to resolve the concerns I have around endorsing dangerous applications of SD-JWT:
Delete the last two lines of https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/451/files at lines 1338 and 1339, and add a new paragraph right before the end of the section:

"When disclosures include information easily understood to be identifying, users' intuitive view of what they are revealing largely matches the underlying technical reality. In cases where the information being disclosed is not identifying, SD-JWT MUST NOT be used, as this confusion leads to users making the wrong choices. Applications cannot assume Verifiers behave properly (RFC 3514) and MUST analyze the consequences for such linkage with each credential that could be used."

I think this agrees with many of the comments made about my initially stronger edit, while addressing the core danger.

Also, it seems this section only really treats issuer/verifier despite promising more. Do we need to rework it?

Sincerely,
Watson Ladd

--
Astra mortemque praestare gradatim