Hi Watson,

Just to respond to the suggested text:

> "When disclosures include information easily understood to be
> identifying, users' intuitive view of what they are revealing largely
> matches the underlying technical reality. In cases where the
> information being disclosed is not identifying, SD-JWT
> MUST NOT be used as this confusion leads to users making the wrong
> choices.

This sentence is really hard to make sense of and I don’t think implementors will understand it. I’m not convinced I understand it even with the extra context from the threads. I think a MUST NOT is far too strong too, and saying ‘SD-JWT’ in particular must not be used is too strong, as an SD-JWT where everything is disclosed (or no selective disclosures are present in the issued credential in the first place) is no different to other credential formats that don’t have selective disclosure.

> Applications cannot assume Verifiers behave properly (RFC
> 3514) and MUST analyze the consequences for such linkage with each
> credential that could be used."

This ‘MUST’ is practically impossible for some implementors - for example, it is impractical for a wallet to make this kind of judgement for each issued credential.

Thanks
Joseph