Below is my feedback about draft-ietf-oauth-selective-disclosure-jwt-17,
grouped into four categories (A to D).
Six issues were opened about 3 weeks ago, but no reply has been
posted on them on GitHub. They are still open.
A – *KB-JWT replay detection*
a) About KB-JWT replay detection in section 4.3 #547
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/547
The current description is incorrect and may lead to insecure
implementations
b) KB-JWT replay detection is not correctly described: sections 4.3 and
7.3 should be revised.
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/548
The current description is incorrect and incomplete and may lead to
insecure implementations
*B – Checking SD-JWT suspension or revocation is missing in section 7.1
(Verification of the SD-JWT)*
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/546
*C - Re-introduction of a reference to ISO 29100 and further
implementation and architectural consequences*
1. In draft -14, ISO 29100 was mentioned in section 10 but was
removed in draft -15 #550
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/550
- In Section 1.2, the term End-User should be defined as it is a
fundamental entity in ISO 29100 #557
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/557
- In Section 1.2, make the difference between an application and an
End-User #558
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/558
- Figure 1 should illustrate the presence of an End-User and be closer
to the data structures that are exchanged #559
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/559
- The definition of an Issuer would need to be polished #560
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/560
- Proposed rewording in Section 1.1 about SD-JWT+KB #561
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/561
*D. Minor change proposals*
- Editorial change. In section 10.3, both confidentiality and integrity
during transport are essential #551
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/551
- Add the wording "one-time use digital credentials" in the context of
"batches of credentials" #562
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/562
Denis
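The KB-JWT replay checks that issues #547/#548 above are about, written out as an added example (this is not code from the draft, from its authors, or from Denis's message). It follows the SD-JWT+KB layout the draft defines, `<Issuer JWT>~<Disclosure>~...~<KB-JWT>`, with `typ: kb+jwt` and the `iat`, `aud`, `nonce` and `sd_hash` claims, and shows what a Verifier must do so that a captured presentation cannot be replayed: hand out its own nonce, accept each nonce once, bound its lifetime, check `aud`, and check that `sd_hash` pins the KB-JWT to exactly the issuer JWT and disclosures it arrived with. Assumptions, all so that it runs offline: HS256 with a shared test key stands in for the holder's asymmetric key (and for the issuer's signature, which is not verified here), `sd_hash` uses sha-256, and the issuer JWT, disclosure, key and timestamps are constructed sample data.

```python
"""Verifier-side replay checks for an SD-JWT+KB presentation (added example).

Presentation: <Issuer JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>
sd_hash     : base64url(sha256(ascii of everything before the KB-JWT,
              trailing '~' included))
ASSUMPTION  : HS256 with a shared test key stands in for the holder's key;
              the issuer JWT is NOT verified here (separate step in the draft).
"""
import base64, hashlib, hmac, json, secrets


def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64u_dec(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hs256_jwt(header: dict, payload: dict, key: bytes) -> str:
    signing_input = f"{b64u(json.dumps(header).encode())}.{b64u(json.dumps(payload).encode())}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64u(sig)}"


def sd_hash(sd_jwt_with_disclosures: str) -> str:
    # Hash the bytes exactly as transmitted, trailing '~' included.
    return b64u(hashlib.sha256(sd_jwt_with_disclosures.encode("ascii")).digest())


def holder_present(issuer_jwt: str, disclosures: list, aud: str, nonce: str, key: bytes, now: float) -> str:
    sd_part = "~".join([issuer_jwt, *disclosures]) + "~"
    kb = hs256_jwt({"alg": "HS256", "typ": "kb+jwt"},
                   {"iat": int(now), "aud": aud, "nonce": nonce, "sd_hash": sd_hash(sd_part)}, key)
    return sd_part + kb


class Verifier:
    def __init__(self, audience: str, holder_key: bytes, nonce_ttl: int = 300, skew: int = 60):
        self.audience, self.holder_key = audience, holder_key   # ASSUMPTION: shared HS256 key
        self.nonce_ttl, self.skew = nonce_ttl, skew
        self._open = {}      # nonce -> time issued; only nonces this Verifier minted
        self._used = set()   # nonces already consumed by an accepted presentation

    def issue_nonce(self, now: float) -> str:
        n = b64u(secrets.token_bytes(16))
        self._open[n] = now
        return n

    def verify(self, presentation: str, now: float) -> tuple:
        head, sep, kb = presentation.rpartition("~")
        if not sep or not kb:
            return False, "no KB-JWT"
        sd_part = head + "~"
        try:
            h, p, s = kb.split(".")
            header, payload = json.loads(b64u_dec(h)), json.loads(b64u_dec(p))
        except (ValueError, json.JSONDecodeError):
            return False, "malformed KB-JWT"
        if header.get("typ") != "kb+jwt" or header.get("alg") != "HS256":
            return False, "bad header"
        expected = hmac.new(self.holder_key, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64u_dec(s)):
            return False, "bad signature"
        if payload.get("aud") != self.audience:
            return False, "aud mismatch"
        nonce = payload.get("nonce")
        issued = self._open.get(nonce)
        if issued is None:
            return False, "unknown nonce"          # not minted by this Verifier
        if nonce in self._used:
            return False, "replay: nonce already consumed"
        iat = payload.get("iat", 0)
        if now - issued > self.nonce_ttl or not (issued - self.skew <= iat <= now + self.skew):
            return False, "nonce expired / iat outside window"
        if payload.get("sd_hash") != sd_hash(sd_part):
            return False, "sd_hash mismatch: KB-JWT not bound to this presentation"
        self._used.add(nonce)   # single use: consume only after every check passed
        return True, "ok"


def demo() -> list:
    """Constructed run: accept once, reject the replay, reject a swapped disclosure."""
    key, t = b"test-holder-key", 1_700_000_000.0                       # constructed
    v = Verifier("https://verifier.example", key)
    issuer_jwt = hs256_jwt({"alg": "HS256"}, {"iss": "https://issuer.example", "_sd_alg": "sha-256"}, b"issuer-key")
    disclosure = b64u(json.dumps(["salt123", "given_name", "Alice"]).encode())
    n1 = v.issue_nonce(t)
    pres = holder_present(issuer_jwt, [disclosure], "https://verifier.example", n1, key, t + 1)
    out = [v.verify(pres, t + 2)[1], v.verify(pres, t + 3)[1]]        # ok, then replay
    n2 = v.issue_nonce(t + 10)
    pres2 = holder_present(issuer_jwt, [disclosure], "https://verifier.example", n2, key, t + 11)
    tampered = pres2.replace(disclosure, b64u(json.dumps(["salt123", "given_name", "Mallory"]).encode()))
    out.append(v.verify(tampered, t + 12)[1])                          # sd_hash mismatch
    return out


if __name__ == "__main__":
    print(demo())
```

The nonce is consumed only after every other check has passed, so a presentation that fails on `aud` or `sd_hash` does not burn the nonce for the legitimate holder; a nonce minted by one Verifier is unknown to any other, which is what stops a presentation captured at one Relying Party from being reused at another even if both use the same `aud` string by mistake.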
Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-17.txt is now
available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
the IETF.
Title: Selective Disclosure for JWTs (SD-JWT)
Authors: Daniel Fett
Kristina Yasuda
Brian Campbell
Name: draft-ietf-oauth-selective-disclosure-jwt-17.txt
Pages: 96
Dates: 2025-03-01
Abstract:
This specification defines a mechanism for the selective disclosure
of individual elements of a JSON-encoded data structure used as the
payload of a JSON Web Signature (JWS). The primary use case is the
selective disclosure of JSON Web Token (JWT) claims.
The IETF datatracker status page for this Internet-Draft is:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
There is also an HTML version available at:
https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-17.html
A diff from the previous version is available at:
https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-17
Internet-Drafts are also available by rsync at:
rsync.ietf.org::internet-drafts
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org