Thanks Shawn, I appreciate the review and the acknowledgement of the little
touch of humor :)

This PR addresses the editorial comments
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/565

On Mon, Apr 14, 2025 at 12:00 AM Shawn Emery via Datatracker <
nore...@ietf.org> wrote:

> Document: draft-ietf-oauth-selective-disclosure-jwt
> Title: Selective Disclosure for JWTs (SD-JWT)
> Reviewer: Shawn Emery
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing
> effort to review all IETF documents being processed by the IESG. These
> comments were written primarily for the benefit of the security area
> directors. Document editors and WG chairs should treat these comments just
> like any other last call comments.
>
> This standards track draft specifies a mechanism for disclosing targeted
> claims in a JSON Web Token (JWT).
>
> This security considerations section does exist and provides examples of the
> consequences of a naive Verifier in relation to the security and correctness
> of the protocol. The section continues with a discussion on salt generation
> and hash algorithm selection. Despite specifying SHA-256 as the default hash
> algorithm, the protocol does not appear to be susceptible to length extension
> attacks because the Issuer signs the SD-JWT, which includes each of the
> Disclosure hashes. The security implications of the optional key binding
> feature (Holder proves authenticity of SDs to Verifier) are also discussed.
> Lastly, the section covers disclosing claim names, validity claims,
> verification key life-cycle, credential forwarding, SD-JWT* integrity, and
> type attacks. I believe that this section provides sufficient coverage for
> the various types of attacks and procedures to mitigate against such attacks.
>
> The authors have also included a privacy section, which includes subsections
> on unlinkability, SD-JWT confidentiality in transit and at rest, usage of
> digest decoys, and considerations of identifying Issuers. The privacy section
> appears to be comprehensive and the outlined procedures to protect privacy
> seem to be adequate.
>
> General Comments:
>
> Thank you for including examples in each of the pertinent sections of the
> draft.
>
> Editorial Comments:
>
> s/ecosystem/operating environment/
>
> for those who celebrate ;)
>
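The reviewer's point that the Issuer's signature covers every Disclosure digest is exactly what a Verifier has to exploit when it checks a presentation. The following is an added example (not code from the draft, the PR, or the reviewer): it builds Disclosures and their SHA-256 digests the way SD-JWT defines them, shows a naive Verifier that decodes Disclosures without matching them against the signed `_sd` array, and a correct Verifier that rejects any Disclosure the Issuer never signed. It assumes the JWS signature over `payload` has already been checked by a JWT library; the salts and claim values are constructed test data.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as SD-JWT uses for Disclosures and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value, salt: str = "") -> str:
    # A Disclosure is base64url(JSON array [salt, claim name, claim value]).
    # The salt must be fresh and unguessable per Disclosure; a caller-supplied
    # salt is only for reproducible tests (constructed data).
    salt = salt or b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    # The digest is SHA-256 over the ASCII bytes of the encoded Disclosure string.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def naive_verify(payload: dict, disclosures: list) -> dict:
    # INSECURE reference point: accepts whatever Disclosures the presenter sends,
    # never tying them to the _sd digests the Issuer actually signed.
    claims = {}
    for d in disclosures:
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims


def verify_disclosures(payload: dict, disclosures: list) -> dict:
    # Correct check: a Disclosure counts only if its digest is in the signed _sd
    # array. Unmatched _sd entries are fine (they may be decoys); a Disclosure with
    # no matching digest, presented twice, or shadowing a signed claim is rejected.
    signed = set(payload.get("_sd", []))
    seen, claims = set(), {}
    for d in disclosures:
        digest = disclosure_digest(d)
        if digest not in signed:
            raise ValueError("Disclosure digest not covered by the Issuer's signature")
        if digest in seen:
            raise ValueError("duplicate Disclosure")
        seen.add(digest)
        _salt, name, value = json.loads(b64url_decode(d))
        if name in payload:
            raise ValueError(f"claim {name!r} already present in the signed payload")
        claims[name] = value
    return claims
```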

_______________________________________________
OAuth mailing list -- oauth@ietf.org