Looks good. Thank you for the update.

On 4/18/25 2:42 PM, Brian Campbell wrote:
Thanks Shawn, I appreciate the review and the acknowledgement of the little touch of humor :)

This PR addresses the editorial comments https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/565

On Mon, Apr 14, 2025 at 12:00 AM Shawn Emery via Datatracker <nore...@ietf.org> wrote:

    Document: draft-ietf-oauth-selective-disclosure-jwt
    Title: Selective Disclosure for JWTs (SD-JWT)
    Reviewer: Shawn Emery
    Review result: Has Nits

    I have reviewed this document as part of the security directorate's ongoing
    effort to review all IETF documents being processed by the IESG. These
    comments were written primarily for the benefit of the security area
    directors. Document editors and WG chairs should treat these comments just
    like any other last call comments.

    This standards track draft specifies a mechanism for disclosing targeted
    claims in a JSON Web Token (JWT).

    The security considerations section does exist and provides examples of the
    consequences of a naive Verifier in relation to the security and correctness
    of the protocol. The section continues with a discussion on salt generation
    and hash algorithm selection. Despite specifying SHA-256 as the default hash
    algorithm, the protocol does not appear to be susceptible to length extension
    attacks because the Issuer signs the SD-JWT, which includes each of the
    Disclosure hashes. The security implications of the optional key binding
    feature (Holder proves authenticity of SDs to Verifier) are also discussed.
    Lastly, the section covers disclosing claim names, validity claims,
    verification key life-cycle, credential forwarding, SD-JWT* integrity, and
    type attacks. I believe that this section provides sufficient coverage for
    the various types of attacks and procedures to mitigate against such attacks.

    The authors have also included a privacy section, which includes subsections
    on unlinkability, SD-JWT confidentiality in transit and at rest, usage of
    digest decoys, and considerations of identifying Issuers. The privacy section
    appears to be comprehensive and the outlined procedures to protect privacy
    seem to be adequate.

    General Comments:

    Thank you for including examples in each of the pertinent sections of the
    draft.

    Editorial Comments:

    s/ecosystem/operating environment/

    for those who celebrate ;)



