Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Kristina Yasuda
Hi Nikos, Regarding the example 4, the way vc-data-model v1.1 has defined mapping of a data-model into a JWT (https://www.w3.org/TR/vc-data-model/#json-web-token), there are (roughly) three types of claims in a JWT-VC. 1) newly defined `vc` claim that includes all properties of the vc-data-mode

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Kristina Yasuda
Hi David, The RP will know the schema of the received credential regardless of the number of credential types the Issuer is capable of issuing, given that each credential type has an individual schema. What am I missing? I think it heavily depends on the use-case and it is not clear cut when and how mu

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Nikos Fotiou
Hi, You are saying "merge payload". But how? In example 4 of section A.3, "given_name", "family_name", "birthdate" must be moved inside the "vc" claim to produce a valid payload. But nothing indicates that. Best, Nikos -- Nikos Fotiou - http://pages.cs.aueb.gr/~fotiou Researcher - Mobile Multi

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Daniel Fett
Hi Nikos, On 28.06.22 at 13:22 Nikos Fotiou wrote: Hi Daniel, I just want to reverse your arguments and I will stop spamming. I will focus on your “sub” example. When a VC is encoded as a JWT, and according to specs (https://www.w3.org/TR/vc-data-model/#proof-formats) “sub MUST represen

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Nikos Fotiou
Hi Daniel, I just want to reverse your arguments and I will stop spamming. I will focus on your “sub” example. When a VC is encoded as a JWT, and according to specs (https://www.w3.org/TR/vc-data-model/#proof-formats) “sub MUST represent the id property contained in the credentialSubject

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Daniel Fett
Hi Nikos, the requirement for putting the claims into a separate structure becomes more obvious from your example. On the surface, you can see that the data types don't match the specifications - the email address is not an email address, the phone number is not a phone number, the address e

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Neil Madden
> On 28 Jun 2022, at 10:28, Neil Madden wrote: > > >> On 28 Jun 2022, at 08:37, Daniel Fett > > wrote: >> >> […] >> >>> >>> The fact that HASH(SALT | CLAIM-VALUE) is vulnerable to length extension >>> attacks is also troubling, even if I can’t see

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Neil Madden
> On 28 Jun 2022, at 08:37, Daniel Fett > wrote: > > […] > >> >> The fact that HASH(SALT | CLAIM-VALUE) is vulnerable to length extension >> attacks is also troubling, even if I can’t see an immediate attack. But it’s >> a weird property that Bob, for example, could make a commitment to som

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Nikos Fotiou
Hi Daniel, > If the SD-JWT-R does not contain all claim names, the verifier might not be > able to tell whether a particular claim is an SD claim or a plain-text claim. It is not obvious (at least to me) why the verifier needs to know that. Moreover, I agree that this approach is unambigu

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Daniel Fett
Hi Neil, thanks for your feedback! The security considerations are certainly far from complete in this first draft (and didn't intend to be). Your comments will help us to improve this part of the draft. On 23.06.22 at 20:52 Neil Madden wrote: I’m not entirely sure the OAuth WG is a suitabl

Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

2022-06-28 Thread Daniel Fett
Hi Nikos, On 24.06.22 at 16:16 Nikos Fotiou wrote: Hi, I was wondering what is the reason for introducing the sd_digests claim. I think it complicates integration with existing systems. For example, I am pretty sure that the VC included in Example 4 is wrong. Since the verifier can learn fr