Make SD-JWT(0) and JWT the same #375
Comments
We want to allow for https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ to consistently convey JWTs both with and without selectively disclosable content. Which it does currently with the trailing tilde.

I think there are four cases here:

For point 2 in my list above (Richard's point 2), there is a related issue in the SD-JWT VC spec, so it should be clarified. For points 1 and 3 in my list above (Richard's point 1), this is where the suggestion not to end with `~` diverges from the SD-JWT/SD-JWT VC approaches.

For the first case, I think distinguishing an SD-JWT without disclosures and KB-JWT ( For case three, having the last

It does not make sense to always mandate disclosing something, or to always mandate a KB-JWT, so

@Sakurann I'm a little puzzled that you think the extra But I guess you could argue that that's a reason that an SD-JWT(0) should still not be processed by a vanilla JWT library -- because an SD-JWT will recognize the SD claim values as nonsense, as opposed to trying to interpret them. Under that theory, I'm OK with closing this.

That is exactly the point why we decided to keep the current form.
An SD-JWT with zero disclosures and no key binding is the same as a JWT -- you can't undo any of the selective disclosures, so you have to take the claims as they are. But with the current document, the two cases are syntactically different: SD-JWT(0) has a `~` character at the end, and a plain JWT doesn't.

This mismatch is unfortunate for a couple of reasons. It means that if you're taking one of these objects between SD-aware and non-SD-aware contexts, you have to have a mapping layer that adds and removes the `~`. And it makes it impossible to use the key binding feature as-is with a plain JWT, because the key binding feature assumes that the thing being bound ends with the `~` separator.

I would suggest refactoring as follows:

- `IssuerJWT~disclosure~...~disclosure` (no final `~`)
- `JWT~KBJWT` (with the intermediate `~`, which is absent today)

This aligns well with the distinction proposed in #374.
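To make the syntactic mismatch concrete, the following is an added example in Python; it is not code from the SD-JWT draft or its repository. It builds constructed, unsigned stand-ins for an issuer-signed JWT, two disclosures and a KB-JWT, then parses them two ways: `parse_current` applies the draft's rule that a trailing `~` means "no KB-JWT", so a plain JWT is rejected outright, while `parse_proposed` applies the refactoring suggested above, under which a plain JWT and an SD-JWT(0) are literally the same string. Because the proposal drops the trailing-`~` signal, the second parser has to tell a KB-JWT from a disclosure some other way; the rule used here (a JWS compact serialization has two `.` characters, a base64url disclosure has none) is this example's own assumption and is the kind of distinguishing question raised in the comments.

```python
import base64
import json
from typing import Callable


def _b64url(data: bytes) -> str:
    """base64url without padding, as used for JWS segments and disclosures."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _fake_jws(payload: dict) -> str:
    """Constructed stand-in for a JWS compact serialization: three base64url
    segments joined by '.', with a placeholder instead of a real signature."""
    header = _b64url(json.dumps({"alg": "ES256"}).encode())
    body = _b64url(json.dumps(payload).encode())
    return f"{header}.{body}.{_b64url(b'placeholder-signature')}"


# Constructed sample values, not real credentials.
ISSUER_JWT = _fake_jws({"iss": "https://issuer.example", "_sd": ["digest-placeholder"]})
DISCLOSURES = [
    _b64url(json.dumps(["salt-1", "given_name", "Alice"]).encode()),
    _b64url(json.dumps(["salt-2", "age", 42]).encode()),
]
KB_JWT = _fake_jws({"aud": "https://verifier.example", "nonce": "nonce-placeholder"})

# The shapes discussed in the issue, built from the samples above.
SD_JWT_ZERO_CURRENT = ISSUER_JWT + "~"                       # SD-JWT(0) today: trailing '~'
SD_JWT_CURRENT = "~".join([ISSUER_JWT, *DISCLOSURES]) + "~"  # disclosures, no KB-JWT
SD_JWT_KB_CURRENT = "~".join([ISSUER_JWT, *DISCLOSURES, KB_JWT])
JWT_KB_PROPOSED = ISSUER_JWT + "~" + KB_JWT                  # 'JWT~KBJWT' from the proposal


def parse_current(serialization: str):
    """Split per the current draft: the element after the last '~' is the
    KB-JWT unless the string ends with '~', in which case there is none.
    Returns (issuer_jwt, disclosures, kb_jwt_or_None)."""
    parts = serialization.split("~")
    if len(parts) < 2:
        raise ValueError("not an SD-JWT: no '~' separator")
    if any(p == "" for p in parts[1:-1]):
        raise ValueError("empty disclosure element")
    if serialization.endswith("~"):
        return parts[0], parts[1:-1], None
    return parts[0], parts[1:-1], parts[-1]


def parse_proposed(serialization: str):
    """Split per the refactoring proposed in the issue: no trailing '~', and
    'JWT~KBJWT' uses the same separator. Without the trailing-'~' rule the
    parser must tell a KB-JWT from a disclosure by shape; the rule below
    (two '.' means JWS, none means disclosure) is this example's assumption."""
    parts = serialization.split("~")
    if any(p == "" for p in parts):
        raise ValueError("empty element")
    issuer_jwt, rest = parts[0], parts[1:]
    kb_jwt = None
    if rest and rest[-1].count(".") == 2:
        kb_jwt = rest.pop()
    return issuer_jwt, rest, kb_jwt


def accepts(parser: Callable[[str], tuple], serialization: str) -> bool:
    """True if the given parser accepts the serialization at all."""
    try:
        parser(serialization)
        return True
    except ValueError:
        return False


def decode_disclosure(disclosure: str) -> list:
    """Decode a disclosure back to its [salt, name, value] array."""
    padded = disclosure + "=" * (-len(disclosure) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


if __name__ == "__main__":
    print("plain JWT accepted today:", accepts(parse_current, ISSUER_JWT))
    print("plain JWT accepted under proposal:", accepts(parse_proposed, ISSUER_JWT))
    print("SD-JWT(0) today:", parse_current(SD_JWT_ZERO_CURRENT))
    print("JWT~KBJWT under proposal:", parse_proposed(JWT_KB_PROPOSED))
```

Running it shows the two sides of the trade-off: today a bare `ISSUER_JWT` is not an SD-JWT at all and needs the mapping layer the issue complains about, whereas under the proposal the same string parses cleanly but the parser now carries the shape-based KB-JWT rule, and the current `IssuerJWT~` form becomes invalid in turn.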