Hi Nikos,
this question comes up from time to time, so I'll quote myself
<https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/357>:
"We thought a lot about pointer-based approaches like the one you
propose in the beginning, but there are some drawbacks:
1. The Verifier can re-assemble the document without checking the
hashes. This is dangerous (see the second paragraph of
https://drafts.oauth.net/oauth-selective-disclosure-jwt/draft-ietf-oauth-selective-disclosure-jwt.html#name-manipulation-of-disclosures).
2. The current design in the draft allows to send smaller
presentations if only a few claims are disclosed and recursive
disclosures are used.
3. There is no need to discuss corner cases, for example, where a
child element is disclosed, but not the parent element. From my
experience, the design the we currently have is slightly easier to
implement (fewer special cases)."
I think the first point is particularly important for the security of
SD-JWT.
That said, JSONPath is a query syntax and its misuse as pointers must
stop :-) (Also, it is somewhat dangerous.) JSONPointers would be
appropriate here.
-Daniel
Am 07.02.24 um 15:52 schrieb Nikos Fotiou:
I was wondering if ever occured to use a JSON path-like approach as
disclosure name. This will result in a single top level _sd key and
will remove the need for sperating discolsures that conern objects vs
those that concern arrays. If this has been disussed in the past, what
are its disadvantages? A version of example in 6.1 using this
hypothetical approach follows.
SD-JWT payload (the difference is in the "nationalities" key, the hash
values have been moved to the _sd claim . Note that the hash values
are not correct )
{
"_sd": [
"CrQe7S5kqBAHt-nMYXgc6bdt2SH5aTY1sU_M-PgkjPI",
"JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE",
"PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI",
"TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
"XQ_3kPKt1XyX7KANkqVR6yZ2Va5NrPIvPYbyMvRKBMM",
"XzFrzwscM6Gn6CJDc6vVK8BkMnfG8vOSKfpPIZdAfdE",
"gbOsI4Edq2x2Kw-w5wPEzakob9hV1cRD0ATN3oQL9JM",
"jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
"pFndjkZ_VCzmyTa6UjlZo3dh-ko8aIKQc9DlGzhaVYo",
"7Cf6JkPudry3lcbwHgeZ8khAv1U1OSlerP0VkBJrWZ0"
],
"iss": "https://issuer.example.com",
"iat": 1683000000,
"exp": 1883000000,
"sub": "user_42",
"nationalities": [],
"_sd_alg": "sha-256",
"cnf": {
"jwk": {
"kty": "EC",
"crv": "P-256",
"x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
"y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
}
}
}
Disclosures for nationalities
Contents: ["lklxF5jMYlGTPUovMNIvCA", $['nationalities'][0],"US"]
Contents: ["nPuoQnkRFq3BIeAm7AnXFA", $['nationalities'][1],"DE"]
Each attribute of the streat address can be easily represented as a
different disclosure
Contents: ["6Ij7tM-a5iVPGboS5tmvVA", $['address']['region'],
"Sachsen-Anhalt"]
Contents: ["6Ij7tM-a5iVPGboS5tmvVA", $['address']['country'], "DE"]
Best,
Nikos
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth