> > No, to prevent this the issuer simply puts these sorts of claims in the
> > header, which is not subject to selective disclosure, e.g. the prover cannot
> > create a valid proof/presentation without disclosing the original
> > un-modified header.
>
> That is a very non-standard use of the header. AFAICT such usage is not
> compatible with RFC 7800, and I would guess that it may well lead to
> security issues as implementations won't be looking for these claims in the
> header but rather in the claims set.
That's one of the reasons we're proposing JWP as another specification: it is not compatible with existing JWTs+PoP.

Also, a current security assumption baked into the JWP draft is that all presentations are not replayable. While this can be accomplished with a proof-of-possession, it is not the only mechanism an algorithm could use; BBS, for example, supports this without requiring a traditional PoP.

Jer
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
