Hi Daniel, Hi Kristina, Hi Brian, Hi all,

Reading through draft-ietf-oauth-selective-disclosure-jwt I was wondering why the document defines new terminology for roles that already exist in OAuth. For example:

* Issuer = AS
* Holder = Client
* Verifier = RS

I assume that was done intentionally. What was the rationale?

You write:

"One of the common use cases of a signed JWT is representing a user's identity."

In classical OAuth this use case should not be common. We bragged about the fact that you could do delegated authorization without having to rely on identity information. I think it would help to expand this statement a bit and explain what the use case is.

You write:

"As long as the signed JWT is one-time use, it typically only contains those claims the user has consented to disclose to a specific Verifier. However, there is an increasing number of use cases where a signed JWT is created once and then used a number of times by the user (the "Holder" of the JWT). In such cases, the signed JWT needs to contain the superset of all claims the user of the signed JWT might want to disclose to Verifiers at some point. The ability to selectively disclose a subset of these claims depending on the Verifier becomes crucial to ensure minimum disclosure and prevent Verifiers from obtaining claims irrelevant for the transaction at hand."

Using the same access token with multiple resource servers is not good security practice, not only from a privacy point of view but also from a security point of view.

From reading the introduction I get the impression that you create your own problem that is subsequently solved in the document. Since I believe you are too clever to do this, I believe the document needs to provide more text to explain how this use case emerged. You mention "verifiable credential" as the "use case", but it is a technology rather than a use case.

Ciao
Hannes
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
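The selective-disclosure mechanism the quoted draft text describes (a token carrying a superset of claims, with the Holder revealing only a subset per Verifier), as an added illustration that is not code from the draft or from this thread: the Issuer places only salted digests of the claims in the token, the Holder forwards just the disclosures a given Verifier needs, and the Verifier accepts a disclosure only if its digest is bound into the token. The JWT signature, decoy digests and the issuer URL are assumptions or omissions here; the sample claims are constructed.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # A disclosure is base64url([salt, claim_name, claim_value]); the random
    # salt stops a Verifier guessing hidden claims from their digests alone.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict) -> tuple[dict, dict]:
    """Issuer: emit a payload with only digests in `_sd` plus all disclosures.
    Signing the payload is omitted (assumption); the digests would be covered
    by the Issuer signature, which is what binds disclosures to the token."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {"iss": "https://issuer.example",  # assumed placeholder issuer
               "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    return payload, disclosures


def present(disclosures: dict, reveal: list[str]) -> list[str]:
    """Holder: hand this Verifier only the disclosures it actually needs."""
    return [disclosures[name] for name in reveal]


def verify(payload: dict, presented: list[str]) -> dict:
    """Verifier: rebuild claims, rejecting any disclosure not bound to the token."""
    allowed = set(payload["_sd"])
    claims = {}
    for d in presented:
        if digest(d) not in allowed:
            raise ValueError("disclosure is not bound to the issued token")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims
```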