On Mon, Nov 6, 2023 at 5:46 AM Neil Madden <[email protected]> wrote:
> How about the following:
> 
> —
> An Issuer MUST NOT allow any security-critical claim to be selectively
> disclosable. The exact list of “security-critical” claims will depend on the
> application, and SHOULD be listed by any application-specific profile of
> SD-JWT. The following is a list of standard claim names that SHOULD be
> considered as security-critical by any SD-JWT Issuer:
> 
> * “iss” (Issuer)
> * “aud” (Audience), although issuers may want to allow individual entries in
>   the array to be selectively-disclosable
> * “exp” (Expiration Time)
> * “nbf” (Not Before)
> * “iat” (Issued At)
> * “jti” (JWT ID)
> 
> In addition, the “cnf” (Confirmation Key) claim MUST NOT be selectively
> disclosable.
> ---
> <snip>

I think these fields can have significant unanticipated privacy impacts. Expiry and issuance times can have very high entropy.

> 
> Best wishes,
> 
> Neil
> 
> _______________________________________________
> OAuth mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/oauth

-- 
Astra mortemque praestare gradatim
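An added example, not code from this thread or from the SD-JWT draft, showing how an issuer could enforce the quoted rule: it builds top-level SD-JWT disclosures and their `_sd` digests (default sha-256) and reports any security-critical claim that ended up selectively disclosable. The issuer URL, timestamps and e-mail address are constructed sample data.

```python
import base64
import hashlib
import json
import secrets

# Claim names the quoted proposal lists as security-critical, plus "cnf".
CRITICAL_CLAIMS = {"iss", "aud", "exp", "nbf", "iat", "jti", "cnf"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value, salt: str = "") -> str:
    """SD-JWT object-property disclosure: base64url(JSON [salt, name, value])."""
    salt = salt or b64url(secrets.token_bytes(16))  # >= 128-bit random salt
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    """Default SD-JWT digest: base64url(SHA-256 over the ASCII disclosure)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(plain: dict, hidden: dict) -> tuple:
    """Top-level SD-JWT payload: `plain` claims stay in clear, `hidden` claims
    are replaced by their disclosure digests in the `_sd` array."""
    disclosures = [make_disclosure(k, v) for k, v in hidden.items()]
    payload = dict(plain)
    payload["_sd"] = sorted(digest(d) for d in disclosures)
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures


def selectively_disclosable_critical(payload: dict, disclosures: list) -> set:
    """Security-critical claim names the issuer made selectively disclosable:
    a disclosure names the claim and its digest sits in the payload's `_sd`."""
    digests = set(payload.get("_sd", []))
    found = set()
    for d in disclosures:
        _salt, name, _value = json.loads(b64url_decode(d))
        if name in CRITICAL_CLAIMS and digest(d) in digests:
            found.add(name)
    return found


if __name__ == "__main__":
    # Constructed sample: an issuer that hides "exp" next to a PII claim.
    payload, disclosures = issue({"iss": "https://issuer.example", "iat": 1699260000},
                                 {"exp": 1699263600, "email": "alice@example.com"})
    print(selectively_disclosable_critical(payload, disclosures))  # {'exp'}
```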