draft-ietf-oauth-selective-disclosure-jwt.md
9 additions & 5 deletions
@@ -864,7 +864,7 @@ When receiving an SD-JWT, the Holder MUST do the following:
864
864
865
865
For presentation to a Verifier, the Holder MUST perform the following (or equivalent) steps (in addition to the checks described in (#sd_jwt_verification) performed after receiving the SD-JWT):
866
866
867
-
1. Decide which Disclosures to release to the Verifier, obtaining consent if necessary.
867
+
1. Decide which Disclosures to release to the Verifier, obtaining consent if necessary (note that if and how consent is attained is out of scope for this document).
868
868
2. Verify that each selected Disclosure satisfies one of the two following conditions:
869
869
1. The hash of the Disclosure is contained in the Issuer-signed JWT claims
870
870
2. The hash of the Disclosure is contained in the claim value of another selected Disclosure
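Review bot: in the new step 1 wording, "if and how consent is attained" should read "obtained", matching "obtaining consent" earlier in the same sentence. The parenthetical is also a scope statement rather than an instruction to the Holder; consider keeping the step as "Decide which Disclosures to release to the Verifier, obtaining consent if necessary." and adding "If and how consent is obtained is out of scope for this document." as a sentence after the list, so the numbered steps stay actionable.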
@@ -988,7 +988,7 @@ Additionally, as described in (#key_binding_security), the application of Key Bi
988
988
989
989
## Mandatory Signing of the Issuer-signed JWT {#sec-is-jwt}
990
990
991
-
The JWT MUST be signed by the Issuer to protect integrity of the issued
991
+
The JWT MUST be signed by the Issuer to protect the integrity of the issued
992
992
claims. An attacker can modify or add claims if this JWT is not signed (e.g.,
993
993
change the "email" attribute to take over the victim's account or add an
994
994
attribute indicating a fake academic qualification).
@@ -997,9 +997,9 @@ The Verifier MUST always check the signature of the Issuer-signed JWT to ensure
997
997
has not been tampered with since the issuance. The Issuer-signed JWT MUST be rejected if the signature cannot be verified.
998
998
999
999
The security of the Issuer-signed JWT depends on the security of the signature algorithm.
1000
-
Any of the JWS asymmetric digital signature algorithms registered in [@IANA.JWS.Algorithms]
1001
-
that meet the requirements described in the last paragraph of Section 5.2 of [@RFC7515]
1002
-
can be used, including post-quantum algorithms, when they are ready.
1000
+
Per the last paragraph of Section 5.2 of [@RFC7515], it is an
1001
+
application-specific decision to choose the appropriate JWS
1002
+
algorithm from [@IANA.JWS.Algorithms], including post-quantum algorithms, when they are ready.
1003
1003
1004
1004
## Manipulation of Disclosures {#sec-disclosures}
1005
1005
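Review bot: the rewritten paragraph drops the qualifier "asymmetric digital signature algorithms" that the removed lines carried, so the new text now points at the whole [@IANA.JWS.Algorithms] registry; that registry also lists MAC-based and unsecured entries, and a reader could take "choose the appropriate JWS algorithm" as allowing them, even though the preceding lines require the Verifier to check the Issuer's signature, which only a digital signature algorithm provides. Suggest keeping the restriction, e.g. "to choose the appropriate JWS asymmetric digital signature algorithm from [@IANA.JWS.Algorithms]". Also, "including post-quantum algorithms, when they are ready" dangles off the new sentence; attach it explicitly, e.g. "this includes post-quantum algorithms once they are registered". Minor: the unchanged context line "has not been tampered with since the issuance" reads better as "since issuance".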
@@ -1986,6 +1986,10 @@ data. The original JSON data is then used by the application. See