The standard claims (iss, sub, iat, exp, nbf, etc.) in CBOR Web Token largely reference the semantics of the corresponding claims in JSON Web Token, which makes all the claims optional. Which of the standard claims do we want to make mandatory or optional?
Summary of standard claims in SD-CWT and SD-KBT
issuer (iss / 1)
This is currently mandatory in the SD-CWT and optional in the SD-KBT.
subject (sub / 2)
Currently mandatory in the SD-CWT and optional in the SD-KBT.
audience (aud / 3)
Currently optional in the SD-CWT and mandatory in the SD-KBT. Use of an SD-CWT with no audience, or a different/less specific audience than the SD-KBT, is a requirement for use inside MLS credentials.
expiration (exp / 4)
This is currently optional in the SD-CWT, but I think it should be mandatory in both.
not-before (nbf / 5)
Currently optional in both.
issued-at (iat / 6)
Currently mandatory in both. I think this is fine, but we could potentially relax this to require either iat or cti.
cwt token id (cti / 7)
Currently optional. See comment above.
key confirmation (cnf / 8)
Mandatory in SD-CWT. Not present in SD-KBT.
client nonce (cnonce / 39)
Currently mandatory in SD-KBT and optional in SD-CWT.
disclosures-hash (sd_hash / TBD3)
Currently mandatory in both. Recommend removing from SD-CWT as discussed in issue #10.
disclosures hash algorithm (sd_alg / TBD4)
Mandatory in SD-CWT. Not present in SD-KBT.
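To make the above table concrete, here is an added example (not from the draft or from the author of this issue) of a verifier-side check that applies the "current" mandatory/optional rules to a decoded SD-CWT and the SD-KBT presenting it, plus the usual exp/nbf/iat freshness checks with clock skew. Claims are plain Python dicts keyed by CWT integer labels; the labels for sd_hash and sd_alg are still TBD, so the "TBD3"/"TBD4" placeholder keys are an assumption, as are the sample token values and the treatment of cnonce as a verifier-supplied challenge that must be echoed back exactly. Signature verification and the sd_hash binding are out of scope. The `require_exp` and `iat_or_cti` switches correspond to the two relaxations floated above.

```python
"""Claim-presence and freshness checks for an SD-CWT / SD-KBT pair.

Added example, not part of the draft or of this issue. Claims are dicts
keyed the way a decoded CWT claims map is (integer labels). The labels for
sd_hash and sd_alg are TBD in the draft, so "TBD3"/"TBD4" are placeholders.
"""
import time

ISS, SUB, AUD, EXP, NBF, IAT, CTI, CNF, CNONCE = 1, 2, 3, 4, 5, 6, 7, 8, 39
SD_HASH, SD_ALG = "TBD3", "TBD4"  # assumed placeholders for the TBD labels

NAMES = {ISS: "iss", SUB: "sub", AUD: "aud", EXP: "exp", NBF: "nbf", IAT: "iat",
         CTI: "cti", CNF: "cnf", CNONCE: "cnonce", SD_HASH: "sd_hash", SD_ALG: "sd_alg"}

# Current state of the draft as summarised in the issue.
SD_CWT_REQUIRED = {ISS, SUB, IAT, CNF, SD_HASH, SD_ALG}
SD_KBT_REQUIRED = {AUD, IAT, CNONCE, SD_HASH}
SD_KBT_FORBIDDEN = {CNF, SD_ALG}  # "not present in SD-KBT"


def missing_claims(claims, required, forbidden=frozenset(), iat_or_cti=False):
    """List presence/absence problems. iat_or_cti=True applies the proposed
    relaxation: iat is satisfied if either iat or cti is present."""
    problems = []
    for label in sorted(required, key=str):
        if label == IAT and iat_or_cti and (IAT in claims or CTI in claims):
            continue
        if label not in claims:
            problems.append(f"missing {NAMES[label]}")
    for label in sorted(forbidden, key=str):
        if label in claims:
            problems.append(f"unexpected {NAMES[label]}")
    return problems


def time_problems(claims, now, skew=60, require_exp=False):
    """Check exp / nbf / iat (seconds since epoch) against `now`, allowing `skew`."""
    problems = []
    if EXP in claims:
        if now - skew >= claims[EXP]:
            problems.append("expired")
    elif require_exp:  # the proposed "exp mandatory in both" rule
        problems.append("missing exp")
    if NBF in claims and claims[NBF] > now + skew:
        problems.append("not yet valid")
    if IAT in claims and claims[IAT] > now + skew:
        problems.append("issued in the future")
    return problems


def verify_pair(sd_cwt, sd_kbt, expected_aud, expected_nonce, now=None,
                require_exp=False, iat_or_cti=False):
    """Apply the claim rules to an SD-CWT and the SD-KBT that presents it.
    Returns a list of problems; an empty list means the claims are acceptable.
    Signature checks and the sd_hash binding are not covered here."""
    now = time.time() if now is None else now
    problems = []
    problems += ["SD-CWT: " + p for p in missing_claims(sd_cwt, SD_CWT_REQUIRED, iat_or_cti=iat_or_cti)]
    problems += ["SD-KBT: " + p for p in missing_claims(sd_kbt, SD_KBT_REQUIRED, SD_KBT_FORBIDDEN, iat_or_cti)]
    problems += ["SD-CWT: " + p for p in time_problems(sd_cwt, now, require_exp=require_exp)]
    problems += ["SD-KBT: " + p for p in time_problems(sd_kbt, now, require_exp=require_exp)]
    # The SD-KBT is addressed to this verifier. The SD-CWT is deliberately not
    # checked against expected_aud: it may carry no aud, or a different / less
    # specific one (the MLS requirement noted in the issue).
    if AUD in sd_kbt and sd_kbt[AUD] != expected_aud:
        problems.append("SD-KBT: aud does not name this verifier")
    # Assumption: cnonce is the verifier's challenge and must be echoed exactly.
    if CNONCE in sd_kbt and sd_kbt[CNONCE] != expected_nonce:
        problems.append("SD-KBT: cnonce does not match the challenge")
    return problems


# Constructed sample pair (not real tokens): an SD-CWT issued an hour ago and
# an SD-KBT minted five seconds ago for the verifier https://verifier.example.
NOW = 1_700_000_000
SAMPLE_SD_CWT = {ISS: "https://issuer.example", SUB: "alice", IAT: NOW - 3600,
                 EXP: NOW + 86400,
                 CNF: {1: {1: 2}},          # cnf: COSE_Key with kty=EC2 (placeholder)
                 SD_HASH: b"\x00" * 32,      # placeholder digest value
                 SD_ALG: -16}                # COSE alg identifier for SHA-256
SAMPLE_SD_KBT = {AUD: "https://verifier.example", IAT: NOW - 5,
                 CNONCE: b"challenge-123", SD_HASH: b"\x00" * 32}

if __name__ == "__main__":
    print(verify_pair(SAMPLE_SD_CWT, SAMPLE_SD_KBT,
                      "https://verifier.example", b"challenge-123", now=NOW))
```

Run as a script it prints `[]` for the sample pair; drop `cnf` from the SD-CWT, move the SD-KBT's `iat` into the future, or present the pair to a verifier with a different audience and the corresponding problem strings come back.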
Proposed changes