italia / eudi-wallet-it-docs

Italian EUDI Wallet Technical Specifications
Creative Commons Zero v1.0 Universal

[SD-JWT] iat is now disclosable #196

Closed peppelinux closed 8 months ago

peppelinux commented 9 months ago

here https://github.com/italia/eudi-wallet-it-docs/blob/versione-corrente/docs/en/pid-eaa-data-model.rst#L78

we have to align to this https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/202

balanza commented 8 months ago

This is a good catch, as in some scenarios the iat attribute can reveal something about a user's data. So having it selectively disclosable is good. Nevertheless, the benefits are almost nullified because of the exp attribute, which is exposed to the same or worse issues, and we cannot hide its value because it is a mandatory field for JWT.

Anyway, I agree it's worth being included in our implementation.
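To make the trade-off in this comment concrete, here is an added example (not code from the eudi-wallet-it-docs project, nor from the SD-JWT draft under discussion) of the disclosure mechanics: `iat` is moved behind a digest in the `_sd` array while `exp` stays as a plain claim, and a verifier-side function recovers `iat` only when the holder presents the matching disclosure. The issuer URL, the salt and the timestamps are constructed placeholders; the JWT is left unsigned because the point is the digest/disclosure relationship, not the signature.

```python
import base64
import hashlib
import json
import secrets
from typing import Any, Dict, List, Optional, Tuple


def b64url(data: bytes) -> str:
    """base64url without padding, as SD-JWT uses for disclosures and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_disclosure(name: str, value: Any, salt: Optional[str] = None) -> str:
    """Encode one disclosure as base64url(JSON array [salt, name, value]).
    A fresh 128-bit salt is generated unless one is supplied (fixed salts only for tests)."""
    if salt is None:
        salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode("utf-8"))


def digest(disclosure: str) -> str:
    """Digest listed in _sd: base64url(SHA-256(ascii(disclosure)))."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def build_payload(iat: int, exp: int, iat_salt: Optional[str] = None) -> Tuple[Dict[str, Any], List[str]]:
    """Issuer side: return (payload, disclosures).
    iat is hidden behind a digest; exp is kept in the clear, matching the comment's
    observation that it remains a mandatory, visible claim."""
    iat_disc = make_disclosure("iat", iat, iat_salt)
    payload = {
        "iss": "https://issuer.example",  # constructed placeholder, not a real issuer
        "exp": exp,
        "_sd_alg": "sha-256",
        "_sd": [digest(iat_disc)],
    }
    return payload, [iat_disc]


def recover_claims(payload: Dict[str, Any], presented: List[str]) -> Dict[str, Any]:
    """Verifier side: merge presented disclosures into the plain claims.
    A disclosure is accepted only if its digest appears in _sd, and it must not
    overwrite a claim already present in the clear."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    listed = set(payload.get("_sd", []))
    for disc in presented:
        if digest(disc) not in listed:
            raise ValueError("disclosure does not match any digest in _sd")
        padded = disc + "=" * (-len(disc) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        if name in claims:
            raise ValueError(f"claim {name!r} already present as a plain claim")
        claims[name] = value
    return claims


if __name__ == "__main__":
    payload, disclosures = build_payload(iat=1700000000, exp=1700086400)
    print("payload (iat hidden, exp visible):", json.dumps(payload, indent=2))
    print("with disclosure:", recover_claims(payload, disclosures))
    print("without disclosure:", recover_claims(payload, []))
```

Running it shows the asymmetry the comment describes: a relying party that receives no disclosure learns `exp` but not `iat`, while a tampered or foreign disclosure is rejected because its digest is not in `_sd`.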

balanza commented 8 months ago

About the methodology: I'm not happy about us following others' pull requests and issues. I know the reference is still a draft and I see the value of keeping up with the changes.

I think a better approach would be to open the issue once a new version is released. I foresee these possible benefits:

  1. We rely upon a complete specification; cherry-picking changes may lead to a partial implementation, which could be unstable and insecure
  2. Readers would know exactly which version of the draft we are referencing, making it easier to audit our specifications for bugs or missing stuff
  3. It helps the team by cadencing the work into focused actions.
  4. We prevent rework, as references' unreleased content may still change (although this is always true for drafts).

What do you guys think? Should we try for the next iterations?

peppelinux commented 8 months ago

Our milestone brings as many changes as we can to tag our release for our version; the stable release is the one we tag.