The correct format with a SD-JWT VC that has no disclosures but has a holder binding JWT

[Sakurann]

received a question. What is the correct format with a SD-JWT VC that has no disclosures but has a holder binding JWT. Is it <SD-JWT VC>~~<HB JWT> (double tilde), or <SD-JWT VC>~<HB JWT> (single tilde) I think it is <SD-JWT VC>~<HB JWT> (single tilde) but the spec could probably clarify.

[AltmannPeter]

The case for ~~ would be that according to SD-JWT section 5 "the serialized format for the SD-JWT is the concatenation of each part delineated with a single tilde ('~') character". And zero disclosures is allowed in the disclosures part.

Double tilde is also consistent with the requirement to have a ~ even with the KB-JWT being an empty string. Thanks for raising the question! Would be great to confirm whether or not it is double or single.

[danielfett]

The intention is certainly just one ~. I think the spec is relatively clear:

An SD-JWT is composed of the following:

• an Issuer-signed JWT,
• zero or more Disclosures, and
• optionally a Key Binding JWT.

The individual parts will be explained in the following subsections. The serialized format for the SD-JWT is the concatenation of each part delineated with a single tilde ('~') character as follows:

So a single ~ between each part.

[AltmannPeter]

The intention is certainly just one ~. ... So a single ~ between each part.

Just one ~, while being the intention, is at odds with a single ~ between each part that the specification requires, no? There are three parts. I add one ~ between the Issuer-Signed JWT and the disclosures set, and then I add another ~ between the disclosures set and the KB-JWT.

[bc-pi]

The intention is definitely just one ~. I also think sec 5 in the spec is relatively clear about it. But perhaps some additional or slightly different text would be more clear?

Just one ~, while being the intention, is at odds with a single ~ between each part that the specification requires, no?

The intent is that each individual Disclosure is a part with each one is preceded by a tilde. No tildes in that area when there are no Disclosures.

Admittedly, as I try to comment here, I can start to see where different readings of that section come from. So there is likely an opportunity to improve that text. I'm not sure how though...

[bc-pi]

FWIW, the following are the various permutations as intended by the current spec (as best I understand anyway).

SD-JWT without disclosures and without KB JWT: <Issuer-signed JWT>~

SD-JWT without disclosures and with KB JWT: <Issuer-signed JWT>~<KB-JWT>

SD-JWT with disclosures and without KB JWT: <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~

SD-JWT with disclosures and with KB JWT: <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~<KB-JWT>

[bc-pi]

The bit of text starting with "i.e.," here in sec 5.3.1. maybe describes it more succinctly and accurately:

the Issuer-signed JWT, a tilde character, and zero or more Disclosures [...], each followed by a tilde character.

[paulbastian]

FWIW, the following are the various permutations as intended by the current spec (as best I understand anyway).

SD-JWT without disclosures and without KB JWT: <Issuer-signed JWT>~

SD-JWT without disclosures and with KB JWT: <Issuer-signed JWT>~<KB-JWT>

SD-JWT with disclosures and without KB JWT: <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~

SD-JWT with disclosures and with KB JWT: <Issuer-signed JWT>~<Disclosure 1>~<Disclosure N>~<KB-JWT>

It could be valuable to list these four basic categories in the specification

[AltmannPeter]

It could be valuable to list these four basic categories in the specification

Agreed. Thanks for the clarification too!

[bc-pi]

This https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/388 PR on the base SD-JWT spec lists those four basic categories and tries to make the language more clear.

[bc-pi]

PR on the base SD-JWT spec was merged.