oauth-wg / oauth-sd-jwt-vc

draft-terbu-sd-jwt-vc
Creative Commons Zero v1.0 Universal

Consider making iat optional #199

Closed: oed closed this issue 10 months ago

oed commented 11 months ago

Using iat is not the only, and not always the desired, way to specify when something was issued.

The use case I'm considering would make use of an "after" field, the value of which would be set to a recent block hash (e.g. from a blockchain like Bitcoin or Ethereum). This approach would provide a more rigorous way to determine when something was issued, since it would be impossible to create a claim that points to a time in the future.

If iat is required, it would be completely redundant to the "after" field in my example.

bc-pi commented 10 months ago

I'm generally supportive of allowing iat to be optional (and selectively disclosable as suggested in #200). It's informational content that may not be necessary for all cases and might have privacy implications. Specific vcts could mandate it as appropriate, but I think requiring it in sd-jwt-vc is too inflexible.

awoie commented 10 months ago

I'm also supportive.
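Added example, not part of the thread and not code from the draft or its authors: a verifier-side check that treats iat as optional, lets specific vct values mandate it (bc-pi's comment), and derives a lower bound on issuance time from the "after" block-hash claim (oed's comment). The "after" claim semantics, the block table, the vct URL, the skew value and all function names are assumptions made for illustration.

```python
import time

# Constructed sample data: block hash -> block timestamp (Unix seconds).
# A real verifier would resolve hashes against a chain node or header store.
BLOCK_A = "aa" * 32
KNOWN_BLOCKS = {BLOCK_A: 1_700_000_000}

# Hypothetical policy table: credential types (vct) that mandate iat.
VCT_REQUIRES_IAT = {"https://example.com/vct/strict-id"}

SKEW = 300  # tolerated clock skew in seconds (assumed value)


class IssuanceError(ValueError):
    """Raised when the issuance-time claims are missing or inconsistent."""


def check_issuance(claims, now=None):
    """Return (proven_not_before, claimed_iat); either may be None.

    proven_not_before comes from the hypothetical "after" block-hash claim,
    claimed_iat is the issuer-asserted iat, which is optional here.
    """
    now = int(time.time()) if now is None else now
    iat, after = claims.get("iat"), claims.get("after")

    if iat is None and claims.get("vct") in VCT_REQUIRES_IAT:
        raise IssuanceError("this vct mandates iat")

    not_before = None
    if after is not None:
        if not isinstance(after, str) or after not in KNOWN_BLOCKS:
            # An unknown (or not yet mined) block cannot anchor anything.
            raise IssuanceError("after does not name a known block")
        not_before = KNOWN_BLOCKS[after]

    if iat is not None:
        if isinstance(iat, bool) or not isinstance(iat, (int, float)):
            raise IssuanceError("iat must be a NumericDate")
        if iat > now + SKEW:
            raise IssuanceError("iat is in the future")
        if not_before is not None and iat < not_before - SKEW:
            raise IssuanceError("iat predates the block named by after")
    return not_before, iat
```

When both claims are present, the block timestamp is the only value the verifier can check independently; iat remains an issuer assertion that is merely tested for consistency with it.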