Closed peppelinux closed 10 months ago
I'm generally supportive of allowing iat to be selectively disclosable (and being optional as suggested in #199). It's informational content that may not be necessary for all cases and might have privacy implications. Specific vcts could mandate it as appropriate but I think requiring it in sd-jwt-vc is too inflexible.
I propose making the iat (issued at) claim name selectively disclosable. This is because for certain types of tokens, credentials, or personal data, the creation or issuance date could potentially reveal sensitive information.
For instance, consider a credential verifying that my age is over 18. In most cases, a user would request this credential on their birthday, which would mean that the iat value would coincide with their birth date.
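The selective-disclosure mechanism this proposal relies on, as an added example that is not part of the original issue or the project's own code: the issuer replaces iat with a salted SHA-256 digest in _sd, and the verifier sees the value only if the holder presents the matching disclosure. The issuer URL, vct value, timestamp and helper names are constructed for illustration, and JWT signing, key binding and decoy digests are left out.

```python
import base64
import hashlib
import json
import secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def digest_of(disclosure: str) -> str:
    # The digest is taken over the ASCII bytes of the base64url-encoded disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def make_disclosure(name, value) -> str:
    salt = b64url(secrets.token_bytes(16))  # fresh salt per claim blocks guessing of low-entropy values
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def issue(claims: dict, concealable: set):
    """Issuer side: return (payload, disclosures) with concealable claims moved into _sd."""
    payload = {"_sd_alg": "sha-256", "_sd": []}
    disclosures = {}
    for name, value in claims.items():
        if name in concealable:
            disclosures[name] = make_disclosure(name, value)
            payload["_sd"].append(digest_of(disclosures[name]))
        else:
            payload[name] = value
    payload["_sd"].sort()  # digest order must not reveal the original claim order
    return payload, disclosures

def verifier_view(payload: dict, presented: list) -> dict:
    """Verifier side: rebuild visible claims, rejecting disclosures that match no digest."""
    view = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for disclosure in presented:
        if digest_of(disclosure) not in payload["_sd"]:
            raise ValueError("disclosure does not match any digest in _sd")
        padded = disclosure + "=" * (-len(disclosure) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        view[name] = value
    return view

# Constructed sample credential: an age-over-18 attestation issued at a given time.
CLAIMS = {"iss": "https://issuer.example", "vct": "https://credentials.example/age_over_18",
          "iat": 1700000000, "age_over_18": True}
PAYLOAD, DISCLOSURES = issue(CLAIMS, concealable={"iat"})

if __name__ == "__main__":
    print("withheld :", verifier_view(PAYLOAD, []))
    print("disclosed:", verifier_view(PAYLOAD, [DISCLOSURES["iat"]]))
```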