Closed tplooker closed 1 year ago
We should keep that as it currently is for the following reasons:
Only looking at disclosures for which there is a digest in the JWT also helps reduce the likelihood that an implementation will mistakenly use the content of maliciously inserted disclosures.
Understood. Thinking about it again in that light, it makes sense from a security perspective: in effect you are proving issuer integrity over the payload before even attempting to parse the payload as JSON, which is consistent with how vanilla JWT processing works.
Currently section 6.2 implies that you validate that the disclosure is a JSON array of three elements after you have matched it to a digest in the JWT; this would appear less efficient than validating all disclosures prior to checking for matches and substituting values.
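The processing order discussed in this thread, as an added example that is not code from the SD-JWT draft or from any participant here: verify the issuer signature first, hash every presented Disclosure (hashing never decodes it), and decode and parse only those whose digest appears in an `_sd` array of the verified payload. HS256 is assumed so the signature check needs only the standard library (real issuers sign asymmetrically); the key, salts and claim values are constructed for the demo, and the helper names (`resolve_disclosures`, `disclosure_digest`, etc.) are this example's own. Disclosures with no matching digest are returned untouched rather than rejected, which is left to the caller because draft versions differ on it.

```python
"""Digest-first processing of SD-JWT Disclosures (added example, stdlib only)."""
import base64
import hashlib
import hmac
import json


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: str, name: str, value) -> str:
    # Disclosure = base64url(JSON array [salt, claim name, claim value]).
    return b64url_encode(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    # Digest = base64url(SHA-256 over the ASCII bytes of the encoded Disclosure).
    # Note that hashing neither decodes nor parses the Disclosure.
    return b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest())


def hs256_sign(payload: dict, key: bytes) -> str:
    header = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    tag = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(tag)}"


def hs256_verify(token: str, key: bytes) -> dict:
    # Issuer integrity over the payload is established before anything in it,
    # including the _sd digests, is trusted.
    header, body, sig = token.split(".")
    if json.loads(b64url_decode(header)).get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def resolve_disclosures(payload: dict, disclosures: list) -> tuple:
    """Return (claims, unreferenced).

    Only a Disclosure whose digest appears in an _sd array of the verified
    payload is decoded and parsed. Everything else is handed back unparsed in
    `unreferenced` so the caller can ignore or reject it.
    """
    by_digest = {}
    for d in disclosures:
        digest = disclosure_digest(d)
        if digest in by_digest:
            raise ValueError("same Disclosure presented twice")
        by_digest[digest] = d
    seen_in_payload, used = set(), set()

    def walk(obj):
        if isinstance(obj, list):
            return [walk(v) for v in obj]
        if not isinstance(obj, dict):
            return obj
        out = {k: walk(v) for k, v in obj.items() if k not in ("_sd", "_sd_alg")}
        for digest in obj.get("_sd", []):
            if digest in seen_in_payload:
                raise ValueError("digest appears more than once in payload")
            seen_in_payload.add(digest)
            disclosure = by_digest.get(digest)
            if disclosure is None:
                continue  # claim stays undisclosed
            used.add(digest)
            # Decoding and the three-element check happen only after the match.
            parsed = json.loads(b64url_decode(disclosure))
            if not (isinstance(parsed, list) and len(parsed) == 3 and isinstance(parsed[1], str)):
                raise ValueError("malformed Disclosure")
            _, name, value = parsed
            if name in out:
                raise ValueError(f"claim {name!r} would be overwritten")
            out[name] = walk(value)  # a disclosed value may itself carry _sd
        return out

    claims = walk(payload)
    unreferenced = [d for digest, d in by_digest.items() if digest not in used]
    return claims, unreferenced


KEY = b"constructed-demo-hmac-key"  # constructed for the demo, not a real key


def demo():
    d_name = make_disclosure("salt-1", "given_name", "Alice")
    d_email = make_disclosure("salt-2", "email", "alice@example.com")
    payload = {
        "iss": "https://issuer.example",
        "_sd_alg": "sha-256",
        "_sd": [disclosure_digest(d_name), disclosure_digest(d_email)],
    }
    token = hs256_sign(payload, KEY)

    # Holder discloses only given_name. Two extra items ride along: a tampered
    # copy of the email Disclosure and a blob that is not JSON at all.
    tampered = make_disclosure("salt-2", "email", "mallory@example.com")
    garbage = b64url_encode(b"not json at all")
    presented = [d_name, tampered, garbage]

    verified = hs256_verify(token, KEY)
    return resolve_disclosures(verified, presented)


if __name__ == "__main__":
    claims, ignored = demo()
    print(json.dumps(claims, indent=2))
    print("ignored without ever being parsed:", ignored)
```

Because the garbage item is never base64url-decoded or `json.loads`-ed, it cannot trigger a parse error or smuggle a claim; the tampered email Disclosure hashes to a digest the issuer never signed, so it is equally inert. Moving the three-element validation before the digest match would mean parsing both of those attacker-controlled blobs.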