Suggested efficiency update to the verification procedure

[tplooker]

Currently section 6.2 implies that you validate the disclosure is a JSON array of three elements after you have matched it to a digest in the JWT, this would appear less efficient then validating all disclosures prior to checking for matches and substituting values.

[danielfett]

We should keep that as it currently is for the following reasons:

• First matching it in the SD-JWT makes it harder or near impossible to exploit JSON parsing bugs at least for the disclosures, and
• (more importantly) as we will introduce arrays which most likely will use two instead of three elements in the disclosure, it is important to know what to expect first before verifying the disclosure.

[bc-pi]

Only looking at disclosures for which there is a digest in the JWT also helps reduce the likelihood that an implementation will mistakenly use the content of maliciously inserted disclosures.

[tplooker]

Understood, thinking about it again in that light makes sense from a security perspective in effect you are proving issuer integrity over the payload before even attempting to parse the payload as JSON, which is consistent with how vanilla JWT processing works