oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

JSON serialisation - disclosures to protected/unprotected header? #324

Closed alenhorvat closed 1 year ago

alenhorvat commented 1 year ago

The current document introduces a new serialisation for JSON serialised JWS by adding a new claim at the top level (disclosures).

To make it fully compatible with JSON serialised JWS, the claim could be included in the protected or unprotected header, depending on whether the disclosures need to be (explicitly) signed or not.

Would it be possible to move the "disclosures" claim to the protected/unprotected header?

If the disclosures must be signed explicitly, the disclosures must be in the protected header; if they don't have to be signed, they should be in the unprotected header.

alenhorvat commented 1 year ago

@danielfett this is also related to the question: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/325

If the holder protects the shared SD-JWT, then a holder binding JWT is not required.

These are 2 possible approaches for holder binding.

I realised that Section 8 actually introduces a new JSON JWS serialisation by adding additional claims.

Sakurann commented 1 year ago

Adding disclosures to a protected header would make selective disclosure impossible, since there will be no way to remove the disclosures without breaking the issuer's signature, so I don't think it's an option. (It's the Issuer, not the Holder, who signs the JSON serialized JWS.)

Putting Disclosures in an unprotected header might be an option, though my gut reaction is that I do not really like how it encourages the holder to modify the Issuer-created unprotected header. What problem are you trying to solve by not putting disclosures in the JSON as currently defined?

I realised that Section 8 actually introduces a new JSON JWS serialisation by adding additional claims.

I am not sure I follow what you mean by a new JSON JWS serialisation
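The point made above about the protected header, as an added illustration that is not part of the issue thread or of the draft's own code: in JWS JSON Serialization only the protected header and the payload form the signing input, so a Holder can drop a Disclosure from a top-level member without touching the Issuer's signature, but not from the protected header. The remaining Disclosures stay bound to the signed payload through their digests in `_sd`. Names such as `issue`, `holder_withholds` and `disclosures_bound_to_payload` are hypothetical, the claims and key are constructed, and HS256 stands in for the Issuer's asymmetric signature.

```python
import base64, hashlib, hmac, json, secrets
KEY = b"constructed-demo-key"  # constructed HS256 key; a real Issuer signs asymmetrically

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_disclosure(name, value) -> str:
    # SD-JWT Disclosure: base64url(JSON [salt, claim name, claim value])
    return b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())

def sd_digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def sign(protected: dict, payload: dict, extra: dict) -> dict:
    # JWS JSON Serialization: the signature covers only protected header and payload
    prot = b64url(json.dumps(protected).encode())
    pl = b64url(json.dumps(payload).encode())
    sig = hmac.new(KEY, f"{prot}.{pl}".encode(), hashlib.sha256).digest()
    return {"protected": prot, "payload": pl, "signature": b64url(sig), **extra}

def verify(jws: dict) -> bool:
    sig = hmac.new(KEY, f"{jws['protected']}.{jws['payload']}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(b64url(sig), jws["signature"])

def issue(claims: dict, in_protected_header: bool) -> dict:
    discs = [make_disclosure(n, v) for n, v in claims.items()]
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256", "_sd": sorted(map(sd_digest, discs))}
    if in_protected_header:  # the variant proposed in the issue
        return sign({"alg": "HS256", "disclosures": discs}, payload, {})
    return sign({"alg": "HS256"}, payload, {"disclosures": discs})  # top-level member, as in the draft

def holder_withholds(jws: dict, claim_name: str) -> dict:
    # Holder drops one Disclosure from wherever the Issuer placed them
    out = dict(jws)
    where = out if "disclosures" in out else json.loads(b64url_decode(out["protected"]))
    where["disclosures"] = [d for d in where["disclosures"] if json.loads(b64url_decode(d))[1] != claim_name]
    if where is not out:  # re-encoding the protected header changes the signing input
        out["protected"] = b64url(json.dumps(where).encode())
    return out

def disclosures_bound_to_payload(jws: dict) -> bool:
    # Every remaining Disclosure must hash to an entry of the signed _sd array
    sd = set(json.loads(b64url_decode(jws["payload"]))["_sd"])
    discs = jws["disclosures"] if "disclosures" in jws else json.loads(b64url_decode(jws["protected"]))["disclosures"]
    return all(sd_digest(d) in sd for d in discs)
```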