oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

Signing SD-JWT and key binding #326

Closed alenhorvat closed 1 year ago

alenhorvat commented 1 year ago

The current design, if my understanding is correct, does not sign the sd-jwt and the disclosures when shared by the holder.

Key binding JWT does not include any binding between the information (sd-jwt + disclosures) and the key binding jwt itself.

JSON serialised JWS can enable the protection of SD-JWT (without disclosures) when shared by the holder since the holder can put the sd-jwt in the payload and sign it.

Key binding JWT is either detached from any payload or needs to be signed along with the payload.

Is there a reason to not sign the holder-shared SD-JWT and disclosures? (The simplest attack, removing or adding fake disclosures or modifying any value, simply leads to denial of service.)
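The tampering scenario described in this issue, as an added example that is not code from the draft or from anyone in this thread: a holder presents an SD-JWT with two disclosures and a Key Binding JWT, a relay drops one disclosure, and the verifier either accepts the altered presentation (KB-JWT without any commitment to the presented data) or rejects it (KB-JWT payload carries a hash over the SD-JWT and disclosures). The claim name `sd_hash` follows later versions of the draft; HS256 standing in for the holder's and issuer's asymmetric keys, the claim values, salts, URLs and the `drop_last_disclosure` helper are constructed for this illustration.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed secrets; a real SD-JWT and KB-JWT are signed with asymmetric keys
# (the holder key is referenced from the issuer-signed cnf claim).
ISSUER_KEY = b"constructed-issuer-secret"
HOLDER_KEY = b"constructed-holder-secret"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign(payload: dict, key: bytes, typ: str) -> str:
    """Compact JWS with an HMAC in place of a signature (same token layout)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = b64url(json.dumps(payload).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def verify_jws(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


def make_disclosure(name: str, value) -> str:
    """Disclosure = base64url(JSON [salt, claim name, claim value])."""
    return b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())


def digest(text: str) -> str:
    return b64url(hashlib.sha256(text.encode("ascii")).digest())


def issue(claims: dict) -> tuple[str, list[str]]:
    """Issuer: every claim becomes a disclosure; the JWT carries only digests."""
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures), "cnf": {"kid": "holder-key"}}
    return sign(payload, ISSUER_KEY, "vc+sd-jwt"), disclosures


def present(sd_jwt: str, disclosures: list[str], aud: str, nonce: str, bind: bool) -> str:
    """Holder: <SD-JWT>~<disclosure>~...~<KB-JWT>. With bind=True the KB-JWT
    payload commits to everything before it through sd_hash."""
    prefix = "~".join([sd_jwt, *disclosures]) + "~"
    kb = {"aud": aud, "nonce": nonce, "iat": 1700000000}
    if bind:
        kb["sd_hash"] = digest(prefix)
    return prefix + sign(kb, HOLDER_KEY, "kb+jwt")


def verify_presentation(presentation: str, aud: str, nonce: str, require_sd_hash: bool) -> dict:
    """Verifier: issuer signature, KB-JWT signature/aud/nonce, disclosure digests,
    and (optionally) that the KB-JWT commits to the received SD-JWT and disclosures."""
    parts = presentation.split("~")
    sd_jwt, disclosures, kb_jwt = parts[0], parts[1:-1], parts[-1]
    issued = verify_jws(sd_jwt, ISSUER_KEY)
    kb = verify_jws(kb_jwt, HOLDER_KEY)
    if kb["aud"] != aud or kb["nonce"] != nonce:
        raise ValueError("KB-JWT not for this verifier/challenge")
    if require_sd_hash and kb.get("sd_hash") != digest("~".join([sd_jwt, *disclosures]) + "~"):
        raise ValueError("KB-JWT does not match the presented SD-JWT and disclosures")
    claims = {}
    for d in disclosures:
        if digest(d) not in issued["_sd"]:
            raise ValueError("disclosure was not issued with this SD-JWT")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims


def drop_last_disclosure(presentation: str) -> str:
    """Relay or attacker strips one disclosure; both signatures stay intact."""
    parts = presentation.split("~")
    return "~".join(parts[:-2] + parts[-1:])


def demo() -> dict:
    """Returns {False: 'accepted', True: 'rejected'}: the unbound KB-JWT lets the
    stripped presentation through, the sd_hash-bound one does not."""
    aud, nonce = "https://verifier.example", "n-0S6_WzA2Mj"
    sd_jwt, disclosures = issue({"given_name": "Alice", "over_18": True})
    results = {}
    for bind in (False, True):
        pres = present(sd_jwt, disclosures, aud, nonce, bind)
        if verify_presentation(pres, aud, nonce, bind) != {"given_name": "Alice", "over_18": True}:
            raise RuntimeError("untampered presentation must verify")
        try:
            verify_presentation(drop_last_disclosure(pres), aud, nonce, bind)
            results[bind] = "accepted"
        except ValueError:
            results[bind] = "rejected"
    return results
```

Without the hash claim the verifier sees two valid signatures and a consistent set of digests and has no way to tell that a disclosure was removed (or that an extra, validly issued one was spliced in from another presentation of the same credential); with it, any change to the bytes in front of the KB-JWT invalidates the holder's signature over `sd_hash`.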

danielfett commented 1 year ago

Please look up previous issues before opening duplicates.

See https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/277 and https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/291

alenhorvat commented 1 year ago

Thank you for pointing out the existing issues.

It seems that several people raised the same concern. I wasn't aware of #277.

As expressed above, a holder binding JWT and protecting the holder-shared SD-JWT can achieve the same thing, so there are 2 methods to achieve holder binding.