oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

Considerations about the storage of the SD-JWT #331

Closed peppelinux closed 11 months ago

peppelinux commented 1 year ago

In section 10.1, "Storage of signed user data", we read: "Issuers SHOULD NOT store SD-JWTs after issuance".

And this is concerning because I assume that single parts of the SD-JWT, such as the issuer signed JWT, may not contain any personal data, and then they should be stored without the disclosure documents.

This interpretation focuses on the distinction between the issuer-signed JWT and its disclosure documents. Together (with the KB-JWT as well) they form the SD-JWT, and the recommendation would be to not store the entire SD-JWT for privacy/data-retention reasons, while the issuer-signed JWT, when it does not contain any disclosed user data, could be stored without any limitation.

The implementation consideration about the requirement to store an issuer-signed JWT leads to the requirement to store any signed artifacts until their expiration and also manage its revocation list.
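The distinction drawn in the comment above, as an added example that is not part of the thread or of the draft: it splits an SD-JWT into the issuer-signed JWT, the disclosures and the optional KB-JWT, then lists which claims are readable from the issuer-signed JWT alone and which need the disclosures. The `NON_PERSONAL` allowlist, the helper names and the sample token are assumptions; signatures are not verified and only top-level `_sd` digests of object properties are examined.

```python
import base64, hashlib, json

# Assumption: claims treated as carrying no user data; adjust per deployment.
NON_PERSONAL = {"_sd", "_sd_alg", "iss", "iat", "exp", "nbf", "cnf", "vct", "status"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def split_sd_jwt(sd_jwt: str):
    """Split <issuer JWT>~<disclosure>~...~<optional KB-JWT> into its parts."""
    parts = sd_jwt.split("~")
    if len(parts) < 2:
        raise ValueError("not an SD-JWT: no '~' separator")
    issuer_jwt, *disclosures, kb_jwt = parts
    return issuer_jwt, disclosures, kb_jwt or None

def cleartext_claims(issuer_jwt: str) -> list:
    """Top-level payload claims that are visible without any disclosure."""
    payload = json.loads(b64url_decode(issuer_jwt.split(".")[1]))
    return sorted(k for k in payload if k not in NON_PERSONAL)

def disclosed_claims(issuer_jwt: str, disclosures: list) -> dict:
    """Claims recoverable only when the disclosures are kept with the JWT."""
    payload = json.loads(b64url_decode(issuer_jwt.split(".")[1]))
    out = {}
    for d in disclosures:
        # The payload holds only this hash of each disclosure, not its value.
        digest = b64url(hashlib.sha256(d.encode("ascii")).digest())
        if digest in payload.get("_sd", []):
            _salt, name, value = json.loads(b64url_decode(d))
            out[name] = value
    return out

def build_sample(extra_claims: dict) -> str:
    """Constructed sample; the signature is a placeholder, not a real one."""
    disc = b64url(json.dumps(["constructed-salt", "given_name", "Alice"]).encode())
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": [b64url(hashlib.sha256(disc.encode()).digest())], **extra_claims}
    jwt = ".".join([b64url(b'{"alg":"ES256"}'), b64url(json.dumps(payload).encode()), "sig"])
    return f"{jwt}~{disc}~"

if __name__ == "__main__":
    for sample in (build_sample({}), build_sample({"email": "alice@example.com"})):
        jwt, discs, kb = split_sd_jwt(sample)
        print(cleartext_claims(jwt), disclosed_claims(jwt, discs), kb)
```

An empty result from `cleartext_claims` only means no claim outside the allowlist is present in the issuer-signed JWT; whether the allowlisted claims are acceptable to retain is a deployment decision.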

danielfett commented 1 year ago

PR - please review: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/336

Sakurann commented 11 months ago

PR merged