oauth-wg / oauth-selective-disclosure-jwt

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

Clarify clause re duplicate digests #355

Closed danielfett closed 7 months ago

danielfett commented 9 months ago

From the mailing list

Hi Jacob,

the intention was to cover the first case you listed. We should clarify this.

-Daniel

On 20.10.23 at 15:02, Jacob Ward wrote:

Hello again,

On a similar note to my previous email, could I get some clarity on a step in the SD-JWT verification process?

  1. If any digests were found more than once in the previous step, the SD-JWT MUST be rejected.

Step 4 in Section 6.1 (as shown above) could have multiple meanings in my opinion:

  • The digest was found multiple times (for example in an "_sd" array and as an array element).
  • More than one Disclosure has the same digest.

On first reading of this I assumed that this step only covered the first of those two cases, but it has been pointed out to me by a colleague that it could cover both. If it is the case that both cases are covered by this step, then I think it would be helpful to clarify this in the text.

Cheers,

Jacob

bc-pi commented 9 months ago

my 2 cents at/from https://mailarchive.ietf.org/arch/msg/oauth/czsBV_b64F07mLEnyUlIvg3nDvM/

Agree that it should be clarified. Being precise with language around this stuff is tricky. But my understanding of the intent was to ensure that no digest value is repeated in the whole of the SD-JWT - either in the payload directly or recursively in any Disclosure. Because of the trickiness of language, I'm not sure if we disagree or not about the intent...
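The reading described in this thread, as an added example that is not code from the draft or from this issue: a verifier-side check that walks the payload, descends into every matching Disclosure, and reports any digest that is referenced more than once anywhere in that tree. It assumes sha-256 and the base64url Disclosure/digest encoding used by the draft; the helper names and the sample claims are my own.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(*parts) -> str:
    # Object disclosure: [salt, name, value]; array-element disclosure: [salt, value]
    return b64url(json.dumps(list(parts)).encode("utf-8"))

def disclosure_digest(disclosure: str) -> str:
    # Digest is sha-256 over the ASCII bytes of the base64url-encoded Disclosure
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def _walk(node, by_digest, found):
    """Append every digest referenced in `node` to `found`, descending into the
    value of each Disclosure that matches (so recursive disclosures are covered)."""
    if isinstance(node, dict):
        for digest in node.get("_sd", []):
            found.append(digest)
            if digest in by_digest:
                _walk(by_digest[digest][-1], by_digest, found)  # value is last element
        for key, value in node.items():
            if key != "_sd":
                _walk(value, by_digest, found)
    elif isinstance(node, list):
        for item in node:
            if isinstance(item, dict) and set(item) == {"..."}:
                found.append(item["..."])
                if item["..."] in by_digest:
                    _walk(by_digest[item["..."]][-1], by_digest, found)
            else:
                _walk(item, by_digest, found)

def duplicate_digests(payload: dict, disclosures: list) -> list:
    """Digests seen more than once in the payload or in any Disclosure reached
    from it. A non-empty result means the SD-JWT must be rejected."""
    by_digest = {disclosure_digest(d): json.loads(b64url_decode(d)) for d in disclosures}
    found = []
    _walk(payload, by_digest, found)
    return sorted({d for d in found if found.count(d) > 1})

# Constructed sample: "street_address" is disclosed inside "address" (recursive
# disclosure) and its digest is also listed in the top-level "_sd" array.
STREET = make_disclosure("salt-a", "street_address", "123 Main St")
STREET_DIGEST = disclosure_digest(STREET)
ADDRESS = make_disclosure("salt-b", "address", {"_sd": [STREET_DIGEST]})
PAYLOAD = {"_sd": [disclosure_digest(ADDRESS), STREET_DIGEST], "_sd_alg": "sha-256"}
```

`duplicate_digests(PAYLOAD, [ADDRESS, STREET])` returns the street digest, so this SD-JWT is rejected; the same payload without the stray top-level entry passes.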

bc-pi commented 7 months ago

Also... um, wouldn't "More than one Disclosure have[ing] the same digest" imply a collision in the hash function? And therefore infeasible to actually happen.