An Issuer MUST NOT allow any security-critical claim to be selectively disclosable. The exact list of “security-critical” claims will depend on the application, and SHOULD be listed by any application-specific profile of SD-JWT. The following is a list of standard claim names that SHOULD be considered as security-critical by any SD-JWT Issuer:
- “iss” (Issuer)
- “aud” (Audience), although issuers may want to allow individual entries in the array to be selectively disclosable
- “exp” (Expiration Time)
- “nbf” (Not Before)
- “iat” (Issued At)
- “jti” (JWT ID)
In addition, the “cnf” (Confirmation Key) claim MUST NOT be selectively disclosable.
From this thread, https://mailarchive.ietf.org/arch/msg/oauth/5A1kXMNiIm2DBEcXCadCwUpMhgI/, Neil Madden has suggested some text (above) for the Selectively-Disclosable Validity Claims section. I think we can replace and/or augment and/or merge what's there with this suggestion and arrive at something reasonable that's a bit stronger about not making claims that control the validity of the SD-JWT selectively disclosable.
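To make the suggested rule concrete, here is an added example (my own illustration, not code from the SD-JWT draft, from Neil Madden's text, or from any SD-JWT library) of how an Issuer and a Verifier could enforce it. It builds an SD-JWT payload the way the draft describes (object-property Disclosures become digests in `_sd`, array-element Disclosures become `{"...": digest}` entries, digests are base64url(sha-256) over the Disclosure string), refuses on the Issuer side to put any of the claims listed above behind a Disclosure (allowing individual `aud` entries, as the text permits), and rejects on the Verifier side any Disclosure that would reveal one of those claims. The claim set `SECURITY_CRITICAL` and the function names are assumptions taken from the text above; signature handling and the rest of SD-JWT processing are out of scope.

```python
import base64
import hashlib
import json
import secrets

# Claim names the suggested text above lists as security-critical (assumption: this set
# mirrors that text, not any published profile).
SECURITY_CRITICAL = {"iss", "aud", "exp", "nbf", "iat", "jti", "cnf"}
# Claims whose individual array entries the text would still allow to be disclosable.
ARRAY_ENTRIES_MAY_DISCLOSE = {"aud"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value) -> str:
    """Encode a Disclosure: [salt, name, value] for an object property,
    [salt, value] for an array element (pass name=None)."""
    salt = b64url(secrets.token_bytes(16))
    arr = [salt, value] if name is None else [salt, name, value]
    return b64url(json.dumps(arr, separators=(",", ":")).encode("utf-8"))


def digest(disclosure: str) -> str:
    """SD-JWT digest of a Disclosure: base64url(sha-256(ASCII of the Disclosure))."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def decode_disclosure(disclosure: str) -> list:
    return json.loads(b64url_decode(disclosure))


def issue(claims: dict, sd_claims, sd_array_claims=()):
    """Issuer side: return (payload, disclosures). Claims in sd_claims move behind
    digests in _sd; claims in sd_array_claims get each array entry replaced by
    {"...": digest}. Raises if a security-critical claim would become disclosable."""
    forbidden = set(sd_claims) & SECURITY_CRITICAL
    if forbidden:
        raise ValueError(f"must not be selectively disclosable: {sorted(forbidden)}")
    for name in sd_array_claims:
        if name in SECURITY_CRITICAL and name not in ARRAY_ENTRIES_MAY_DISCLOSE:
            raise ValueError(f"{name} entries must not be selectively disclosable")
    payload, disclosures, sd_digests = {}, [], []
    for name, value in claims.items():
        if name in sd_claims:
            d = make_disclosure(name, value)
            disclosures.append(d)
            sd_digests.append(digest(d))
        elif name in sd_array_claims:
            entries = []
            for item in value:
                d = make_disclosure(None, item)
                disclosures.append(d)
                entries.append({"...": digest(d)})
            payload[name] = entries
        else:
            payload[name] = value  # validity-controlling claims stay in the clear
    if sd_digests:
        payload["_sd"] = sorted(sd_digests)
        payload["_sd_alg"] = "sha-256"
    return payload, disclosures


def verify_disclosures(payload: dict, disclosures) -> bool:
    """Verifier side: every Disclosure must match a digest in the payload, and no
    object-property Disclosure may name a security-critical claim. A real verifier
    also checks the JWS signature, key binding and the revealed values."""
    object_digests = set(payload.get("_sd", []))
    array_digests = {e["..."] for v in payload.values() if isinstance(v, list)
                     for e in v if isinstance(e, dict) and "..." in e}
    for d in disclosures:
        parts = decode_disclosure(d)
        h = digest(d)
        if len(parts) == 3:  # [salt, name, value]: an object property
            if parts[1] in SECURITY_CRITICAL or h not in object_digests:
                return False
        elif len(parts) == 2:  # [salt, value]: an array element
            if h not in array_digests:
                return False
        else:
            return False
    return True
```

Note that the Verifier check is the one that actually matters for security: an Issuer that ignores the rule, or a malicious Holder who forges a Disclosure, is caught because `exp`, `cnf` and friends are rejected as soon as they appear in a Disclosure rather than in the signed payload.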