Closed bifurcation closed 8 months ago
We want to allow for https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ to consistently convey JWTs both with and without selectively disclosable content. Which is does currently with the trailing tilde.
I think there are four cases here:
JWT~
or JWT
JWT~KBJWT
IssuerJWT~Disclosure...Disclosure~
or IssuerJWT~Disclosure...Disclosure
IssuerJWT~Disclosure~...~KBJWT
For point 2 in my list above (Richard's point 2), there is a related issue in sd-jwt vc spec so it should be clarified.
For points 1 and 3 in my list above (Richard's point 1), this is where suggestion not to end with ~ diverges from SD-JWT/SD-JWT VC approaches.
when there is selective disclosure (point 3), in addition to what Brian said, there are ~s between disclosures anyway, so I do not see the advantage in processing whether there is a ~ in the end or not.
so even if there is no selective disclosure (point 1), for the consistency/interop sake, having JWT~
does sound better. But I do agree with Richard that when there is no selective disclosure, it is just a JWT, so the i think it is up to the use-case and implementations to do JWT~
when they think that that JWT may enter verifiable credential ecosystem where JWTs with selective disclosure are also used and not something for the standard to dictate..
For the first case, I think distinguishing an SD-JWT without disclosures and KB-JWT (JWT~
) from a pure JWT (JWT
) is an important feature: It allows a receiver to always unambiguously distinguish the two cases and tell which processing is required. (It's a bad idea to put an SD-JWT into a JWT processor as it may contain SD-JWT specific structures that should be removed before further processing.)
For case three, having the last ~
enables us to distinguish between a presentation with a KB-JWT and a presentation without a KB-JWT without introspecting the last element.
It does not make sense to always mandating disclosing something, or always mandating KB JWT, so SD-JWT without selective disclosure and without KB JWT
is simply a unique case of SD-JWT, so SD-JWT~
makes more sense and as Daniel argues, what came out of and is intended to be consumed by SD-JWT library, it is better from a developer perspective to have ~
and not be consumable by a vanilla JWT library.
@Sakurann I'm a little puzzled that you think the extra ~
is better for developer experience. An SD-JWT without disclosures is literally just a JWT where some of the claims have nonsense values.
But I guess you could argue that that's a reason that an SD-JWT(0) should still not be processed by a vanilla JWT library -- because an SD-JWT will recognize the SD claim values as nonsense, as opposed to trying to interpret them.
Under that theory, I'm OK with closing this.
But I guess you could argue that that's a reason that an SD-JWT(0) should still not be processed by a vanilla JWT library -- because an SD-JWT will recognize the SD claim values as nonsense, as opposed to trying to interpret them.
That is exactly the point why we decided to keep the current form.
An SD-JWT with zero disclosures and no key binding is the same as a JWT -- you can't undo any of the selective disclosures, so you have to take the claims as they are. But with the current document, the two cases are syntactically different: SD-JWT(0) has a
~
character at the end, and a plain JWT doesn't.This mismatch is unfortunate for a couple of reasons. It means that if you're taking one of these objects between SD-aware and non-SD-aware contexts, you have to have a mapping layer that adds and removes the
~
. And it makes it impossible to use the key binding feature as-is with a plain JWT, because the key binding feature assumes that the thing being bound ends with the~
separator.I would suggest refactoring as follows:
IssuerJWT~disclosure~...~disclosure
(no final~
)JWT~KBJWT
(with the intermediate~
, which is absent today)This aligns well with the distinction proposed in #374.