Closed bifurcation closed 2 months ago
Such a field was removed in -06, `kb_jwt` in PR https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/344, when it became more evident that the folks wanting to use JSON serialization were intending to do key binding by other means - some kind of enveloping rather than a separate KB JWT. That along with the introduction of the `_sd_hash` to the KB JWT (which is much trickier than you've suggested esp wrt the General JWS JSON Serialization) motivated the removal of the field.
That just further emphasizes that we need to address #374 and separate "SD-JWT without KB" and "SD-JWT with KB", since the JSON serialization folks want to use the former and not the latter. If we have that separation, this section can just have a JSON format for "SD-JWT without KB" and there's no mismatch.
@danielfett will open a separate ticket with specific mechanisms to address this based on the implementation experience
The discussion about KB JWT in JSON-serialized JWS came up in the EUDI Wallet context as well, so we plan to fix it: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/403
As in #383, 9. JWS JSON Serialization invokes specification by magic:
If we are defining a format for SD-JWT, that format needs to include all of the parts of the SD-JWT. Unless #374 gets fixed, that means the format needs an optional key binding field.
But I think that this issue is actually a symptom of #374. The document doesn't define a format for "SD-JWT with KB" because it is actually a substantively different thing from "SD-JWT without KB". Putting it in JSON just highlights the difference more clearly than `~`-delimited text. The current syntax seems fine to me for "SD-JWT without KB". For "SD-JWT with KB", I would think you would want something like:
Here the `sd_jwt` field MUST hash to `sd_hash`, after serialization to the `~` compact form.
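The binding check described in the post above, as an added example that is not part of the original issue or of the oauth-wg draft's own code: it rebuilds the `~`-delimited compact form from a flattened JSON SD-JWT, derives `sd_hash` from that string with the `_sd_alg` hash, and compares it with the `sd_hash` claim of a KB-JWT. The `header.disclosures` placement, the fake signatures and the sample tokens are assumptions constructed for illustration only; signature verification is out of scope here.

```python
import base64
import hashlib
import hmac
import json

def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JWS and SD-JWT."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def compact_from_json(sd_jwt_json: dict) -> str:
    """Serialize a flattened-JSON SD-JWT (without KB-JWT) to the compact form
    <issuer JWT>~<disclosure 1>~...~<disclosure N>~ .
    Assumption: disclosures live in the unprotected 'header' member."""
    issuer_jwt = ".".join(sd_jwt_json[k] for k in ("protected", "payload", "signature"))
    disclosures = sd_jwt_json.get("header", {}).get("disclosures", [])
    return "~".join([issuer_jwt, *disclosures]) + "~"

def sd_hash_of(compact_sd_jwt: str) -> str:
    """sd_hash = base64url(hash(compact SD-JWT including the trailing '~')),
    hash algorithm taken from the issuer-signed JWT's _sd_alg (default sha-256)."""
    issuer_payload = compact_sd_jwt.split("~")[0].split(".")[1]
    alg = json.loads(b64url_decode(issuer_payload)).get("_sd_alg", "sha-256")
    digest = hashlib.new(alg.replace("-", ""), compact_sd_jwt.encode("ascii")).digest()
    return b64url(digest)

def kb_jwt_binds(compact_sd_jwt: str, kb_jwt: str) -> bool:
    """True if the KB-JWT's sd_hash claim matches the SD-JWT it accompanies.
    Both signatures are assumed to be verified elsewhere before trusting this."""
    claims = json.loads(b64url_decode(kb_jwt.split(".")[1]))
    presented = str(claims.get("sd_hash", "")).encode("utf-8")
    return hmac.compare_digest(presented, sd_hash_of(compact_sd_jwt).encode("ascii"))

# --- constructed sample data: fake signatures, no real keys involved -----------
def _unsigned_jwt(header: dict, claims: dict) -> str:
    enc = lambda obj: b64url(json.dumps(obj, separators=(",", ":")).encode())
    return f"{enc(header)}.{enc(claims)}.{b64url(b'fake-signature')}"

SAMPLE_SD_JWT_JSON = {
    "protected": b64url(b'{"alg":"ES256","typ":"example+sd-jwt"}'),
    "payload": b64url(b'{"iss":"https://issuer.example","_sd_alg":"sha-256","_sd":["x"]}'),
    "signature": b64url(b"fake-signature"),
    "header": {"disclosures": [b64url(b'["salt","given_name","Alice"]')]},
}

def make_kb_jwt_for(compact_sd_jwt: str) -> str:
    """Demo-only unsigned KB-JWT carrying the sd_hash of the given SD-JWT."""
    return _unsigned_jwt({"alg": "ES256", "typ": "kb+jwt"}, {"nonce": "n-1",
                         "aud": "https://verifier.example", "sd_hash": sd_hash_of(compact_sd_jwt)})
```

Dropping or altering any disclosure changes the compact string, so the recomputed `sd_hash` no longer matches and the binding check fails.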