After Verification, Verifiers SHOULD NOT store the Issuer-signed JWT
or the respective Disclosures if they contain privacy-sensitive data.
It may be sufficient to store the result of the verification and any
End-User data that is needed for the application.
In practice, an SD-JWT contains regular claims and hash-values of selectively disclosable claims
while Disclosures are sent separately. In practice, any received data can be considered to be
"privacy-sensitive". After verification, a Verifier may need to store any End-User data that is needed
for the application.
Change into:
After Verification, Verifiers SHOULD NOT store the SD-JWT, nor the
KB-JWT. However, it may be necessary to store End-User data or
other claims contained in the SD-JWT, including regular claims and
Disclosures as needed for the application. However, there exist cases
where such a requirement SHOULD NOT be followed, in particular
to allow national authorities to fight against crime or money
laundering.
Section 10.2 states:
In practice, an SD-JWT contains regular claims and hash-values of selectively disclosable claims while Disclosures are sent separately. In practice, any received data can be considered to be "privacy-sensitive". After verification, a Verifier may need to store any End-User data that is needed for the application.
Change into: