There is still some residual confusion around the use of nbf that should be clarified.
The spec currently mentions that:
"When the iat and/or exp JWT claims are present, they represent the issuance and expiration
time of the signature, respectively. Note that these are different from the validFrom and
validUntil properties defined in Validity Period, which represent the validity of the data that
is being secured."
I think nbf should be mentioned in this paragraph as well, as the same interoperability concern exists here as there may be some discrepancies between how verifiers handle nbf vs how validFrom is treated.
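The interoperability concern raised above, as an added example that is not part of the original issue or the spec: two hypothetical verifiers (`verifier_enforcing_nbf`, `verifier_ignoring_nbf`) evaluate the same constructed payload and disagree while the time is after validFrom but before nbf. The payload values and the inclusive bounds on validFrom/validUntil are assumptions made for illustration.

```python
from datetime import datetime

def ts(iso):
    """RFC 3339 timestamp with a trailing Z -> Unix seconds."""
    return datetime.fromisoformat(iso.replace("Z", "+00:00")).timestamp()

# Constructed payload: credential properties plus JWT time claims.
PAYLOAD = {
    "type": ["VerifiableCredential"],
    "validFrom": "2024-01-01T00:00:00Z",
    "validUntil": "2025-01-01T00:00:00Z",
    "iat": ts("2024-01-01T00:00:00Z"),
    "nbf": ts("2024-03-01T00:00:00Z"),
    "exp": ts("2024-12-01T00:00:00Z"),
}

def signature_window_ok(claims, now):
    """RFC 7519 time checks: now must be >= nbf and < exp when present."""
    if "nbf" in claims and now < claims["nbf"]:
        return False
    if "exp" in claims and now >= claims["exp"]:
        return False
    return True

def data_window_ok(claims, now):
    """Validity period of the secured data (bounds assumed inclusive)."""
    if "validFrom" in claims and now < ts(claims["validFrom"]):
        return False
    if "validUntil" in claims and now > ts(claims["validUntil"]):
        return False
    return True

def verifier_enforcing_nbf(claims, now):
    """Hypothetical verifier: checks nbf/exp and validFrom/validUntil separately."""
    return signature_window_ok(claims, now) and data_window_ok(claims, now)

def verifier_ignoring_nbf(claims, now):
    """Hypothetical verifier: treats validFrom as the only 'not before' and skips nbf."""
    without_nbf = {k: v for k, v in claims.items() if k != "nbf"}
    return signature_window_ok(without_nbf, now) and data_window_ok(without_nbf, now)

def disagreements(claims, instants):
    """Return the instants at which the two verifiers reach different decisions."""
    return [i for i in instants
            if verifier_enforcing_nbf(claims, ts(i)) != verifier_ignoring_nbf(claims, ts(i))]
```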