> On 6 Nov 2023, at 16:43, Watson Ladd <watsonbl...@gmail.com> wrote:
>
> On Mon, Nov 6, 2023 at 5:46 AM Neil Madden <neil.e.mad...@gmail.com> wrote:
>
>>
>> How about the following:
>>
>> —
>> An Issuer MUST NOT allow any security-critical claim to be selectively
>> disclosable. The exact list of “security-critical” claims will depend on the
>> application, and SHOULD be listed by any application-specific profile of
>> SD-JWT. The following is a list of standard claim names that SHOULD be
>> considered as security-critical by any SD-JWT Issuer:
>>
>> * “iss” (Issuer)
>> * “aud” (Audience), although issuers may want to allow individual entries in
>> the array to be selectively-disclosable
>> * “exp” (Expiration Time)
>> * “nbf” (Not Before)
>> * “iat” (Issued At)
>> * “jti” (JWT ID)
>>
>> In addition, the “cnf” (Confirmation Key) claim MUST NOT be selectively
>> disclosable.
>> ---
>> <snip>
>
> I think these fields can have significant unanticipated privacy
> impacts. Expiry and issuance times can have very high entropy.

Can you expand on what you mean? What privacy threat do you envision? Note that unlinkability is explicitly already not a goal for SD-JWT according to section 12.4.

Allowing an attacker to selectively disclose that a token has expired seems problematic to say the least.

— Neil

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
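An added example, not part of this thread, showing the rule quoted above turned into a verifier-side policy check in Python: it decodes an SD-JWT, flags any disclosure that names one of the listed claims, and requires `iss`, `exp` and `cnf` to be present in the plaintext payload. The SD-JWT construction, the placeholder signature, the claim values and the `required_in_clear` default are all constructed here; signature verification is assumed to have already happened.

```python
import base64, hashlib, json, os

# Claims the quoted proposal lists as security-critical (plus "cnf").
SECURITY_CRITICAL = {"iss", "aud", "exp", "nbf", "iat", "jti", "cnf"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def unb64url(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_disclosure(name: str, value) -> str:
    # SD-JWT object-property disclosure: base64url(JSON [salt, name, value]).
    return b64url(json.dumps([b64url(os.urandom(16)), name, value]).encode())

def digest(disclosure: str) -> str:
    # The _sd digest is SHA-256 over the ASCII bytes of the base64url disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def build_sd_jwt(clear: dict, sd_claims: dict) -> str:
    """Constructed issuer JWT with a placeholder signature (not verified here)."""
    discs = [make_disclosure(n, v) for n, v in sd_claims.items()]
    payload = dict(clear, _sd_alg="sha-256", _sd=sorted(digest(d) for d in discs))
    jwt = ".".join(b64url(json.dumps(p).encode()) for p in ({"alg": "ES256"}, payload))
    return jwt + ".PLACEHOLDER_SIG~" + "~".join(discs) + "~"

def audit(sd_jwt: str, required_in_clear=("iss", "exp", "cnf")) -> list[str]:
    """Policy check to run after signature verification: security-critical claims
    must be plaintext in the payload, never behind a disclosure a holder can drop."""
    parts = sd_jwt.split("~")
    payload = json.loads(unb64url(parts[0].split(".")[1]))
    problems = []
    for d in (p for p in parts[1:] if p and "." not in p):  # skips "" and any KB-JWT
        item = json.loads(unb64url(d))
        if len(item) == 3 and item[1] in SECURITY_CRITICAL:  # [salt, name, value]
            problems.append(f"{item[1]} is selectively disclosable")
    for name in required_in_clear:
        if name not in payload:
            problems.append(f"{name} missing from plaintext payload")
    return problems

CLEAR = {"iss": "https://issuer.example", "exp": 1700000000,
         "cnf": {"jwk": {"kty": "OKP", "crv": "Ed25519", "x": "PLACEHOLDER"}}}

def demo() -> tuple[list[str], list[str]]:
    good = build_sd_jwt(CLEAR, {"given_name": "Alice"})
    # exp pushed behind a disclosure: a holder could omit it and the verifier sees no expiry.
    bad = build_sd_jwt({k: v for k, v in CLEAR.items() if k != "exp"},
                       {"given_name": "Alice", "exp": 1700000000})
    return audit(good), audit(bad)
```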