Thanks for the review Orie. In hopes of expediting discussion towards a resolution to the blocking comments, I'm going to reply separately to the DISCUSS here first. That's inline below.
On Tue, May 20, 2025 at 9:51 AM Orie Steele via Datatracker <[email protected]> wrote:

> Orie Steele has entered the following ballot position for
> draft-ietf-oauth-selective-disclosure-jwt-19: Discuss
>
> ----------------------------------------------------------------------
> DISCUSS:
> ----------------------------------------------------------------------
>
> ## Discuss
>
> ### Requirements for "aud" in SD-JWT and KB-JWT
>
> ```
> 869 - aud: REQUIRED. The intended receiver of the Key Binding JWT.
> 870 How the value is represented is up to the protocol used and out
> 871 of scope of this specification.
> ```
>
> Is there any need to comment on array vs single audience here, or guidance for
> profiles regarding this?

My intuition thus far has been no (which probably explains why there isn't more comment/guidance in the text). But I can't really think of a reasonable reason to use multiple audience values in a KB-JWT. All the usages that I'm aware of (not exhaustive, obviously, but a reasonable sampling) only use a single value. And the text already kinda implies that it's expected to be a single value. So maybe it'd be better to just make that (a single value as a string) an explicit restriction?

> ```
> 1987 * aud (Audience), although issuers MAY allow individual entries in
> 1988 the array to be selectively disclosable
> ```
>
> Consider addressing the security considerations for "aud" in one place, and
> commenting on the guidance for profiles of both SD-JWT and SD-JWT+KBs.

The security considerations around "aud" are sufficiently different that I'd be very hesitant to try and treat them together. The "aud" claim is required in the KB-JWT while being totally optional and unlikely, in most expected cases, to even appear in the SD-JWT.

> Is it safe to allow selective disclosure within the audience claim?

Noting that most/many SD-JWTs won't have an audience claim and that bit of text is in a section talking about validity claims and when they shouldn't be made selectively disclosable at all, I think it is safe. Allowing selective disclosure within the audience claim means that the verifier will see that the audience claim exists and the holder needs to disclose the element that would make it acceptable to the verifier, but cannot conceal the presence of the claim to bypass its intent.

> Does the safeness vary between SD-JWT and KB-JWT?

It's not allowed and also not possible to make the audience claim selectively disclosable in the KB-JWT. So yes, it does vary, but it varies so much that it's not a useful comparison.
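The distinction argued in this reply (a KB-JWT whose "aud" is a single string, versus an SD-JWT whose "aud" array entries may be selectively disclosable but whose presence cannot be hidden) is illustrated below with an added Python example; this is not code from the draft or from either participant, and the verifier identifier and disclosure values are constructed for the example. It follows the draft's array-element disclosure format (base64url of a JSON `[salt, value]` pair, digested with sha-256) to show that withholding every entry leaves an empty, failing audience check rather than removing the claim.

```python
import base64, hashlib, json, secrets

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_array_disclosure(value) -> str:
    # Array-element disclosure: base64url(JSON([salt, value])); salt is random
    return _b64url(json.dumps([_b64url(secrets.token_bytes(16)), value]).encode())

def digest(disclosure: str) -> str:
    # Default _sd_alg "sha-256" over the ASCII bytes of the encoded disclosure
    return _b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def resolve_aud(sd_jwt_payload: dict, disclosures: list) -> list:
    """Replace disclosed {"...": digest} placeholders in "aud"; drop undisclosed ones."""
    by_digest = {
        digest(d): json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        for d in disclosures
    }
    aud = sd_jwt_payload.get("aud")
    if aud is None:
        return []
    if isinstance(aud, str):          # plain single-valued audience
        return [aud]
    resolved = []
    for entry in aud:
        if isinstance(entry, dict) and "..." in entry:
            if entry["..."] in by_digest:
                resolved.append(by_digest[entry["..."]][1])   # [salt, value]
            # undisclosed placeholder: removed, yet "aud" itself stays visible
        else:
            resolved.append(entry)     # entry issued in the clear
    return resolved

def sd_jwt_aud_ok(payload: dict, disclosures: list, my_id: str) -> bool:
    # SD-JWT: "aud" is optional; when present, the verifier must be among the
    # entries that were actually disclosed to it
    if "aud" not in payload:
        return True
    return my_id in resolve_aud(payload, disclosures)

def kb_jwt_aud_ok(kb_payload: dict, my_id: str) -> bool:
    # KB-JWT: "aud" is REQUIRED and, as proposed in the thread, a single string
    # (treating an array here as a rejection is this example's assumption)
    aud = kb_payload.get("aud")
    return isinstance(aud, str) and aud == my_id
```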
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]
