Mike Bishop has entered the following ballot position for draft-ietf-oauth-selective-disclosure-jwt-19: No Objection

When responding, please keep the subject line intact and reply to all email addresses included in the To and CC lines. (Feel free to cut this introductory paragraph, however.)

Please refer to https://www.ietf.org/about/groups/iesg/statements/handling-ballot-positions/ for more information about how to handle DISCUSS and COMMENT positions.

The document, along with other ballot positions, can be found here:
https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

----------------------------------------------------------------------
COMMENT:
----------------------------------------------------------------------

Thank you for your work on this document. It looks solid; my comments below are intended to improve the document and can be incorporated at the discretion of the authors and the responsible AD.

As others have noted, introduce the term SD-JWT in the Introduction and fully expand it in the title of the document. It also feels slightly strange that the title of the document is only one of the two primary formats defined within it. Is there a title that would encompass both?

SD-JWT and KB-JWT probably don't need definitions in the Terminology section, as they've already been introduced in 1.1 and the entire document is their definition.

Section 3:

- "For data that the Holder does not want to reveal to the Verifier, the Holder MUST NOT send Disclosures or reveal the salt values in any other way." This isn't a normative requirement, it's a statement of what this specification enabled. For data that the Holder does not want to reveal to the Verifier, it can withhold the associated Disclosure and the Verifier will not be able to recover the content from the JWT.
- Remove "(for those who celebrate)"

Section 4.1: The payload here is specifically a JWT, not just a "JSON structure" or "JSON object", no? Use that more specific term, if so.
