Denis: As I noted when closing the issue, the threat is out of scope for the JWT BCP.
On Mon, Nov 17, 2025 at 3:47 PM Denis <[email protected]> wrote:
> Hello Dick,
>
> Why not say what you wrote in the document?
>
> The threat exists (and should not be ignored). While this document describes implementation considerations, the way to counter this threat is not described in this document.
>
> Selective disclosure deployment of SD-JWTs will be insecure until / unless counter-measures are taken. These counter-measures are thus critical.
>
> At the moment, people reading the draft might believe that following all these best practices will mean a safe and secure implementation. However, this will not be the case.
>
> Denis
>
> PS. I switched to the mailing list as you closed the issue without allowing me to respond on GitHub.
>
> *dickhardt* left a comment (oauth-wg/draft-ietf-oauth-rfc8725bis#15)
> <https://github.com/oauth-wg/draft-ietf-oauth-rfc8725bis/issues/15#issuecomment-3542433019>
>
> @Denisthemalice <https://github.com/Denisthemalice>
>
> Thanks for raising this. The scenario you describe is absolutely a real-world threat, but it results from key-management and TEE isolation failures, not from any behavior specific to JWTs or JOSE.
>
> The JWT BCP focuses narrowly on how to create, validate, and use JWTs safely (algorithm verification, claim validation, confusion/substitution prevention, cryptographic parameter limits, etc.).
>
> The TEE scenario is an operational/platform issue: multiple applications are allowed to use the same signing key. JWTs (or any other token type) cannot defend against a compromised or overly-permissive key environment.
>
> Therefore this threat is out of scope for this document, and I am closing this issue. It is better covered by platform security guidance, key-attestation requirements, or the SD-JWT deployment BCP rather than the JWT BCP.
_______________________________________________
OAuth mailing list -- [email protected]
