Hi!

Here's my review/feedback of draft-ietf-oauth-sd-jwt-vc-13.

Overall, it looks great! A few general feedback items and some nits.


An example of a VCT that is versioned would be helpful (e.g. 
https://betelgeuse.example.com/education_credential/v1 or something similar)

Should "Verifiable Credential(s)" be lowercase throughout (e.g. verifiable 
credentials), to avoid confusion with W3C Verifiable Credentials?  Another 
alternative would be to use "verifiable digital credentials" which has been 
used lately in many circles to refer to the higher level "thing" for exactly 
this reason.


6.3.1
The Type Metadata is retrieved using the HTTP GET method. The response MUST be 
a JSON object as defined in Section 6.2.
      Should this also mention the content type and expected HTTP code? 
(application/json & 200 OK)


11.3

 If such behaviour is detected, Verifiers are advised to reject SD-JWT VCs 
issued by those Issuers.
      Should this also say that verifiers should not fetch the issuer metadata 
in cases where this is detected?

Holders are advised to reject SD-JWT VCs if they contain easily correlatable 
information in the Issuer identifier.
      I found this text to be a bit out of place, as it seems to be making 
recommendations to holders, which are not the audience of this spec. I think 
reframing this to be something actionable for a credential manager might make 
more sense (e.g. credential managers may want to surface a warning and let the 
holder reject).


Nits

1.1
In the so-called Issuer-Holder-Verifier Model, Issuers
I think it would be useful to say "also sometimes referred to as the 'three 
party model'".


3.4
It depends on the Verifier policy to reject or accept a presentation of a 
SD-JWT VC based on the status of the Verifiable Credential.

      Proposed alternate text: “Verifier policy decides whether to reject or 
accept a presentation of a SD-JWT VC based on the status of the Verifiable 
Credential.”

6.1
Note: The hash of the Type Metadata document

      I think this could benefit from a "See"-type reference to section 7 
(document integrity)


8.1.2.2
Consuming application MUST preprocess
      "The consuming..." or "Consuming applications"

11.1
The Privacy Considerations in Section 10.1 of 
[I-D.ietf-oauth-selective-disclosure-jwt] apply especially to the cnf claim.
      Add comma after "apply"
_______________________________________________
OAuth mailing list -- [email protected]
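The 6.3.1 comment above asks that the Type Metadata fetch also pin down the HTTP status and Content-Type, and the 6.1 nit points at the document integrity check in Section 7. The following is an added example, written for this page and not code from the draft or from the reviewer, of how a Verifier might validate a retrieved Type Metadata response end to end: status 200, application/json, the vct#integrity hash compared before the body is parsed, then a check that the document is a JSON object whose vct matches the credential's. The versioned VCT URL is the one proposed in the review; the metadata document, the HttpResponse stand-in, and the SRI-style "sha256-<base64>" integrity encoding are assumptions made so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample (not from the draft): the versioned VCT suggested in the
# review, and a Type Metadata document an Issuer might serve at that URL.
VCT = "https://betelgeuse.example.com/education_credential/v1"
SAMPLE_BODY = json.dumps({
    "vct": VCT,
    "name": "Education Credential v1",
    "description": "Constructed example type metadata",
}).encode()
# The value the SD-JWT VC would carry in its vct#integrity claim for this body.
# Assumption: Subresource-Integrity style "sha256-<standard base64>" encoding.
SAMPLE_INTEGRITY = "sha256-" + base64.b64encode(
    hashlib.sha256(SAMPLE_BODY).digest()).decode()


@dataclass
class HttpResponse:
    """Minimal stand-in for an HTTP client response (assumed shape, offline)."""
    status: int
    headers: dict = field(default_factory=dict)
    body: bytes = b""


class TypeMetadataError(Exception):
    """Raised with a short machine-readable reason for the failed check."""
    def __init__(self, reason: str, detail: str = ""):
        super().__init__(f"{reason}: {detail}" if detail else reason)
        self.reason = reason


def _expected_digest(integrity: str) -> bytes:
    """Decode an SRI-style integrity string into the raw expected hash."""
    alg, sep, b64 = integrity.partition("-")
    if not sep or alg != "sha256":
        raise TypeMetadataError("integrity", f"unsupported algorithm {alg!r}")
    try:
        return base64.b64decode(b64, validate=True)
    except ValueError as e:  # binascii.Error is a ValueError
        raise TypeMetadataError("integrity", "malformed base64") from e


def validate_type_metadata_response(vct: str, resp: HttpResponse,
                                    integrity: Optional[str] = None) -> dict:
    """Return the Type Metadata object, or raise TypeMetadataError.

    Checks, in order: HTTP 200; Content-Type application/json; the body hash
    against vct#integrity (when the credential supplied one) BEFORE parsing,
    so untrusted bytes are never fed to the JSON parser unverified; the body
    is a JSON object; and its vct names the type we asked for (assumed check).
    """
    if resp.status != 200:
        raise TypeMetadataError("status", f"got {resp.status}")
    headers = {k.lower(): v for k, v in resp.headers.items()}
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/json":
        raise TypeMetadataError("content-type", ctype or "missing")
    if integrity is not None:
        actual = hashlib.sha256(resp.body).digest()
        if not hmac.compare_digest(actual, _expected_digest(integrity)):
            raise TypeMetadataError("integrity", "hash mismatch")
    try:
        doc = json.loads(resp.body)
    except ValueError as e:
        raise TypeMetadataError("json", str(e)) from e
    if not isinstance(doc, dict):
        raise TypeMetadataError("not-object", type(doc).__name__)
    if doc.get("vct") != vct:
        raise TypeMetadataError("vct", f"{doc.get('vct')!r} != {vct!r}")
    return doc


def try_validate(vct: str, resp: HttpResponse,
                 integrity: Optional[str] = None) -> Optional[str]:
    """Convenience wrapper: None on success, otherwise the failure reason."""
    try:
        validate_type_metadata_response(vct, resp, integrity)
    except TypeMetadataError as e:
        return e.reason
    return None


if __name__ == "__main__":
    good = HttpResponse(200, {"Content-Type": "application/json; charset=utf-8"}, SAMPLE_BODY)
    print(try_validate(VCT, good, SAMPLE_INTEGRITY))                       # None
    tampered = HttpResponse(200, {"Content-Type": "application/json"}, SAMPLE_BODY + b" ")
    print(try_validate(VCT, tampered, SAMPLE_INTEGRITY))                   # integrity
    print(try_validate(VCT, HttpResponse(200, {"Content-Type": "text/html"}, SAMPLE_BODY)))
```

The integrity comparison deliberately runs before json.loads so that a mismatching document is rejected without ever being parsed, and the Content-Type check tolerates parameters such as charset while still refusing anything that is not application/json.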