Appreciate the review Tim. I just want to give an initial acknowledgement and thanks. We'll work to address nits and respond to questions/comments.
On Mon, Dec 1, 2025 at 2:26 PM Tim Cappalli <timcappalli= [email protected]> wrote:

> Hi!
>
> Here's my review/feedback of draft-ietf-oauth-sd-jwt-vc-13.
>
> Overall, it looks great! A few general feedback items and some nits.
>
> An example of a VCT that is versioned would be helpful (e.g. https://betelgeuse.example.com/education_credential/v1 or something similar).
>
> Should "Verifiable Credential(s)" be lowercase throughout (e.g. verifiable credentials), to avoid confusion with W3C Verifiable Credentials? Another alternative would be to use "verifiable digital credentials", which has been used lately in many circles to refer to the higher level "thing" for exactly this reason.
>
> 6.3.1
>
> The Type Metadata is retrieved using the HTTP GET method. The response MUST be a JSON object as defined in Section 6.2.
>
> Should this also mention the content type and expected HTTP code? (application/json & 200 OK)
>
> 11.3
>
> If such behaviour is detected, Verifiers are advised to reject SD-JWT VCs issued by those Issuers.
>
> Should this also say that verifiers should not fetch the issuer metadata in cases where this is detected?
>
> Holders are advised to reject SD-JWT VCs if they contain easily correlatable information in the Issuer identifier.
>
> I found this text to be a bit out of place, as it seems to be making recommendations to holders, which are not the audience of this spec. I think reframing this to be something actionable for a credential manager might make more sense (e.g. credential managers may want to surface a warning and let the holder reject).
>
> *Nits*
>
> 1.1
>
> In the so-called Issuer-Holder-Verifier Model, Issuers
>
> I think it would be useful to say "also sometimes referred to as the 'three party model'".
>
> 3.4
>
> It depends on the Verifier policy to reject or accept a presentation of a SD-JWT VC based on the status of the Verifiable Credential.
>
> Proposed alternate text: "*Verifier policy decides whether to reject or accept a presentation of a SD-JWT VC based on the status of the Verifiable Credential.*"
>
> 6.1
>
> Note: The hash of the Type Metadata document
>
> I think this could benefit from a "See"-type reference to section 7 (document integrity).
>
> 8.1.2.2
>
> Consuming application MUST preprocess
>
> "The consuming..." or "Consuming applications"
>
> 11.1
>
> The Privacy Considerations in Section 10.1 of [I-D.ietf-oauth-selective-disclosure-jwt] apply especially to the cnf claim.
>
> Add comma after "apply".
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
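The checks raised in the review of 6.3.1 and 6.1 above (expected HTTP status code, expected content type, response MUST be a JSON object, and the Type Metadata hash from section 7) can be expressed as a small validation routine. The following is an added example written for this thread; it is not code from the draft or from any of its authors. It assumes an SRI-style integrity string of the form `<alg>-<base64 digest>` (an assumption about section 7, not text from this thread), and the response status, headers and body are handed in rather than fetched, so it runs offline against a constructed sample document.

```python
import base64
import hashlib
import json


class TypeMetadataError(ValueError):
    """Raised when a Type Metadata response fails one of the checks."""


def _media_type(content_type):
    """Return the bare media type of a Content-Type header, lowercased,
    with parameters such as charset stripped."""
    if content_type is None:
        return ""
    return content_type.split(";", 1)[0].strip().lower()


def sri_hash(body, alg="sha256"):
    """Compute an SRI-style integrity value ("<alg>-<base64 digest>") over the
    raw document bytes. The SRI format is an assumption in this example."""
    digest = getattr(hashlib, alg)(body).digest()
    return f"{alg}-{base64.b64encode(digest).decode('ascii')}"


def _check_integrity(body, integrity):
    """Verify that the bytes received match the pinned integrity value."""
    try:
        alg, expected_b64 = integrity.split("-", 1)
    except ValueError:
        raise TypeMetadataError("malformed integrity value")
    if alg not in ("sha256", "sha384", "sha512"):
        raise TypeMetadataError(f"unsupported integrity algorithm: {alg}")
    if sri_hash(body, alg) != integrity:
        raise TypeMetadataError("Type Metadata document does not match integrity hash")


def validate_type_metadata_response(status, headers, body, integrity=None):
    """Validate a fetched Type Metadata document: 200 OK, application/json,
    a JSON object, and (when an integrity value is supplied) a matching hash
    over the exact bytes received. Returns the parsed object."""
    if status != 200:
        raise TypeMetadataError(f"unexpected HTTP status {status}")
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type")
    if _media_type(ctype) != "application/json":
        raise TypeMetadataError(f"unexpected Content-Type: {ctype!r}")
    if integrity is not None:
        _check_integrity(body, integrity)  # hash the raw bytes before parsing
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise TypeMetadataError(f"body is not valid JSON: {exc}")
    if not isinstance(doc, dict):
        raise TypeMetadataError("Type Metadata MUST be a JSON object")
    return doc


def rejects(status, headers, body, integrity=None):
    """True if the response is rejected; convenient for tabletop checks."""
    try:
        validate_type_metadata_response(status, headers, body, integrity)
    except TypeMetadataError:
        return True
    return False


# Constructed sample response; not a real Type Metadata document.
SAMPLE_BODY = json.dumps({
    "vct": "https://betelgeuse.example.com/education_credential/v1",
    "name": "Education Credential (constructed example)",
}).encode("utf-8")
SAMPLE_HEADERS = {"Content-Type": "application/json; charset=utf-8"}

if __name__ == "__main__":
    doc = validate_type_metadata_response(
        200, SAMPLE_HEADERS, SAMPLE_BODY, sri_hash(SAMPLE_BODY))
    print("accepted:", doc["vct"])
    for status, headers, body in [
        (404, SAMPLE_HEADERS, b"not found"),
        (200, {"Content-Type": "text/html"}, SAMPLE_BODY),
        (200, SAMPLE_HEADERS, b"[1, 2, 3]"),
    ]:
        try:
            validate_type_metadata_response(status, headers, body)
        except TypeMetadataError as exc:
            print("rejected:", exc)
```

Hashing the raw bytes before parsing matters: a re-serialised JSON object can differ from the bytes the Issuer hashed (key order, whitespace), so the integrity comparison is made on what was actually received.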
