Hi David,
Thank you for the feedback.
Blinding claim names has been considered.
Here is the issue:
https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues/3
We made a choice not to hash claim names because SD-JWT already reveals
information about the issuer and the schema, and

I’m not entirely sure the OAuth WG is a suitable venue for this kind of
document. It should at least get some review from CFRG, to get feedback on the
crypto aspects.
I have some initial comments about the cryptography being used.
Commitments to claim values are of the form HASH(SALT |

Hi Daniel
Whilst I commend your initial efforts at SD, I find that the
current draft is too privacy invasive since it reveals to the RP
every property type that the user possesses, even though it does
not reveal the property values. Revealing property types might

Hi Daniel,
The key sentence from the introduction is the following sentence:
However, when a signed JWT is intended to be multi-use, it needs to
contain the superset of all claims
the user might want to release to verifiers at some point.
Before diving into the proposed solution, it

All,
Kristina and I would like to bring to your attention a new draft that we
have been working on with many others over the past weeks. "Selective
Disclosure JWT (SD-JWT)" describes a format for signed JWTs that support
selective disclosure (SD-JWT), enabling sharing only a subset of the