As someone with some experience in this space, I believe it's reasonable to
acknowledge that the layering within JWS/JWT is not perfectly clean.
Consequently, reasonable-sounding arguments can be made for placing the
"_sd_hash" either in the header or the payload. Ultimately, this is
somewhat subje

Dick,
I would like to point out that `_sd` won't just be present at the top
level. It could be present arbitrarily deep in the object hierarchy. There
is an excellent chance that some hierarchy of JWTs already has an `sd`
claim (claims deeper than the top level are not currently covered by an
IANA

I have a few points here as well:
1) The hash algorithm should be in the header. It is not a claim. It
describes how to process the rest of the text in the token. People parse
the header to learn what to do with the rest of the string. That was a key
decision in this format.
2) underscores typica