[OAUTH-WG] Review of draft-ietf-oauth-selective-disclosure-jwt-10
Michael Jones <michael_b_jones@hotmail.com> Mon, 05 August 2024 03:55 UTC
Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 831D8C14F704 for <oauth@ietfa.amsl.com>; Sun, 4 Aug 2024 20:55:24 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.233
X-Spam-Level:
X-Spam-Status: No, score=-1.233 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id u7tAjYved210 for <oauth@ietfa.amsl.com>; Sun, 4 Aug 2024 20:55:19 -0700 (PDT)
Received: from NAM11-CO1-obe.outbound.protection.outlook.com (mail-co1nam11olkn2056.outbound.protection.outlook.com [40.92.18.56]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 996D1C14F5FC for <oauth@ietf.org>; Sun, 4 Aug 2024 20:55:19 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=n6bmx+LtTqPwZjEOWv2rXpKmjYnAjsnHY6TWDv2vQy5vxkMHdSKFY1c6d/Mo9y+uS36cjujx4+VRhL92GmanBC6J2msXVI76pGFjwNFfRSXaQRp+2qg1+Szt72P53wPxJVQC/Q/WpqLXAIoOxgZSMAJs/UNGy1yETRcXQUyu/rR96Fjutm8+lVtUeEfFxHs/9ygJOEg3LGQ5KXJkByVuweq1O+CG9iZXPmg0bvVbm43esKMwMtqU2gaVqMXuJDElGlIwDrXToerHAvc3isbqU+BpyWMZAq+44qs+H8bkPKNAvLFy/+lL9qlW4axpyj/pLtrlMh1pVyqv9l37r3TgUw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=0DcrUr7DkzGBN08++c1gVldXK3Tvvayq2stA647i2yE=; b=R0zx17EOji7VoSohVDcmK/kTpuwOPCVmYsxx9CJ9IvbczmFKbi+RCp3MUhuJJTTK9v3Ma8JWuf354bVBhYgwvN/1ui1TLuIg15D1EtHHyN0k3Z8pv/JMPO0pxcc/9Q3IGzF7O7ce07kcsqY1wOMoqlDrK7iDasRUS3S1B8mOe/T6KY7OTarBovL+wS/NMpkuM2sDNVTt9s17JHebgNSppwK7yn8f8VZ8HrMNsBIg3LLfB+MmICJ8X70r8kJFYi6CcqgENtQ7hIIZsWyfU8ouqVi0cos2h1+cFfO79JYcmAPPyqjsH/4Ej14VfdcSOMnFuT4t4jkXpA1Tg+oJ0tNdfw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=0DcrUr7DkzGBN08++c1gVldXK3Tvvayq2stA647i2yE=; b=bLca315yjZpfcNU8OG4IlvytJGpJ8NR1R12mJEuNAUm6bHlxioo/nPPJZf4LDulYneoVb7m4JKBmOPGlvLLC/IdkJm2e+eIgRAbQTnbaiK3fYEsfO6v8L5OmhmjyOqB/fMWT2L5pisEKqw9iJGF1v7I/pilzDVRkkY6PvvK6wbWktkTjxh08qDIAlAQA0I6Re6GDpB+Dsy95deYWM7aLSHIv7B9XhNxx+pTlwSuHUw7K/9lm55U1K9Kc596JVdHAByAxBUFeSlfxjhr17VZ+t/O2/XsUa56wp+j2Fvj9tJKTFef8tE/DDVCty3lwopjnK0vHrVVUKmSZlT0xdct5PQ==
Received: from SJ0PR02MB7439.namprd02.prod.outlook.com (2603:10b6:a03:295::14) by MN2PR02MB6912.namprd02.prod.outlook.com (2603:10b6:208:1f4::13) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7828.26; Mon, 5 Aug 2024 03:55:16 +0000
Received: from SJ0PR02MB7439.namprd02.prod.outlook.com ([fe80::6394:e79c:c32a:4c6a]) by SJ0PR02MB7439.namprd02.prod.outlook.com ([fe80::6394:e79c:c32a:4c6a%6]) with mapi id 15.20.7828.023; Mon, 5 Aug 2024 03:55:16 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: "oauth@ietf.org" <oauth@ietf.org>
Thread-Topic: Review of draft-ietf-oauth-selective-disclosure-jwt-10
Thread-Index: AdrmJhlKUE8Q4FTPQrKmubzf1vit5A==
Date: Mon, 05 Aug 2024 03:55:15 +0000
Message-ID: <SJ0PR02MB7439CC07D6FB13A1DAA664E1B7BE2@SJ0PR02MB7439.namprd02.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tmn: [tog2j+159P3AJcu9Gd9reWCaZhWuuGeeurE5r7uXEbfOMj8id5NY5Fw1Sxs6Yk9jqeFGatc3mYE=]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SJ0PR02MB7439:EE_|MN2PR02MB6912:EE_
x-ms-office365-filtering-correlation-id: 01d860a7-e0fa-4dd9-be3d-08dcb5026a6b
x-microsoft-antispam: BCL:0;ARA:14566002|8060799006|461199028|9400799024|12050799009|19110799003|4302099013|3412199025|440099028|102099032|1602099012;
x-microsoft-antispam-message-info: 6eR8PrHNAeAxlNbe2A48oA09cGdDSvhSc9q8pmABPbO1oTXb/QdJ6FPi7nQ6/LXzda51RLTFpAvT732ciiwfxodgKXvSbhQPYWZraIT0EsH4sBAzxorHNo+bvRm/Ydz5gxVt298EDczCaFooHAHIk87Kb40EDBu1uMLrQxvF05rMbKnhGpeBwmv/RhBs2T+ks5r/Ilc/sMy6+VLXVMTWVUPKZjUrgwLxnYkLFi0zOnbvVppiUVukr9ooEVftgpg2PGy/WlhZsA6+yKrrNEEal7+bNdd/+J8UqwUQ+IvB7Dlxx4fK7bI3uL8Rh0s2XtLSTi6lxyTddbs/bRwI25lP989Y9EQ6HuMw3p+rO3qsOWaykE9emnyQJ4WY7ExG1N5xmFlhWQ510ePO+xlheOj8mJPB7XImH6xNNcmLlpbIHr2ds4feC4OosI4L5yY9c2AMFajSIlMKWE1gOegUeIfQl4tq5DKLk6PWVRlA3Pmb7K79ZcXv+9SDRH1TWbxMHgoRFUji5jxRw2mG9j0AP6ZJrvid9jkk/ahZD4dbuDJX6cs9cv3bI7Q9McyiQJ6/rbr0WP8DrrKgRoTF40XxUOQxdf8uWRHNbiaE/9XQ+B9wH22gG85jxXPMR75GqX0RPvewbZK5dYU+kIit9TDkmaC+vr1c/lrpuhjOy613b+HMogUMsfjsKwwi2BCgOe5E4UEDCm3/Vdrxt9+TSaryxnEZVx9tWQ+JrKgsteydi/kCF7rs6mAq7eeDvynyfgjY39gpqy1mWE7WO8T0iRPboBhrHrcN6aOoh6Y9zXgqFzREC3PudsdA1gIcHitrBiomj3+fQVvbUosY/nW+7/ZQBZcDDQ==
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: bNqp9V7MbcqtNLGremhwyAknUWS1YkvtsJ1O2dddLRwn44FCnlBktgNiVwJO7xMag1fpUhZPojNEiO871ovWlm02tQrqEcZl/11PIJhUKTVDzOI3gV6/cWuE3o8rcIcGfM9Kp8yrZUOy+qP/ppTevZ1HxnQeIR1bts8JUY6XCp/o6DncygfeJWuHuMZlU5Db5XHrdXy39RFTSda0pawHyqf78V4iv/T62prvJrYzBuwYTTvjWOEKVtPhhZ7tHyR00BJjlrW0nB4aYA40YjwhvtDJ8FWogwrxNavs/UZZ9P6g/shFfVxEZ32Q0QHKHtqGgnaHyquoBH0WMax9poGc/b/fRA+almpBFNydsEes/9RHji3korQ47rTZx7+PCS16j0Cyn2+43fZGmNgAr9CI0IBw+r7Mzn9+R0IUvxlayA5FmcjRduUlz0ENHJYjQ0fMTcmXYXAzNRtTeJO00b7yQUVuDofw2OBD6HOCw2XYo5GTFcI0MDjskw3DmOCLc1zd3eIxnhjycOMSXGE7FbEGsDyGoC6w7Mux+O/mg/PdrQG7mzxoMMgnkbzcozpSQvGmjvsur1SpYtulonZ3I6EIuLpBQVqCPEqdDyOq2Ug3Zn1UquACyXeVoMYrjrxLu4LAaotmUs75TYGJonfc/AmDEG7ZfP/pMo8A8E72E1YifuiioGBV4pXmpuVugAKTHI4cvViwJNtwolyW7VHezAi4XhjgH6KjPVrTI3j3TuhoWDiZKek82l8D5jJWXwuN9/gKLwpjMSJqA/e5iUrS65qJD7vA/WrZl7JQ0bmxttwOi7wu5Tr7b5b7r4wiHwr6S2Si1EUe4jQsTTA2VVOnCgbLdpBPwHRxVkTgcTHZOp7LOCbZ/mXBmkDRbOcxGQNolprRElom5Zdoahi2ENXa6Ep4TY5ggXppLeIZt5puSLTHKekmTR7CIfOdw1Q7fVEHDT/xEuMrXAQz04XeRY4Yl4yH887gORTOp8ANvtoF2KAYxpqyQkXHpDP7r2xR2DbS9DEfb2meguAHzyouFoPAXzQb4Wc20XS4JSmasxVRnI5Eh1QLmrzAueFQS5MghzSj78JIhswhMEOraPhys+PyEgir1L0+R6zI4wyKOWgTCe946AptfhgxbPfaenyVeJF+QbjtxzD8cTAJ05vQvxVFcm2VvQqmF6IPWgjnYXaQavS4cTbxvA1s1f4bxZ5RtTQZmy1I6l+ESiW1rcdZKOq3Csakv7+515djh086mTikze+Pjcn8d1OYYi5ZZct6tyKsy/HxcmZWJIn7SbK+a2RaQhCb1fl+BTJ38sPhHbGtkpObhBxfGDrSbwMMO/Xlo0qLxAHc
Content-Type: multipart/alternative; boundary="_000_SJ0PR02MB7439CC07D6FB13A1DAA664E1B7BE2SJ0PR02MB7439namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-4755-11-msonline-outlook-99c3d.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SJ0PR02MB7439.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 01d860a7-e0fa-4dd9-be3d-08dcb5026a6b
X-MS-Exchange-CrossTenant-originalarrivaltime: 05 Aug 2024 03:55:15.9752 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: MN2PR02MB6912
Message-ID-Hash: 27PHJVXAVAGQ6NSA2YDGOXLUX3X4U6V6
X-Message-ID-Hash: 27PHJVXAVAGQ6NSA2YDGOXLUX3X4U6V6
X-MailFrom: michael_b_jones@hotmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Review of draft-ietf-oauth-selective-disclosure-jwt-10
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5V6nVIfYw3BxsayLg1iY-YRUxdc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I read https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html in its entirety, resulting in these suggestions. Some are for readability. Some are for consistency with related specifications, including JWT. Some are for security and correctness. The most important comments, including those addressing correctness issues, are in red. Abstract<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#abstract>: In "It encompasses various applications, including but not limited to the selective disclosure of JSON Web Token (JWT) claims.", change "encompasses various" to "can be used for multiple" or "is applicable to multiple". The use of "encompasses" is confusing here, and "various" isn't a strong word. 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: In "However, that does not preclude the mechanism's applicability to other or more general applications of JWS with JSON payloads.", delete "or more general", since it doesn't add anything but length. 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: Change "Web Authorization Protocol (oauth) working group" to "Web Authorization Protocol (OAuth) working group". 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: In "While JWTs with claims describing natural persons are a common use case, the mechanisms defined in this document can be used for other use cases as well." change "can be used for other use cases as well" to "are also applicable other use cases" to tighten the exposition. 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: The usage of "Holder" in "used a number of times by the user (the "Holder" of the JWT)" inconsistent with its usage in the definitions, which defines "Holder" as being "an entity". The usage here in the introduction makes the holder into a person rather than an entity. Please adjust the language here to not confuse the user who utilizes the holder with the holder itself. 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: The use of the undefined terms "verifiable credential" and "credential" in "One example of a multi-use JWT is a verifiable credential, an Issuer-signed credential that contains the claims about a subject, and whose authenticity can be cryptographically verified." will almost certainly cause people to ask you to define them, and then people will argue about the definitions. Get rid of both terms by changing this to "One example of a multi-use JWT is an Issuer-signed token that contains claims about a subject, and whose authenticity can be cryptographically verified." and save us some grief! (Although I see that "credential" is used later. At least ditch "verifiable credential" here!) 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: In ""Claims" here refers to both object properties (name-value pairs) as well as array elements." and all other locations in the spec, change "name-value" to "name/value" for consistency with the notation in the "Claim" definition at https://www.rfc-editor.org/rfc/rfc7519.html#section-2. 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: In ""Claims" here refers to both object properties (name-value pairs) as well as array elements." change "array elements" to "elements in arrays that are the values of name/value pairs" (or something like that). Without saying what the array elements are, readers will be confused about what's being referred to. I'd apply this clarification in 4.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-4.1> SD-JWT and Disclosures<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-sd-jwt-and-disclosures> and other applicable locations as well. 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: In "they hold the private key associated to the SD-JWT", change "associated to" to "associated with". 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>: During IESG and/or RFC Editor review, we're likely going to be asked to add a reference for JSON-LD at "SD-JWT can be used with any JSON-based representation of claims, including JSON-LD." If we don't want that, I'd delete ", including JSON-LD" now. 1.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.1> Feature Summary<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-feature-summary>: Shorten both uses of "The definition in this document comprises the following:" to "This comprises the following:" to tighten the exposition. 1.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.1> Feature Summary<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-feature-summary>: In "A format for enabling selective disclosure in nested JSON data structures, supporting selectively disclosable object properties (name-value pairs) and array elements", consider expanding "array elements" in the same manner as the preceding comment to make the meaning more evident. 1.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.1> Feature Summary<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-feature-summary>: In "A facility for associating an SD-JWT to a key pair", change "to a key pair" to "with a key pair", as it reads more naturally. 1.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.2> Conventions and Terminology<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-conventions-and-terminology>: I suggest moving the "base64url" definition to the Terms and Definitions section and use a parallel structure to that at https://www.rfc-editor.org/rfc/rfc7519.html#section-2. Specifically, say "The "base64url" term denotes the URL-safe base64 encoding without padding defined in Section 2 of [RFC7515]." Then introduce the rest of the definitions with the phrase "These terms are defined by this specification:" as is done in RFC 7519. The current presentation is fairly jarring. 1.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.2> Conventions and Terminology<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-conventions-and-terminology>: Change "Selective disclosure" to "Selective Disclosure". 4.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-4.3> Optional Key Binding<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-optional-key-binding>: Change "use-case" to "use case". 4.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-4.3> Optional Key Binding<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-optional-key-binding>: This disclaimer seems too strong: "Note: How the public key is included in SD-JWT is out of scope of this document. It can be passed by value or by reference.". I suggest changing this to "Means of including or referencing the public key in the SD-JWT are described in 5.1.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.1.2> Key Binding<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-key-binding>." 5.2.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.1> Disclosures for Object Properties<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosures-for-object-prop>: In "It is RECOMMENDED to base64url-encode minimum 128 bits of cryptographically secure random data", insert "a" before "minimum". Also, consider moving "See Section 10.3<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#salt-entropy> for security considerations." to the end of the paragraph. 5.2.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.1> Disclosures for Object Properties<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosures-for-object-prop>: In "The value MAY be of any type that is allowed in JSON, including numbers, strings, booleans, arrays, and objects.", consider adding "null". Likewise in 5.2.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.2> Disclosures for Array Elements<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosures-for-array-eleme>. 5.2.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.1> Disclosures for Object Properties<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosures-for-object-prop>: In "US-ASCII [RFC0020<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#RFC0020>]", consider changing "RFC0020" to the more readable and standard "RFC20", matching the reference identifier used at https://www.rfc-editor.org/rfc/rfc7519.html#section-13.1. 5.2.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.2> Disclosures for Array Elements<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosures-for-array-eleme>: Some readers and implementers will be confused at this point because the array disclosure doesn't indicate what Claim Name the disclosed array element corresponds to. Please say here how the Claim Name information is communicated. At the very least, add a forward reference saying that the way the array element disclosure is associated with the Claim Name is described in 5.2.4.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.4.2> Array Elements<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-array-elements>. 5.2.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.3> Hashing Disclosures<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-hashing-disclosures>: Consider changing "(often used)" to "(sometimes used)". 5.2.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.3> Hashing Disclosures<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-hashing-disclosures>: Change "For example, the SHA-256 digest of the Disclosure" to "For example, the base64url-encoded SHA-256 digest of the Disclosure" . And add "base64url-encoded" to the second example as well (for correctness). 5.2.4.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.4.1> Object Properties<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-object-properties>: Change "family_name" to "given_name" to match the example. 5.2.4.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.4.2> Array Elements<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-array-elements>: I suggest adding an example also enabling disclosing a second array element, so that the syntax will be clear to readers. In other words, show what "unless a matching Disclosure for the second element is received" would look like. Or add a forward reference showing a place that it's done. 5.2.6. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.2.6> Recursive Disclosures<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-recursive-disclosures>: Change "conceal presence" to "conceal the presence". 5.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.3> Key Binding JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-key-binding-jwt>: Change "MUST NOT be none." to "It MUST NOT be "none".". 5.3.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.3.2> Validating the Key Binding JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-validating-the-key-binding->: In "if the SD-JWT contains a cnf value with a jwk member, the Verifier could parse the provided JWK and use it to verify the Key Binding JWT.", change "could" to "MUST". Make this normative to increase interoperability! 6.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-6.1> Issuance<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-issuance>: In "The Issuer is using the following input claim set:", consider changing "claim set" to "JWT Claims Set", so that you're using the standard JWT claims terminology. Or at least, change "claim set" to "Claims Set" (plural) wherever "claim set" is currently used, such as also in 7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-7> Considerations on Nested Data in SD-JWTs<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-considerations-on-nested-da>. 6.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-6.1> Issuance<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-issuance>: There are many places from here on where the label "SHA-256 Hash" is used, for instance "SHA-256 Hash: jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4". Change all of these to "Base64url-Encoded SHA-256 Hash" for correctness. 6.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-6.1> Issuance<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-issuance>: Change "The payload is then signed by the Issuer to create a JWT like the following:" to "The payload is then signed by the Issuer to create the JWT:" 6.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-6.1> Issuance<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-issuance>: Change "The issued SD-JWT might look as follows:" to "The issued SD-JWT would be as follows:" or "The issued SD-JWT would be:". 6.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-6.1> Issuance<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-issuance>: Change "The following Key Binding JWT payload was created and signed for this presentation by the Holder:" to "The following Key Binding JWT Claims Set was created and signed for this presentation by the Holder:", again, to use the standard JWT claims terminology. 7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-7> Considerations on Nested Data in SD-JWTs<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-considerations-on-nested-da>: Change "Important: The following examples" to "Note that the following examples". It's more standard exposition and less jarring. 7.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-7.2> Example: Structured SD-JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-example-structured-sd-jwt>: Change "In this case there would be no Disclosure for country since it is provided in the clear." to "In this case, there would be no Disclosure for country, since it is provided in the clear." (adding the two missing commas). 8.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-8.1> Verification of the SD-JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-verification-of-the-sd-jwt>: Delete "nbf" from "claims such as nbf, iat, and exp" and everywhere else in the spec, other than in 10.7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.7> Selectively-Disclosable Validity Claims<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-selectively-disclosable-val>, where both "iat" and "nbf" should be listed, as described in my comment there. "iat" (Issued At) is a standard validity claim in JWT tokens (for instance, ID Tokens), whereas "nbf" (Not Before) is rarely used, since it is only useful when future-dating tokens, which is rare. 8.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-8.2> Processing by the Holder<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-processing-by-the-holder>: In "If the Holder receives an SD-JWT+KB, it SHOULD be rejected.", change "SHOULD" to "MUST". Make it normative and thereby more secure. 9.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-9.1> New Unprotected Header Parameters<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-new-unprotected-header-para>: Change "the representation as a regular SD-JWT MUST be created temporarily" to "the representation as a regular SD-JWT where the JWT uses the JWS Compact Serialization MUST be created temporarily" or something similar. The key point is to indicate that the regular SD-JWT being referenced uses the JWS Compact Serialization for the JWT in the SD-JWT. You also may want to rework this to also eliminate the somewhat ambiguous "using a . character as a separator" language in favor of describing the result as using the JWS Compact Serialization. 10.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.1> Mandatory Signing of the Issuer-signed JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-mandatory-signing-of-the-is>: Change "Any of the JWS asymmetric digital signature algorithms registered in [IANA.JWS.Algorithms<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#IANA.JWS.Algorithms>] can be used, including post-quantum algorithms, when they are ready." to "Any of the JWS asymmetric digital signature algorithms registered in [IANA.JWS.Algorithms<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#IANA.JWS.Algorithms>] meeting the security requirements of the application, as described in the last paragraph of Section 5.2 of [RFC7515], can be used." It's NOT, in general, the case that any registered algorithm can be used. That's up to the application. For instance, "ES512" might be acceptable to the application whereas "RS256" isn't. Also, the post-quantum language seems superfluous and non-actionable, so I'd delete it. 10.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.3> Entropy of the salt<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-entropy-of-the-salt>: Change "salt" to "Salt" in the title. 10.7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.7> Selectively-Disclosable Validity Claims<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-selectively-disclosable-val>: Add "iat (Issued At) to the validity claims list before "nbf", and change "nbf (Not Before)" to "nbf (Not Before) (if present)". "iat" (Issued At) is a standard validity claim in JWT tokens (for instance, ID Tokens), whereas "nbf" (Not Before) is rarely used, since it is only useful when future-dating tokens, which is rare. Change all uses of "nbf" to "iat" elsewhere in the spec. 10.7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.7> Selectively-Disclosable Validity Claims<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-selectively-disclosable-val>: Change "application-specific profile" to "application-specific profiles". 10.10. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.10> Integrity of SD-JWTs and SD-JWT+KBs<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-integrity-of-sd-jwts-and-sd>: In "The specific set of Disclosures, however, is not integrity-protected - the SD-JWT can be modified by adding or removing Disclosures and still be valid.", change the dash to a period or semicolon. 11.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-11.1> Storage of Signed User Data<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-storage-of-signed-user-data>: Change "OpenID Connect" to "OpenID Connect [OpenID.Core]" and add the following reference to the specification: <reference anchor="OpenID.Core" target=https://openid.net/specs/openid-connect-core-1_0.html> <front> <title>OpenID Connect Core 1.0</title> <author fullname="Nat Sakimura" initials="N." surname="Sakimura"> <organization abbrev="NAT.Consulting (was at NRI)">NAT.Consulting</organization> </author> <author fullname="John Bradley" initials="J." surname="Bradley"> <organization abbrev="Yubico (was at Ping Identity)">Yubico</organization> </author> <author fullname="Michael B. Jones" initials="M.B." surname="Jones"> <organization abbrev="Self-Issued Consulting (was at Microsoft)">Self-Issued Consulting</organization> </author> <author fullname="Breno de Medeiros" initials="B." surname="de Medeiros"> <organization abbrev="Google">Google</organization> </author> <author fullname="Chuck Mortimore" initials="C." surname="Mortimore"> <organization abbrev="Disney (was at Salesforce)">Disney</organization> </author> <date day="15" month="December" year="2023"/> </front> </reference> 12. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-12> Acknowledgements<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-acknowledgements>: Please change "Mike Jones" to "Michael B. Jones". (Lots of people share my name so I include my middle initial for disambiguation in professional contexts.) 12. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-12> Acknowledgements<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-acknowledgements>: Consider sorting the acknowledgements alphabetically by last name, which is the usual convention. 13.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-13.2> Media Type Registration<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-media-type-registration> and 13.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-13.3> Structured Syntax Suffix Registration<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-structured-syntax-suffix-re>: In all the Encoding Considerations, change "separated by period ('.') or tilde ('~') characters" to "separated by period ('.') and tilde ('~') characters". 14.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-14.2> Informative References<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-informative-references>: Add the missing date to the reference "[EUDIW.ARF]". And if isn't the most current public ARF reference, please update to the latest one. 14.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-14.2> Informative References<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-informative-references>: Update the reference "[I-D.ietf-oauth-sd-jwt-vc]" to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-04. 14.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-14.2> Informative References<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-informative-references>: Update the reference "[OIDC.IDA]" to https://openid.net/specs/openid-connect-4-identity-assurance-1_0-14.html and be sure to include the (currently missing) date. 14.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-14.2> Informative References<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-informative-references>: Update the reference "[VC_DATA_v2.0]" to use the current editor list and date. (For instance, Orie resigned.) Appendix A. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-A> Additional Examples<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-additional-examples>: Consider changing "Important: The following examples" to "Note that the following examples". "Important" is unnecessarily jarring. A.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-A.1> Simple Structured SD-JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-simple-structured-sd-jwt>: Change "allowing to separately disclose individual members of the claim" to "allowing separate disclosure of individual members of the claim". A.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-A.1> Simple Structured SD-JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-simple-structured-sd-jwt>: Change "The following is how a presentation of the SD-JWT that discloses only region and country of the address property could look like:" to "The following is a presentation of the SD-JWT that discloses only region and country of the address:". Similarly, excise other uses of the extra verbiage "could look like" elsewhere in the specification. A.5. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-A.5> Elliptic Curve Key Used in the Examples<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-elliptic-curve-key-used-in->: Change "The public key used to validate a Key Binding JWT can be found in the examples as the content of the cnf claim." to "The public key used to validate a Key Binding JWT can be found in the examples as the value of the jwk member of the cnf claim." Appendix B. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-B> Disclosure Format Considerations<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosure-format-considera>: Change "particularly useful when the content, like JSON, can have differences but be semantically equivalent." to "particularly useful when the content, like JSON, can have different representations but is semantically equivalent, thus avoiding canonicalization." Appendix B. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-B> Disclosure Format Considerations<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosure-format-considera>: Change "computation over the data need to be performed and verified" to "computation over the data needs to be performed and verified". Appendix B. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#appendix-B> Disclosure Format Considerations<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-disclosure-format-considera>: At the end of the paragraph introduced by "1. Canonicalization", consider adding the sentence "Canonicalization schemes have a long history of creating interoperability problems in practice." Everywhere: Consider changing the name "..." to something more indicative of its function, such as "_sd_element" or "_sd_item". Or alternatively, at least provide rationale for why that non-obvious name was chosen. I hope that you find this review helpful in improving the specification. I look forward to its publication as an RFC and its widespread use! -- Mike
- [OAUTH-WG] Review of draft-ietf-oauth-selective-d… Michael Jones
- [OAUTH-WG] Re: Review of draft-ietf-oauth-selecti… Brian Campbell
- [OAUTH-WG] Re: Review of draft-ietf-oauth-selecti… Kristina Yasuda
- [OAUTH-WG] Re: Review of draft-ietf-oauth-selecti… Denis
- [OAUTH-WG] Re: Review of draft-ietf-oauth-selecti… Giuseppe De Marco
- [OAUTH-WG] Re: Review of draft-ietf-oauth-selecti… Michael Jones
- [OAUTH-WG] Re: Review of draft-ietf-oauth-selecti… Brian Campbell