[OAUTH-WG] Re: Review of draft-ietf-oauth-selective-disclosure-jwt-10

Michael Jones <michael_b_jones@hotmail.com> Sat, 17 August 2024 18:06 UTC

Return-Path: <michael_b_jones@hotmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8FFBAC14F61D for <oauth@ietfa.amsl.com>; Sat, 17 Aug 2024 11:06:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.231
X-Spam-Level:
X-Spam-Status: No, score=-1.231 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FORGED_HOTMAIL_RCVD2=0.874, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=hotmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id CjngW0LzE0GB for <oauth@ietfa.amsl.com>; Sat, 17 Aug 2024 11:06:37 -0700 (PDT)
Received: from CY4PR05CU001.outbound.protection.outlook.com (mail-westcentralusazolkn19010006.outbound.protection.outlook.com [52.103.7.6]) (using TLSv1.2 with cipher ECDHE-ECDSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 392BDC14F60D for <oauth@ietf.org>; Sat, 17 Aug 2024 11:06:37 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector10001; d=microsoft.com; cv=none; b=s7j+VbHJJq+ph0UzE1f+p4xrUFEDkqCCoz6NCU0NVNUFmFyRsfsVvb4V4o94vgZIha0kDRTdb4ouxTLTyQcAeCYWwngJyt26cAMjWUjeX+jfSRr0H5u8rUTCFCc6dHSxEWv9+6fy/fX7ME01N/d0h66d1sAxN7vk0xIbzzDL3y4BbtqmfWaYALaSqiNG/UBor6AuNGSumNivIAL0ej1pobCx19L1lfYmbnMQjozr/Y6EX0dEqbTmdc0/K9Fe+bJch1muRR6AC21PPaO3pB7MdvYDioAUaKrGino85GE6MIvjP6A9xqQ/30/G8xtUue2zLeAv6QgfJUCT9+qulsxXAQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector10001; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=u7giEPLs9eX2M7SY5c50nPijvvKY+A9IWzmHi4QNpLM=; b=WBhXqvFTDhK+/RadU/iAAO53oiVL6BgDw9kb3htG1dgjLBwvdJf9RMk2rSpfKS6D4G6LwkNkRfGKek2CaJISOWB2N+C44QlKeAUevxdjC4IYCUlQfDGwwH1DvvuEoNqK+IRAp85fQ5vQhlsSxSzn1stzCefsyN62fX2lZkifU1SzJeVdi6tlAK+Mx9Pyvcp6i7pDlx7VGs05sPtF7CSTAjXmHwR7WT/CNn3sLT8R2+9d0QnOinFk01K/PxXeAllCCPGFobBnYRacclPYYrUVmiwdXkGGOdsxkvhvAg2YBemezEI2lZ3DFmoxiMrhON7ItwwcBDBCVB2yFEqmBM+hsw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=none; dmarc=none; dkim=none; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=hotmail.com; s=selector1; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=u7giEPLs9eX2M7SY5c50nPijvvKY+A9IWzmHi4QNpLM=; b=ZSdDrBVn/Fp4a6mCFtFy4i/jitvry94VfluLRQnhSE6Fcomv1gKil4CpR0jwTLv2bg7QfaSgMASfIlmrXu9wtT5yJHX4LjwgWYF4jggNMOKKcMfIy5XPXhOluFOoSLP+md6TY/YfjWurqpo6ijpxT3tSUoy7f82bK5B1dTr9FaOL+c0GhZgy4jL9n+9akoiKIKo/OePnLoR8T9ZJ6cRZMX5XfhtrLNE8nae0AmsnDOzgtVVm0lnAWZrlUD6byX/rj/s+n0yfWOEpo3ak49fr/tkSHWBtxbDTAqITnc9zsdph9G/1dLcETXzcbpZ+36tdWwLQaInZ9xt3uZqi/G9mOg==
Received: from SA0PR02MB7434.namprd02.prod.outlook.com (2603:10b6:806:e5::8) by CH2PR02MB6742.namprd02.prod.outlook.com (2603:10b6:610:7a::12) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.7875.21; Sat, 17 Aug 2024 18:06:34 +0000
Received: from SA0PR02MB7434.namprd02.prod.outlook.com ([fe80::6dc3:8fe2:4dbb:d009]) by SA0PR02MB7434.namprd02.prod.outlook.com ([fe80::6dc3:8fe2:4dbb:d009%6]) with mapi id 15.20.7875.018; Sat, 17 Aug 2024 18:06:33 +0000
From: Michael Jones <michael_b_jones@hotmail.com>
To: Kristina Yasuda <yasudakristina@gmail.com>, Brian Campbell <bcampbell@pingidentity.com>
Thread-Topic: [OAUTH-WG] Re: Review of draft-ietf-oauth-selective-disclosure-jwt-10
Thread-Index: AQHa7krfhfw1XwCYC0yBZeOkhOIEfLIrsd1A
Date: Sat, 17 Aug 2024 18:06:33 +0000
Message-ID: <SA0PR02MB743411EE36263FEC5110C393B7822@SA0PR02MB7434.namprd02.prod.outlook.com>
References: <SJ0PR02MB7439CC07D6FB13A1DAA664E1B7BE2@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQRU95pNKEdRFoAOLaKR=QLZZMYE9NoF2Yeg=_cenF=gw@mail.gmail.com> <CAFje9Pi=V+pHriMwa3wSPT7wHLa6J60KRuN8TYXHZKXrRWe1jQ@mail.gmail.com>
In-Reply-To: <CAFje9Pi=V+pHriMwa3wSPT7wHLa6J60KRuN8TYXHZKXrRWe1jQ@mail.gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-tmn: [H1iW5PeNcbBpkv3fPR11esK2dzKaSeWAGFwJ/kyp/jXymzi2J20F//+IUMiKIfjt]
x-ms-publictraffictype: Email
x-ms-traffictypediagnostic: SA0PR02MB7434:EE_|CH2PR02MB6742:EE_
x-ms-office365-filtering-correlation-id: 0950d8fb-56d3-4e14-a8b7-08dcbee7543a
x-microsoft-antispam: BCL:0;ARA:14566002|15080799003|9400799024|19110799003|12050799009|461199028|8060799006|1602099012|4302099013|3412199025|440099028|102099032;
x-microsoft-antispam-message-info: XGcN5Hg7el0xTI5YXG3KgKBF9aFX1EtPDMSnrrsxd1A2iqynOOfuCsP1gYjLazI6iUACYFmgvRuNObHM5XfaxxDpyS3k2qKgi/ZTwQVB2cYAf44W2dWnG6TWreEUe5Z6MTh1xV7uPbxEwNfoTTWIzGOg8HWLhyhTZBWo02I3CufKshsVeK6LG9x3U5UDV75ybULAwOoEQd58yVtMxkO9HiKLE/S3CiaYqsqVi9PpgaBWG+xhZ0oiz70CLLRoIHFStq/PeMSYEceh2ZoFmm0l8H/qNIGT+2sCjnMFUv0gMhvzUR6QNZXdql6tqZNUAfy2paud7NeCi8Uh6Js7A98MM9t65eft+ENkWc2HFXoUZuMvbOReUe8BzBH29/7mz25TssUX/Q83qYlini6gzGyPYzJLbS+Yjas/SPwYgjbUTb/q3uiHZYHd2C4F6YkKDBgv8ZPDPD2FiwkVdd5pYVOTVHs/EP8PGfTAgvUAjF4D/RgnjV//NbCfmaJQOZQm9Km6te3rxTB4nkrHsP/3sawITIG3FyxzTVOgfUwsLteMF2zzkCVFyWWFU/wJyHkWFvZF0KjkCkdrvtRlerqixFzZm4XDLt5poxtWDWbZ+8ML05i/SRvCsExtHrezS+Y62SQlrVzYB+7IRmcx7SZWliYJcxSUnxt1DoytT35iJzYUrmoJWBhhqy7MTsNhLGvFbk3dgZdLZ+eAqjkWqDsOzLALYgocx/kmDSg0Dw/afv+EV1sTO7rHhRcu069zHtzBluLLkfKJm3af2kjlpxsCqO4fBlykZ4AaQhUwWMGELMzxCe22r9Sf1ZvKtcWfv7pPt2O2M1JaqAZYzpIDyvDEm6ev8G/t4Y5BY2RZQwxzko5wJ+Y=
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: d0nYDwO0iktrWwmMHhWgVPCb0EqGs/DPGA2l4Pu6qtYfrq5TR7TX/svKwRgKhiLKnw1ks73gCP+NYrwxBesQnRPyQvyQZda4Pp80uQV1+lMgmOj18TyvshtrjBckvQvg1SUCyAOjQPY2trm006cNQVi9TobZ8eHyyvQqrqsMAreZ+Nttinh8NyudiSrJYx973edmcbG8gT+SgJpZnvV7vryO3gZFPYdnjfLRhN0VY1XAtCiFwHWJEX2BPJZiXf8gEJgluRN2sBVdoyNCvVHOzYPDGMpdcAs/Ya5JgDo/zzepIBLcWKpuOYi062MYao436xqVKakVwEfqIgWQJZ8nZ1liFMSmBj/JitBKqeDhaN5U1PyxEier2lpEXagE7dwW0UB6NyOXlBhI2M/7wbzp0sJ0jN+KkZ4juZpZ1vHG+0h83p8SJlHkbdaZVcL+qZqnIlQDqZGo/RnvqKTwK0Xooxj14Eg5ouMe049DyY1Z0tUwWR7ofymp70tbjKvrCF11WTvUgzddj6t0IpRcz3EI9Im8sLkd3JVxchZUUqQsnX/RIvRmqarmm7zyiJSShzC2vsptBL9LdEZ24AvPsoFkz/w9YBvHxOvP1jWcGBMjr8lrUaK2IG4XrlNwHeqnlEPPb69jEcizRPzw0MaQWcKDKObwSvAOdY2vHhgFrzGdk1+ihyiwFhBf7TOHhfC+CY0aI2z/s4O8DXEudK5cwirOZ7qlHyyh1kT0eYIVywTtI6tKg2EyJOGb7i9vQcfMMmaSSbMziZPdYqwJ9tV8NljGR+ulF0P/hoXX19rBleyAkYkLsPhrNoUYT92KluaKIBPAAMJvkNmNcwBeHgeTSjS+SX0NGhMoOXiNYwGqBt5Y1YRSotIliIanG1PyMjqhtLUBHuiZY2QNGekZq4Ihu95FAh0eDdPKupK+zO2s3rHqfcOdDP5a4iV1Rq//zv2xYGY3E1UvzjBTcYDvW2PzKkdcPWIL4N0XFEN2U89oK1fm6ZzOM+9pEdJukCadpupPLRUDrhRzEIpMLVYw2K9qyq9umzpLp0NFebFDq5eu4loaOhAKBUNu7hvqwHLSdpPxi2BjN0MIBX9gr0CMs0Aru5Q/C97PsmWAOjZTgl3nM///6ToodejtvE+UTTmyqbnqJiTmh/bNjCwLJRKA/ATmpfF6clkPHtmA5RX4uZSC4OzUYbXwX8P3NrMXQza/rCk47q6yReCqqoD26CJfSdfEoLQxLga/gitkDUAnRAwMPrfjy4R8mAr4Azgt8VIEvjqafmKKoRJRTVY3NtdmudyW9phtXJbzigPNPlAkBKyN4JqqBnw=
Content-Type: multipart/alternative; boundary="_000_SA0PR02MB743411EE36263FEC5110C393B7822SA0PR02MB7434namp_"
MIME-Version: 1.0
X-OriginatorOrg: sct-15-20-7719-20-msonline-outlook-0f88b.templateTenant
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-AuthSource: SA0PR02MB7434.namprd02.prod.outlook.com
X-MS-Exchange-CrossTenant-RMS-PersistedConsumerOrg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-CrossTenant-Network-Message-Id: 0950d8fb-56d3-4e14-a8b7-08dcbee7543a
X-MS-Exchange-CrossTenant-originalarrivaltime: 17 Aug 2024 18:06:33.9057 (UTC)
X-MS-Exchange-CrossTenant-fromentityheader: Hosted
X-MS-Exchange-CrossTenant-id: 84df9e7f-e9f6-40af-b435-aaaaaaaaaaaa
X-MS-Exchange-CrossTenant-rms-persistedconsumerorg: 00000000-0000-0000-0000-000000000000
X-MS-Exchange-Transport-CrossTenantHeadersStamped: CH2PR02MB6742
Message-ID-Hash: 5CWDCLGBKS4CRWAUVURE3HPZUUQ6NLBU
X-Message-ID-Hash: 5CWDCLGBKS4CRWAUVURE3HPZUUQ6NLBU
X-MailFrom: michael_b_jones@hotmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "oauth@ietf.org" <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Review of draft-ietf-oauth-selective-disclosure-jwt-10
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ulgKG6F-_RU6S2TaocZpbqEFgzs>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Thanks very much for addressing the majority of my comments and for replying to the rest of them.  I’m replying inline to the remaining ones that I believe should still be addressed.  I’ve deleted the ones from this thread that I’m satisfied with the responses to.

                                                                Best wishes,
                                                                -- Mike

From: Kristina Yasuda <yasudakristina@gmail.com>
Sent: Wednesday, August 14, 2024 6:07 AM
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Cc: Michael Jones <michael_b_jones@hotmail.com>; oauth@ietf.org
Subject: Re: [OAUTH-WG] Re: Review of draft-ietf-oauth-selective-disclosure-jwt-10

Thank you very much, Mike.

Majority of your comments have been incorporated in this PR https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/452, which has been merged.
Below, in bold, please find explanations for the points that have not been reflected.

We appreciate your review.

Best,
Kristina

1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>:  The usage of “Holder” in “used a number of times by the user (the "Holder" of the JWT)” inconsistent with its usage in the definitions, which defines “Holder” as being “an entity”.  The usage here in the introduction makes the holder into a person rather than an entity.  Please adjust the language here to not confuse the user who utilizes the holder with the holder itself.
-> Holder is defined as an entity and a person can be considered an entity. We also have a phrase "the user (the "Holder" of the JWT)" in the introduction. Hence the editors consider the current wording to be sufficient.

Since “Holder” is sometimes used in the spec to refer to the Wallet software and sometimes used to refer to the person using the Wallet, I believe that readers would be well served to make a clear terminological distinction between the two.
 1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1> Introduction<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-introduction>:  In “"Claims" here refers to both object properties (name-value pairs) as well as array elements.” change “array elements” to “elements in arrays that are the values of name/value pairs” (or something like that).  Without saying what the array elements are, readers will be confused about what’s being referred to.  I’d apply this clarification in 4.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-4.1> SD-JWT and Disclosures<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-sd-jwt-and-disclosures> and other applicable locations as well.
->  There is a misunderstanding. the intended meaning here is exactly what the text says: "each element in the array (regardless if it is a name/value pair or not, an array element as a string counts too) can be selectively disclosed".

The fact that a misunderstanding is possible and occurred leads me to believe that a clarification of this phrase is needed.  Readers won’t necessarily know where the “array elements” being referred to occur in the data structures.  That was certainly my experience, hence my initial comment.  Possible wording that’s simpler than my initial proposed wording could be “array elements occurring within Claim values”.  Or clarify it with different wording of your choosing.
1.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.1> Feature Summary<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-feature-summary>:  In “A format for enabling selective disclosure in nested JSON data structures, supporting selectively disclosable object properties (name-value pairs) and array elements”, consider expanding “array elements” in the same manner as the preceding comment to make the meaning more evident.
->  same as above. There is a misunderstanding. the intended meaning here is exactly what the text says: "each element in the array (regardless if it is a name/value pair or not, an array element as a string counts too) can be selectively disclosed".

Same response as my previous comment.
 1.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-1.2> Conventions and Terminology<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-conventions-and-terminology>:  I suggest moving the “base64url” definition to the Terms and Definitions section and use a parallel structure to that at https://www.rfc-editor.org/rfc/rfc7519.html#section-2.  Specifically, say “The “base64url” term denotes the URL-safe base64 encoding without padding defined in Section 2 of [RFC7515].”  Then introduce the rest of the definitions with the phrase “These terms are defined by this specification:” as is done in RFC 7519.  The current presentation is fairly jarring.
-> Current text already points to Section 2 of RFC7515. The editors consider the current definition sufficient and clear enough.

Yes, the definition is clear, but it’s in the wrong place.  Definitions belong in the Terms and Definitions section.  The current location leaves it strangely hang in a different section by itself, separate from the other definitions in the spec.
5.3. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.3> Key Binding JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-key-binding-jwt>:  Change “MUST NOT be none.” to “It MUST NOT be "none".”.
-> Changed to “It MUST NOT be `none`.”. it is exactly the same wording as in DPoP RFC.

The current wording is a sentence fragment – not a complete sentence.  The fact that that error slipped through in DPoP isn’t a reason not to correct it here.
 5.3.2. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-5.3.2> Validating the Key Binding JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-validating-the-key-binding->:  In “if the SD-JWT contains a cnf value with a jwk member, the Verifier could parse the provided JWK and use it to verify the Key Binding JWT.”, change “could” to “MUST”.  Make this normative to increase interoperability!
-> the sentence you point at is an example, so we cannot add a normative statement here. We changed "should" to "would" to reflect the intent behind the suggestion.

OK.  Please address this then by adding this normative sentence at an appropriate place in the specification.  “When the SD-JWT contains a cnf value with a jwk member, this key MUST be used to very the Key Binding JWT.”
 6.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-6.1> Issuance<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-issuance>:  There are many places from here on where the label “SHA-256 Hash” is used, for instance “SHA-256 Hash: jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4”.  Change all of these to “Base64url-Encoded SHA-256 Hash” for correctness.
-> Editors consider it to be sufficiently clear from the specification text that it is a base64url-endoded hash. This would also require changes to the tooling and might unintentionally make the examples harder to read.

The fact remains that the current wording is factually incorrect and therefore needs to be corrected.  If this can be done by updating the tooling, that’s actually good, since it means that it will be consistently corrected everywhere the error occurs.
8.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-8.1> Verification of the SD-JWT<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-verification-of-the-sd-jwt>:  Delete “nbf” from “claims such as nbf, iat, and exp” and everywhere else in the spec, other than in 10.7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.7> Selectively-Disclosable Validity Claims<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-selectively-disclosable-val>, where both “iat” and “nbf” should be listed, as described in my comment there.  “iat” (Issued At) is a standard validity claim in JWT tokens (for instance, ID Tokens), whereas “nbf” (Not Before) is rarely used, since it is only useful when future-dating tokens, which is rare.
-> "nbf" is used merely as an example here. the fact that it might be used rarely does not mean it cannot be used as an example, since it is a registered claim in JWT RFC.

Sure, it’s an example, but the examples should nonetheless reflect best practices.  Please delete “nbf” here.
 10.7. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-10.7> Selectively-Disclosable Validity Claims<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-selectively-disclosable-val>:  Add “iat (Issued At) to the validity claims list before “nbf”, and change “nbf (Not Before)” to “nbf (Not Before) (if present)”.  “iat” (Issued At) is a standard validity claim in JWT tokens (for instance, ID Tokens), whereas “nbf” (Not Before) is rarely used, since it is only useful when future-dating tokens, which is rare.  Change all uses of “nbf” to “iat” elsewhere in the spec.
-> same as above. "nbf" is used merely as an example here. the fact that it might be used rarely does not mean it cannot be used as an example, since it is a registered claim in JWT RFC.

As above, the examples should reflect best practices.  Please at least add “iat” to this list, even if you choose to retain “nbf”.
Everywhere:  Consider changing the name “…” to something more indicative of its function, such as “_sd_element” or “_sd_item”.  Or alternatively, at least provide rationale for why that non-obvious name was chosen.
-> we have extensively bikeshedded this claim name, and this one was chosen because it is concise and natural since '...' is what is used when something is omitted in a list. there seems to have been some misunderstanding how disclosure in the arrays work, so hopefully with the clarifications above, this claim also feels more appropriate than before.

I wouldn’t say that there’s a misunderstanding in how disclosure in arrays work.  Rather, I’d say that the current exposition of array disclosure can leave readers wondering what is meant, and could be improved by the suggested clarifications above.

Thank you for explaining that “…” is intended to be understood as the ellipsis character, and the intuition behind it.  Its usage in that way is slightly odd, since the ellipsis character is used in place of omitted content, whereas in this case it’s used with the opposite meaning to introduce content that is NOT omitted (content that is disclosed).

Be that as it may, I understand very well the reasons for keeping the claim name as it is.  Nonetheless, I think it would be helpful to readers to add a comment when the claim name is introduced about why this otherwise non-obvious claim name was chosen.  The sentence you add could be something like “The claim name “…” was chosen because the ellipsis character, typically entered as three period characters, is used in contexts where content is omitted (not disclosed).”  Or choose your own wording.  Give readers the intuition behind the choice.

Finally, this comment was incompletely addressed:
Section 11.1. <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#section-11.1> Storage of Signed User Data<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-storage-of-signed-user-data>:  Please change “OpenID Connect” to “OpenID Connect [OpenID.Core]” (adding the missing citation).

                                                                Best wishes,
                                                                -- Mike