Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[SD-JWT] iat is now disclosable #196

Closed
peppelinux opened this issue Jan 18, 2024 · 3 comments · Fixed by #201
Closed

[SD-JWT] iat is now disclosable #196

peppelinux opened this issue Jan 18, 2024 · 3 comments · Fixed by #201
Assignees
@peppelinux @fmarino-ipzs
Labels
issuance
Milestone
0.6.0

Comments

@peppelinux
Copy link
Member

here https://github.com/italia/eudi-wallet-it-docs/blob/versione-corrente/docs/en/pid-eaa-data-model.rst#L78

we have to align to this oauth-wg/oauth-sd-jwt-vc#202
@peppelinux peppelinux added this to the 0.6.0 milestone Jan 18, 2024
@fmarino-ipzs fmarino-ipzs mentioned this issue Feb 2, 2024
Merged
5 tasks
@balanza
Copy link
Contributor

balanza commented Feb 2, 2024

This is a good catch as in some scenarios the iat attribute can reveal something about a user's data. So having it selective-disclosable is good. Nevertheless, benefits are almost nullified because of the exp attribute, which is exposed to the same or worse issues - and we cannot hide its value because is a mandatory field for JWT.

Anyway, I agree it's worth being included in our implementation.

@balanza
Copy link
Contributor

balanza commented Feb 2, 2024

About the methodology: I'm not happy about us following other's pull requests and issues. I know the reference it's still a draft and I see the value of keeping up with the changes.

I think a better approach would be to open the issue once a new version is released. I foresee these possible benefits:

  1. We rely upon a complete specification; cherry-picking changes may lead to a partial implementation, which could be unstable and insecure
  2. Readers would know exactly which version of the draft we are referencing, making it easier to audit our specifications for bugs or missing stuff
  3. It helps the team by cadencing the work into focused actions.
  4. We prevent rework, as references' unreleased content may still change (although this is always true for drafts).

What do you guys think? Should we try for the next iterations?

@peppelinux
Copy link
Member Author

our milestone brings as many changes we can to tag our release for our version, the stable release is the one we tag

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@peppelinux peppelinux

@fmarino-ipzs fmarino-ipzs

Labels
issuance
Projects
EUDI Wallet IT Technical Specifications
Status: Done
Milestone
0.6.0
Development

Successfully merging a pull request may close this issue.

Iat disclosable italia/eudi-wallet-it-docs
3 participants
@balanza @peppelinux @fmarino-ipzs