Rework JSON Serialization section

[danielfett]

This addresses Issue #403 and #392

Uses this new branch in sd-jwt-python.

Rendered version: https://drafts.oauth.net/oauth-selective-disclosure-jwt/danielfett/new-json-serialization/draft-ietf-oauth-selective-disclosure-jwt.html

[bc-pi]

My first read of this last sentence had me thinking it was only about using the first signature value for constructing the "Issuer-signed JWT" part for input to the sd_hash.

But I think it's also trying to say that, in the case of multiple signatures in the general serialization, the disclosures can only show up (and be used for constructing the sd_hash input) in the header of first of the signatures array. And that the kb_jwt has to be there too.

And now I see that is what is said in the General JSON Serialization subsection below. Sorry!

But a bit more clarity here might still be good? I don't know that this is that much better but maybe:

Suggested change

	one is used.
	one is used for the Disclosures and Key Binding JWT.

Side note: using only the first one feels kinda icky TBH and the general issue was one reason I'd tried to avoid using the unprotected header for the SD-JWT pieces. But it seems a pragmatic way to do this given all the factors and constraints involved.

[danielfett]

Thanks, I think the clarification is useful! If we can come up with a better way than just using the first disclosure, I would be open to that.

[bc-pi]

Yeah, with the General JSON Serialization and wanting to use the unprotected headers for JAdES, I think that going with the first signature element is probably the most reasonable thing to do.

[bc-pi]

This one needs a doc history entry under -09 :)

[danielfett]

This one needs a doc history entry under -09 :)

Added!