On Wed, Dec 4, 2024, 11:30 AM Rohan Mahy <[email protected]> wrote:
> Hi,
> I don't think there is anything specific to SD-JWT in Section 3.5. It all
> seems like generic JWT handling as profiled by various types of JWTs. Am I
> missing something JWT-specific here?
>

Why wouldn't we just cite the relevant JWT things in this doc then? On my glance at the JWT RFC it seems like we're adding in a bunch of extensions to validation.

> Thanks,
> -rohan
>
> On Wed, Dec 4, 2024 at 10:03 AM Watson Ladd <[email protected]> wrote:
>
>> Some further thoughts:
>>
>> - Do all issuers need to support both to work with all verifiers?
>> - Is there a security risk if we trust issuers based on the iss string
>> and someone gets the domain associated and provides metadata while the
>> issued credentials used X509?
>>
>> Sincerely,
>> Watson
>>
>> _______________________________________________
>> OAuth mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>>
>
