> On 13 May 2025, at 12:52, Stefan Santesson <[email protected]> wrote:
>
> Hi,
>
> We just submitted the following issue on JD JWT GitHub page detailing this
> request.
>
> https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/574
>
> Providing the final stage of this document, we would only do this because it
> is very important, is non breaking and our initial contacts with editors
> suggests that this could be accepted.

I agree with Brian’s points in his other message. I’d also point out that there are some technical issues with the proposal. Most important is that it uses the nonce as the salt input to HKDF, but nothing in the spec says where this nonce comes from or how/whether it is authenticated. See section 3.4 of RFC 5869:

“In particular, an application needs to make sure that salt values are not chosen or manipulated by an attacker. As an example, consider the case (as in IKE) where the salt is derived from nonces supplied by the parties in a key exchange protocol. Before the protocol can use such salt to derive keys, it needs to make sure that these nonces are authenticated as coming from the legitimate parties rather than selected by the attacker”

Generally any kind of challenge value should go in the info not the salt input to HKDF.

Secondly, there is no “HKDF” function defined in that RFC, only individual HKDF-Extract and HKDF-Expand functions.

— Neil
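
The two points in the message above, as an added example that is not part of the original email or of the proposal under discussion: RFC 5869 specifies HKDF-Extract and HKDF-Expand as separate steps, and a challenge value can be bound through info while salt stays at the RFC default. The function `derive_with_challenge`, the label, the length-prefixed info encoding and the sample inputs are assumptions made for illustration.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract, RFC 5869 section 2.2: PRK = HMAC-Hash(salt, IKM)."""
    if not salt:
        salt = bytes(HASH_LEN)  # RFC default when no salt is provided
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand, RFC 5869 section 2.3: T(i) = HMAC(PRK, T(i-1) | info | i)."""
    if length > 255 * HASH_LEN:
        raise ValueError("requested output exceeds 255 * HashLen")
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_with_challenge(ikm: bytes, nonce: bytes, label: bytes,
                          length: int = 32) -> bytes:
    """Hypothetical helper: bind an unauthenticated challenge via info.

    The salt is left at the RFC default, so a party who controls the nonce
    never controls the extraction key. Label and nonce are length-prefixed
    (an encoding chosen for this example) so that different (label, nonce)
    pairs cannot serialise to the same info string.
    """
    info = b"".join(len(p).to_bytes(2, "big") + p for p in (label, nonce))
    prk = hkdf_extract(b"", ikm)
    return hkdf_expand(prk, info, length)


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any specification.
    secret = bytes(range(32))
    for nonce in (b"challenge-A", b"challenge-B"):
        key = derive_with_challenge(secret, nonce, b"example-label")
        print(nonce.decode(), key.hex())
```

Each nonce still yields an independent key, because info is an input to every HMAC block of the Expand step.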
