RFC 9901: Selective Disclosure for JSON Web Tokens
- D. Fett,
- K. Yasuda,
- B. Campbell
Abstract
This specification defines a mechanism for the selective disclosure of individual elements of a JSON data structure used as the payload of a JSON Web Signature (JWS). The primary use case is the selective disclosure of JSON Web Token (JWT) claims.¶
Status of This Memo
This is an Internet Standards Track document.¶
This document is a product of the Internet Engineering Task Force (IETF). It represents the consensus of the IETF community. It has received public review and has been approved for publication by the Internet Engineering Steering Group (IESG). Further information on Internet Standards is available in Section 2 of RFC 7841.¶
Information about the current status of this document, any
errata, and how to provide feedback on it may be obtained at
https://
Copyright Notice
Copyright (c) 2025 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents
(https://
1. Introduction
The exchange of JSON data between systems is often secured against modification using JSON Web Signatures (JWSs) [RFC7515]. A popular application of JWS is the JSON Web Token (JWT) [RFC7519], a format that is often used to represent a user's identity. An ID Token as defined in OpenID Connect [OpenID.Core], for example, is a JWT containing the user's claims created by the server for consumption by a relying party. In cases where the JWT is sent immediately from the server to the relying party, as in OpenID Connect, the server can select at the time of issuance which user claims to include in the JWT, minimizing the information shared with the relying party who validates the JWT.¶
Another model is emerging that fully decouples the issuance of a JWT from its presentation. In this model, a JWT containing many claims is issued to an intermediate party, who holds the JWT (the Holder). The Holder can then present the JWT to different verifying parties (Verifiers) that each may only require a subset of the claims in the JWT. For example, the JWT may contain claims representing both an address and a birthdate. The Holder may elect to disclose only the address to one Verifier, and only the birthdate to a different Verifier.¶
Privacy principles of minimal disclosure in conjunction with this model demand a mechanism enabling selective disclosure of data elements while ensuring that Verifiers can still check the authenticity of the data provided. This specification defines such a mechanism for JSON payloads of JWSs, with JWTs as the primary use case.¶
Selectively Disclosable JWT (SD-JWT) is based on an approach called "salted hashes": For any data element that should be selectively disclosable, the Issuer of the SD-JWT does not include the cleartext of the data in the JSON payload of the JWS structure; instead, a digest of the data takes its place. For presentation to a Verifier, the Holder sends the signed payload along with the cleartext of those claims it wants to disclose. The Verifier can then compute the digest of the cleartext data and confirm it is included in the signed payload. To ensure that Verifiers cannot guess cleartext values of non-disclosed data elements, an additional salt value is used when creating the digest and sent along with the cleartext when disclosing it.¶
To prevent attacks in which an SD-JWT is presented to a Verifier without the Holder's consent, this specification additionally defines a mechanism for binding the SD-JWT to a key under the control of the Holder (Key Binding).
When Key Binding is enforced, a Holder has to prove possession of a private key belonging to a public key contained in the SD-JWT itself.
It usually does so by signing over a data structure containing transaction
1.1. Feature Summary
This specification defines two primary data formats:¶
1.2. Conventions and Terminology
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.¶
- Base64url:
- Denotes the URL-safe base64 encoding without padding defined in Section 2 of [RFC7515].¶
- Claim:
- In this document, refers generally to object properties (name/value pairs) as well as array elements.¶
- Selective Disclosure:
- Process of a Holder disclosing to a Verifier a subset of claims contained in a JWT issued by an Issuer.¶
- Selectively Disclosable JWT (SD-JWT):
- A composite structure, consisting of an Issuer-signed JWT (JWS; see [RFC7515]) and zero or more Disclosures, which supports selective disclosure as defined in this document. It can contain both regular claims and digests of selectively disclosable claims.¶
- Disclosure:
- A base64url
-encoded string of a JSON array that contains a salt, a claim name (present when the claim is a name/value pair and absent when the claim is an array element), and a claim value. The Disclosure is used to calculate a digest for the respective claim. The term Disclosure refers to the whole base64url -encoded string.¶ - Key Binding:
- Ability of the Holder to prove possession of an SD-JWT by proving control over a private key during the presentation. When utilizing Key Binding, an SD-JWT contains the public key corresponding to the private key controlled by the Holder (or a reference to this public key).¶
- Key Binding JWT (KB-JWT):
- A Key Binding JWT is said to "be tied to" a particular SD-JWT when its payload
is signed using the key included in the SD-JWT payload, and the KB-JWT contains
a hash of the SD-JWT in its
sd_hashclaim. Its format is defined in Section 4.3.¶ - Selectively Disclosable JWT with Key Binding (SD-JWT+KB):
- A composite structure, comprising an SD-JWT and a Key Binding JWT tied to that SD-JWT.¶
- Processed SD-JWT Payload:
- The JSON object resulting from verification and processing of the Issuer-signed SD-JWT, with digest placeholders replaced by the corresponding values from the Disclosures.¶
- Issuer:
- An entity that creates SD-JWTs.¶
- Holder:
- An entity that received SD-JWTs from the Issuer and has control over them. In the context of this document, the term may refer to the actual user, the supporting hardware and software in their possession, or both.¶
- Verifier:
- An entity that requests, checks, and extracts the claims from an SD-JWT with its respective Disclosures.¶
3. Concepts
This section describes SD-JWTs with their respective Disclosures and Key Binding at a conceptual level, abstracting from the data formats described in Section 4.¶
3.1. SD-JWT and Disclosures
An SD-JWT, at its core, is a digitally signed JSON document containing digests over the selectively disclosable claims with the Disclosures outside the document. Disclosures can be omitted without breaking the signature, and modifications to them can be detected. Selectively disclosable claims can be individual object properties (name/value pairs) or array elements.¶
Each digest value ensures the integrity of, and maps to, the respective Disclosure. Digest values are calculated using a hash function over the Disclosures, each of which contains a cryptographical
An SD-JWT MAY also contain cleartext claims that are always disclosed to the Verifier.¶
3.2. Disclosing to a Verifier
To disclose to a Verifier a subset of the SD-JWT claim values, a Holder sends only the Disclosures of those selectively released claims to the Verifier as part of the SD-JWT.¶
3.3. Optional Key Binding
Key Binding is an optional feature. When Key Binding is required by the use case, the SD-JWT MUST contain information about the key material controlled by the Holder.¶
When a Verifier requires Key Binding, the Holder presents an SD-JWT+KB, consisting of an SD-JWT as well as a Key Binding JWT tied to that SD-JWT. The Key Binding JWT encodes a signature by the Holder's private key over¶
Details of the format of Key Binding JWTs are described in Section 4.3.¶
3.4. Verification
At a high level, the Verifier¶
The detailed algorithm is described in Section 7.3.¶
4. SD-JWT and SD-JWT+KB Data Formats
An SD-JWT is composed of¶
An SD-JWT+KB is composed of¶
The Issuer-signed JWT, Disclosures, and Key Binding JWT are explained in Sections 4.1, 4.2, and 4.3, respectively.¶
The compact serialized format for the SD-JWT is the concatenation of each part delineated with a single tilde ('~') character as follows, where "D.1" to "D.N" represent the respective Disclosures:¶
The order of the concatenated parts MUST be the Issuer-signed JWT, a tilde character, zero or more Disclosures each followed by a tilde character, and lastly the optional Key Binding JWT. In the case that there is no Key Binding JWT, the last element MUST be an empty string and the last separating tilde character MUST NOT be omitted.¶
The serialized format for an SD-JWT+KB extends the SD-JWT format by concatenating a Key Binding JWT.¶
The two formats can be distinguished by the final ~ character that is present
on an SD-JWT. A Verifier that expects an SD-JWT MUST verify that the final
tilde-separated component is empty. A Verifier that expects an SD-JWT+KB MUST verify
that its final tilde-separated component is a valid KB-JWT.¶
The Disclosures are linked to the Issuer-signed JWT through the digest values included therein.¶
When issuing to a Holder, the Issuer includes all the relevant Disclosures in the SD-JWT.¶
When presenting to a Verifier, the Holder sends only the selected set of the Disclosures in the SD-JWT.¶
The Holder MAY send any subset of the Disclosures to the Verifier, i.e., none, some, or all Disclosures. For data that the Holder does not want to reveal to the Verifier, the Holder MUST NOT send Disclosures or reveal the salt values in any other way. A Holder MUST NOT send a Disclosure that was not included in the issued SD-JWT or send a Disclosure more than once.¶
To further illustrate the SD-JWT format, the following examples show a few different SD-JWT permutations, both with and without various constituent parts.¶
An SD-JWT without Disclosures:¶
An SD-JWT with Disclosures:¶
An SD-JWT+KB without Disclosures:¶
An SD-JWT+KB with Disclosures:¶
As an alternative illustration of the SD-JWT format, ABNF [RFC5234] for the SD-JWT, SD-JWT+KB, and various constituent parts is provided here (for those who celebrate):¶
4.1. Issuer-Signed JWT
An SD-JWT has a JWT component that MUST be signed using the Issuer's private
key. It MUST NOT use the none algorithm.¶
The payload of an SD-JWT is a JSON object according to the following rules:¶
The same digest value MUST NOT appear more than once in the SD-JWT.¶
Application and profiles of SD-JWT SHOULD be explicitly typed. See Section 9.11 for more details.¶
It is the Issuer who decides which claims are selectively disclosable by the Holder and which are not. Claims MAY be included as plaintext as well, e.g., if hiding the particular claims from the Verifier is not required in the intended use case. See Section 9.7 for considerations on making validityexp selectively disclosable.¶
Claims that are not selectively disclosable are included in the SD-JWT in plaintext just as they would be in any other JSON structure.¶
4.1.1. Hash Function Claim
The claim _sd_alg indicates the hash algorithm used by the Issuer to generate
the digests as described in Section 4.2. When used, this claim MUST
appear at the top level of the SD-JWT payload. It
MUST NOT be used in any object nested within the payload. If the _sd_alg
claim is not present at the top level, a default value of sha-256 MUST be used.¶
This claim value is a case-sensitive string with the hash algorithm identifier. The hash algorithm identifier MUST be a hash algorithm value from the "Hash Name String" column in the "Named Information Hash Algorithm Registry" [Hash.Algs] or a value defined in another specification and/or profile of this specification.¶
To promote interoperabilitsha-256 hash
algorithm.¶
See Section 9 for requirements regarding entropy of the salt, minimum length of the salt, and choice of a hash algorithm.¶
4.1.2. Key Binding
If the Issuer wants to enable Key Binding, it includes a public key
associated with the Holder, or a reference thereto, using the cnf claim as defined in [RFC7800].
The jwk confirmation method, as defined in Section 3.2 of [RFC7800], is
suggested for doing so, however, other confirmation methods can be used.¶
It is outside the scope of this document to describe how the Holder key pair is established. For example, the Holder MAY create a key pair and provide a public key to the Issuer, the Issuer MAY create the key pair for the Holder, or Holder and Issuer MAY use pre-established key material.¶
4.2. Disclosures
Disclosures are created differently depending on whether a claim is an object property (name/value pair) or an array element.¶
4.2.1. Disclosures for Object Properties
For each claim that is an object property and that is to be made selectively disclosable, the Issuer MUST create a Disclosure as follows:¶
The following example illustrates the steps described above.¶
The array is created as follows:¶
The resultant Disclosure is:¶
Wy¶
Note that variations in whitespace, encoding of Unicode characters, ordering of object properties, etc., are allowed
in the JSON representation and no canonicalizatio
However, the digest is calculated over the respective base64url
See Appendix B for some further considerations on the Disclosure format approach.¶
4.2.2. Disclosures for Array Elements
For each claim that is an array element and that is to be made selectively disclosable, the Issuer MUST create a Disclosure as follows:¶
The Disclosure string is created by base64url
For example, a Disclosure for the second element of the nationalities array in the following JWT Claims Set:¶
could be created by first creating the following array:¶
The resultant Disclosure would be:¶
Wy¶
4.2.3. Hashing Disclosures
For embedding references to the Disclosures in the SD-JWT, each Disclosure is hashed using the hash algorithm specified in the _sd_alg claim described in Section 4.1.1, or SHA-256 if no algorithm is specified. The resultant digest is then included in the SD-JWT payload instead of the original claim value, as described next.¶
The digest MUST be computed over the US-ASCII bytes of the base64url
It is important to note that:¶
For example, the base64urlWy
for the family_name claim from Section 4.2.1 above is
X9y.¶
4.2.4. Embedding Disclosure Digests in SD-JWTs
For selectively disclosable claims, the digests of the Disclosures are embedded into the Issuer-signed JWT instead of the claims themselves. The precise way of embedding depends on whether a claim is an object property (name/value pair) or an array element.¶
4.2.4.1. Object Properties
Digests of Disclosures for object properties are added to an array under the new
key _sd in the object. The _sd key MUST refer to an array of strings, each
string being a digest of a Disclosure or a decoy digest as described in Section 4.2.5.
An _sd key can be present at any level of the JSON object hierarchy, including at the top-level,
nested deeper as described in Section 6, or in recursive Disclosures as described in Section 4.2.6.¶
The array MAY be empty in case the Issuer decided not to selectively disclose
any of the claims at that level. However, it is RECOMMENDED to omit the _sd
key in this case to save space.¶
The Issuer MUST hide the original order of the claims in the array. To ensure
this, it is RECOMMENDED to shuffle the array of hashes, e.g., by sorting it
alphanumericall
For example, using the digest of the Disclosure from Section 4.2.3,
the Issuer could create the following SD-JWT payload to make family_name
selectively disclosable:¶
4.2.4.2. Array Elements
Digests of Disclosures for array elements are added to the array in the same
position as the original claim value in the array. For each digest, an object
of the form {"...": "<digest>"} is added to the array. The key MUST always be the
string ... (three dots). The value MUST be the digest of the Disclosure created as
described in Section 4.2.3. There MUST NOT be any other keys in the
object. Note that the string ... was chosen because the ellipsis character, typically entered as three period characters, is commonly used in places where content is omitted from the present context.¶
For example, using the digest of the array element Disclosure created in Section 4.2.2,
the Issuer could create the following SD-JWT payload to make the second element
of the nationalities array selectively disclosable:¶
As described in Section 7.3, Verifiers ignore all selectively
disclosable array elements for which they did not receive a Disclosure. In the
example above, the verification process would output an array with only two
elements, ["DE", "US"], unless the matching Disclosure for the second element is received,
in which case the output would be a three-element array, ["DE", "FR", "US"].¶
4.2.5. Decoy Digests
An Issuer MAY add additional digests to the SD-JWT payload that are not associated with
any claim. The purpose of such "decoy" digests is to make it more difficult for
an adversarial Verifier to see the original number of claims or array elements contained in the SD-JWT. Decoy
digests MAY be added both to the _sd array for objects as well as in arrays.¶
It is RECOMMENDED to create the decoy digests by hashing over a
cryptographical
For decoy digests, no Disclosure is sent to the Holder, i.e., the Holder will see digests that do not correspond to any Disclosure. See Section 10.4 for additional privacy considerations.¶
To ensure readability and replicability, the examples in this specification do not contain decoy digests unless explicitly stated. For an example with decoy digests, see Appendix A.1.¶
4.2.6. Recursive Disclosures
The algorithms above are compatible with "recursive Disclosures", in which one selectively disclosed field reveals the existence of more selectively disclosable fields. For example, consider the following JSON structure:¶
When the Holder has multiple nationalities, the Issuer may wish to conceal the presence of any statement regarding nationalities while also allowing the Holder to reveal each of those nationalities individually. This can be accomplished by first making the entries within the "nationalities" array selectively disclosable, and then making the whole "nationalities" field selectively disclosable.¶
The following shows each of the entries within the "nationalities" array being made selectively disclosable:¶
Content of Disclosures:¶
Followed by making the whole "nationalities" array selectively disclosable:¶
Content of Disclosures:¶
With this set of Disclosures, the Holder could include the Disclosure with hash
PmnlrRj... to disclose only the "DE" nationality, or include both PmnlrRj...
and r823HFN... to disclose both the "DE" and "FR" nationalities, but hide the
"UK" nationality. In either case, the Holder would also need to include the
Disclosure with hash 5G1srw3... to disclose the nationalities field that
contains the respective elements.¶
Note that making recursive redactions introduces dependencies between the
Disclosure objects in an SD-JWT. The r823HFN... Disclosure cannot be used
without the 5G1srw3... Disclosure; since a Verifier would not have a matching
hash that would tell it where the content of the r823HFN... Disclosure should
be inserted. If a Disclosure object is included in an SD-JWT, then the SD-JWT
MUST include any other Disclosure objects necessary to process the first
Disclosure object. In other words, any Disclosure object in an SD-JWT must
"connect" to the claims in the issuer-signed JWT, possibly via an intermediate
Disclosure object. In the above example, it would be illegal to include any one
of the PmnlrRj..., r823HFN..., nP5GYjw... Disclosure objects without also
including the 5G1srw3... Disclosure object.¶
4.3. Key Binding JWT
This section defines the Key Binding JWT, which encodes a signature over an SD-JWT by the Holder's private key.¶
The Key Binding JWT MUST be a JWT according to [RFC7519], and it MUST contain the following elements:¶
The general extensibility model of JWT means that additional claims and header parameters can be added to the Key Binding JWT.
However, unless there is a compelling reason, this SHOULD be avoided, as it may harm interoperabilit
4.3.1. Binding to an SD-JWT
The hash value in the sd_hash claim binds the KB-JWT to the specific SD-JWT.
The sd_hash value MUST be computed over the US-ASCII bytes of the
encoded SD-JWT, i.e.,
the Issuer-signed JWT, a tilde character, and zero or more Disclosures selected
for presentation to the Verifier, each followed by a tilde character:¶
The bytes of the digest MUST then be base64url encoded.¶
The same hash algorithm as for the Disclosures MUST be used (defined by
the _sd_alg element in the Issuer-signed JWT or the default value, as defined
in Section 4.1.1).¶
4.3.2. Validating the Key Binding JWT
Whether to require Key Binding is up to the Verifier's policy, based on the set of trust requirements (such as trust frameworks) it belongs to. See Section 9.5 for security considerations.¶
If the Verifier requires Key Binding, the Verifier MUST ensure that the key with which it validates the signature on
the Key Binding JWT is the key specified in the SD-JWT as the Holder's public
key. For example, if the SD-JWT contains a cnf value with a jwk member, the
Verifier would parse the provided JWK and use it to verify the Key Binding JWT.¶
Details of the validation process are defined in Section 7.3.¶
5. Example SD-JWT
In this example, a simple SD-JWT is demonstrated. This example is split into issuance and presentation.¶
5.1. Issuance
The following data about the user comprises the input JWT Claims Set used by the Issuer:¶
In this example, the following decisions were made by the Issuer in constructing the SD-JWT:¶
The following payload is used for the SD-JWT:¶
The respective Disclosures, created by the Issuer, are listed below.
In the text below and in other locations in this specification,
the label "SHA-256 Hash:" is used as a shorthand for the label "Base64url
The payload is then signed by the Issuer to create the following Issuer-signed JWT:¶
Adding the Disclosures produces the SD-JWT:¶
5.2. Presentation
The following non-normative example shows an SD-JWT+KB as
it would be sent from the Holder to the Verifier. Note that it consists of six
tilde-separated parts, with the Issuer-signed JWT as shown above in the beginning,
four Disclosures (for the claims given_name, family_name, address, and one of the
nationalities) in the middle, and the Key Binding JWT as the last element.¶
The following Key Binding JWT payload was created and signed for this presentation by the Holder:¶
If the Verifier did not require Key Binding, then the Holder could have presented the SD-JWT with selected Disclosures directly, instead of encapsulating it in an SD-JWT+KB.¶
After validation, the Verifier will have the following Processed SD-JWT Payload available for further handling:¶
6. Considerations on Nested Data in SD-JWTs
Being JSON, an object in an SD-JWT payload MAY contain name/value pairs where the value is another object or objects MAY be elements in arrays. In SD-JWT, the Issuer decides for each claim individually, on each level of the JSON, whether or not the claim should be selectively disclosable. This choice can be made on each level independent of whether keys higher in the hierarchy are selectively disclosable.¶
From this it follows that the _sd key containing digests MAY appear multiple
times in an SD-JWT, and likewise, there MAY be multiple arrays within the
hierarchy with each having selectively disclosable elements. Digests of
selectively disclosable claims MAY even appear within other Disclosures.¶
The following examples illustrate some of the options an Issuer has. It is up to the Issuer to decide which structure to use, depending on, for example, the expected use cases for the SD-JWT, requirements for privacy, size considerations, or operating environment requirements. For more examples with nested structures, see Appendices A.1 and A.2.¶
The following input JWT Claims Set is used as an example throughout this section:¶
6.1. Example: Flat SD-JWT
The Issuer can decide to treat the address claim as a block that can either be disclosed completely or not at all. The following example shows that in this case, the entire address claim is treated as an object in the Disclosure.¶
The Issuer would create the following Disclosure referenced by the one hash in the SD-JWT:¶
6.2. Example: Structured SD-JWT
The Issuer may instead decide to make the address claim contents selectively disclosable individually:¶
In this case, the Issuer would use the following data in the Disclosures for the address sub-claims:¶
The Issuer may also make one sub-claim of address permanently disclosed and hide only the other sub-claims:¶
In this case, there would be no Disclosure for country, since it is provided in the clear.¶
6.3. Example: SD-JWT with Recursive Disclosures
The Issuer may also decide to make the address claim contents selectively disclosable recursively, i.e., the address claim is made selectively disclosable as well as its sub-claims:¶
The Issuer first creates Disclosures for the sub-claims and then includes their digests in the Disclosure for the address claim:¶
7. Verification and Processing
7.1. Verification of the SD-JWT
Upon receiving an SD-JWT, either directly or as a component of an SD-JWT+KB, a Holder or Verifier needs to ensure that:¶
The Holder or the Verifier MUST perform the following checks when receiving an SD-JWT to validate the SD-JWT and extract the payload:¶
If any step fails, the SD-JWT is not valid, and processing MUST be aborted. Otherwise, the JSON document resulting from the preceding processing and verification steps, herein referred to as the "Processed SD-JWT Payload", can be made available to the application to be used for its intended purpose.¶
7.2. Processing by the Holder
The Issuer provides the Holder with an SD-JWT, not an SD-JWT+KB. If the Holder receives an SD-JWT+KB, it MUST be rejected.¶
When receiving an SD-JWT, the Holder MUST do the following:¶
For presentation to a Verifier, the Holder MUST perform the following (or equivalent) steps (in addition to the checks described in Section 7.1 performed after receiving the SD-JWT):¶
7.3. Verification by the Verifier
Upon receiving a presentation from a Holder, in the form of either an SD-JWT or an SD-JWT+KB, in addition to the checks described in Section 7.1, Verifiers need to ensure that¶
To this end, Verifiers MUST follow the following steps (or equivalent):¶
If any step fails, the presentation is not valid and processing MUST be aborted.¶
Otherwise, the Processed SD-JWT Payload can be passed to the application to be used for the intended purpose.¶
8. JWS JSON Serialization
This section describes an alternative format for SD-JWTs and SD-JWT+KBs using the JWS JSON Serialization from [RFC7515]. Supporting this format is OPTIONAL.¶
8.1. New Unprotected Header Parameters
For both the General and Flattened JSON Serialization, the SD-JWT or SD-JWT+KB is represented as a JSON object according to Section 7.2 of [RFC7515]. The following new unprotected header parameters are defined:¶
-
disclosures: - An array of strings where each element is an individual Disclosure as described in Section 4.2.¶
-
kb_jwt: - Present only in an SD-JWT+KB, the Key Binding JWT as described in Section 4.3.¶
In an SD-JWT+KB, kb_jwt MUST be present when using the JWS JSON Serialization,
and the digest in the sd_hash claim MUST be computed over the SD-JWT as described
in Section 4.3.1. This means that even when using
the JWS JSON Serialization, the representation as a regular SD-JWT Compact Serialization MUST be
created temporarily to calculate the digest. In detail, the SD-JWT Compact Serialization part is built
by concatenating the protected header, the payload, and the signature of the JWS
JSON serialized SD-JWT using a . character as a separator, and using the
Disclosures from the disclosures member of the unprotected header.¶
Unprotected headers other than disclosures are not covered by the digest, and
therefore, as usual, are not protected against tampering.¶
8.2. Flattened JSON Serialization
In the case of Flattened JSON Serialization, there is only one unprotected header.¶
The following is a non-normative example of a JWS JSON serialized SD-JWT as issued using the Flattened JSON Serialization:¶
The following is an SD-JWT+KB with two Disclosures:¶
8.3. General JSON Serialization
In the case of General JSON Serialization, there are multiple unprotected
headers (one per signature). If present, disclosures and kb_jwt MUST be
included in the first unprotected header and MUST NOT be present in any
following unprotected headers.¶
The following is a non-normative example of a presentation of a JWS JSON serialized SD-JWT, including a Key Binding JWT using the General JSON Serialization:¶
8.4. Verification of the JWS JSON Serialized SD-JWT
Verification of the JWS JSON serialized SD-JWT follows the rules defined in Section 3.4, except for the following aspects:¶
9. Security Considerations
The security considerations help achieve the following properties:¶
- Selective Disclosure:
- An adversary in the role of the Verifier cannot obtain information from an SD-JWT about any claim name or claim value that was not explicitly disclosed by the Holder unless that information can be derived from other disclosed claims or sources other than the presented SD-JWT.¶
- Integrity:
-
A malicious Holder cannot modify names or values of selectively disclosable claims without detection by the Verifier.¶
Additionally, as described in Section 9.5, the application of Key Binding can ensure that the presenter of an SD-JWT credential is the Holder of the credential.¶
9.1. Mandatory Signing of the Issuer-Signed JWT
The JWT MUST be signed by the Issuer to protect the integrity of the issued claims. An attacker can modify or add claims if this JWT is not signed (e.g., change the "email" attribute to take over the victim's account or add an attribute indicating a fake academic qualification).¶
The Verifier MUST always check the signature of the Issuer-signed JWT to ensure that it has not been tampered with since its issuance. The Issuer-signed JWT MUST be rejected if the signature cannot be verified.¶
The security of the Issuer-signed JWT depends on the security of the signature algorithm.
Per the last paragraph of Section 5.2 of [RFC7515], it is an
application
9.2. Manipulation of Disclosures
Holders can manipulate the Disclosures by changing the values of the claims before sending them to the Verifier. The Verifier MUST check the Disclosures to ensure that the values of the claims are correct, i.e., the digests of the Disclosures are actually present in the signed SD-JWT.¶
A naive Verifier that extracts all claim values from the Disclosures (without checking the hashes) and inserts them into the SD-JWT payload is vulnerable to this attack. However, in a structured SD-JWT, without comparing the digests of the Disclosures, such an implementation could not determine the correct place in a nested object where a claim needs to be inserted. Therefore, the naive implementation would not only be insecure, but also incorrect.¶
The steps described in Section 7.3 ensure that the Verifier checks the Disclosures correctly.¶
9.3. Entropy of the Salt
The security model that conceals the plaintext claims relies on the high entropy
random data of the salt as additional input to the hash function. The randomness
ensures that the same plaintext claim value does not produce the same digest value. It also
makes it infeasible to guess the preimage of the digest (thereby learning the
plaintext claim value) by enumerating the potential value
space for a claim into the hash function to search for a matching digest value.
It is therefore vitally important that unrevealed salts cannot be learned or guessed,
even if other salts have been revealed. As such, each salt MUST be created
in such a manner that it is cryptographical
The RECOMMENDED minimum length of the randomly generated portion of the salt is 128 bits.¶
The Issuer MUST ensure that a new salt value is chosen for each claim,
including when the same claim name occurs at different places in the
structure of the SD-JWT. This can be seen in the example in Appendix A.2,
where multiple claims with the name type appear, but each of them has
a different salt.¶
9.4. Choice of a Hash Algorithm
To ensure privacy of claims that are selectively disclosable but are not being disclosed in a given presentation, the hash function MUST ensure that it is infeasible to calculate any portion of the three elements (salt, claim name, claim value) from a particular digest. This implies the hash function MUST be preimage resistant and should also not allow an observer to infer any partial information about the undisclosed content. In the terminology of cryptographic commitment schemes, the hash function needs to be computationally hiding.¶
To ensure the integrity of selectively disclosable claims, the hash function MUST be second-preimage resistant. That is, for any combination of salt, claim name, and claim value, it is infeasible to find a different combination of salt, claim name, and claim value that results in the same digest.¶
The hash function SHOULD also be collision resistant. Although not essential to the anticipated uses of SD-JWT, without collision resistance an Issuer may be able to find multiple Disclosures that have the same hash value. In which case, the signature over the SD-JWT would not then commit the Issuer to the contents of the JWT. The collision resistance of the hash function used to generate digests SHOULD match the collision resistance of the hash function used by the signature scheme. For example, use of the ES512 signature algorithm would require a Disclosure hash function with at least 256-bit collision resistance, such as SHA-512.¶
Inclusion in the "Named Information Hash Algorithm Registry" [Hash.Algs]
alone does not indicate a hash algorithm's suitability for use in SD-JWT (it contains several
heavily truncated digests, such as sha-256-32 and sha-256-64, which are unfit for security
applications).¶
9.5. Key Binding
Key Binding aims to ensure that the presenter of an SD-JWT credential is actually the Holder of the credential. An SD-JWT compatible with Key Binding contains a public key, or a reference to a public key, that corresponds to a private key possessed by the Holder. The Verifier requires that the Holder prove possession of that private key when presenting the SD-JWT credential.¶
Without Key Binding, a Verifier only gets the proof that the credential was issued by a particular Issuer, but the credential itself can be replayed by anyone who gets access to it. This means that, for example, after the credential was leaked to an attacker, the attacker can present the credential to any Verifier that does not require a binding. Also, a malicious Verifier to which the Holder presented the credential can present the credential to another Verifier if that other Verifier does not require Key Binding.¶
Verifiers MUST decide whether Key Binding is required for a particular use case before verifying a credential. This decision can be informed by various factors including but not limited to the following: business requirements, the use case, the type of binding between a Holder and its credential that is required for a use case, the sensitivity of the use case, the expected properties of a credential, the type and contents of other credentials expected to be presented at the same time, etc.¶
It is important that a Verifier not make its security policy decisions based on data that can be influenced by an attacker. For this reason, when deciding whether or not Key Binding is required, Verifiers MUST NOT take into account whether the Holder has provided an SD-JWT+KB or a bare SD-JWT; otherwise, an attacker could strip the KB-JWT from an SD-JWT+KB and present the resultant SD-JWT.¶
Furthermore, Verifiers should be aware that Key Binding information may have been added to an SD-JWT in a format that they do not recognize and therefore may not be able to tell whether or not the SD-JWT supports Key Binding.¶
If a Verifier determines that Key Binding is required for a particular use case and the Holder presents either a bare SD-JWT or an SD-JWT+KB with an invalid Key Binding JWT, then the Verifier will reject the presentation when following the verification steps described in Section 7.3.¶
9.6. Concealing Claim Names
SD-JWT ensures that names of claims that are selectively disclosable are always concealed unless the claim's value is disclosed. This prevents an attacker from learning the names of such claims. However, the names of the claims that are permanently disclosed are not hidden. This includes the keys of objects that themselves are not concealed, but contain concealed claims. This limitation needs to be taken into account by Issuers when creating the structure of the SD-JWT.¶
9.7. Selectively Disclosable Validity Claims
An Issuer MUST NOT allow any content to be selectively disclosable that is critical for evaluating the
SD-JWT's authenticity or validity.
The exact list of such content will depend on the application
and SHOULD be listed by any application
Issuers will typically include claims controlling the validity of the SD-JWT
in plaintext in the SD-JWT payload, but there is no guarantee they will do so. Therefore, Verifiers cannot
reliably depend on that and need to operate as though security
Verifiers therefore MUST ensure that all claims they deem necessary for checking the validity of an SD-JWT in the given context are present (or disclosed, respectively) during validation of the SD-JWT. This is implemented in the last step of the verification defined in Section 7.1.¶
The precise set of required validity claims will typically be defined by
operating environment rules, an application
9.8. Distribution and Rotation of Issuer Signature Verification Key
This specification does not define how signature verification keys of
Issuers are distributed to Verifiers. However, it is RECOMMENDED that
Issuers publish their keys in a way that allows for efficient and secure
key rotation and revocation, for example, by publishing keys at a
predefined location using the JSON Web Key Set (JWKS) format [RFC7517].
Verifiers need to ensure that they are not using expired or revoked keys
for signature verification using reasonable and appropriate means for the given
key
9.9. Forwarding Credentials
Any entity in possession of an SD-JWT (including an SD-JWT extracted from an SD-JWT+KB) can forward it to any third party that does not enforce Key Binding. When doing so, that entity may remove Disclosures such that the receiver learns only a subset of the claims contained in the original SD-JWT.¶
For example, a device manufacturer might produce an SD-JWT containing information about upstream and downstream supply chain contributors. Each supply chain party can verify only the claims that were selectively disclosed to them by an upstream party, and they can choose to further reduce the disclosed claims when presenting to a downstream party.¶
In some scenarios, this behavior could be desirable; if it is not, Issuers need to support and Verifiers need to enforce Key Binding.¶
9.10. Integrity of SD-JWTs and SD-JWT+KBs
With an SD-JWT, the Issuer-signed JWT is integrity protected by the Issuer's signature, and the values of the Disclosures are integrity protected by the digests included therein. The specific set of Disclosures, however, is not integrity protected; the SD-JWT can be modified by adding or removing Disclosures and still be valid.¶
With an SD-JWT+KB, the set of selected Disclosures is integrity protected. The signature in the Key Binding JWT covers a specific SD-JWT, with a specific Issuer-signed JWT and a specific set of Disclosures. Thus, the signature on the Key Binding JWT, in addition to proving Key Binding, also assures the authenticity and integrity of the set of Disclosures the Holder disclosed. The set of Disclosures in an SD-JWT+KB is the set that the Holder intended to send; no intermediate party has added, removed, or modified the list of Disclosures.¶
9.11. Explicit Typing
Section 3.11 of [RFC8725] describes the use of explicit typing as one mechanism to prevent confusion attacks
(described in Section 2.8 of [RFC8725]) in which one kind of JWT is mistaken for another. SD-JWTs are also potentially
subject to such confusion attacks, so in the absence of other techniques, it is RECOMMENDED that application profiles of SD-JWT specify an explicit type
by including the typ header parameter when the SD-JWT is issued, and that Verifiers check this value.¶
When explicit typing using the typ header is employed for an SD-JWT, it is RECOMMENDED that a media type name of the format
"applicationtyp in Section 4.1.9 of [RFC7515] recommends that the "application/" prefix be omitted, so
"example+sdtyp header parameter.¶
Use of the cty content type header parameter to indicate the content type of the SD-JWT payload can also be used to distinguish different types of JSON objects or different kinds of JWT Claim Sets.¶
9.12. Key Pair Generation and Lifecycle Management
Implementations of SD-JWT rely on asymmetric cryptographic keys and must therefore ensure that key pair generation, handling, storage, and lifecycle management are performed securely.¶
While the specific mechanisms for secure key management are out of scope for this document, implementers
should follow established best practices, such as those outlined in NIST SP 800-57 Part 1 [NIST
Appropriate key management is essential, as any compromise can lead to unauthorized disclosure or forgery of SD-JWTs.¶
10. Privacy Considerations
10.1. Unlinkability
Unlinkability is a property whereby adversaries are prevented from correlating credential presentations of the same user beyond the user's consent. Without unlinkability, an adversary might be able to learn more about the user than the user intended to disclose, for example:¶
The following types of unlinkability are discussed below:¶
In all cases, unlinkability is limited to cases where the disclosed claims do not contain information that directly or indirectly identifies the user. For example, when a taxpayer identification number is contained in the disclosed claims, the Issuer and Verifier can easily link the user's transactions. However, when the user only discloses a birthdate to one Verifier and a postal code to another Verifier, the two Verifiers should not be able to determine that they were interacting with the same user.¶
Issuer/Verifier unlinkability with a careless, colluding, compromised, or coerced Verifier cannot be achieved in salted hash-based selective disclosure approaches, such as SD-JWT, as the issued credential with the Issuer's signature is directly presented to the Verifier, who can forward it to the Issuer. To reduce the risk of revealing the data later on, Section 10.2 defines requirements to reduce the amount of data stored.¶
In considering Issuer/Verifier unlinkability, it is important to note the potential for an asymmetric power dynamic between Issuers and Verifiers. This dynamic can compel an otherwise Honest Verifier into collusion. For example, a governmental Issuer might have the authority to mandate that a Verifier report back information about the credentials presented to it. Legal requirements could further enforce this, explicitly undermining Issuer/Verifier unlinkability. Similarly, a large service provider issuing credentials might implicitly pressure Verifiers into collusion by incentivizing participation in their larger operating environment. Deployers of SD-JWT must be aware of these potential power dynamics, mitigate them as much as possible, and/or make the risks transparent to the user.¶
Contrary to that, Issuer/Verifier unlinkability with an Honest Verifier can generally be achieved. However, a callback from the Verifier to the Issuer, such as a revocation check, could potentially disclose information about the credential's usage to the Issuer. Where such callbacks are necessary, they need to be executed in a manner that preserves privacy and does not disclose details about the credential to the Issuer (the mechanism described in [TSL] is an example of an approach that discloses minimal information towards the Issuer). It is important to note that the timing of such requests could potentially serve as a side channel.¶
Verifieriat, exp, and nbf, MUST either be randomized within a
time period considered appropriate (e.g., randomize iat within the last 24
hours and calculate exp accordingly) or rounded (e.g., rounded down to the
beginning of the day).¶
SD-JWT only conceals the value of claims that are not revealed. It does not meet the security properties for anonymous credentials [CL01]. In particular, colluding Verifiers and Issuers can know when they have seen the same credential no matter what fields have been disclosed, even when none have been disclosed. This behavior may not align with what users naturally anticipate or are guided to expect from user-interface interactions, potentially causing them to make decisions they might not otherwise make. Workarounds such as batch issuance, as described above, help with keeping Verifiers from linking different presentations, but cannot work for Issuer/Verifier unlinkability. This issue applies to all salted hash-based approaches, including mDL/mDoc [ISO.18013-5] and SD-CWT [SD-CWT].¶
10.2. Storage of User Data
Wherever user data is stored, it represents a potential target for an attacker. This target can be of particularly high value when the data is signed by a trusted authority like an official national identity service. For example, in OpenID Connect [OpenID.Core], signed ID Tokens can be stored by Relying Parties. In the case of SD-JWT, Holders have to store SD-JWTs, and Issuers and Verifiers may decide to do so as well.¶
Not surprisingly, a leak of such data risks revealing private data of users to third parties. Signed user data, the authenticity of which can be easily verified by third parties, further exacerbates the risk. As discussed in Section 9.5, leaked SD-JWTs may also allow attackers to impersonate Holders unless Key Binding is enforced and the attacker does not have access to the Holder's cryptographic keys.¶
Due to these risks, and the risks described in Section 10.1, systems implementing SD-JWT SHOULD be designed to minimize the amount of data that is stored. All involved parties SHOULD NOT store SD-JWTs longer than strictly necessary, including in log files.¶
After Issuance, Issuers SHOULD NOT store the Issuer-signed JWT or the respective Disclosures.¶
Holders SHOULD store SD-JWTs only in encrypted form, and, wherever possible, use hardware-backed encryption in particular for the private Key Binding key. Decentralized storage of data, e.g., on user devices, SHOULD be preferred for user credentials over centralized storage. Expired SD-JWTs SHOULD be deleted as soon as possible.¶
After Verification, Verifiers SHOULD NOT store the Issuer-signed JWT or the respective Disclosures. It may be sufficient to store the result of the verification and any user data that is needed for the application.¶
Exceptions from the rules above can be made if there are strong requirements to do so (e.g., functional requirements or legal audit requirements), secure storage can be ensured, and the privacy impact has been assessed.¶
10.3. Confidentiality During Transport
If an SD-JWT or SD-JWT+KB is transmitted over an insecure channel during issuance or presentation, an adversary may be able to intercept and read the user's personal data or correlate the information with previous uses.¶
Usually, transport protocols for issuance and presentation of credentials are designed to protect the confidentiality of the transmitted data, for example, by requiring the use of TLS.¶
This specification therefore considers the confidentiality of the data to be provided by the transport protocol and does not specify any encryption mechanism.¶
Implementers MUST ensure that the transport protocol provides confidentiality if the privacy of user data or correlation attacks by passive observers are a concern.¶
To encrypt an SD-JWT or SD-JWT+KB during transit over potentially insecure or leakage-prone channels, implementers MAY use JSON Web Encryption (JWE) [RFC7516], encapsulating the SD-JWT or SD-JWT+KB as the plaintext payload of the JWE. Especially, when an SD-JWT is transmitted via a URL and information may be stored/cached in the browser or end up in web server logs, the SD-JWT SHOULD be encrypted using JWE.¶
10.4. Decoy Digests
The use of decoy digests is RECOMMENDED when the number of claims (or the existence of particular claims) can be a side channel disclosing information about otherwise undisclosed claims. In particular, if a claim in an SD-JWT is present only if a certain condition is met (e.g., a membership number is only contained if the user is a member of a group), the Issuer SHOULD add decoy digests when the condition is not met.¶
Decoy digests increase the size of the SD-JWT. The number of decoy digests (or whether to use them at all) is a trade-off between the size of the SD-JWT and the privacy of the user's data.¶
10.5. Issuer Identifier
An Issuer issuing only one type of SD-JWT might have privacy implications, because if the Holder has an SD-JWT issued by that Issuer, its type and claim names can be determined.¶
For example, if a cancer research institute only issued SD-JWTs with cancer registry information, it is possible to deduce that the Holder owning its SD-JWT is a cancer patient.¶
Moreover, the Issuer identifier alone may reveal information about the user.¶
For example, when a military organization or a drug rehabilitation center issues a vaccine credential, Verifiers can deduce that the Holder is a military member or may have a substance use disorder.¶
To mitigate this issue, a group of issuers may elect to use a common Issuer identifier. A group signature scheme outside the scope of this specification may also be used, instead of an individual signature.¶
11. IANA Considerations
11.1. JSON Web Token Claims Registration
IANA has registered the following Claims in the "JSON Web Token Claims" registry [JWT.Claims] established by [RFC7519].¶
- Claim Name:
-
_sd¶ - Claim Description:
- Digests of Disclosures for object properties¶
- Change Controller:
- IETF¶
- Specification Document(s):
- Section 4.2.4.1 of RFC 9901¶
- Claim Name:
-
...¶ - Claim Description:
- Digest of the Disclosure for an array element¶
- Change Controller:
- IETF¶
- Specification Document(s):
- Section 4.2.4.2 of RFC 9901¶
- Claim Name:
-
_sd_alg¶ - Claim Description:
- Hash algorithm used to generate Disclosure digests and digest over presentation¶
- Change Controller:
- IETF¶
- Specification Document(s):
- Section 4.1.1 of RFC 9901¶
- Claim Name:
-
sd_hash¶ - Claim Description:
- Digest of the SD-JWT to which the KB-JWT is tied¶
- Change Controller:
- IETF¶
- Specification Document(s):
- Section 4.3 of RFC 9901¶
11.2. Media Type Registrations
IANA has registered the following media types [RFC2046] in the "Media Types" registry [MediaTypes] in the manner described in [RFC6838].¶
11.2.1. SD-JWT Content
To indicate that the content is an SD-JWT:¶
- Type name:
- application¶
- Subtype name:
- sd-jwt¶
- Required parameters:
- n/a¶
- Optional parameters:
- n/a¶
- Encoding considerations:
- binary; application
/sd -jwt values are a series of base64url -encoded values (some of which may be the empty string) separated by period ('.') and tilde ('~') characters.¶ - Security considerations:
- See the Security Considerations sections of RFC 9901, [RFC7519], and [RFC8725].¶
- Interoperability considerations:
- n/a¶
- Published specification:
- RFC 9901¶
- Applications that use this media type:
- Applications requiring selective disclosure of integrity
-protected content.¶ - Fragment identifier considerations:
- n/a¶
- Additional information:
-
- Person & email address to contact for further information:
- Daniel Fett, mail
@danielfett .de¶ - Intended usage:
- COMMON¶
- Restrictions on usage:
- none¶
- Author:
- Daniel Fett, mail
@danielfett .de¶ - Change Controller:
- IETF¶
11.2.2. JWS JSON Serialized SD-JWT Content
To indicate that the content is a JWS JSON serialized SD-JWT:¶
- Type name:
- application¶
- Subtype name:
- sd-jwt+json¶
- Required parameters:
- n/a¶
- Optional parameters:
- n/a¶
- Encoding considerations:
- binary; application
/sd -jwt+json values are represented as a JSON Object.¶ - Security considerations:
- See the Security Considerations sections of RFC 9901 and [RFC7515].¶
- Interoperability considerations:
- n/a¶
- Published specification:
- RFC 9901¶
- Applications that use this media type:
- Applications requiring selective disclosure of content protected by ETSI JAdES compliant signatures.¶
- Fragment identifier considerations:
- n/a¶
- Additional information:
-
- Person & email address to contact for further information:
- Daniel Fett, mail
@danielfett .de¶ - Intended usage:
- COMMON¶
- Restrictions on usage:
- none¶
- Author:
- Daniel Fett, mail
@danielfett .de¶ - Change Controller:
- IETF¶
11.2.3. Key Binding JWT Content
To indicate that the content is a Key Binding JWT:¶
- Type name:
- application¶
- Subtype name:
- kb+jwt¶
- Required parameters:
- n/a¶
- Optional parameters:
- n/a¶
- Encoding considerations:
- binary; A Key Binding JWT is a JWT; JWT values are encoded as a series of base64url
-encoded values separated by period ('.') characters.¶ - Security considerations:
- See the Security Considerations sections of RFC 9901, [RFC7519], and [RFC8725].¶
- Interoperability considerations:
- n/a¶
- Published specification:
- RFC 9901¶
- Applications that use this media type:
- Applications utilizing a JWT-based proof
-of -possession mechanism.¶ - Fragment identifier considerations:
- n/a¶
- Additional information:
-
- Person & email address to contact for further information:
- Daniel Fett, mail
@danielfett .de¶ - Intended usage:
- COMMON¶
- Restrictions on usage:
- none¶
- Author:
- Daniel Fett, mail
@danielfett .de¶ - Change Controller:
- IETF¶
11.3. Structured Syntax Suffixes Registration
IANA has registered "+sd-jwt" in the "Structured Syntax Suffixes" registry [StructuredSuffix] in the manner described in [RFC6838], which can be used to indicate that the media type is encoded as an SD-JWT.¶
- Name:
- SD-JWT¶
- +suffix:
- +sd-jwt¶
- References:
- RFC 9901¶
- Encoding considerations:
- binary; SD-JWT values are a series of base64url
-encoded values (some of which may be the empty string) separated by period ('.') or tilde ('~') characters.¶ - Interoperability considerations:
- n/a¶
- Fragment identifier considerations:
- n/a¶
- Security considerations:
- See the Security Considerations sections of RFC 9901, [RFC7519], and [RFC8725].¶
- Contact:
- Daniel Fett, mail
@danielfett .de¶ - Author/Change controller:
- IETF¶
12. References
12.1. Normative References
- [RFC2119]
-
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10
.17487 , , <https:///RFC2119 www >..rfc -editor .org /info /rfc2119 - [RFC5234]
-
Crocker, D., Ed. and P. Overell, "Augmented BNF for Syntax Specifications: ABNF", STD 68, RFC 5234, DOI 10
.17487 , , <https:///RFC5234 www >..rfc -editor .org /info /rfc5234 - [RFC6838]
-
Freed, N., Klensin, J., and T. Hansen, "Media Type Specifications and Registration Procedures", BCP 13, RFC 6838, DOI 10
.17487 , , <https:///RFC6838 www >..rfc -editor .org /info /rfc6838 - [RFC7515]
-
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Signature (JWS)", RFC 7515, DOI 10
.17487 , , <https:///RFC7515 www >..rfc -editor .org /info /rfc7515 - [RFC7516]
-
Jones, M. and J. Hildebrand, "JSON Web Encryption (JWE)", RFC 7516, DOI 10
.17487 , , <https:///RFC7516 www >..rfc -editor .org /info /rfc7516 - [RFC7519]
-
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10
.17487 , , <https:///RFC7519 www >..rfc -editor .org /info /rfc7519 - [RFC7800]
-
Jones, M., Bradley, J., and H. Tschofenig, "Proof
-of , RFC 7800, DOI 10-Possession Key Semantics for JSON Web Tokens (JWTs)" .17487 , , <https:///RFC7800 www >..rfc -editor .org /info /rfc7800 - [RFC8174]
-
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10
.17487 , , <https:///RFC8174 www >..rfc -editor .org /info /rfc8174 - [RFC8725]
-
Sheffer, Y., Hardt, D., and M. Jones, "JSON Web Token Best Current Practices", BCP 225, RFC 8725, DOI 10
.17487 , , <https:///RFC8725 www >..rfc -editor .org /info /rfc8725
12.2. Informative References
- [CL01]
-
Camenisch, J. and A. Lysyanskaya, "An Efficient System for Non
-Transferable Anonymous Credentials with Optional Anonymity Revocation" , Cryptology ePrint Archive, Paper 2001/019, , <https://eprint >..iacr .org /2001 /019 .pdf - [Hash.Algs]
-
IANA, "Named Information Hash Algorithm Registry", <https://
www >..iana .org /assignments /named -information - [ISO.18013-5]
-
ISO/IEC, "Personal identification - ISO-compliant driving license - Part 5: Mobile driving license (mDL) application", ISO/IEC 18013-5:2021, , <https://
www >..iso .org /standard /69084 .html - [JWS.Algs]
-
IANA, "JSON Web Signature and Encryption Algorithms", <https://
www >..iana .org /assignments /jose - [JWT.Claims]
-
IANA, "JSON Web Token Claims", <https://
www >..iana .org /assignments /jwt - [MediaTypes]
-
IANA, "Media Types", <https://
www >..iana .org /assignments /media -types - [NIST
.SP .800 -57pt1r5] -
Barker, E., "Recommendation for Key Management: Part 1 - General", NIST SP 800-57pt1r5, DOI 10
.6028 , , <https:///NIST .SP .800 -57pt1r5 nvlpubs >..nist .gov /nistpubs /Special Publications /NIST .SP .800 -57pt1r5 .pdf - [OIDC.IDA]
-
Lodderstedt, T., Fett, D., Haine, M., Pulido, A., Lehmann, K., and K. Koiwai, "OpenID Connect for Identity Assurance 1.0", , <https://
openid >..net /specs /openid -connect -4 -identity -assurance -1 _0 .html - [OpenID.Core]
-
Sakimura, N., Bradley, J., Jones, M., de Medeiros, B., and C. Mortimore, "OpenID Connect Core 1.0 incorporating errata set 2", , <https://
openid >..net /specs /openid -connect -core -1 _0 .html - [RFC2046]
-
Freed, N. and N. Borenstein, "Multipurpose Internet Mail Extensions (MIME) Part Two: Media Types", RFC 2046, DOI 10
.17487 , , <https:///RFC2046 www >..rfc -editor .org /info /rfc2046 - [RFC4086]
-
Eastlake 3rd, D., Schiller, J., and S. Crocker, "Randomness Requirements for Security", BCP 106, RFC 4086, DOI 10
.17487 , , <https:///RFC4086 www >..rfc -editor .org /info /rfc4086 - [RFC7517]
-
Jones, M., "JSON Web Key (JWK)", RFC 7517, DOI 10
.17487 , , <https:///RFC7517 www >..rfc -editor .org /info /rfc7517 - [RFC8785]
-
Rundgren, A., Jordan, B., and S. Erdtman, "JSON Canonicalizatio
n Scheme (JCS)" , RFC 8785, DOI 10.17487 , , <https:///RFC8785 www >..rfc -editor .org /info /rfc8785 - [SD-CWT]
-
Prorock, M., Steele, O., Birkholz, H., and R. Mahy, "Selective Disclosure CBOR Web Tokens (SD-CWT)", Work in Progress, Internet-Draft, draft
-ietf , , <https://-spice -sd -cwt -05 datatracker >..ietf .org /doc /html /draft -ietf -spice -sd -cwt -05 - [SD-JWT-VC]
-
Terbu, O., Fett, D., and B. Campbell, "SD-JWT-based Verifiable Credentials (SD-JWT VC)", Work in Progress, Internet-Draft, draft
-ietf , , <https://-oauth -sd -jwt -vc -13 datatracker >..ietf .org /doc /html /draft -ietf -oauth -sd -jwt -vc -13 - [Structured
Suffix] -
IANA, "Structured Syntax Suffixes", <https://
www >..iana .org /assignments /media -type -structured -suffix - [TSL]
-
Looker, T., Bastian, P., and C. Bormann, "Token Status List (TSL)", Work in Progress, Internet-Draft, draft
-ietf , , <https://-oauth -status -list -13 datatracker >..ietf .org /doc /html /draft -ietf -oauth -status -list -13 - [VC_DATA_v2.0]
-
Sporny, M., Ed., Thiboeau, T., Ed., Jones, M. B., Ed., Cohen, G., Ed., and I. Herman, Ed., "Verifiable Credentials Data Model 2.0", W3C Recommendation, , <https://
www >..w3 .org /TR /vc -data -model -2 .0 /
Appendix A. Additional Examples
The following examples are not normative and are provided for illustrative purposes only. In particular, neither the structure of the claims nor the selection of selectively disclosable claims is normative.¶
Line breaks have been added for readability.¶
A.1. Simple Structured SD-JWT
In this example, in contrast to Section 5, the Issuer decided to create a structured object for the address claim, allowing individual members of the claim to be disclosed separately.¶
The following data about the user comprises the input JWT Claims Set used by the Issuer:¶
The Issuer also decided to add decoy digests to prevent the Verifier from deducing the true number of claims.¶
The following payload is used for the SD-JWT:¶
The digests in the SD-JWT payload reference the following Disclosures:¶
The following decoy digests are added:¶
The following is a presentation of the SD-JWT that discloses only region
and country of the address property:¶
After validation, the Verifier will have the following Processed SD-JWT Payload available for further handling:¶
A.2. Complex Structured SD-JWT
In this example, an SD-JWT with a complex object is represented. The data structures defined in OpenID Connect for Identity Assurance [OIDC.IDA] are used.¶
The Issuer is using the following user data as the input JWT Claims Set:¶
The following payload is used for the SD-JWT:¶
The digests in the SD-JWT payload reference the following Disclosures:¶
The following is a presentation of the SD-JWT:¶
The Verifier will have this Processed SD-JWT Payload available after validation:¶
A.3. SD-JWT-Based Verifiable Credentials (SD-JWT VC)
This example shows how the artifacts defined in this specification could be used in the context of SD-JWT-based Verifiable Credentials (SD-JWT VC) [SD-JWT-VC] to represent a hypothetical identity credential with the data of a fictional German citizen.¶
Key Binding is applied
using the Holder's public key passed in a cnf claim in the SD-JWT.¶
The following citizen data is the input JWT Claims Set:¶
The following is the issued SD-JWT:¶
The following payload is used for the SD-JWT:¶
The digests in the SD-JWT payload reference the following Disclosures:¶
The following is an example of an SD-JWT+KB that discloses only nationality and the fact that the person is over 18 years old:¶
This is the payload of the corresponding Key Binding JWT:¶
After validation, the Verifier will have the following Processed SD-JWT Payload available for further handling:¶
A.4. W3C Verifiable Credentials Data Model v2.0
This non-normative example illustrates how the artifacts defined in this specification could be used to express a W3C Verifiable Credentials Data Model v2.0 payload [VC_DATA_v2.0].¶
Key Binding is applied
using the Holder's public key passed in a cnf claim in the SD-JWT.¶
The following is the input JWT Claims Set:¶
The following is the issued SD-JWT:¶
The following payload is used for the SD-JWT:¶
The digests in the SD-JWT payload reference the following Disclosures:¶
This is an example of an SD-JWT+KB that discloses only type, medicinal, atcCode of the vaccine, type of the recipient, type, order, and date:¶
After the validation, the Verifier will have the following Processed SD-JWT Payload available for further handling:¶
A.5. Elliptic Curve Key Used in the Examples
The following Elliptic Curve public key, represented in JWK format, can be used to validate the Issuer signatures in the above examples:¶
The public key used to validate a Key Binding JWT can be found in the examples as the content of the cnf claim.¶
Appendix B. Disclosure Format Considerations
As described in Section 4.2, the Disclosure structure is JSON containing a salt and the
cleartext content of a claim, which is base64url encoded. The encoded value is the input used to calculate
a digest for the respective claim. The inclusion of digest value in the signed JWT ensures the integrity of
the claim value. Using encoded content as the input to the integrity mechanism is conceptually similar to the
approach in JWS and particularly useful when the content, like JSON, can have different representations but is semantically equivalent, thus avoiding canonicalizatio
When receiving an SD-JWT, a Verifier must be able to recompute digests of the disclosed claim values and, given the same input values, obtain the same digest values as signed by the Issuer.¶
Usually, JSON-based formats transport claim values as simple properties of a JSON object such as this:¶
However, a problem arises when computation over the data needs to be performed and verified, like signing or computing digests. Common signature schemes require the same byte string as input to the signature verification as was used for creating the signature. In the digest approach outlined above, the same problem exists: for the Issuer and the Verifier to arrive at the same digest, the same byte string must be hashed.¶
JSON, however, does not prescribe a unique encoding for data, but allows for variations in the encoded string. The data above, for example, can be encoded as¶
or as¶
The two representations of the value in family_name are very different on the byte level, but they yield
equivalent objects. The same is true for the representations of address, which vary in white space and order of elements in the object.¶
The variations in white space, ordering of object properties, and encoding of Unicode characters are all allowed by the JSON specification, including further variations, e.g., concerning floating-point numbers, as described in [RFC8785]. Variations can be introduced whenever JSON data is serialized or deserialized and unless dealt with, will lead to different digests and the inability to verify signatures.¶
There are generally two approaches to deal with this problem:¶
Mixed approaches are conceivable, i.e., transferring both the original JSON data
and a string suitable for computing a digest, but such approaches can easily lead to
undetected inconsistencies resulting in time
In this specification, the source string hardening approach is used, as
it allows for simple and reliable interoperabilit
A Verifier can then easily check the digest over the source string before extracting the original JSON data. Variations in the encoding of the source string are implicitly tolerated by the Verifier, as the digest is computed over a predefined byte string and not over a JSON object.¶
It is important to note that the Disclosures are neither intended nor suitable for direct consumption by an application that needs to access the disclosed claim values after the verification by the Verifier. The Disclosures are only intended to be used by a Verifier to check the digests over the source strings and to extract the original JSON data. The original JSON data is then used by the application. See Section 7.3 for details.¶
Acknowledgements
We would like to thank Alen Horvat, Alex Hodder, Anders Rundgren, Arjan Geluk, Chad Parry, Christian Bormann, Christian Paquin,
Dale Bowie, Dan Moore, David Bakker, David Waite, Deb Cooley, Fabian Hauck, Filip Skokan, Giuseppe De Marco, Jacob Ward, Jeffrey Yasskin, John Preuß Mattsson, Joseph Heenan, Justin Richer, Kushal Das, Martin Thomson, Matthew Miller, Michael Fraser, Michael B. Jones, Mike Prorock, Nat Sakimura, Neil Madden, Oliver Terbu, Orie Steele, Paul Bastian, Peter Altmann, Pieter Kasselman, Richard Barnes, Rohan Mahy, Roman Danyliw, Ryosuke Abe, Sami Rosendahl, Shawn Butterfield, Shawn Emery, Simon Schulz, Takahiko Kawasaki, Tobias Looker, Torsten Lodderstedt,
Vittorio Bertocci, Watson Ladd,
and Yaron Sheffer for their contributions (some of which
were substantial) to this document and to the initial set of implementations
The work on this document was started at the OAuth Security Workshop 2022 in Trondheim, Norway.¶