Merge branch 'main' into danielfett/fix-key-binding-description

oauth-wg · Aug 9, 2023 · 136673c · 136673c
2 parents 5bc77d4 + 841f159
commit 136673c
Showing 1 changed file with 25 additions and 28 deletions.
diff --git a/draft-terbu-oauth-sd-jwt-vc.md b/draft-terbu-oauth-sd-jwt-vc.md
@@ -33,7 +33,7 @@ organization="Authlete Inc. "
 This specification describes data formats as well as validation and processing
 rules to express Verifiable Credentials with JSON payloads based on the Selective Disclosure
 for JWTs (SD-JWT) [@!I-D.ietf-oauth-selective-disclosure-jwt] format.
-It can be used when there are no selective disclosable claims, too.
+It can be used without any selective disclosable claims, too.
 
 {mainmatter}
 
@@ -121,20 +121,20 @@ document are to be interpreted as described in RFC 2119 [@!RFC2119].
 
 ## Terms and Definitions
 
-This specification uses the terms "Holder", "Issuer", "Verifier", defined by
+This specification uses the terms "Holder", "Issuer", "Verifier", "Key Binding JWT" defined by
 [@!I-D.ietf-oauth-selective-disclosure-jwt].
 
 Verifiable Credential (VC):
 :  An Issuer-signed assertion with claims about a Subject.
 
 SD-JWT-based Verifiable Credential (SD-JWT VC):
-: A Verifiable Credential encoded using the Issuance format defined in
+: A Verifiable Credential encoded using the format defined in
 [@!I-D.ietf-oauth-selective-disclosure-jwt]. It may or may not contain
 selectively disclosable claims.
 
-Unsecured payload of an SD-JWT VC:
+Unsecured Payload of an SD-JWT VC:
 : A JSON object containing all selectively disclosable and non-selectively disclosable claims
-of the SD-JWT VC. The unsecured payload acts as the input JSON object to issue
+of the SD-JWT VC. The Unsecured Payload acts as the input JSON object to issue
 an SD-JWT VC complying to this specification.
 
 Status Provider:
@@ -164,12 +164,12 @@ SD-JWT VCs compliant with this specification MUST use the media type
 
 ## Data Format
 
-SD-JWT VCs MUST be encoded using the SD-JWT Combined Format for Issuance as
-defined in Section 5.3. of [@!I-D.ietf-oauth-selective-disclosure-jwt].
+SD-JWT VCs MUST be encoded using the SD-JWT format defined in Section 5 of
+[@!I-D.ietf-oauth-selective-disclosure-jwt]. A presentation of an SD-JWT VC MAY
+contain a Key Binding JWT.
 
-When there are selectively disclosable claims, SD-JWT VCs MUST contain all
-Disclosures corresponding to their SD-JWT component
-except for Decoy Digests as per Section 5.1.1.3. of [@!I-D.ietf-oauth-selective-disclosure-jwt].
+Note that in some cases, an SD-JWT VC MAY have no selectively disclosable
+claims, and therefore the encoded SD-JWT will not contain any Disclosures.
 
 ### Header Parameters
 
@@ -197,18 +197,24 @@ SD-JWT VCs.
 
 #### `type` claim {#type-claim}
 
-This specification defines the JWT claim `type`. The `type` claim is used
-to express the type of the JSON object that is secured by the
-JWT. The `type` value MUST be a case-sensitive `StringOrURI` value.
+This specification defines the JWT claim `type`. The `type` value
+MUST be a case-sensitive `StringOrURI` value serving as an identifier
+for the type of the SD-JWT VC. A type defines which claims may or must appear in the
+Unsecured Payload of the SD-JWT VC and whether they may, must, or must not be
+selectively disclosable. This specification does not define any `type` values; instead
+it is expected that ecosystems using SD-JWT VCs define such values including
+the semantics of the respective claims and associated rules (e.g., policies for issuing and
+validating credentials beyond what is defined in this specification).
 
 The following is a non-normative example of how `type` is used to express
 a type:
 
 ```
 {
-  "type": "SomeType"
+  "type": "IdentityCredential"
 }
 ```
+For example, a type `IdentityCredential` can be defined such that at least the registered JWT claims `given_name`, `family_name`, `birthdate`, and `address` must appear in the Unsecured Payload. Additionally, the registered JWT claims `email` and `phone_number`, and the private claims `is_over_18`, `is_over_21`, and `is_over_65` may be used. The type might also indicate that `given_name`, `family_name`, `birthdate`, `address` can be selectively disclosable.
 
 #### Registered JWT Claims
 
@@ -430,19 +436,7 @@ used.
 This section defines encoding, validation and processing rules for presentations
 of SD-JWT VCs.
 
-## Data Format
-
-A presentation of an SD-JWT VC MUST be encoded using the SD-JWT Combined
-Format for Presentation as defined in Section 5.4. of
-[@!I-D.ietf-oauth-selective-disclosure-jwt].
-
-A presentation of an SD-JWT VC MAY contain a Key Binding JWT as described in
-Section 5.4.1. of [@!I-D.ietf-oauth-selective-disclosure-jwt].
-
-When there are no selectively disclosable claims, a presentation of SD-JWT VC
-does not contain any Disclosures.
-
-### Key Binding JWT
+## Key Binding JWT
 
 If the presentation of the SD-JWT VC includes a Key Binding JWT, the
 following claims are used within the Key Binding JWT:
@@ -482,7 +476,6 @@ Key Binding JWT:
 
 <{{examples/02/sd_jwt_presentation.txt}}
 
-
 # Security Considerations {#security-considerations}
 
 TBD: Verifier provided `nonce`.
@@ -560,6 +553,10 @@ for their contributions (some of which substantial) to this draft and to the ini
 
 # Document History
 
+-01
+
+* Aligned terminology and descriptions with latest version of SD-JWT
+
 -00
 
 * Initial Version