Document: draft-ietf-oauth-selective-disclosure-jwt
Title: Selective Disclosure for JWTs (SD-JWT)
Reviewer: Tirumaleswar Reddy
Review result: "Ready with issues"

Hi,

I have reviewed this document as part of the Ops area directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the Ops area directors. Document editors and WG chairs should treat these comments just like any other last-call comments.

The draft is well-written and addresses an important need for a privacy-preserving solution. I like the clarity of the document, its structure and the examples provided. That said, I have a few operational and deployment-related comments that may help improve the document.

My comments below:

1. It would be helpful to include discussion on the computational and network overhead associated with SD-JWT, especially in constrained environments.

2. In environments with multiple parties involved (e.g., issuer, holder, verifier), failures may be hard to identify. It would be useful to describe how error reporting and troubleshooting can be handled in a privacy-preserving way.

3. Section 10.3 needs to be updated to discuss the need to use a PQ/T or PQ KEM scheme to prevent "harvest now, decrypt later" attacks for both TLS and JWE.

4. Since SD-JWT relies on JWS, it would be useful to mention that traditional JWS signature algorithms (e.g., ECDSA) will be vulnerable to CRQC attacks in the future.

5. Section 9.8 provides good initial guidance on issuer key distribution and rotation via JWKS, but it does not discuss holder key rotation.

6. It is unclear how the verifier would identify a replay attack where the JWT has not yet expired.

Cheers,
-Tiru