_ sd_ alg
Registry Context
The `_sd_alg` claim identifies the hash algorithm used for SD-JWT Disclosure digests and, for SD-JWT+KB, the `sd_hash` digest. If omitted, the algorithm defaults to `sha-256`.
Technical Summary
An optional top-level SD-JWT payload claim containing a case-sensitive hash algorithm identifier. The identifier is taken from the Named Information Hash Algorithm Registry or defined by another specification or profile. Implementations must support `sha-256`.
When Used
When issuing or processing SD-JWTs, including SD-JWT+KB presentations, that use selectively disclosed claims.
Normative Requirements
Implementations
RFC 9901 - Section 4.1.1
Implementations MUST support the `sha-256` hash algorithm..
Condition: For interoperability
implementations MUST support the sha-256 hash algorithm
Unspecified actor
RFC 9901 - Section 4.1.1
The effective hash algorithm MUST default to `sha-256`..
Condition: If `_sd_alg` is absent at the top level
a default value of sha-256 MUST be used
RFC 9901 - Section 4.1.1
The hash algorithm identifier MUST be a value from the `Hash Name String` column of the Named Information Hash Algorithm Registry or a value defined by another specification or profile..
Condition: When `_sd_alg` is present
MUST be a hash algorithm value from the "Hash Name String" column
RFC 9901 - Section 4.2.3
A Disclosure digest MUST be computed over the US-ASCII bytes of the base64url-encoded Disclosure..
Condition: When computing a Disclosure digest
digest MUST be computed over the US-ASCII bytes
RFC 9901 - Section 4.2.3
The bytes of a Disclosure digest MUST be base64url encoded..
Condition: After computing a Disclosure digest
bytes of the digest MUST then be base64url encoded
RFC 9901 - Section 4.2.3
The input to the hash function MUST be the base64url-encoded Disclosure, not the decoded bytes represented by that string..
Condition: When computing a Disclosure digest
input to the hash function MUST be the base64url-encoded Disclosure
RFC 9901 - Section 4.2.3
The raw output bytes of the hash function MUST be base64url encoded, rather than a hexadecimal representation..
Condition: When encoding a Disclosure digest
bytes of the output of the hash function MUST be base64url encoded
RFC 9901 - Section 4.3.1
The `sd_hash` value MUST be computed over the US-ASCII bytes of the encoded SD-JWT presentation..
Condition: When computing `sd_hash` for a KB-JWT
sd_hash value MUST be computed over the US-ASCII bytes
RFC 9901 - Section 4.3.1
The bytes of the `sd_hash` digest MUST be base64url encoded..
Condition: After computing the `sd_hash` digest
bytes of the digest MUST then be base64url encoded
RFC 9901 - Section 4.3.1
The `sd_hash` digest MUST use the same hash algorithm used for Disclosures, as selected by `_sd_alg` or its default..
Condition: When computing `sd_hash` for a KB-JWT
same hash algorithm as for the Disclosures MUST be used
RFC 9901 - Section 9.4
The hash function MUST make it infeasible to calculate any portion of the salt, claim name, or claim value from a digest..
Condition: When selecting a hash algorithm for SD-JWT
hash function MUST ensure that it is infeasible to calculate any portion
RFC 9901 - Section 9.4
The hash function MUST be preimage resistant..
Condition: When selecting a hash algorithm for SD-JWT
hash function MUST be preimage resistant
RFC 9901 - Section 9.4
The hash function MUST be second-preimage resistant..
Condition: When selecting a hash algorithm for SD-JWT
hash function MUST be second-preimage resistant
RFC 9901 - Section 9.4
The hash function SHOULD be collision resistant..
Condition: When selecting a hash algorithm for SD-JWT
hash function SHOULD also be collision resistant
RFC 9901 - Section 9.4
The collision resistance of the Disclosure hash function SHOULD match that of the signature scheme's hash function..
Condition: When selecting a hash algorithm for SD-JWT
collision resistance of the hash function used to generate digests SHOULD match
Issuer
RFC 9901 - Section 4.1.1
The `_sd_alg` claim MUST NOT be used in an object nested within the SD-JWT payload..
Condition: When constructing an SD-JWT payload
MUST NOT be used in any object nested within the payload
RFC 9901 - Section 4.1.1
The `_sd_alg` claim MUST appear at the top level of the SD-JWT payload..
Condition: When the claim is used
this claim MUST appear at the top level
Validation Guidance
Reject an SD-JWT if `_sd_alg` appears anywhere other than the top level of its payload.
If `_sd_alg` is omitted at the top level, resolve the effective algorithm to `sha-256`.
When present, verify that `_sd_alg` is a case-sensitive string identifying an algorithm from the registry's `Hash Name String` column or one defined by an applicable specification or profile.
Verify that the implementation supports `sha-256`; do not warn merely because another permitted algorithm is selected.
Compute Disclosure digests from the US-ASCII bytes of each base64url-encoded Disclosure, using `_sd_alg` or `sha-256` when omitted.
Base64url-encode the raw Disclosure digest bytes, not a hexadecimal representation.
Compute `sd_hash` over the US-ASCII bytes of the encoded SD-JWT presentation and base64url-encode the resulting digest bytes.
Use the same effective hash algorithm for `sd_hash` and Disclosure digests.
Reject algorithms unsuitable for computational hiding, preimage resistance, or second-preimage resistance.
Prefer a collision-resistant algorithm whose collision resistance matches that of the signature scheme.
Security Notes
RFC 9901 - Section 9.4
The selected hash function must computationally hide undisclosed claim material and provide preimage and second-preimage resistance; collision resistance is also recommended.
RFC 9901 - Section 9.4
Presence in the Named Information Hash Algorithm Registry alone does not establish suitability for SD-JWT; the registry includes truncated digests that are unfit for security applications.
Reference
Details
- Entry Id
_sd_ alg - Claim Name
_sd_ alg - Claim Description
Hash algorithm used to generate Disclosure digests and digest over presentation- Change Controller
IETF- Reference
RFC9901 - Section 4.1.1