oauth2.dev

_sd_alg

IETF

Registry Context

The `_sd_alg` claim identifies the hash algorithm used for SD-JWT Disclosure digests and, for SD-JWT+KB, the `sd_hash` digest. If omitted, the algorithm defaults to `sha-256`.

Technical Summary

An optional top-level SD-JWT payload claim containing a case-sensitive hash algorithm identifier. The identifier is taken from the Named Information Hash Algorithm Registry or defined by another specification or profile. Implementations must support `sha-256`.

When Used

When issuing or processing SD-JWTs, including SD-JWT+KB presentations, that use selectively disclosed claims.

Normative Requirements

Implementations

MUST
1
  1. RFC 9901 - Section 4.1.1

    Implementations MUST support the `sha-256` hash algorithm..

    Condition: For interoperability

    implementations MUST support the sha-256 hash algorithm

Unspecified actor

MUST
12
  1. RFC 9901 - Section 4.1.1

    The effective hash algorithm MUST default to `sha-256`..

    Condition: If `_sd_alg` is absent at the top level

    a default value of sha-256 MUST be used

  2. RFC 9901 - Section 4.1.1

    The hash algorithm identifier MUST be a value from the `Hash Name String` column of the Named Information Hash Algorithm Registry or a value defined by another specification or profile..

    Condition: When `_sd_alg` is present

    MUST be a hash algorithm value from the "Hash Name String" column

  3. RFC 9901 - Section 4.2.3

    A Disclosure digest MUST be computed over the US-ASCII bytes of the base64url-encoded Disclosure..

    Condition: When computing a Disclosure digest

    digest MUST be computed over the US-ASCII bytes

  4. RFC 9901 - Section 4.2.3

    The bytes of a Disclosure digest MUST be base64url encoded..

    Condition: After computing a Disclosure digest

    bytes of the digest MUST then be base64url encoded

  5. RFC 9901 - Section 4.2.3

    The input to the hash function MUST be the base64url-encoded Disclosure, not the decoded bytes represented by that string..

    Condition: When computing a Disclosure digest

    input to the hash function MUST be the base64url-encoded Disclosure

  6. RFC 9901 - Section 4.2.3

    The raw output bytes of the hash function MUST be base64url encoded, rather than a hexadecimal representation..

    Condition: When encoding a Disclosure digest

    bytes of the output of the hash function MUST be base64url encoded

  7. RFC 9901 - Section 4.3.1

    The `sd_hash` value MUST be computed over the US-ASCII bytes of the encoded SD-JWT presentation..

    Condition: When computing `sd_hash` for a KB-JWT

    sd_hash value MUST be computed over the US-ASCII bytes

  8. RFC 9901 - Section 4.3.1

    The bytes of the `sd_hash` digest MUST be base64url encoded..

    Condition: After computing the `sd_hash` digest

    bytes of the digest MUST then be base64url encoded

  9. RFC 9901 - Section 4.3.1

    The `sd_hash` digest MUST use the same hash algorithm used for Disclosures, as selected by `_sd_alg` or its default..

    Condition: When computing `sd_hash` for a KB-JWT

    same hash algorithm as for the Disclosures MUST be used

  10. RFC 9901 - Section 9.4

    The hash function MUST make it infeasible to calculate any portion of the salt, claim name, or claim value from a digest..

    Condition: When selecting a hash algorithm for SD-JWT

    hash function MUST ensure that it is infeasible to calculate any portion

  11. RFC 9901 - Section 9.4

    The hash function MUST be preimage resistant..

    Condition: When selecting a hash algorithm for SD-JWT

    hash function MUST be preimage resistant

  12. RFC 9901 - Section 9.4

    The hash function MUST be second-preimage resistant..

    Condition: When selecting a hash algorithm for SD-JWT

    hash function MUST be second-preimage resistant

SHOULD
2
  1. RFC 9901 - Section 9.4

    The hash function SHOULD be collision resistant..

    Condition: When selecting a hash algorithm for SD-JWT

    hash function SHOULD also be collision resistant

  2. RFC 9901 - Section 9.4

    The collision resistance of the Disclosure hash function SHOULD match that of the signature scheme's hash function..

    Condition: When selecting a hash algorithm for SD-JWT

    collision resistance of the hash function used to generate digests SHOULD match

Issuer

MUST NOT
1
  1. RFC 9901 - Section 4.1.1

    The `_sd_alg` claim MUST NOT be used in an object nested within the SD-JWT payload..

    Condition: When constructing an SD-JWT payload

    MUST NOT be used in any object nested within the payload

MUST
1
  1. RFC 9901 - Section 4.1.1

    The `_sd_alg` claim MUST appear at the top level of the SD-JWT payload..

    Condition: When the claim is used

    this claim MUST appear at the top level

Validation Guidance

error

Reject an SD-JWT if `_sd_alg` appears anywhere other than the top level of its payload.

error

If `_sd_alg` is omitted at the top level, resolve the effective algorithm to `sha-256`.

error

When present, verify that `_sd_alg` is a case-sensitive string identifying an algorithm from the registry's `Hash Name String` column or one defined by an applicable specification or profile.

error

Verify that the implementation supports `sha-256`; do not warn merely because another permitted algorithm is selected.

error

Compute Disclosure digests from the US-ASCII bytes of each base64url-encoded Disclosure, using `_sd_alg` or `sha-256` when omitted.

error

Base64url-encode the raw Disclosure digest bytes, not a hexadecimal representation.

error

Compute `sd_hash` over the US-ASCII bytes of the encoded SD-JWT presentation and base64url-encode the resulting digest bytes.

error

Use the same effective hash algorithm for `sd_hash` and Disclosure digests.

error

Reject algorithms unsuitable for computational hiding, preimage resistance, or second-preimage resistance.

warning

Prefer a collision-resistant algorithm whose collision resistance matches that of the signature scheme.

Security Notes

RFC 9901 - Section 9.4

The selected hash function must computationally hide undisclosed claim material and provide preimage and second-preimage resistance; collision resistance is also recommended.

RFC 9901 - Section 9.4

Presence in the Named Information Hash Algorithm Registry alone does not establish suitability for SD-JWT; the registry includes truncated digests that are unfit for security applications.

Reference

Details

Entry Id
_sd_alg
Claim Name
_sd_alg
Claim Description
Hash algorithm used to generate Disclosure digests and digest over presentation
Change Controller
IETF
Reference
RFC9901 - Section 4.1.1