According to https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt#section-10.5-3, as well as cryptography folklore, it makes sense to match the collision resistance strength of used hash functions and signature algorithms. In the context of SD-JWT, this applies to:
- The Issuer’s signing algorithm and the hash function used to create hash pointers to disclosures,
- The Holder’s signing algorithm for key binding and the hash function used to compute sd_hash (which is already required by the standard to be the exact same as the Issuer’s hash function).
This is, however, a very minor detail, assuming the caller isn’t experimenting with exotic combinations of crypto primitives.
Feel free to contact @kristijantbtl and/or @m4t1j4 for any further questions/concerns.
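As an added example (not code from the linked draft or from this thread's authors), a structural check in Python that applies the two points above: it compares the collision-resistance level of `_sd_alg` against the Issuer's and Holder's JWS `alg`, and recomputes `sd_hash` with the Issuer's hash to confirm the Holder used the same function. The bit levels in `ALG_BITS`, the placeholder signatures and the sample tokens are assumptions/constructed; no signatures are verified.

```python
import base64
import hashlib
import json

# Collision-resistance level (bits) of the hash names SD-JWT accepts in _sd_alg (IANA hash names).
HASH_BITS = {"sha-256": 128, "sha-384": 192, "sha-512": 256}
# Assumed level of common JWS algorithms: half the digest length of the hash they sign over.
ALG_BITS = {"ES256": 128, "RS256": 128, "PS256": 128, "ES384": 192, "RS384": 192,
            "PS384": 192, "ES512": 256, "RS512": 256, "PS512": 256}

def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def _json_part(segment: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))

def _digest(sd_alg: str, data: str) -> str:
    return _b64url(hashlib.new(sd_alg.replace("-", ""), data.encode()).digest())

def check_sd_jwt_strength(presentation: str) -> list:
    """Structural check only (no signature verification): list hash/signature strength mismatches."""
    parts = presentation.split("~")
    issuer_jwt, kb_jwt = parts[0], (parts[-1] if len(parts) > 1 else "")
    alg = _json_part(issuer_jwt.split(".")[0]).get("alg")
    sd_alg = _json_part(issuer_jwt.split(".")[1]).get("_sd_alg", "sha-256")  # draft default
    if sd_alg not in HASH_BITS or alg not in ALG_BITS:
        return [f"unrecognised combination alg={alg} _sd_alg={sd_alg}; review manually"]
    findings = []
    if HASH_BITS[sd_alg] < ALG_BITS[alg]:
        findings.append(f"_sd_alg {sd_alg} is weaker than issuer alg {alg}")
    if kb_jwt:  # Key Binding JWT present
        kb_alg = _json_part(kb_jwt.split(".")[0]).get("alg")
        sd_hash = _json_part(kb_jwt.split(".")[1]).get("sd_hash")
        # sd_hash must be the Issuer's _sd_alg over everything up to and including the last '~'
        if sd_hash != _digest(sd_alg, presentation[: presentation.rfind("~") + 1]):
            findings.append(f"sd_hash does not match {sd_alg} over the presented SD-JWT")
        if kb_alg in ALG_BITS and HASH_BITS[sd_alg] < ALG_BITS[kb_alg]:
            findings.append(f"sd_hash hash {sd_alg} is weaker than key-binding alg {kb_alg}")
    return findings

def _unsigned_jws(header: dict, payload: dict) -> str:
    # Constructed sample: the signature segment is a placeholder and is never verified here.
    return ".".join([_b64url(json.dumps(p).encode()) for p in (header, payload)] + ["sig"])

def sample_presentation(issuer_alg: str, sd_alg: str, kb_alg: str, kb_hash: str = "") -> str:
    """Constructed presentation; kb_hash simulates a Holder computing sd_hash with a different hash."""
    issuer = _unsigned_jws({"alg": issuer_alg}, {"_sd_alg": sd_alg, "_sd": []})
    presented = issuer + "~" + _b64url(json.dumps(["salt", "given_name", "Alice"]).encode()) + "~"
    kb = _unsigned_jws({"alg": kb_alg}, {"sd_hash": _digest(kb_hash or sd_alg, presented)})
    return presented + kb
```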