What is SD-JWT (Selective Disclosure JWT)?

A Selective Disclosure JWT (SD-JWT) is a specialized form of JSON Web Token designed to enhance user privacy by allowing selective sharing of specific pieces of information without revealing the full dataset. SD-JWT leverages cryptographic techniques to provide strong assurances that the disclosed data is authentic and untampered, without unnecessarily exposing sensitive details.

Key aspects of SD-JWT include:

• Selective Disclosure: Enables users to reveal only required attributes, protecting privacy.
• Cryptographic Assurance: Uses digital signatures to guarantee authenticity and data integrity.
• Standards-based: Built on JWT/JWS concepts (RFC 7519), but introduces new data formats and processing requirements for handling selective disclosure.
• Privacy-by-design: Aligns with modern data privacy regulations, like GDPR.

SD-JWTs are particularly valuable in scenarios like identity verification, digital credentials, and access management, allowing secure and controlled sharing of user attributes.

---

SD-JWT extends traditional JWTs to allow selective disclosure of claims (user attributes) by employing cryptographic techniques such as hashing and digital signatures. Here's a simplified overview:

• Claims: Information about a user or entity encoded within the token (e.g., name, date of birth, citizenship status).
• Disclosure: Users or holders decide which claims they reveal to third parties, protecting sensitive data.
• Hash Commitments: Each claim is hashed individually, allowing selective revelation without exposing the entire dataset.

• Digital Signatures: Issuers digitally sign the token, enabling verification of authenticity and preventing tampering.
• Hashing: Claims are cryptographically hashed to ensure hidden claims remain secure, even when others are disclosed.
• Key Binding (KB-JWT): An optional but important security mechanism where a Key Binding JWT can be used to bind the SD-JWT presentation to a cryptographic key controlled by the holder. This prevents a party other than the intended holder from presenting the SD-JWT, protecting against presentation attacks. When key binding is used (SD-JWT+KB mode), the holder proves possession of their key during presentation.

SD-JWT is particularly useful in various practical scenarios:

• Digital Identity Verification: Imagine presenting proof of age without sharing your exact birthdate. If the issuer has included a predicate claim (e.g., "age_equal_or_over": {"18": true}) in the SD-JWT at issuance, you can selectively disclose that claim to verify you're over a certain age threshold without exposing your actual date of birth.

• Financial Services: Sharing your verified income bracket for loan approvals without revealing detailed salary history or employment details.

• Healthcare: Providing proof of vaccination without exposing unrelated medical history.

Using SD-JWT brings both technical and regulatory advantages:

• Enhanced Privacy: Minimizes unnecessary data disclosure, reducing identity theft risks.
• Compliance with GDPR and Similar Regulations: Aligns well with principles of data minimization and user consent.
• Interoperability: Builds upon established JWT/JWS concepts (RFC 7519), though implementing SD-JWT requires updates to processing logic and systems to handle the new presentation format and disclosure mechanisms.

When implementing SD-JWT in your system, consider:

• Issuer Infrastructure: Ensure a robust and secure system for issuing and managing cryptographic keys and digital signatures.

• Verification Processes: Develop seamless verification processes, supporting verification across multiple applications and platforms.

• User Experience: Prioritize an intuitive user interface to clearly communicate the selective disclosure options available, ensuring users understand and manage their data sharing effectively.

Selective Disclosure JWT is increasingly adopted due to its effectiveness in balancing data security, user privacy, and regulatory compliance. Its widespread applicability in secure credential management and digital identity ecosystems positions SD-JWT as a pivotal technology for privacy-centric solutions.

SD-JWT is used to selectively disclose specific attributes or claims from a digital token, preserving privacy and limiting data exposure.

SD-JWT enhances privacy by allowing users to disclose only essential data required for verification, keeping sensitive or unnecessary information confidential.

SD-JWT builds on standard JWT/JWS concepts (RFC 7519), but requires implementation updates to handle the new presentation format, disclosure processing, and verification steps. It is not a drop-in replacement for systems that only expect standard compact JWTs.

Industries like finance, healthcare, digital identity verification, and regulated sectors benefit significantly by reducing data exposure while maintaining compliance.

SD-JWT uses cryptographic hashing and digital signatures to guarantee authenticity, integrity, and protection against tampering of selectively disclosed data.