
Why HAIP implies that there are temporal validation rules for iat when it has none, and at the same time does not mention nbf at all? #164

Open
joelposti opened this issue Feb 5, 2025 · 1 comment

Comments

@joelposti
Copy link

joelposti commented Feb 5, 2025

Currently section ‘Validity Period of the Signature and the Claim Values’ has this to say about iat claim:

iat and exp JWT claims express both the validity period of both the signature and the claims about the subject, unless there is a separate claim used to express the validity of the claims.

Why is it implied that iat claim has temporal validation rules? The JWT standard does not define any rules for iat in section 4.1.6. "iat" (Issued At) Claim.

Meanwhile, the JWT standard has temporal validation rules for nbf claim in section 4.1.5. "nbf" (Not Before) Claim, but HAIP does not mention that claim.

I created a pull request #165 that proposes adding nbf to the claims table in section ‘SD-JWT VCs’ and replacing iat in section ‘Validity Period of the Signature and the Claim Values’ with nbf.

@selfissued
Copy link
Member

nbf is only useful if tokens are going to be future-dated and not valid when issued. That doesn't match our use cases. Therefore, we should not add or mention nbf.

For what it's worth, the validation logic for iat in OpenID Connect ID Tokens is:

  1. The iat Claim can be used to reject tokens that were issued too far away from the current time, limiting the amount of time that nonces need to be stored to prevent attacks. The acceptable range is Client specific.

We could add similar language to this spec.
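The check selfissued describes, as an added example that is not code from the HAIP spec or from this thread: iat is tested against a client-specific acceptable window (both too-old and future-dated tokens are rejected), exp is tested per RFC 7519, and nbf is applied only when the token carries it. The window sizes max_age and leeway are constructed assumptions, and the function expects a payload whose signature has already been verified.

```python
import time

class ClaimValidationError(ValueError):
    """Raised when the temporal claims of a token are not acceptable."""

def validate_temporal_claims(claims, now=None, max_age=300, leeway=60, require_nbf=False):
    """Return the remaining validity in seconds if the temporal claims pass.

    claims   -- decoded JWT payload (dict) after signature verification
    now      -- current Unix time; defaults to time.time()
    max_age  -- client-specific bound (assumed value) on how far in the past iat may lie
    leeway   -- allowed clock skew in seconds (assumed value), applied to iat, nbf and exp
    """
    now = int(time.time()) if now is None else now

    # exp (RFC 7519 4.1.4): reject once the current time reaches exp, allowing skew.
    exp = claims.get("exp")
    if exp is None:
        raise ClaimValidationError("exp claim missing")
    if now >= exp + leeway:
        raise ClaimValidationError("token expired")

    # iat: RFC 7519 defines no rule, but OpenID Connect lets a client reject tokens
    # issued too far from the current time. Both directions matter: too old (so nonce
    # storage can be bounded) and issued in the future (clock problems or tampering).
    iat = claims.get("iat")
    if iat is None:
        raise ClaimValidationError("iat claim missing")
    if iat > now + leeway:
        raise ClaimValidationError("iat is in the future")
    if now - iat > max_age:
        raise ClaimValidationError("token issued too long ago")

    # nbf (RFC 7519 4.1.5): only enforced when present, or when policy requires it.
    # For a token that is valid at issuance, nbf adds nothing beyond the iat window.
    nbf = claims.get("nbf")
    if nbf is None and require_nbf:
        raise ClaimValidationError("nbf claim missing")
    if nbf is not None and now < nbf - leeway:
        raise ClaimValidationError("token not yet valid")

    return max(0, exp - now)

if __name__ == "__main__":
    # Constructed sample payload: issued 10 s ago, valid for another 10 minutes.
    t = 1_700_000_000
    print(validate_temporal_claims({"iat": t - 10, "exp": t + 600}, now=t))  # 600
```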
