> On 28 Jul 2022, at 16:47, Jeremie Miller <[email protected]> wrote:
>>
>> > No, to prevent this the issuer simply puts these sorts of claims in the
>> > header, which is not subject to selective disclosure, e.g. the prover
>> > cannot create a valid proof/presentation without disclosing the original
>> > un-modified header.
>>
>> That is a very non-standard use of the header. AFAICT such usage is not
>> compatible with RFC 7800, and I would guess that it may well lead to
>> security issues as implementations won’t be looking for these claims in the
>> header but rather in the claims set.
>
> That's one of the reasons we're proposing JWP as another specification, it is
> not compatible with existing JWTs+PoP.
>
> Also, a current security assumption baked into the JWP draft is that all
> presentations are not replayable. While this can be accomplished with a
> proof-of-possession it is not the only mechanism an algorithm could use, BBS
> for example supports this without requiring a traditional PoP.
>
So I guess then why do this in the JOSE working group if the work has little in
common with existing JOSE specs and semantics? Different algorithms, different
formats, different processing rules. It’s not clear if JWP could even reuse the
IANA JWT Claims registry if you’re saying that it’s not compatible with some of
them (e.g. cnf).

The proposed new charter says:

“The current JOSE and JWT specifications are not sufficiently general to enable
use of these newer techniques. The reconstituted JSON Object Signing and
Encryption (JOSE) working group will build on what came before but also rectify
these shortcomings.”

But from these discussions it seems that JWP is really its own separate thing.
(Indeed the JOSE specs are already criticised for trying to be too general).

— Neil