I am trying to make a few points. My reference to the BCP was on the recommendation to do explicit typing. I'm suggesting that the sd-jwt document state that include "typ" is a requirement, and to be explicit in what that value should be.
I would suggest that value be "sd-jwt" The "application+" mechanism was already deployed when we wrote the BCP -- too late to change that. But sd-jwt is a new token format and can learn from implementation challenges in the past. On Sat, Sep 21, 2024 at 9:17 PM Michael Jones <michael_b_jo...@hotmail.com> wrote: > Actually, the JWT BCP (which we were both authors of) does not recommend > using a single media type. Rather, it recommends using a specific media > type suffix in the “typ” values > <https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing>: > > When explicit typing is employed for a JWT, it is *RECOMMENDED* that a > media type name of the format "application/example+jwt" be used, where > "example" is replaced by the identifier for the specific kind of JWT. > > > > SD-JWT is doing the same thing, recommending the use of the media type > suffix “+sd-jwt”. > > > > This enables more fine-grained explicit typing. For instance, when doing > explicit typing for an SD-JWT in the Example use case, the “typ” value > would be “example+sd-jwt”. This can then be distinguished from an SD-JWT > for the Other use case, which would use the “typ” value “other+sd-jwt” – > meeting the goal of explicit typing. > > > > -- Mike > > > > *From:* Dick Hardt <dick.ha...@gmail.com> > *Sent:* Saturday, September 21, 2024 9:16 AM > *To:* Daniel Fett <m...@danielfett.de> > *Cc:* oauth@ietf.org; krist...@sfc.keio.ac.jp > *Subject:* [OAUTH-WG] Re: SD-JWT architecture feedback > > > > … > > > > *Explicit Typing* > > Why leave the typing in the header to be determined by the application > (10.11), and not just be 'sd-jwt' and be REQUIRED? > > We had extensive discussions around typing, please refer to the following > issues: > > - https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/267 > > - https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/327 > > - https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/345 > > > > Those issues don't really address the point. > > > > Per RFC 8725: JSON Web Token Best Current Practices (rfc-editor.org) > <https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing> -- > the best practice would be to have a single type that would allow a library > to know it is an SD-JWT. If additional context is needed, perhaps that > should be a different header property? >
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
