[OAUTH-WG] Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations

Orie Steele <orie@transmute.industries> Fri, 21 June 2024 19:41 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A651C14F602 for <oauth@ietfa.amsl.com>; Fri, 21 Jun 2024 12:41:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3w-OhvO04F1S for <oauth@ietfa.amsl.com>; Fri, 21 Jun 2024 12:41:39 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B0DEC14F5EE for <oauth@ietf.org>; Fri, 21 Jun 2024 12:41:39 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id d2e1a72fcca58-7065e2fe7d9so459810b3a.3 for <oauth@ietf.org>; Fri, 21 Jun 2024 12:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1718998898; x=1719603698; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3T9ktVoiV3gewAj0jmrF8QGlymlYOekHvyELNb/gXgI=; b=B/TLGR34cTEjR1vYHfHuNXv7HqrH4C1EJIEX2PZfxfop0cm9turP6FCaNoTmgbeZjr hziARkzV6IjSJvw8uc/XUwkwGQ8iHxmXJerxWc81G/mm2IGHiotpBw4WsxX0IxA8/cyd aiRN1fEnIAKicxQgiTS09nt71lMB9ZcxmfSbsPBoeqmWszX5/uRjJHDG4GMHiUxQPwm3 L39FFVq54xPcJ13hk3zbKWmu7X+2MZS6/cN9yZIwKHBABa94OIsqdAmPWzODnrTUXfof bwqqgFSo/cKb7Qm2CU9h9Qyw3QJ4FJ4CJ39S656FErc8TZH4B6lcs6pBaRqjUO2PXC+2 lJ6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718998898; x=1719603698; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3T9ktVoiV3gewAj0jmrF8QGlymlYOekHvyELNb/gXgI=; b=gHaBSirdzfP4vSlb+/8r/5xAl+vMVQVDShrAx4HKV9d8akYNsBKBPu9BY69MgoMrOp hw2YJvfXBuzFomCLTz3TbzLjc2nAweLLvi6qvdGQw6uS2IQVzidW5KCKEaS3O/sIVjAo 3o/IJgHpcJIZ523EI5k8GGQIbkVSxonE81Va+Lsf6OCu46mlnVPb6uTMOvBDfaCheBmA 8Clq0GgozjzViXyoyqG/UpDSwgjQo/WdNqLBmDhxkxOYGYNSPZYTW2Qto56EXs2Ybp2c Ebpll74YMC3koHCIRCmOiZeepGrfj2eWIYMn2gX7CLNKvKrRACh2oaGLhL6Z6336ejMa 6Uag==
X-Gm-Message-State: AOJu0YxBA61NB3kCdTm1xUhgxLdXPC5Q/K8CXjqlekyHFjB+7zhpwYr5 IVGvM6DQbZbMpACQi5YEpVvPb3faKM8cepO0/WxXFtDDpCMhLrhiq+YXxigrwuT8lKp0wFKtajI 3pt3EQGz4zq4Q3nhOHoOFnEpBTcN6fclnCMsVzOCiFxjN0bWKugg=
X-Google-Smtp-Source: AGHT+IFeun8kt8NRCImSw5ArYfEtskpjsrQc0ps8yAAbKjbQ/c8kP7/oy4ZKSUoBaa6VO4SqgSBQXyHCEpWnsIXzgGY=
X-Received: by 2002:a05:6a20:b919:b0:1bc:e898:c67f with SMTP id adf61e73a8af0-1bce898c6a5mr360293637.5.1718998898021; Fri, 21 Jun 2024 12:41:38 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB743933344852DB3E08A49C5EB71F2@SJ0PR02MB7439.namprd02.prod.outlook.com> <dcb35328-3d4c-4a13-8c8c-7e86e417d14e@it.aoyama.ac.jp> <CAOGO=oETa_m81MCJRhOrPVP+fJEAiwG7CrVrMNMkwZdRSJNzVw@mail.gmail.com> <CAMBN2CRKo4=Ece_iMJ8qqdvtC4mamhv_fF4DW5RDw+2ufLG54A@mail.gmail.com> <8ea60c19-cf68-013e-1d9b-3d33666bf1a6@isode.com> <CAMBN2CTdxb2rSvoR8Lxv-owM3y=DAoKYV=2njXv_UC4wWW_Y=w@mail.gmail.com> <CAN8C-_Ksava=qZb3ZG2Ri=Mczf-5DrkkWg37O1StfCnhTfStpw@mail.gmail.com> <CA+k3eCS+zB5Ax4DDL_qjCdbzTrVrghgzXsFQa2DrPr6EoCnQuA@mail.gmail.com> <SJ0PR02MB7439121FA0B195E5FC6D94E4B7C82@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQJo-n=w7swokdM+ZDiuaVtP_jD59Sa7X_qf2tHK0W4og@mail.gmail.com>
In-Reply-To: <CA+k3eCQJo-n=w7swokdM+ZDiuaVtP_jD59Sa7X_qf2tHK0W4og@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Fri, 21 Jun 2024 14:41:26 -0500
Message-ID: <CAN8C-_KS0JUKiHchyPZAY=Bd7MXNpNAEvsznDsOn54H4w0gLrA@mail.gmail.com>
To: media-types@iana.org
Content-Type: multipart/alternative; boundary="000000000000afb8dc061b6b9ed5"
Message-ID-Hash: QVL5U3AABAWZ53VXRRJM2MSKU24WEK6O
X-Message-ID-Hash: QVL5U3AABAWZ53VXRRJM2MSKU24WEK6O
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>, spice@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2qfLP2RFEehzUxrdmiXTAEqk7OQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

[ as an individual ]

Adding SPICE since I anticipate this will be relevant to
application/vc(?)+cwt, verifiable credential with or without selective
disclosure, using CBOR Web Tokens -
https://datatracker.ietf.org/doc/html/draft-prorock-spice-cose-sd-cwt

On Fri, Jun 21, 2024 at 12:33 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> With respect to application/vc+sd-jwt, I hope you'd agree that an IETF
> SD-JWT VC and an SD-JWT with a payload conforming to the VCDM 2.0 are
> distinctly different things and that it'd be wholly inappropriate to use
> the same media type to represent them.
>

The mandatory JSON members are different.
I think it's obvious that they should be different media types.

However, I will note that `application/vc` has a subtype, so the confusion
exists regardless of what suffixes you append.

Is it inappropriate to use the same "subtype" for formats controlled by
different standards organizations?

I believe that the OAuth working group has received this feedback before.

It's been blogged about: https://www.cyberforge.com/battle-for-the-brand/

It's also been discussed in the minutes of the W3C VCWG, although I won't
be able to provide references, I am sure they exist.

During the SPICE chartering process, the term "digital credential" was
chosen instead, to side step this problem.

OpenID Foundation created a working group called "digital credentials
protocols": https://openid.net/wg/digital-credentials-protocols/

OpenID has specifications that move W3C VCs, ISO mDocs, and other digital
credential formats that include the words "Verifiable Credential".

https://openid.net/sg/openid4vc/

W3C Web Incubation Community Group has:
https://wicg.github.io/digital-credentials/

This issue tracks the possible changes on the W3C side:

https://github.com/w3c/vc-jose-cose/pull/279

OAuth might consider the following alternative media types in the same
spirit:

- application/dc+sd-jwt ( digital credential in sd jwt format )
- application/ic+sd-jwt ( internet credential in sd jwt format )
- application/vc-json+sd-jwt (verifiable credential in json using sd jwt
format)

Or perhaps even reuse some of the framing from eat media types:

https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-application-eat-ucsjson-reg

- application/vc-cs+sd-jwt ( verifiable credential claim set using sd jwt )

Then later, if protocols wish to convey an sd-jwt claim set over an
authenticated channel, like HTTPS, or in MLS, or with HPKE, etc..., instead
of through a signed object, they could do as eat does:

- application/vc-ucs+json ( verifiable credential unsigned claim set using
json )

I think the term "verifiable credential" (VC) is an industry term like
"internet of things" (IoT), or "web3"... and registration requests for
media types that look like this:

application/web3
application/iot
application/cloud
application/credential
application/schema

Might all be rejected, since they are essentially squatting on a high value
subtype.

Elsewhere in the IETF, such as in YANG, we prefix namespace registrations
with IETF to resolve this kind of issue, for example:

urn:ietf:params:xml:ns:yang:ietf-restconf

So perhaps in the spirit in which Brian originally suggested:

- application/w3c-vc+sd-jwt

We might also consider:

- application/ietf-vc+sd-jwt

Although I think Brian's suggestions here makes more sense, especially for
the W3C to consider:

https://github.com/w3c/vc-jose-cose/pull/279#issuecomment-2183160606

> As far application/vp+sd-jwt goes, I don't personally see a reasonable
> justification for the existence of using SD-JWT to secure verifiable
> presentations conforming to the VCDM 2.0.
>

The justification can be found here:
- https://w3c.github.io/vc-data-model/#verifiable-presentations
- https://w3c.github.io/vc-data-model/#dfn-verifiable-presentation
- https://w3c.github.io/vc-data-model/#json-ld

As a general comment, the W3C VCWG sees value in "Holders" providing
structured data about a collection of credentials presented, in addition to
providing the credentials.

This ends up feeling like an envelope containing loose paper, sticky notes,
and other envelopes.

It gives you a lot of flexibility, but also a lot of different ways to
solve the same problems.

But that's a digression that I don't have the energy or motivation to
> further try to convince the W3C VC WG about. The concept isn't relevant in
> the IETF SD-JWT VC context though so there's nothing to do with respect to
> having it work for both.
>
I agree.


>
> On Thu, Jun 20, 2024 at 4:08 PM Michael Jones <michael_b_jones@hotmail.com>
> wrote:
>
>> It’s my hope that the registrations of application/vc+sd-jwt and
>> application/vp+sd-jwt will be able to be done in a way that works for both
>> VC-JOSE-COSE and SD-JWT-VC.  As I see it, that should be an attainable goal
>> and one that the interested parties should work together towards.
>>
>>
>>
>>                                                                 -- Mike
>>
>>
>>
>> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
>> *Sent:* Thursday, June 20, 2024 1:19 PM
>> *To:* Orie Steele <orie@transmute.industries>
>> *Cc:* media-types@iana.org; oauth <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] Re: [media-types] Re: Request for registering
>> media types and structured suffixes defined by W3C VCWG candidate
>> recommendations
>>
>>
>>
>> Thanks for pointing out the potential dependencies and collisions on the
>> horizon. As a co-author on a couple of the documents mentioned and a
>> general media type novice, I have a couple of observations and questions.
>>
>>
>>
>> The
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>> document does plan to request registration of a "+sd-jwt" structured syntax
>> suffix. I believe (hope is perhaps a better word) that the draft is nearing
>> WGLC and it could all happen this year.
>>
>>
>>
>> The https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>> document, which builds on the aforementioned document, plans on requesting
>> registration of an "application/vc+sd-jwt" media type. That draft is less
>> mature overall and not expected to be "finished" anytime soon. However, the
>> "application/vc+sd-jwt" media type is already being used in implementations
>> as well as downstream specifications and profiles.
>>
>>
>>
>> Would it be useful in avoidance of dependencies to request early or
>> provisional registration of that structured syntax suffix and media type?
>> Please forgive my ignorance of the process but is early or provisional
>> registration even possible?
>>
>>
>>
>>
>>
>> On Mon, Jun 10, 2024 at 10:58 AM Orie Steele <orie@transmute.industries>
>> wrote:
>>
>> [ as an individual ]
>>
>> +sd-jwt is requested to be registered in this document:
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-08#name-structured-syntax-suffix-re
>>
>> +cwt is requested to registered in this document:
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-cwt-structured-syntax-suffi
>>
>> Both drafts are still work in progress, but for the W3C Verifiable
>> Credentials use case, only +sd-jwt might be relevant, since +cwt is for
>> claimsets that are CBOR maps where the map keys come from
>> https://www.iana.org/assignments/cwt/cwt.xhtml
>>
>> Based on the comments I've seen here, I would expect to see requests for
>> the following:
>>
>> application/vc
>> application/vc+jwt
>> application/vc+cose
>> application/vc+sd-jwt (depends on the draft above)
>>
>> application/vp
>> application/vp+jwt
>> application/vp+cose
>> application/vp+sd-jwt (depends on the draft above)
>>
>> Perhaps it is worth asking now if application/vc+sd-jwt will be rejected,
>> since it is currently already being requested here:
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-03#name-application-vcsd-jwt
>>
>> Including OAuth for awareness.
>>
>> Regards,
>>
>> OS
>>
>>
>>
>> On Mon, Jun 10, 2024 at 10:33 AM Manu Sporny <msporny@digitalbazaar.com>
>> wrote:
>>
>> On Mon, Jun 10, 2024 at 10:22 AM Alexey Melnikov
>> <alexey.melnikov@isode.com> wrote:
>> > Yes, I can confirm that the registration is currently denied due to
>> > unclear rules about multiple structured suffixes, as well as lack of any
>> > conlusion on how to proceed on the mailing list.
>>
>> Thank you, Alexey, much appreciated, that helps the VCWG move forward.
>>
>> We'll update our specs and send in another set of registrations that
>> will fall more in line w/ the current accepted practices at IANA.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/
>>
>> _______________________________________________
>> media-types mailing list -- media-types@ietf.org
>> To unsubscribe send an email to media-types-leave@ietf.org
>>
>>
>>
>>
>> --
>>
>>
>>
>>
>> *ORIE STEELE *Chief Technology Officer
>> www.transmute.industries
>>
>> <https://transmute.industries/>
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*



-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>