[OAUTH-WG] Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations
Orie Steele <orie@transmute.industries> Fri, 21 June 2024 19:41 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A651C14F602 for <oauth@ietfa.amsl.com>; Fri, 21 Jun 2024 12:41:43 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3w-OhvO04F1S for <oauth@ietfa.amsl.com>; Fri, 21 Jun 2024 12:41:39 -0700 (PDT)
Received: from mail-pf1-x432.google.com (mail-pf1-x432.google.com [IPv6:2607:f8b0:4864:20::432]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 3B0DEC14F5EE for <oauth@ietf.org>; Fri, 21 Jun 2024 12:41:39 -0700 (PDT)
Received: by mail-pf1-x432.google.com with SMTP id d2e1a72fcca58-7065e2fe7d9so459810b3a.3 for <oauth@ietf.org>; Fri, 21 Jun 2024 12:41:39 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1718998898; x=1719603698; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=3T9ktVoiV3gewAj0jmrF8QGlymlYOekHvyELNb/gXgI=; b=B/TLGR34cTEjR1vYHfHuNXv7HqrH4C1EJIEX2PZfxfop0cm9turP6FCaNoTmgbeZjr hziARkzV6IjSJvw8uc/XUwkwGQ8iHxmXJerxWc81G/mm2IGHiotpBw4WsxX0IxA8/cyd aiRN1fEnIAKicxQgiTS09nt71lMB9ZcxmfSbsPBoeqmWszX5/uRjJHDG4GMHiUxQPwm3 L39FFVq54xPcJ13hk3zbKWmu7X+2MZS6/cN9yZIwKHBABa94OIsqdAmPWzODnrTUXfof bwqqgFSo/cKb7Qm2CU9h9Qyw3QJ4FJ4CJ39S656FErc8TZH4B6lcs6pBaRqjUO2PXC+2 lJ6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1718998898; x=1719603698; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=3T9ktVoiV3gewAj0jmrF8QGlymlYOekHvyELNb/gXgI=; b=gHaBSirdzfP4vSlb+/8r/5xAl+vMVQVDShrAx4HKV9d8akYNsBKBPu9BY69MgoMrOp hw2YJvfXBuzFomCLTz3TbzLjc2nAweLLvi6qvdGQw6uS2IQVzidW5KCKEaS3O/sIVjAo 3o/IJgHpcJIZ523EI5k8GGQIbkVSxonE81Va+Lsf6OCu46mlnVPb6uTMOvBDfaCheBmA 8Clq0GgozjzViXyoyqG/UpDSwgjQo/WdNqLBmDhxkxOYGYNSPZYTW2Qto56EXs2Ybp2c Ebpll74YMC3koHCIRCmOiZeepGrfj2eWIYMn2gX7CLNKvKrRACh2oaGLhL6Z6336ejMa 6Uag==
X-Gm-Message-State: AOJu0YxBA61NB3kCdTm1xUhgxLdXPC5Q/K8CXjqlekyHFjB+7zhpwYr5 IVGvM6DQbZbMpACQi5YEpVvPb3faKM8cepO0/WxXFtDDpCMhLrhiq+YXxigrwuT8lKp0wFKtajI 3pt3EQGz4zq4Q3nhOHoOFnEpBTcN6fclnCMsVzOCiFxjN0bWKugg=
X-Google-Smtp-Source: AGHT+IFeun8kt8NRCImSw5ArYfEtskpjsrQc0ps8yAAbKjbQ/c8kP7/oy4ZKSUoBaa6VO4SqgSBQXyHCEpWnsIXzgGY=
X-Received: by 2002:a05:6a20:b919:b0:1bc:e898:c67f with SMTP id adf61e73a8af0-1bce898c6a5mr360293637.5.1718998898021; Fri, 21 Jun 2024 12:41:38 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB743933344852DB3E08A49C5EB71F2@SJ0PR02MB7439.namprd02.prod.outlook.com> <dcb35328-3d4c-4a13-8c8c-7e86e417d14e@it.aoyama.ac.jp> <CAOGO=oETa_m81MCJRhOrPVP+fJEAiwG7CrVrMNMkwZdRSJNzVw@mail.gmail.com> <CAMBN2CRKo4=Ece_iMJ8qqdvtC4mamhv_fF4DW5RDw+2ufLG54A@mail.gmail.com> <8ea60c19-cf68-013e-1d9b-3d33666bf1a6@isode.com> <CAMBN2CTdxb2rSvoR8Lxv-owM3y=DAoKYV=2njXv_UC4wWW_Y=w@mail.gmail.com> <CAN8C-_Ksava=qZb3ZG2Ri=Mczf-5DrkkWg37O1StfCnhTfStpw@mail.gmail.com> <CA+k3eCS+zB5Ax4DDL_qjCdbzTrVrghgzXsFQa2DrPr6EoCnQuA@mail.gmail.com> <SJ0PR02MB7439121FA0B195E5FC6D94E4B7C82@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQJo-n=w7swokdM+ZDiuaVtP_jD59Sa7X_qf2tHK0W4og@mail.gmail.com>
In-Reply-To: <CA+k3eCQJo-n=w7swokdM+ZDiuaVtP_jD59Sa7X_qf2tHK0W4og@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Fri, 21 Jun 2024 14:41:26 -0500
Message-ID: <CAN8C-_KS0JUKiHchyPZAY=Bd7MXNpNAEvsznDsOn54H4w0gLrA@mail.gmail.com>
To: media-types@iana.org
Content-Type: multipart/alternative; boundary="000000000000afb8dc061b6b9ed5"
Message-ID-Hash: QVL5U3AABAWZ53VXRRJM2MSKU24WEK6O
X-Message-ID-Hash: QVL5U3AABAWZ53VXRRJM2MSKU24WEK6O
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>, spice@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2qfLP2RFEehzUxrdmiXTAEqk7OQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
[ as an individual ] Adding SPICE since I anticipate this will be relevant to application/vc(?)+cwt, verifiable credential with or without selective disclosure, using CBOR Web Tokens - https://datatracker.ietf.org/doc/html/draft-prorock-spice-cose-sd-cwt On Fri, Jun 21, 2024 at 12:33 PM Brian Campbell <bcampbell@pingidentity.com> wrote: > With respect to application/vc+sd-jwt, I hope you'd agree that an IETF > SD-JWT VC and an SD-JWT with a payload conforming to the VCDM 2.0 are > distinctly different things and that it'd be wholly inappropriate to use > the same media type to represent them. > The mandatory JSON members are different. I think it's obvious that they should be different media types. However, I will note that `application/vc` has a subtype, so the confusion exists regardless of what suffixes you append. Is it inappropriate to use the same "subtype" for formats controlled by different standards organizations? I believe that the OAuth working group has received this feedback before. It's been blogged about: https://www.cyberforge.com/battle-for-the-brand/ It's also been discussed in the minutes of the W3C VCWG, although I won't be able to provide references, I am sure they exist. During the SPICE chartering process, the term "digital credential" was chosen instead, to side step this problem. OpenID Foundation created a working group called "digital credentials protocols": https://openid.net/wg/digital-credentials-protocols/ OpenID has specifications that move W3C VCs, ISO mDocs, and other digital credential formats that include the words "Verifiable Credential". https://openid.net/sg/openid4vc/ W3C Web Incubation Community Group has: https://wicg.github.io/digital-credentials/ This issue tracks the possible changes on the W3C side: https://github.com/w3c/vc-jose-cose/pull/279 OAuth might consider the following alternative media types in the same spirit: - application/dc+sd-jwt ( digital credential in sd jwt format ) - application/ic+sd-jwt ( internet credential in sd jwt format ) - application/vc-json+sd-jwt (verifiable credential in json using sd jwt format) Or perhaps even reuse some of the framing from eat media types: https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-application-eat-ucsjson-reg - application/vc-cs+sd-jwt ( verifiable credential claim set using sd jwt ) Then later, if protocols wish to convey an sd-jwt claim set over an authenticated channel, like HTTPS, or in MLS, or with HPKE, etc..., instead of through a signed object, they could do as eat does: - application/vc-ucs+json ( verifiable credential unsigned claim set using json ) I think the term "verifiable credential" (VC) is an industry term like "internet of things" (IoT), or "web3"... and registration requests for media types that look like this: application/web3 application/iot application/cloud application/credential application/schema Might all be rejected, since they are essentially squatting on a high value subtype. Elsewhere in the IETF, such as in YANG, we prefix namespace registrations with IETF to resolve this kind of issue, for example: urn:ietf:params:xml:ns:yang:ietf-restconf So perhaps in the spirit in which Brian originally suggested: - application/w3c-vc+sd-jwt We might also consider: - application/ietf-vc+sd-jwt Although I think Brian's suggestions here makes more sense, especially for the W3C to consider: https://github.com/w3c/vc-jose-cose/pull/279#issuecomment-2183160606 > As far application/vp+sd-jwt goes, I don't personally see a reasonable > justification for the existence of using SD-JWT to secure verifiable > presentations conforming to the VCDM 2.0. > The justification can be found here: - https://w3c.github.io/vc-data-model/#verifiable-presentations - https://w3c.github.io/vc-data-model/#dfn-verifiable-presentation - https://w3c.github.io/vc-data-model/#json-ld As a general comment, the W3C VCWG sees value in "Holders" providing structured data about a collection of credentials presented, in addition to providing the credentials. This ends up feeling like an envelope containing loose paper, sticky notes, and other envelopes. It gives you a lot of flexibility, but also a lot of different ways to solve the same problems. But that's a digression that I don't have the energy or motivation to > further try to convince the W3C VC WG about. The concept isn't relevant in > the IETF SD-JWT VC context though so there's nothing to do with respect to > having it work for both. > I agree. > > On Thu, Jun 20, 2024 at 4:08 PM Michael Jones <michael_b_jones@hotmail.com> > wrote: > >> It’s my hope that the registrations of application/vc+sd-jwt and >> application/vp+sd-jwt will be able to be done in a way that works for both >> VC-JOSE-COSE and SD-JWT-VC. As I see it, that should be an attainable goal >> and one that the interested parties should work together towards. >> >> >> >> -- Mike >> >> >> >> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> >> *Sent:* Thursday, June 20, 2024 1:19 PM >> *To:* Orie Steele <orie@transmute.industries> >> *Cc:* media-types@iana.org; oauth <oauth@ietf.org> >> *Subject:* [OAUTH-WG] Re: [media-types] Re: Request for registering >> media types and structured suffixes defined by W3C VCWG candidate >> recommendations >> >> >> >> Thanks for pointing out the potential dependencies and collisions on the >> horizon. As a co-author on a couple of the documents mentioned and a >> general media type novice, I have a couple of observations and questions. >> >> >> >> The >> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/ >> document does plan to request registration of a "+sd-jwt" structured syntax >> suffix. I believe (hope is perhaps a better word) that the draft is nearing >> WGLC and it could all happen this year. >> >> >> >> The https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ >> document, which builds on the aforementioned document, plans on requesting >> registration of an "application/vc+sd-jwt" media type. That draft is less >> mature overall and not expected to be "finished" anytime soon. However, the >> "application/vc+sd-jwt" media type is already being used in implementations >> as well as downstream specifications and profiles. >> >> >> >> Would it be useful in avoidance of dependencies to request early or >> provisional registration of that structured syntax suffix and media type? >> Please forgive my ignorance of the process but is early or provisional >> registration even possible? >> >> >> >> >> >> On Mon, Jun 10, 2024 at 10:58 AM Orie Steele <orie@transmute.industries> >> wrote: >> >> [ as an individual ] >> >> +sd-jwt is requested to be registered in this document: >> >> >> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-08#name-structured-syntax-suffix-re >> >> +cwt is requested to registered in this document: >> >> >> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-cwt-structured-syntax-suffi >> >> Both drafts are still work in progress, but for the W3C Verifiable >> Credentials use case, only +sd-jwt might be relevant, since +cwt is for >> claimsets that are CBOR maps where the map keys come from >> https://www.iana.org/assignments/cwt/cwt.xhtml >> >> Based on the comments I've seen here, I would expect to see requests for >> the following: >> >> application/vc >> application/vc+jwt >> application/vc+cose >> application/vc+sd-jwt (depends on the draft above) >> >> application/vp >> application/vp+jwt >> application/vp+cose >> application/vp+sd-jwt (depends on the draft above) >> >> Perhaps it is worth asking now if application/vc+sd-jwt will be rejected, >> since it is currently already being requested here: >> >> >> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-03#name-application-vcsd-jwt >> >> Including OAuth for awareness. >> >> Regards, >> >> OS >> >> >> >> On Mon, Jun 10, 2024 at 10:33 AM Manu Sporny <msporny@digitalbazaar.com> >> wrote: >> >> On Mon, Jun 10, 2024 at 10:22 AM Alexey Melnikov >> <alexey.melnikov@isode.com> wrote: >> > Yes, I can confirm that the registration is currently denied due to >> > unclear rules about multiple structured suffixes, as well as lack of any >> > conlusion on how to proceed on the mailing list. >> >> Thank you, Alexey, much appreciated, that helps the VCWG move forward. >> >> We'll update our specs and send in another set of registrations that >> will fall more in line w/ the current accepted practices at IANA. >> >> -- manu >> >> -- >> Manu Sporny - https://www.linkedin.com/in/manusporny/ >> Founder/CEO - Digital Bazaar, Inc. >> https://www.digitalbazaar.com/ >> >> _______________________________________________ >> media-types mailing list -- media-types@ietf.org >> To unsubscribe send an email to media-types-leave@ietf.org >> >> >> >> >> -- >> >> >> >> >> *ORIE STEELE *Chief Technology Officer >> www.transmute.industries >> >> <https://transmute.industries/> >> >> _______________________________________________ >> OAuth mailing list -- oauth@ietf.org >> To unsubscribe send an email to oauth-leave@ietf.org >> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.* >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Orie Steele
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Michael Jones
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Brian Campbell
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Brian Campbell
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Orie Steele
- [OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: … Brian Campbell
- [OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: … Orie Steele