[OAUTH-WG] Leading underscores in SD-JWT Claim Names (was SD-JWT architecture feedback)

Michael Jones <michael_b_jones@hotmail.com> Sat, 21 September 2024 19:06 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/5hn4ScQlgXFM08B3G9gmIoBWEIw>

SD-JWT is following an existing OAuth (and OpenID) convention by including an underscore prefix in the names of claims about claims. You’ll find that _claim_names and _claim_sources are registered at https://www.iana.org/assignments/jwt/jwt.xhtml, which are both claims about claims, rather than claims whose values are used in the usual way. These are currently the only claims with leading underscores registered.

Therefore, I believe SD-JWT is on solid ground creating and registering the names _sd and _sd_alg as other claims about claims.

-- Mike

From: Dick Hardt <dick.hardt@gmail.com>
Sent: Saturday, September 21, 2024 9:16 AM
To: Daniel Fett <mail@danielfett.de>
Cc: oauth@ietf.org; kristina@sfc.keio.ac.jp
Subject: [OAUTH-WG] Re: SD-JWT architecture feedback

…


Claim Names
Why do the claims start with '_'? Why not just 'sd' and 'sda'? Why is '_sd_alg' in the payload and not in the header?

While the underscore doesn't officially have any special meaning, adding it reduces the chance for collisions with existing claims and makes the SD-JWT-related claims sort nicely. All SD-related claims are in the payload, that's why we put _sd_alg there as well.
Do you have data that shows it will reduce collisions? I have seen many implementations that created their own claims that start with _ to reduce collisions with the same rationale!

There is an IANA registry for claim names to avoid collisions.

The _ reminds me of internal C variables that others were not supposed to use, but eventually did.

_sd_alg is NOT a claim. It is a signal for which algorithm to use and should be in the header.

I'm unclear on the sorting advantage. They would sort together if they started with sd as well.
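The thread turns on `_sd` and `_sd_alg` being claims about claims that must not be confused with ordinary claims. The following is an added example, not code from the thread or from any SD-JWT implementation: a minimal Python issuer/verifier that computes `_sd` digests under `_sd_alg` and rejects any disclosure whose name is one of the reserved underscore claims or collides with a claim already present in the payload. It assumes disclosures of the form base64url(JSON [salt, name, value]) and leaves out JWS signature checking and decoy digests.

```python
import base64
import hashlib
import json
import secrets

# Claim names SD-JWT reserves for "claims about claims"; a disclosure must
# never be allowed to introduce or overwrite one of them.
RESERVED = {"_sd", "_sd_alg", "..."}
HASH_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384,
             "sha-512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_disclosure(name: str, value) -> str:
    """Disclosure = base64url(JSON [salt, claim name, value])."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())

def digest(disclosure: str, alg: str = "sha-256") -> str:
    """Digest is computed over the ASCII disclosure string itself."""
    return b64url(HASH_ALGS[alg](disclosure.encode("ascii")).digest())

def issue(visible: dict, hidden: dict, alg: str = "sha-256"):
    """Issuer payload: plaintext claims plus _sd digests and _sd_alg.
    (A real issuer would also shuffle the digests and add decoys.)"""
    disclosures = [make_disclosure(k, v) for k, v in hidden.items()]
    payload = dict(visible)
    payload["_sd"] = [digest(d, alg) for d in disclosures]
    payload["_sd_alg"] = alg
    return payload, disclosures

def verify(payload: dict, disclosures: list) -> dict:
    """Resolve presented disclosures against _sd; reject reserved or
    colliding claim names rather than letting a disclosure shadow them."""
    alg = payload.get("_sd_alg", "sha-256")
    if alg not in HASH_ALGS:
        raise ValueError(f"unsupported _sd_alg {alg!r}")
    pending = set(payload["_sd"])
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in disclosures:
        dg = digest(d, alg)
        if dg not in pending:
            raise ValueError("disclosure does not match any _sd digest")
        pending.remove(dg)          # each digest may be used only once
        raw = base64.urlsafe_b64decode(d + "=" * (-len(d) % 4))
        _salt, name, value = json.loads(raw)
        if name in RESERVED or name in claims:
            raise ValueError(f"disclosure for reserved or duplicate claim {name!r}")
        claims[name] = value
    return claims
```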