[OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations

Brian Campbell <bcampbell@pingidentity.com> Mon, 24 June 2024 16:48 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 49D81C14F681 for <oauth@ietfa.amsl.com>; Mon, 24 Jun 2024 09:48:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.093
X-Spam-Level:
X-Spam-Status: No, score=-2.093 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id P35VumTfSjAl for <oauth@ietfa.amsl.com>; Mon, 24 Jun 2024 09:48:02 -0700 (PDT)
Received: from mail-il1-x129.google.com (mail-il1-x129.google.com [IPv6:2607:f8b0:4864:20::129]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E374AC14F6AB for <oauth@ietf.org>; Mon, 24 Jun 2024 09:48:02 -0700 (PDT)
Received: by mail-il1-x129.google.com with SMTP id e9e14a558f8ab-376243a112cso16897345ab.3 for <oauth@ietf.org>; Mon, 24 Jun 2024 09:48:02 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1719247681; x=1719852481; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=CVhrbBiwortdyuq58n0IMHQvaR+IDs2Amutf+fm6M6o=; b=K6tIcoHzqcpU2dMunLLdNuGJv/7GdOj6k9ZY99hDM+JtBrXy0mfr7m9dun/ppJOCrA bxu/LRcZZAD3n7a1PJw6uApLwXpLTaf3HA0cNYhBAsJiflXLxfNnBU86JUISfuOd8g+f qiV+RgEFxFLvYYRv3XkFaYA0INs179KJCpkncDq6vgfmwIT7uimvEQ5I9lanAtgeLqHk DiHuQ92Q2N/aIAyHYK1ucJK2ZGN/w+6C7t6m8DavvDufv0oPXJ8C4dBcxsDfyy6c6oTJ UpocpWCPBThwLeMWKDa6x6CHNNuYZvl6GlQ+ay9SrQYB3bxmy4vfrdFB6E3tRWntK7ms ps0g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719247681; x=1719852481; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=CVhrbBiwortdyuq58n0IMHQvaR+IDs2Amutf+fm6M6o=; b=W7CkozJs/Bd77RpAWMnwQSHY2G406mcXWA+TQZBCKCd3lTG1fyFR5ZducWU4NOqn3S WER9des6GaQZr1JcS8kJE4gNVQ8b0CMtHeG0/JcULNmj7l9ePe4TJm43iKSsRzAsxO43 YdI6J3SWgvbkiuUv5Sd5ixFkkHVdPSmV7beyD2qzRsBESUrIghnXVG5V34NdbVP3Ju2P 8/QDDc85Z4jns+BzetEVSOt4DlgKStbt8+W0KQ9aE4vLMsNC5znEjtaB4fAyf3lVDqmI 9ffP+50Ur8MBS/BOx1gxB11Lc0lYu5X1S1fXR+7LQnwWyz+l/HWVQuP4d+6bKFYD+0du 2SMA==
X-Forwarded-Encrypted: i=1; AJvYcCXGpOTifdBHcr5G6EEpUnWsGp6TVI4hMkmNn1atpD9quKbM65bQWrztOBT2q7pa0DatdwciYIocgqLzRIC4dQ==
X-Gm-Message-State: AOJu0YyB12cJGRGodSzHDYATxbyX447QQ2NXPMDlyvnEFOrNjhWcXW05 CA9Iv48ySs/OC/PzN7fabRf5bk/6edVEQOzopGTF3vzrTwcp2oxxHNoNZIUGfvWX2upZhWHxpUD jFGNmcum40o93Z2aFacJILKVfuk9JyzD6oNI5Y5Sjm3Zr99FXnW8CU83h0yIjlSVkKFtUst6kuJ 6ZBdPuORECx7iWIwHK3oMnM28=
X-Google-Smtp-Source: AGHT+IHAMvMM2DgYOStzCwwzZWdUMfvc+XSPImOtatemAEL18gTFCbqLrFy6ekRnYyabGt7cSlSl2FWwJ2/XArODdFo=
X-Received: by 2002:a05:6e02:b25:b0:374:92d0:caa7 with SMTP id e9e14a558f8ab-3763e0607camr66355515ab.25.1719247681448; Mon, 24 Jun 2024 09:48:01 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB743933344852DB3E08A49C5EB71F2@SJ0PR02MB7439.namprd02.prod.outlook.com> <dcb35328-3d4c-4a13-8c8c-7e86e417d14e@it.aoyama.ac.jp> <CAOGO=oETa_m81MCJRhOrPVP+fJEAiwG7CrVrMNMkwZdRSJNzVw@mail.gmail.com> <CAMBN2CRKo4=Ece_iMJ8qqdvtC4mamhv_fF4DW5RDw+2ufLG54A@mail.gmail.com> <8ea60c19-cf68-013e-1d9b-3d33666bf1a6@isode.com> <CAMBN2CTdxb2rSvoR8Lxv-owM3y=DAoKYV=2njXv_UC4wWW_Y=w@mail.gmail.com> <CAN8C-_Ksava=qZb3ZG2Ri=Mczf-5DrkkWg37O1StfCnhTfStpw@mail.gmail.com> <CA+k3eCS+zB5Ax4DDL_qjCdbzTrVrghgzXsFQa2DrPr6EoCnQuA@mail.gmail.com> <SJ0PR02MB7439121FA0B195E5FC6D94E4B7C82@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQJo-n=w7swokdM+ZDiuaVtP_jD59Sa7X_qf2tHK0W4og@mail.gmail.com> <CAN8C-_KS0JUKiHchyPZAY=Bd7MXNpNAEvsznDsOn54H4w0gLrA@mail.gmail.com>
In-Reply-To: <CAN8C-_KS0JUKiHchyPZAY=Bd7MXNpNAEvsznDsOn54H4w0gLrA@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 24 Jun 2024 10:47:35 -0600
Message-ID: <CA+k3eCS2j8maVKva8VW2L6Zv08+U+1cLyiLXp4cSiejBDDT+AQ@mail.gmail.com>
To: Orie Steele <orie@transmute.industries>
Content-Type: multipart/alternative; boundary="000000000000558643061ba58b96"
Message-ID-Hash: OEWQQYSXSYTSHVTTB73MUSJ3FDBLZBKI
X-Message-ID-Hash: OEWQQYSXSYTSHVTTB73MUSJ3FDBLZBKI
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: media-types@iana.org, oauth <oauth@ietf.org>, spice@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/C_o7y_dG57QWnF0zgEjiKQvFZPw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Just to comment on the indirect comment about essentially squatting on a
high value subtypes:

The authors of draft-ietf-oauth-sd-jwt-vc
<https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/> (and the WG
on behalf of whose rough consensus the work endeavors to represent) have no
intent or interest in requesting registration of "application/vc".

While the anticipated request for "application/vc+sd-jwt" was modeled
loosely after existing media types like application/at+jwt
<https://www.iana.org/assignments/media-types/application/at+jwt> and
application/dpop+jwt
<https://www.iana.org/assignments/media-types/application/dpop+jwt> where a
relatively short value is useful and the part to the left of the suffix
doesn't have any oblivious utility standing on its own.

Furthermore, up until rather recently, the W3C VCWG was aspiring to
register the following, for which there was no prospective conflict.

application/vc+ld+json
application/vp+ld+json
application/vc+ld+json+jwt
application/vp+ld+json+jwt
application/vc+ld+json+sd-jwt
application/vp+ld+json+sd-jwt
application/vc+ld+json+cose
application/vp+ld+json+cose
+ld+json+jwt
+json+jwt
+ld+json+sd-jwt
+json+sd-jwt
+ld+json+cose
+json+cose

On Fri, Jun 21, 2024 at 1:41 PM Orie Steele <orie@transmute.industries>
wrote:

> [ as an individual ]
>
> Adding SPICE since I anticipate this will be relevant to
> application/vc(?)+cwt, verifiable credential with or without selective
> disclosure, using CBOR Web Tokens -
> https://datatracker.ietf.org/doc/html/draft-prorock-spice-cose-sd-cwt
>
> On Fri, Jun 21, 2024 at 12:33 PM Brian Campbell <
> bcampbell@pingidentity.com> wrote:
>
>> With respect to application/vc+sd-jwt, I hope you'd agree that an IETF
>> SD-JWT VC and an SD-JWT with a payload conforming to the VCDM 2.0 are
>> distinctly different things and that it'd be wholly inappropriate to use
>> the same media type to represent them.
>>
>
> The mandatory JSON members are different.
> I think it's obvious that they should be different media types.
>
> However, I will note that `application/vc` has a subtype, so the confusion
> exists regardless of what suffixes you append.
>
> Is it inappropriate to use the same "subtype" for formats controlled by
> different standards organizations?
>
> I believe that the OAuth working group has received this feedback before.
>
> It's been blogged about: https://www.cyberforge.com/battle-for-the-brand/
>
> It's also been discussed in the minutes of the W3C VCWG, although I won't
> be able to provide references, I am sure they exist.
>
> During the SPICE chartering process, the term "digital credential" was
> chosen instead, to side step this problem.
>
> OpenID Foundation created a working group called "digital credentials
> protocols": https://openid.net/wg/digital-credentials-protocols/
>
> OpenID has specifications that move W3C VCs, ISO mDocs, and other digital
> credential formats that include the words "Verifiable Credential".
>
> https://openid.net/sg/openid4vc/
>
> W3C Web Incubation Community Group has:
> https://wicg.github.io/digital-credentials/
>
> This issue tracks the possible changes on the W3C side:
>
> https://github.com/w3c/vc-jose-cose/pull/279
>
> OAuth might consider the following alternative media types in the same
> spirit:
>
> - application/dc+sd-jwt ( digital credential in sd jwt format )
> - application/ic+sd-jwt ( internet credential in sd jwt format )
> - application/vc-json+sd-jwt (verifiable credential in json using sd jwt
> format)
>
> Or perhaps even reuse some of the framing from eat media types:
>
>
> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-application-eat-ucsjson-reg
>
> - application/vc-cs+sd-jwt ( verifiable credential claim set using sd jwt )
>
> Then later, if protocols wish to convey an sd-jwt claim set over an
> authenticated channel, like HTTPS, or in MLS, or with HPKE, etc..., instead
> of through a signed object, they could do as eat does:
>
> - application/vc-ucs+json ( verifiable credential unsigned claim set using
> json )
>
> I think the term "verifiable credential" (VC) is an industry term like
> "internet of things" (IoT), or "web3"... and registration requests for
> media types that look like this:
>
> application/web3
> application/iot
> application/cloud
> application/credential
> application/schema
>
> Might all be rejected, since they are essentially squatting on a high
> value subtype.
>
> Elsewhere in the IETF, such as in YANG, we prefix namespace registrations
> with IETF to resolve this kind of issue, for example:
>
> urn:ietf:params:xml:ns:yang:ietf-restconf
>
> So perhaps in the spirit in which Brian originally suggested:
>
> - application/w3c-vc+sd-jwt
>
> We might also consider:
>
> - application/ietf-vc+sd-jwt
>
> Although I think Brian's suggestions here makes more sense, especially for
> the W3C to consider:
>
> https://github.com/w3c/vc-jose-cose/pull/279#issuecomment-2183160606
>
>> As far application/vp+sd-jwt goes, I don't personally see a reasonable
>> justification for the existence of using SD-JWT to secure verifiable
>> presentations conforming to the VCDM 2.0.
>>
>
> The justification can be found here:
> - https://w3c.github.io/vc-data-model/#verifiable-presentations
> - https://w3c.github.io/vc-data-model/#dfn-verifiable-presentation
> - https://w3c.github.io/vc-data-model/#json-ld
>
> As a general comment, the W3C VCWG sees value in "Holders" providing
> structured data about a collection of credentials presented, in addition to
> providing the credentials.
>
> This ends up feeling like an envelope containing loose paper, sticky
> notes, and other envelopes.
>
> It gives you a lot of flexibility, but also a lot of different ways to
> solve the same problems.
>
> But that's a digression that I don't have the energy or motivation to
>> further try to convince the W3C VC WG about. The concept isn't relevant in
>> the IETF SD-JWT VC context though so there's nothing to do with respect to
>> having it work for both.
>>
> I agree.
>
>
>>
>> On Thu, Jun 20, 2024 at 4:08 PM Michael Jones <
>> michael_b_jones@hotmail.com> wrote:
>>
>>> It’s my hope that the registrations of application/vc+sd-jwt and
>>> application/vp+sd-jwt will be able to be done in a way that works for both
>>> VC-JOSE-COSE and SD-JWT-VC.  As I see it, that should be an attainable goal
>>> and one that the interested parties should work together towards.
>>>
>>>
>>>
>>>                                                                 -- Mike
>>>
>>>
>>>
>>> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
>>> *Sent:* Thursday, June 20, 2024 1:19 PM
>>> *To:* Orie Steele <orie@transmute.industries>
>>> *Cc:* media-types@iana.org; oauth <oauth@ietf.org>
>>> *Subject:* [OAUTH-WG] Re: [media-types] Re: Request for registering
>>> media types and structured suffixes defined by W3C VCWG candidate
>>> recommendations
>>>
>>>
>>>
>>> Thanks for pointing out the potential dependencies and collisions on the
>>> horizon. As a co-author on a couple of the documents mentioned and a
>>> general media type novice, I have a couple of observations and questions.
>>>
>>>
>>>
>>> The
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>> document does plan to request registration of a "+sd-jwt" structured syntax
>>> suffix. I believe (hope is perhaps a better word) that the draft is nearing
>>> WGLC and it could all happen this year.
>>>
>>>
>>>
>>> The https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>>> document, which builds on the aforementioned document, plans on requesting
>>> registration of an "application/vc+sd-jwt" media type. That draft is less
>>> mature overall and not expected to be "finished" anytime soon. However, the
>>> "application/vc+sd-jwt" media type is already being used in implementations
>>> as well as downstream specifications and profiles.
>>>
>>>
>>>
>>> Would it be useful in avoidance of dependencies to request early or
>>> provisional registration of that structured syntax suffix and media type?
>>> Please forgive my ignorance of the process but is early or provisional
>>> registration even possible?
>>>
>>>
>>>
>>>
>>>
>>> On Mon, Jun 10, 2024 at 10:58 AM Orie Steele <orie@transmute.industries>
>>> wrote:
>>>
>>> [ as an individual ]
>>>
>>> +sd-jwt is requested to be registered in this document:
>>>
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-08#name-structured-syntax-suffix-re
>>>
>>> +cwt is requested to registered in this document:
>>>
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-cwt-structured-syntax-suffi
>>>
>>> Both drafts are still work in progress, but for the W3C Verifiable
>>> Credentials use case, only +sd-jwt might be relevant, since +cwt is for
>>> claimsets that are CBOR maps where the map keys come from
>>> https://www.iana.org/assignments/cwt/cwt.xhtml
>>>
>>> Based on the comments I've seen here, I would expect to see requests for
>>> the following:
>>>
>>> application/vc
>>> application/vc+jwt
>>> application/vc+cose
>>> application/vc+sd-jwt (depends on the draft above)
>>>
>>> application/vp
>>> application/vp+jwt
>>> application/vp+cose
>>> application/vp+sd-jwt (depends on the draft above)
>>>
>>> Perhaps it is worth asking now if application/vc+sd-jwt will be
>>> rejected, since it is currently already being requested here:
>>>
>>>
>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-03#name-application-vcsd-jwt
>>>
>>> Including OAuth for awareness.
>>>
>>> Regards,
>>>
>>> OS
>>>
>>>
>>>
>>> On Mon, Jun 10, 2024 at 10:33 AM Manu Sporny <msporny@digitalbazaar.com>
>>> wrote:
>>>
>>> On Mon, Jun 10, 2024 at 10:22 AM Alexey Melnikov
>>> <alexey.melnikov@isode.com> wrote:
>>> > Yes, I can confirm that the registration is currently denied due to
>>> > unclear rules about multiple structured suffixes, as well as lack of
>>> any
>>> > conlusion on how to proceed on the mailing list.
>>>
>>> Thank you, Alexey, much appreciated, that helps the VCWG move forward.
>>>
>>> We'll update our specs and send in another set of registrations that
>>> will fall more in line w/ the current accepted practices at IANA.
>>>
>>> -- manu
>>>
>>> --
>>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>>> Founder/CEO - Digital Bazaar, Inc.
>>> https://www.digitalbazaar.com/
>>>
>>> _______________________________________________
>>> media-types mailing list -- media-types@ietf.org
>>> To unsubscribe send an email to media-types-leave@ietf.org
>>>
>>>
>>>
>>>
>>> --
>>>
>>>
>>>
>>>
>>> *ORIE STEELE *Chief Technology Officer
>>> www.transmute.industries
>>>
>>> <https://transmute.industries/>
>>>
>>> _______________________________________________
>>> OAuth mailing list -- oauth@ietf.org
>>> To unsubscribe send an email to oauth-leave@ietf.org
>>>
>>>
>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>>> privileged material for the sole use of the intended recipient(s). Any
>>> review, use, distribution or disclosure by others is strictly prohibited.
>>> If you have received this communication in error, please notify the sender
>>> immediately by e-mail and delete the message and any file attachments from
>>> your computer. Thank you.*
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*
>
>
>
> --
>
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
>
> <https://transmute.industries>
> --
> SPICE mailing list -- spice@ietf.org
> To unsubscribe send an email to spice-leave@ietf.org
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._