[OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations
Orie Steele <orie@transmute.industries> Mon, 24 June 2024 17:05 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id ED2A2C151536 for <oauth@ietfa.amsl.com>; Mon, 24 Jun 2024 10:05:07 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.097
X-Spam-Level:
X-Spam-Status: No, score=-2.097 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7HjJYG5nsYsP for <oauth@ietfa.amsl.com>; Mon, 24 Jun 2024 10:05:03 -0700 (PDT)
Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id AF150C15155A for <oauth@ietf.org>; Mon, 24 Jun 2024 10:05:03 -0700 (PDT)
Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-717f17d7c63so2079493a12.0 for <oauth@ietf.org>; Mon, 24 Jun 2024 10:05:03 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1719248703; x=1719853503; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=BnpnGWoZ6Xx3kTID5MwscnmqOvKRe/3I4wTTJ/JBUQU=; b=BJcRrS28Ru9HDAO1mhSEjuaxFBDCitiVWYxDFSUm5Nkc2lNBM4CsD4OFi+X8Mk1Iru 9ECUT98514+NO6R4aFQWUt8demdIx0cP2VjeAB2+OGNEmmMujVZiajQvC7g2RimEbst0 sVbHuqVrbYfzv4ZDHL38pvRcG8Et88287kFj+ImLVkdQzt5YAacbDt/RLcsOUQkmny2X 11JXtGu15HBIrkwqKzwRipLDjFSfpRkniYq/sTTAJ2a6D0cppR8g4M6+MxMxg7PvPDfs 51mECT+P++j6M66oDrPlzlEhv/F3dJWfrZrTHAA3vpp+b1YQWuVLsOFMSwt9u/CfJ/Ab m76A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1719248703; x=1719853503; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=BnpnGWoZ6Xx3kTID5MwscnmqOvKRe/3I4wTTJ/JBUQU=; b=WechkX8H9Lc8BclKqJQCbEDBFD8DG54R1QIjBfJwFTyldHMmDMwHkuqd+OGok1PYZH uT8RBWgbeFlr2m6C0k1XuWwEfwVSQcFMlyztatlzZBmRd3P/XJJWPp2eRMsSjvzLGdaI qNWTh8ttJweV4POznSTAymx3HB0g62jiPfol7UIrU+l+RuRNXGKppatw1gn3DKxldmaH heNl0pFxO6KVKXgkSSotV6ZYa6y1ifWXwcAhba1mpFmGn89hG6nJ6OETQ8F40FMK1STu LMeyxzn1nqFixZEs+ZsMVuzraERVAEgK6zetxImwImYeCERzi+yTaZpk8exImD0y7MEx XLiw==
X-Forwarded-Encrypted: i=1; AJvYcCVrQ0NiYmhpZuayW9otw3eEm3UcvIhuWKF/6IygyblhTEBJ2Nr9w2YJfH9o4azoI3NVwadZ+XJEsF379fLvHQ==
X-Gm-Message-State: AOJu0Yzcw/VfFCSoEgitIDPq+bk4zKPety4pBYQeey33hCNdjY8p8YlV VrwMNNcHDGpWbUnrgewDajAUJJGV7ObQfa/JePECh/rvfWZyBVWs0WnJjabyK0PEw65z/YXjFE0 RMbus0kceD3s4ooUUkVoFt/oj9cLvnBkp54pvOw==
X-Google-Smtp-Source: AGHT+IGxZMIIDqytfdRKCHFCBGXP2f9xUE4TCKcBqOn57r3sHEdye6GHO57DKiqlVIyAW/fbUWwSJoUa0b4TB1wVgNY=
X-Received: by 2002:a17:90b:30c7:b0:2c3:2557:3de8 with SMTP id 98e67ed59e1d1-2c86146d113mr3468035a91.33.1719248702511; Mon, 24 Jun 2024 10:05:02 -0700 (PDT)
MIME-Version: 1.0
References: <SJ0PR02MB743933344852DB3E08A49C5EB71F2@SJ0PR02MB7439.namprd02.prod.outlook.com> <dcb35328-3d4c-4a13-8c8c-7e86e417d14e@it.aoyama.ac.jp> <CAOGO=oETa_m81MCJRhOrPVP+fJEAiwG7CrVrMNMkwZdRSJNzVw@mail.gmail.com> <CAMBN2CRKo4=Ece_iMJ8qqdvtC4mamhv_fF4DW5RDw+2ufLG54A@mail.gmail.com> <8ea60c19-cf68-013e-1d9b-3d33666bf1a6@isode.com> <CAMBN2CTdxb2rSvoR8Lxv-owM3y=DAoKYV=2njXv_UC4wWW_Y=w@mail.gmail.com> <CAN8C-_Ksava=qZb3ZG2Ri=Mczf-5DrkkWg37O1StfCnhTfStpw@mail.gmail.com> <CA+k3eCS+zB5Ax4DDL_qjCdbzTrVrghgzXsFQa2DrPr6EoCnQuA@mail.gmail.com> <SJ0PR02MB7439121FA0B195E5FC6D94E4B7C82@SJ0PR02MB7439.namprd02.prod.outlook.com> <CA+k3eCQJo-n=w7swokdM+ZDiuaVtP_jD59Sa7X_qf2tHK0W4og@mail.gmail.com> <CAN8C-_KS0JUKiHchyPZAY=Bd7MXNpNAEvsznDsOn54H4w0gLrA@mail.gmail.com> <CA+k3eCS2j8maVKva8VW2L6Zv08+U+1cLyiLXp4cSiejBDDT+AQ@mail.gmail.com>
In-Reply-To: <CA+k3eCS2j8maVKva8VW2L6Zv08+U+1cLyiLXp4cSiejBDDT+AQ@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 24 Jun 2024 12:04:51 -0500
Message-ID: <CAN8C-_Lw_gvsweCNVQ5SxzOwd7wee2Treh_r=6DvDJxtjn9ONA@mail.gmail.com>
To: Brian Campbell <bcampbell@pingidentity.com>
Content-Type: multipart/alternative; boundary="00000000000031baae061ba5c828"
Message-ID-Hash: MAK4JRSIYSVXZEX5CDTSEVVNHIRV6GLI
X-Message-ID-Hash: MAK4JRSIYSVXZEX5CDTSEVVNHIRV6GLI
X-MailFrom: orie@transmute.industries
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: media-types@iana.org, oauth <oauth@ietf.org>, spice@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: Request for registering media types and structured suffixes defined by W3C VCWG candidate recommendations
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/G-zaWxk1isa90ohssp6iD3_S7Sk>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
Thanks Brian, The 2 cases you mention "application/at+jwt and application/dpop+jwt" Are cases where the subtype, suffix and full media type are from IETF. I disagree that there was no conflict however, since the use of a suffix implies a distinct subtype which is being suffixed, and as you have pointed out earlier. The required elements of the claimset are different between "w3c claimset", and "oauth claimset". See also these comments: https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/issues/201 Regards, OS On Mon, Jun 24, 2024 at 11:48 AM Brian Campbell <bcampbell@pingidentity.com> wrote: > Just to comment on the indirect comment about essentially squatting on a > high value subtypes: > > The authors of draft-ietf-oauth-sd-jwt-vc > <https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/> (and the > WG on behalf of whose rough consensus the work endeavors to represent) have > no intent or interest in requesting registration of "application/vc". > > While the anticipated request for "application/vc+sd-jwt" was modeled > loosely after existing media types like application/at+jwt > <https://www.iana.org/assignments/media-types/application/at+jwt> and > application/dpop+jwt > <https://www.iana.org/assignments/media-types/application/dpop+jwt> where > a relatively short value is useful and the part to the left of the suffix > doesn't have any oblivious utility standing on its own. > > Furthermore, up until rather recently, the W3C VCWG was aspiring to > register the following, for which there was no prospective conflict. > > application/vc+ld+json > application/vp+ld+json > application/vc+ld+json+jwt > application/vp+ld+json+jwt > application/vc+ld+json+sd-jwt > application/vp+ld+json+sd-jwt > application/vc+ld+json+cose > application/vp+ld+json+cose > +ld+json+jwt > +json+jwt > +ld+json+sd-jwt > +json+sd-jwt > +ld+json+cose > +json+cose > > On Fri, Jun 21, 2024 at 1:41 PM Orie Steele <orie@transmute.industries> > wrote: > >> [ as an individual ] >> >> Adding SPICE since I anticipate this will be relevant to >> application/vc(?)+cwt, verifiable credential with or without selective >> disclosure, using CBOR Web Tokens - >> https://datatracker.ietf.org/doc/html/draft-prorock-spice-cose-sd-cwt >> >> On Fri, Jun 21, 2024 at 12:33 PM Brian Campbell < >> bcampbell@pingidentity.com> wrote: >> >>> With respect to application/vc+sd-jwt, I hope you'd agree that an IETF >>> SD-JWT VC and an SD-JWT with a payload conforming to the VCDM 2.0 are >>> distinctly different things and that it'd be wholly inappropriate to use >>> the same media type to represent them. >>> >> >> The mandatory JSON members are different. >> I think it's obvious that they should be different media types. >> >> However, I will note that `application/vc` has a subtype, so the >> confusion exists regardless of what suffixes you append. >> >> Is it inappropriate to use the same "subtype" for formats controlled by >> different standards organizations? >> >> I believe that the OAuth working group has received this feedback before. >> >> It's been blogged about: https://www.cyberforge.com/battle-for-the-brand/ >> >> It's also been discussed in the minutes of the W3C VCWG, although I won't >> be able to provide references, I am sure they exist. >> >> During the SPICE chartering process, the term "digital credential" was >> chosen instead, to side step this problem. >> >> OpenID Foundation created a working group called "digital credentials >> protocols": https://openid.net/wg/digital-credentials-protocols/ >> >> OpenID has specifications that move W3C VCs, ISO mDocs, and other digital >> credential formats that include the words "Verifiable Credential". >> >> https://openid.net/sg/openid4vc/ >> >> W3C Web Incubation Community Group has: >> https://wicg.github.io/digital-credentials/ >> >> This issue tracks the possible changes on the W3C side: >> >> https://github.com/w3c/vc-jose-cose/pull/279 >> >> OAuth might consider the following alternative media types in the same >> spirit: >> >> - application/dc+sd-jwt ( digital credential in sd jwt format ) >> - application/ic+sd-jwt ( internet credential in sd jwt format ) >> - application/vc-json+sd-jwt (verifiable credential in json using sd jwt >> format) >> >> Or perhaps even reuse some of the framing from eat media types: >> >> >> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-application-eat-ucsjson-reg >> >> - application/vc-cs+sd-jwt ( verifiable credential claim set using sd jwt >> ) >> >> Then later, if protocols wish to convey an sd-jwt claim set over an >> authenticated channel, like HTTPS, or in MLS, or with HPKE, etc..., instead >> of through a signed object, they could do as eat does: >> >> - application/vc-ucs+json ( verifiable credential unsigned claim set >> using json ) >> >> I think the term "verifiable credential" (VC) is an industry term like >> "internet of things" (IoT), or "web3"... and registration requests for >> media types that look like this: >> >> application/web3 >> application/iot >> application/cloud >> application/credential >> application/schema >> >> Might all be rejected, since they are essentially squatting on a high >> value subtype. >> >> Elsewhere in the IETF, such as in YANG, we prefix namespace registrations >> with IETF to resolve this kind of issue, for example: >> >> urn:ietf:params:xml:ns:yang:ietf-restconf >> >> So perhaps in the spirit in which Brian originally suggested: >> >> - application/w3c-vc+sd-jwt >> >> We might also consider: >> >> - application/ietf-vc+sd-jwt >> >> Although I think Brian's suggestions here makes more sense, >> especially for the W3C to consider: >> >> https://github.com/w3c/vc-jose-cose/pull/279#issuecomment-2183160606 >> >>> As far application/vp+sd-jwt goes, I don't personally see a reasonable >>> justification for the existence of using SD-JWT to secure verifiable >>> presentations conforming to the VCDM 2.0. >>> >> >> The justification can be found here: >> - https://w3c.github.io/vc-data-model/#verifiable-presentations >> - https://w3c.github.io/vc-data-model/#dfn-verifiable-presentation >> - https://w3c.github.io/vc-data-model/#json-ld >> >> As a general comment, the W3C VCWG sees value in "Holders" providing >> structured data about a collection of credentials presented, in addition to >> providing the credentials. >> >> This ends up feeling like an envelope containing loose paper, sticky >> notes, and other envelopes. >> >> It gives you a lot of flexibility, but also a lot of different ways to >> solve the same problems. >> >> But that's a digression that I don't have the energy or motivation to >>> further try to convince the W3C VC WG about. The concept isn't relevant in >>> the IETF SD-JWT VC context though so there's nothing to do with respect to >>> having it work for both. >>> >> I agree. >> >> >>> >>> On Thu, Jun 20, 2024 at 4:08 PM Michael Jones < >>> michael_b_jones@hotmail.com> wrote: >>> >>>> It’s my hope that the registrations of application/vc+sd-jwt and >>>> application/vp+sd-jwt will be able to be done in a way that works for both >>>> VC-JOSE-COSE and SD-JWT-VC. As I see it, that should be an attainable goal >>>> and one that the interested parties should work together towards. >>>> >>>> >>>> >>>> -- Mike >>>> >>>> >>>> >>>> *From:* Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> >>>> *Sent:* Thursday, June 20, 2024 1:19 PM >>>> *To:* Orie Steele <orie@transmute.industries> >>>> *Cc:* media-types@iana.org; oauth <oauth@ietf.org> >>>> *Subject:* [OAUTH-WG] Re: [media-types] Re: Request for registering >>>> media types and structured suffixes defined by W3C VCWG candidate >>>> recommendations >>>> >>>> >>>> >>>> Thanks for pointing out the potential dependencies and collisions on >>>> the horizon. As a co-author on a couple of the documents mentioned and a >>>> general media type novice, I have a couple of observations and questions. >>>> >>>> >>>> >>>> The >>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/ >>>> document does plan to request registration of a "+sd-jwt" structured syntax >>>> suffix. I believe (hope is perhaps a better word) that the draft is nearing >>>> WGLC and it could all happen this year. >>>> >>>> >>>> >>>> The https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ >>>> document, which builds on the aforementioned document, plans on requesting >>>> registration of an "application/vc+sd-jwt" media type. That draft is less >>>> mature overall and not expected to be "finished" anytime soon. However, the >>>> "application/vc+sd-jwt" media type is already being used in implementations >>>> as well as downstream specifications and profiles. >>>> >>>> >>>> >>>> Would it be useful in avoidance of dependencies to request early or >>>> provisional registration of that structured syntax suffix and media type? >>>> Please forgive my ignorance of the process but is early or provisional >>>> registration even possible? >>>> >>>> >>>> >>>> >>>> >>>> On Mon, Jun 10, 2024 at 10:58 AM Orie Steele <orie@transmute.industries> >>>> wrote: >>>> >>>> [ as an individual ] >>>> >>>> +sd-jwt is requested to be registered in this document: >>>> >>>> >>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-08#name-structured-syntax-suffix-re >>>> >>>> +cwt is requested to registered in this document: >>>> >>>> >>>> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-media-type-07#name-cwt-structured-syntax-suffi >>>> >>>> Both drafts are still work in progress, but for the W3C Verifiable >>>> Credentials use case, only +sd-jwt might be relevant, since +cwt is for >>>> claimsets that are CBOR maps where the map keys come from >>>> https://www.iana.org/assignments/cwt/cwt.xhtml >>>> >>>> Based on the comments I've seen here, I would expect to see requests >>>> for the following: >>>> >>>> application/vc >>>> application/vc+jwt >>>> application/vc+cose >>>> application/vc+sd-jwt (depends on the draft above) >>>> >>>> application/vp >>>> application/vp+jwt >>>> application/vp+cose >>>> application/vp+sd-jwt (depends on the draft above) >>>> >>>> Perhaps it is worth asking now if application/vc+sd-jwt will be >>>> rejected, since it is currently already being requested here: >>>> >>>> >>>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-03#name-application-vcsd-jwt >>>> >>>> Including OAuth for awareness. >>>> >>>> Regards, >>>> >>>> OS >>>> >>>> >>>> >>>> On Mon, Jun 10, 2024 at 10:33 AM Manu Sporny <msporny@digitalbazaar.com> >>>> wrote: >>>> >>>> On Mon, Jun 10, 2024 at 10:22 AM Alexey Melnikov >>>> <alexey.melnikov@isode.com> wrote: >>>> > Yes, I can confirm that the registration is currently denied due to >>>> > unclear rules about multiple structured suffixes, as well as lack of >>>> any >>>> > conlusion on how to proceed on the mailing list. >>>> >>>> Thank you, Alexey, much appreciated, that helps the VCWG move forward. >>>> >>>> We'll update our specs and send in another set of registrations that >>>> will fall more in line w/ the current accepted practices at IANA. >>>> >>>> -- manu >>>> >>>> -- >>>> Manu Sporny - https://www.linkedin.com/in/manusporny/ >>>> Founder/CEO - Digital Bazaar, Inc. >>>> https://www.digitalbazaar.com/ >>>> >>>> _______________________________________________ >>>> media-types mailing list -- media-types@ietf.org >>>> To unsubscribe send an email to media-types-leave@ietf.org >>>> >>>> >>>> >>>> >>>> -- >>>> >>>> >>>> >>>> >>>> *ORIE STEELE *Chief Technology Officer >>>> www.transmute.industries >>>> >>>> <https://transmute.industries/> >>>> >>>> _______________________________________________ >>>> OAuth mailing list -- oauth@ietf.org >>>> To unsubscribe send an email to oauth-leave@ietf.org >>>> >>>> >>>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>>> privileged material for the sole use of the intended recipient(s). Any >>>> review, use, distribution or disclosure by others is strictly prohibited. >>>> If you have received this communication in error, please notify the sender >>>> immediately by e-mail and delete the message and any file attachments from >>>> your computer. Thank you.* >>>> >>> >>> *CONFIDENTIALITY NOTICE: This email may contain confidential and >>> privileged material for the sole use of the intended recipient(s). Any >>> review, use, distribution or disclosure by others is strictly prohibited. >>> If you have received this communication in error, please notify the sender >>> immediately by e-mail and delete the message and any file attachments from >>> your computer. Thank you.* >> >> >> >> -- >> >> >> ORIE STEELE >> Chief Technology Officer >> www.transmute.industries >> >> <https://transmute.industries> >> -- >> SPICE mailing list -- spice@ietf.org >> To unsubscribe send an email to spice-leave@ietf.org >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.* -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Orie Steele
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Michael Jones
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Brian Campbell
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Brian Campbell
- [OAUTH-WG] Re: [media-types] Re: Request for regi… Orie Steele
- [OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: … Brian Campbell
- [OAUTH-WG] Re: [SPICE] Re: Re: [media-types] Re: … Orie Steele