[OAUTH-WG] Explicit typing of SD-JWTs (was SD-JWT architecture feedback)

Michael Jones <michael_b_jones@hotmail.com> Sat, 21 September 2024 19:17 UTC

From: Michael Jones <michael_b_jones@hotmail.com>
To: "Dick.Hardt@gmail.com" <Dick.Hardt@gmail.com>, Daniel Fett <mail@danielfett.de>
Thread-Topic: Explicit typing of SD-JWTs (was SD-JWT architecture feedback)
Thread-Index: AQHbDFrYqSk2VYX8VkKxm8nycn+MIQ==
Date: Sat, 21 Sep 2024 19:17:05 +0000
Message-ID: <SJ0PR02MB7439E7A8C62588FB6BBABA97B76D2@SJ0PR02MB7439.namprd02.prod.outlook.com>
References: <CAD9ie-s9kricU8_VBBucQMob-n1jWN5xHd5Ymck=biUWqpH9yQ@mail.gmail.com> <e64eb21d-1ef4-4352-9c74-ffbb853ce3da@danielfett.de> <CAD9ie-t9jLMG5aROCR-EOuCYh19F2r67-C0Puw2OF4GEcvBc2g@mail.gmail.com>
In-Reply-To: <CAD9ie-t9jLMG5aROCR-EOuCYh19F2r67-C0Puw2OF4GEcvBc2g@mail.gmail.com>
CC: "oauth@ietf.org" <oauth@ietf.org>, "kristina@sfc.keio.ac.jp" <kristina@sfc.keio.ac.jp>
Subject: [OAUTH-WG] Explicit typing of SD-JWTs (was SD-JWT architecture feedback)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ncot9QCKFTETRz_uoFaTFrmVDrU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>

Actually, the JWT BCP (which we were both authors of) does not recommend using a single media type.  Rather, it recommends using a specific media type suffix in the “typ” values<https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing>:
When explicit typing is employed for a JWT, it is RECOMMENDED that a media type name of the format "application/example+jwt" be used, where "example" is replaced by the identifier for the specific kind of JWT.

SD-JWT is doing the same thing, recommending the use of the media type suffix “+sd-jwt”.

This enables more fine-grained explicit typing.  For instance, when doing explicit typing for an SD-JWT in the Example use case, the “typ” value would be “example+sd-jwt”.  This can then be distinguished from an SD-JWT for the Other use case, which would use the “typ” value “other+sd-jwt” – meeting the goal of explicit typing.

                                                                -- Mike

From: Dick Hardt <dick.hardt@gmail.com>
Sent: Saturday, September 21, 2024 9:16 AM
To: Daniel Fett <mail@danielfett.de>
Cc: oauth@ietf.org; kristina@sfc.keio.ac.jp
Subject: [OAUTH-WG] Re: SD-JWT architecture feedback

…

Explicit Typing
Why leave the typing in the header to be determined by the application (10.11), and not just be 'sd-jwt' and be REQUIRED?

We had extensive discussions around typing, please refer to the following issues:

- https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/267

- https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/327

- https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/345

Those issues don't really address the point.

Per RFC 8725: JSON Web Token Best Current Practices (rfc-editor.org)<https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing> -- the best practice would be to have a single type that would allow a library to know it is an SD-JWT. If additional context is needed, perhaps that should be a different header property?
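The two positions in the thread above can both be enforced in a verifier: a library-level check that the "typ" header is present and carries the "+sd-jwt" suffix (so a plain JWT is never processed as an SD-JWT), and an application-level check that the specific kind, such as "example+sd-jwt", matches what the application expects, rejecting "other+sd-jwt". The following is an added example written for this page; it is not code from the SD-JWT draft, RFC 8725, or any SD-JWT library. The HMAC key, the claims, the disclosure content and the typ values "example+sd-jwt" and "other+sd-jwt" are constructed for the demonstration, the signing uses HS256 only so the example runs offline, key-binding JWTs are not handled, and the RFC 7515 normalization rules for "typ" (optional "application/" prefix, case-insensitive comparison) are applied as I understand them.

```python
"""Added example: explicit typing checks for SD-JWTs (not code from the
SD-JWT draft or any library).  Keys, claims and typ values are constructed."""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Optional

SD_JWT_SUFFIX = "+sd-jwt"                                # suffix discussed in the thread
DEMO_KEY = b"constructed-demo-hmac-key-do-not-reuse"      # constructed, demo only


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def normalize_typ(typ: str) -> str:
    """RFC 7515 s4.1.9: 'typ' is a media type, 'application/' may be omitted
    when there is no '/', and comparison is case-insensitive."""
    typ = typ.strip().lower()
    return typ if "/" in typ else "application/" + typ


def issue_sd_jwt(claims: Dict, typ: Optional[str], key: bytes,
                 disclosable: Optional[Dict] = None) -> str:
    """Issue '<issuer JWT>~<disclosure>~...~' signed with HS256 (demo only)."""
    payload = dict(claims)
    payload["_sd_alg"] = "sha-256"
    disclosures, digests = [], []
    for name, value in (disclosable or {}).items():
        salt = b64url_encode(secrets.token_bytes(16))
        disclosure = b64url_encode(json.dumps([salt, name, value]).encode())
        disclosures.append(disclosure)
        digests.append(b64url_encode(hashlib.sha256(disclosure.encode("ascii")).digest()))
    if digests:
        payload["_sd"] = digests
    header = {"alg": "HS256"}
    if typ is not None:
        header["typ"] = typ                              # explicit typing lives here
    signing_input = (b64url_encode(json.dumps(header).encode()) + "." +
                     b64url_encode(json.dumps(payload).encode()))
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return "~".join([signing_input + "." + b64url_encode(sig)] + disclosures) + "~"


class TypError(ValueError):
    """The 'typ' header does not satisfy the typing policy."""


def check_sd_jwt_typ(sd_jwt: str, expected_typ: Optional[str] = None) -> str:
    """Library level: 'typ' MUST be present and be '<kind>+sd-jwt'.
    Application level: if expected_typ is given, the normalized value must
    match exactly, so 'other+sd-jwt' cannot be used where 'example+sd-jwt'
    is required.  Returns the accepted typ value."""
    parts = sd_jwt.split("~")[0].split(".")
    if len(parts) != 3:
        raise TypError("issuer-signed part is not a compact JWS")
    typ = json.loads(b64url_decode(parts[0])).get("typ")
    if not isinstance(typ, str):
        raise TypError("missing 'typ' header: explicit typing required")
    norm = normalize_typ(typ)
    kind = norm[len("application/"):]
    if not kind.endswith(SD_JWT_SUFFIX) or kind == SD_JWT_SUFFIX:
        raise TypError(f"typ {typ!r} is not a <kind>{SD_JWT_SUFFIX} media type")
    if expected_typ is not None and norm != normalize_typ(expected_typ):
        raise TypError(f"typ {typ!r} does not match required {expected_typ!r}")
    return typ


def verify_sd_jwt(sd_jwt: str, key: bytes, expected_typ: Optional[str] = None) -> Dict:
    """Typ policy first, then alg allowlist and signature, then that each
    presented disclosure is bound to the payload by its digest."""
    check_sd_jwt_typ(sd_jwt, expected_typ)
    parts = sd_jwt.split("~")
    if len(parts) < 2 or parts[-1] != "":
        raise ValueError("expected '<jwt>~...~' without a key-binding JWT")
    issuer_jwt, disclosures = parts[0], parts[1:-1]
    h, p, s = issuer_jwt.split(".")
    if json.loads(b64url_decode(h)).get("alg") != "HS256":   # RFC 8725: allowlist alg
        raise ValueError("unexpected alg")
    expected_sig = hmac.new(key, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(s)):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(p))
    bound = set(payload.get("_sd", []))
    for d in disclosures:
        if b64url_encode(hashlib.sha256(d.encode("ascii")).digest()) not in bound:
            raise ValueError("disclosure not bound to the issuer-signed JWT")
    return payload


def demo() -> Dict[str, str]:
    """Apply the application-level policy 'example+sd-jwt' to constructed tokens."""
    claims = {"iss": "https://issuer.example", "sub": "alice"}       # constructed
    tokens = {
        "example+sd-jwt": issue_sd_jwt(claims, "example+sd-jwt", DEMO_KEY, {"email": "a@example.com"}),
        "other+sd-jwt": issue_sd_jwt(claims, "other+sd-jwt", DEMO_KEY),
        "plain JWT": issue_sd_jwt(claims, "JWT", DEMO_KEY),
        "no typ": issue_sd_jwt(claims, None, DEMO_KEY),
    }
    outcome = {}
    for label, tok in tokens.items():
        try:
            verify_sd_jwt(tok, DEMO_KEY, expected_typ="application/example+sd-jwt")
            outcome[label] = "accepted"
        except TypError as exc:
            outcome[label] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:16} {result}")
```

Calling check_sd_jwt_typ without expected_typ gives the behaviour Dick asks for (any SD-JWT is recognised as one); passing expected_typ gives the fine-grained distinction Mike describes, and the typ is checked before any cryptographic work so a mistyped token is rejected cheaply.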