[OAUTH-WG] Re: Explicit typing of SD-JWTs (was SD-JWT architecture feedback)

Brian Campbell <bcampbell@pingidentity.com> Tue, 24 September 2024 16:17 UTC

From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 24 Sep 2024 10:17:01 -0600
Message-ID: <CA+k3eCRJbTA6qcKzK0xAQA2Xv2jVFHyPb=pVnpoJTy0sMXCJog@mail.gmail.com>
To: Dick.Hardt@gmail.com
CC: "oauth@ietf.org" <oauth@ietf.org>, "kristina@sfc.keio.ac.jp" <kristina@sfc.keio.ac.jp>
Subject: [OAUTH-WG] Re: Explicit typing of SD-JWTs (was SD-JWT architecture feedback)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/ovA6vGstS4X9n9zUYT5uw9bNEHU>

I must admit that I'm finding it difficult to fully grasp the points you're
making on this topic. As with the other topics, there has been extensive
discussion about typing and media types[1]. And, while I have my own
reservations about using something inside a thing to say what the thing is
and the ascension of that questionable mechanism to "best" practice[2], the
SD-JWT document explicitly cites and follows the guidance on explicit
typing[3] from the JWT BCP that bears your name as an author[3']. The
citing of that very section in asking "Why leave the typing in the header
to be determined by the application (10.11), and not just be 'sd-jwt' and
be REQUIRED"[4] seems incongruent and leads me to wonder if maybe there's
been some misunderstanding and/or miscommunication somewhere in all this.

The document does plan to request registration of an "application/sd-jwt"
media type to be used wherever media types might be used to "indicate that the
content is an SD-JWT." As such, one could certainly use "typ":"sd-jwt" in an
SD-JWT header. But I don't see the utility in doing so and feel it would be
a throwback to the now largely seen as flawed suggestion in JWT that
"typ":"JWT" be used to say that the JWT is a JWT.

[1] a sampling of such discussions that I think have been referenced
previously but are relevant nonetheless:
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/267
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/327

[2] one small diatribe on the topic
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/327#issuecomment-1736438782

[3] The Explicit Typing section in SD-JWT (10.11)
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-12#section-10.11
<https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt#name-explicit-typing>

[3'] RFC 8725 aka BCP 225 aka JSON Web Token Best Current Practices
https://datatracker.ietf.org/doc/rfc8725/

[4] SD-JWT architecture feedback received several days after the close of
WGLC
https://mailarchive.ietf.org/arch/msg/oauth/412IiUprR9YbXNfEGfSXVVx_pzk/

[5] Media Type Registration in the draft
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-12#section-13.2

[6] the "typ" (Type) Header Parameter in JWT
https://datatracker.ietf.org/doc/html/rfc7519#section-5.1

On Sun, Sep 22, 2024 at 8:15 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> I am trying to make a few points. My reference to the BCP was on the
> recommendation to do explicit typing. I'm suggesting that the sd-jwt
> document state that including "typ" is a requirement, and to be explicit in
> what that value should be.
>
> I would suggest that value be "sd-jwt"
>
> The "application+" mechanism was already deployed when we wrote the BCP --
> too late to change that. But sd-jwt is a new token format and can learn
> from implementation challenges in the past.
>
>
>
> On Sat, Sep 21, 2024 at 9:17 PM Michael Jones <michael_b_jones@hotmail.com>
> wrote:
>
>> Actually, the JWT BCP (which we were both authors of) does not recommend
>> using a single media type.  Rather, it recommends using a specific media
>> type suffix in the “typ” values
>> <https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing>:
>>
>> When explicit typing is employed for a JWT, it is *RECOMMENDED* that a
>> media type name of the format "application/example+jwt" be used, where
>> "example" is replaced by the identifier for the specific kind of JWT.
>>
>>
>>
>> SD-JWT is doing the same thing, recommending the use of the media type
>> suffix “+sd-jwt”.
>>
>>
>>
>> This enables more fine-grained explicit typing.  For instance, when doing
>> explicit typing for an SD-JWT in the Example use case, the “typ” value
>> would be “example+sd-jwt”.  This can then be distinguished from an SD-JWT
>> for the Other use case, which would use the “typ” value “other+sd-jwt” –
>> meeting the goal of explicit typing.
>>
>>
>>
>> -- Mike
>>
>>
>>
>> *From:* Dick Hardt <dick.hardt@gmail.com>
>> *Sent:* Saturday, September 21, 2024 9:16 AM
>> *To:* Daniel Fett <mail@danielfett.de>
>> *Cc:* oauth@ietf.org; kristina@sfc.keio.ac.jp
>> *Subject:* [OAUTH-WG] Re: SD-JWT architecture feedback
>>
>>
>>
>> …
>>
>>
>>
>> *Explicit Typing*
>>
>> Why leave the typing in the header to be determined by the application
>> (10.11), and not just be 'sd-jwt' and be REQUIRED?
>>
>> We had extensive discussions around typing, please refer to the following
>> issues:
>>
>> - https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/267
>>
>> - https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/327
>>
>> - https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/345
>>
>>
>>
>> Those issues don't really address the point.
>>
>>
>>
>> Per RFC 8725: JSON Web Token Best Current Practices (rfc-editor.org)
>> <https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing> --
>> the best practice would be to have a single type that would allow a library
>> to know it is an SD-JWT. If additional context is needed, perhaps that
>> should be a different header property?

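The explicit typing mechanism the thread argues over, as an added example that is not code from the thread, the SD-JWT draft, or any implementation named here: a verifier-side check that reads `typ` from the issuer-signed JWT's protected header and accepts only the one kind of SD-JWT this verifier handles, with the `application/` prefix omission and case-insensitive comparison of RFC 7515 section 4.1.9 taken into account. The expected value `example+sd-jwt`, the placeholder signature and the sample tokens are constructed for illustration; signature verification is a separate step that is not shown.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWS compact serialization uses base64url without padding (RFC 7515)
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def normalize_typ(typ: str) -> str:
    """Canonical form of a 'typ' value: RFC 7515 section 4.1.9 lets the
    'application/' prefix be omitted when no other '/' is present, and media
    type names compare case-insensitively."""
    typ = typ.strip().lower()
    return typ if "/" in typ else "application/" + typ

def issuer_jwt_header(sd_jwt: str) -> dict:
    """The SD-JWT compact form is '<issuer-signed JWT>~<disclosure>~...~[<KB-JWT>]';
    the 'typ' that matters for explicit typing is in the issuer-signed JWT header."""
    issuer_jwt = sd_jwt.split("~", 1)[0]
    header_segment = issuer_jwt.split(".")[0]
    return json.loads(_b64url_decode(header_segment))

def typ_is_acceptable(sd_jwt: str, expected_typ: str) -> bool:
    """Explicit-typing check a verifier runs before anything else: the header
    must carry 'typ', and it must name exactly the kind of SD-JWT this verifier
    handles (assumed here to be 'example+sd-jwt'). A generic 'sd-jwt' or another
    use case's 'other+sd-jwt' is rejected, which is what keeps one kind of
    credential from being accepted where a different kind is expected."""
    typ = issuer_jwt_header(sd_jwt).get("typ")
    if not isinstance(typ, str):
        return False  # untyped token: refuse rather than guess from the payload
    return normalize_typ(typ) == normalize_typ(expected_typ)

def make_sample(typ=None) -> str:
    """Constructed sample SD-JWT with a placeholder signature and one
    disclosure; only the header content matters for the typing check."""
    header = {"alg": "ES256"}
    if typ is not None:
        header["typ"] = typ
    segments = [
        _b64url_encode(json.dumps(header).encode()),
        _b64url_encode(b'{"iss":"https://issuer.example","_sd":[]}'),
        "placeholder-signature",
    ]
    disclosure = _b64url_encode(b'["constructed-salt","given_name","Alice"]')
    return ".".join(segments) + "~" + disclosure + "~"
```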