IETF Logo Mail Archive

[OAUTH-WG] Re: Leading underscores in SD-JWT Claim Names (was SD-JWT architecture feedback)

Brian Campbell <bcampbell@pingidentity.com> Mon, 23 September 2024 19:40 UTC

Return-Path: <bcampbell@pingidentity.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 59E6BC17C89D for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2024 12:40:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.103
X-Spam-Level:
X-Spam-Status: No, score=-2.103 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=pingidentity.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ryNbsHSpZD09 for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2024 12:39:57 -0700 (PDT)
Received: from mail-vk1-xa2b.google.com (mail-vk1-xa2b.google.com [IPv6:2607:f8b0:4864:20::a2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 4C696C15793B for <oauth@ietf.org>; Mon, 23 Sep 2024 12:39:57 -0700 (PDT)
Received: by mail-vk1-xa2b.google.com with SMTP id 71dfb90a1353d-502ae81b4daso1438223e0c.0 for <oauth@ietf.org>; Mon, 23 Sep 2024 12:39:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=pingidentity.com; s=google; t=1727120396; x=1727725196; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=VRLL0E+ZsWAJ7aNFAi9BRHw3KN3eDLZelwA6DYjB8tA=; b=fHzfFxECyl7fQzEqz1TiFWvuE8FI1/xL+9FmkftPPAmomeJjIlUvvUYdEppdZAhBzm q3Siq7l8QdgzRVIMFsMciwiayCrh2CbjohYAn288KnFBhGttHo3SeFBG39gRIc+CMZWm Na9zcK4c8y4w0EOV5SbAwh7hs+QVDPUHPNV9z5+fzp1Ru/vdr6jI0n3CxN+aqUgZmLfS VW53NNNIXeQiaRelW1OZvKIwTpFCk6uW4QLWPD3hCDBwo8qVVEpubuorKCa6mMyJ5CRf tL/f7jfXPYffnegFa631bM1yAk5TK8NE8VIVY/4VwZwqEJEPgh3lAWqALRG7NAImKtuw TzSg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727120396; x=1727725196; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=VRLL0E+ZsWAJ7aNFAi9BRHw3KN3eDLZelwA6DYjB8tA=; b=gvgAfqYhdRz+Uacri7c8mZYOEc0zTsuGUQgAMIZ7BJXVYKRpmCf/KDeQMlmINjs+0E Vyc4JCCbfaeIJams2oANxXt+BNR6P9V/Ty7QyJ8xKoOPc55dABqDHw6tRQspeUJPc9fG jW9pK20wGZQyE6Z+gprnDEMGtr6i8Wb8UeDxb81j5QLPcspdmWaS9JpnMZgvIpGGoHta V5ktJ/SbcScYbiVTpcJXAFyu4TTWarezpYScZyjGhnQyyKV7Tym2pr5z8Y2+AmOad+gT 6YU1DagQ+z27XyFhOJsaG/pKrBRp75hs73NciirKzfIqK33BpuokLdojk8vM6UEbBI/B 7Wfw==
X-Forwarded-Encrypted: i=1; AJvYcCXMHIhs8T8ojJYWF7qEeBLm73FMjgVIKEfeQiPLr9jJwLQYt31PuXbtdmOa5PPh/kBbDuENdA==@ietf.org
X-Gm-Message-State: AOJu0YyoK/zrcN9a6TVAvOpF6Y/oVaZlHoHV5tidCcsBr7r7hag9Oh0J UIuwbx3gtLxvZVLGwmQYxIH4UR2hr2fut+viCgUOOCxYZv6gFSFbv8Xt3uTuv+mRGmRHyqUAFjy W9eSG+kZkaJRpe6OC1Oluy2V276gIuNy5EJsmOaRc6uUH5mGl4DCwR2YapOkF3YUVMj/C449Q/J anMbPbgJa7eA==
X-Google-Smtp-Source: AGHT+IF9A4lUmWdt4h1eTIXkpEbCtkwd2pUUfCIMWbTiRQHAhls3zYT3oPvnt2/D0KTM9GRPRws2y89Y6cDdxMN5/F4=
X-Received: by 2002:a05:6122:a20:b0:503:1ca5:261e with SMTP id 71dfb90a1353d-503e03f2555mr10551322e0c.4.1727120396232; Mon, 23 Sep 2024 12:39:56 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s9kricU8_VBBucQMob-n1jWN5xHd5Ymck=biUWqpH9yQ@mail.gmail.com> <e64eb21d-1ef4-4352-9c74-ffbb853ce3da@danielfett.de> <CAD9ie-t9jLMG5aROCR-EOuCYh19F2r67-C0Puw2OF4GEcvBc2g@mail.gmail.com> <SJ0PR02MB74392337DDF75B31B1915EC5B76D2@SJ0PR02MB7439.namprd02.prod.outlook.com> <CAD9ie-sE7VGPT9w0yy60hX=JOABi5BJdreR71VZHe3idfCi5_g@mail.gmail.com>
In-Reply-To: <CAD9ie-sE7VGPT9w0yy60hX=JOABi5BJdreR71VZHe3idfCi5_g@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Mon, 23 Sep 2024 13:39:30 -0600
Message-ID: <CA+k3eCRYnca9mkdt+=LZcd8CKD-mp+qizF6dMNch0DM9ZtiH-w@mail.gmail.com>
To: Dick.Hardt@gmail.com
Content-Type: multipart/alternative; boundary="000000000000b3c4690622ce8d58"
Message-ID-Hash: FCVFO6J2TBSSWKEESGU5XC3GMEQ2BEUD
X-Message-ID-Hash: FCVFO6J2TBSSWKEESGU5XC3GMEQ2BEUD
X-MailFrom: bcampbell@pingidentity.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: "oauth@ietf.org" <oauth@ietf.org>, "kristina@sfc.keio.ac.jp" <kristina@sfc.keio.ac.jp>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: Leading underscores in SD-JWT Claim Names (was SD-JWT architecture feedback)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oxsARk-aec937y1hV2ea33ZyxaU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

As someone with some experience in this space, I believe it's reasonable to
acknowledge that the layering within JWS/JWT is not perfectly clean.
Consequently, reasonable sounding arguments can be made for placing the
"_sd_hash" either in the header or the payload. Ultimately, this is
somewhat subjective, and neither approach is definitively 'correct.' Given
that, it's difficult to see a compelling reason for change, particularly at
this stage in the process.

Similarly, naming conventions for claims are inherently subjective, perhaps
even more so. As such, I see little justification for altering them at this
point based on personal preferences or aesthetic considerations.


On Sun, Sep 22, 2024 at 8:16 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> I have a few points here as well:
>
> 1) the hash algorithm should be in the header. It is not a claim. It
> describes how to process the rest of the text in the token. People parse
> the header to learn what to do with the rest of the string. That was a key
> decision in this format.
>
> 2) underscores typically signal that something is an internal / off limits
> value. The digests are a claim in the payload that are expected to be
> operated on.
>
> 3) related to that, calling the digests "digests" would be more meaningful
> that "_sd" -- as that is what they are
>
> Just because there are other claims with _ does not mean they are
> intuitive to an implementer in this case. Daniel did not rationalize the
> use of underscore because other claims that are meta data used an
> underscore.
>
> Per my other note, I'm just giving my feedback as a community member. Zero
> interest in winning an argument.
>
> On Sat, Sep 21, 2024 at 9:06 PM Michael Jones <michael_b_jones@hotmail.com>
> wrote:
>
>> SD-JWT is following an existing OAuth (and OpenID) convention by
>> including an underscore prefix in the names of claims about claims.  You’ll
>> find that _claim_names and _claim_sources are registered at
>> https://www.iana.org/assignments/jwt/jwt.xhtml, which are both claims
>> about claims, rather than claims whose values are used in the usual way.
>>   These are currently the only claims with leading underscores registered.
>>
>>
>>
>> Therefore, I believe SD-JWT is on solid ground creating and registering
>> the names _sd and _sd_alg as other claims about claims.
>>
>>
>>
>>                                                                 -- Mike
>>
>>
>>
>> *From:* Dick Hardt <dick.hardt@gmail.com>
>> *Sent:* Saturday, September 21, 2024 9:16 AM
>> *To:* Daniel Fett <mail@danielfett.de>
>> *Cc:* oauth@ietf.org; kristina@sfc.keio.ac.jp
>> *Subject:* [OAUTH-WG] Re: SD-JWT architecture feedback
>>
>>
>>
>> …
>>
>>
>>
>>
>>
>> *Claim Names*
>>
>> Why do the claims start with '_'? Why not just 'sd' and 'sda'? Why is
>> '_sd_alg' in the payload and not in the header?
>>
>> While the underscore doesn't officially have any special meaning, adding
>> it reduces the chance for collisions with existing claims and makes the
>> SD-JWT-related claims sort nicely. All SD-related claims are in the
>> payload, that's why we put _sd_alg there as well.
>>
>> Do you have data that shows it will reduce collisions? I have seen many
>> implementations that created their own claims that start with _ to reduce
>> collisions with the same rationale!
>>
>>
>>
>>  There is an IANA registry for claim names to avoid collisions.
>>
>>
>>
>> The _ reminds me of internal C variables that others were not supposed to
>> use, but eventually did.
>>
>>
>>
>> _sd_alg is NOT a claim. It is a signal for which algorithm to use and
>> should be in the header.
>>
>>
>>
>> I'm unclear on the sorting advantage. They would sort together if they
>> started with sd as well.
>>
>>
>>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

-- 
_CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately 
by e-mail and delete the message and any file attachments from your 
computer. Thank you._

v2.37.1 | Report a Bug | By Email | System Status