I'm not sure the JWT claims registry has turned out to be exactly what was envisioned. And, to your point, the utility of some of the registrations is questionable. The issue of name conflicts vs reuse is more subtle than it seems. And practically speaking the registry is kind of the only way to legitimately get/use a short claim name (so called private claim names aren't ideal and arguably not appropriate for a prospective spec).
There was some sort of related discussion with an AD a while back https://mailarchive.ietf.org/arch/msg/jwt-reg-review/O4rmJbMOZZFbi6mlVk6VHp-xUs8/ that basically resulted in "just go ahead and register stuff". At least that was my takeaway. FWIW there was also some discussion around those very questions with respect to "nonce" (see https://github.com/danielfett/draft-dpop/pull/81#discussion_r713354503 and maybe a few comments back) with some push-back on using it. But the outcome was to go ahead with nonce but also update the registry via a OIDC errata. Though I suspect that action got lost in the shuffle. Maybe DPoP should do it? On Thu, Jun 16, 2022 at 3:33 PM Neil Madden <neil.mad...@forgerock.com> wrote: > Is that actually true? The DPoP spec itself is a case in point: it reuses > the existing OIDC “nonce” claim but explicitly says that DPoP nonces are > not like OIDC nonces (section 9): > > “ Developers should also take care to not > > confuse DPoP nonces with the OpenID Connect [OpenID.Core > <https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#ref-OpenID.Core>] > ID Token > nonce.” > > > The official IANA registration of “nonce” says: > > > Value used to associate a Client session with an ID Token > > > Does this matter? If not, does it matter if some other spec defines a “htm” > claim with different meaning? > > > On 16 Jun 2022, at 20:50, Dick Hardt <dick.ha...@gmail.com> wrote: > > > Registering the names provides clarity on use and avoids confusion on the > meaning of a claim — ie two specs won’t have conflicting definitions of > “htm” > > On Thu, Jun 16, 2022 at 10:20 AM Warren Parad <wparad= > 40rhosys...@dmarc.ietf.org> wrote: > >> I think the registration really helps with discovery, especially as an >> implementer. When you see or observe these claims in a JWT, you can google >> them potentially returning no results. If you know about the IANA registry >> you can find them, even if you don't know that the tokens have anything to >> do with DPoP. >> >> On Thu, Jun 16, 2022 at 6:21 PM Neil Madden <neil.mad...@forgerock.com> >> wrote: >> >>> The DPoP spec registers the “htm”, “htu”, and “ath” claims [1]. But do >>> these claims actually make sense outside of a DPoP proof? Presumably the >>> risk of naming collision within a DPoP proof is pretty small, so is there >>> any benefit to registering them rather than just using them as private >>> claims? >>> >>> (I guess I could ask the same question about lots of other entries in >>> the current registry at IANA, many of which look completely app-specific to >>> me). >>> >>> [1]: >>> https://datatracker.ietf.org/doc/html/draft-ietf-oauth-dpop#section-12.7 >>> >>> >>> — Neil >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > -- _CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
