SD-JWT is following an existing OAuth (and OpenID) convention by including an underscore prefix in the names of claims about claims. You'll find that _claim_names and _claim_sources, which are both claims about claims rather than claims whose values are used in the usual way, are registered at https://www.iana.org/assignments/jwt/jwt.xhtml. These are currently the only registered claims with leading underscores.
Therefore, I believe SD-JWT is on solid ground creating and registering the names _sd and _sd_alg as other claims about claims.

-- Mike

From: Dick Hardt <dick.ha...@gmail.com>
Sent: Saturday, September 21, 2024 9:16 AM
To: Daniel Fett <m...@danielfett.de>
Cc: oauth@ietf.org; krist...@sfc.keio.ac.jp
Subject: [OAUTH-WG] Re: SD-JWT architecture feedback

…

>> Claim Names
>>
>> Why do the claims start with '_'? Why not just 'sd' and 'sda'? Why is '_sd_alg' in the payload and not in the header?
>
> While the underscore doesn't officially have any special meaning, adding it reduces the chance for collisions with existing claims and makes the SD-JWT-related claims sort nicely. All SD-related claims are in the payload, that's why we put _sd_alg there as well.

Do you have data that shows it will reduce collisions? I have seen many implementations that created their own claims that start with _ to reduce collisions with the same rationale! There is an IANA registry for claim names to avoid collisions. The _ reminds me of internal C variables that others were not supposed to use, but eventually did.

_sd_alg is NOT a claim. It is a signal for which algorithm to use and should be in the header.

I'm unclear on the sorting advantage. They would sort together if they started with sd as well.
OAuth mailing list -- oauth@ietf.org
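To make concrete what _sd and _sd_alg actually do in the payload, here is an added example. It is my code, not code from the thread, from the SD-JWT draft, or from its authors. It implements the flat (top-level claims only) case of the SD-JWT digest construction as I read the draft: a Disclosure is base64url(JSON [salt, claim_name, claim_value]), its digest is base64url(hash(ASCII bytes of the Disclosure string)), _sd lists those digests, and _sd_alg names the hash with sha-256 as the default when absent. Nested objects and array-element Disclosures are left out. The names issue, verify and rejects are mine, and the rejection of a Disclosure that introduces a reserved name (_sd, _sd_alg, "...") is stated here as my understanding of the draft's verifier rules, not quoted from it.

```python
import base64
import hashlib
import json
import secrets

# Hash functions an _sd_alg value may name (IANA hash-algorithm names, as SD-JWT
# uses them). Only those available in hashlib are listed; anything else is rejected.
HASH_ALGS = {
    "sha-256": hashlib.sha256,
    "sha-384": hashlib.sha384,
    "sha-512": hashlib.sha512,
}

# Names SD-JWT reserves for bookkeeping about other claims. A Disclosure must never
# be allowed to introduce one of them, or a Holder could rewrite the verifier's rules.
# (Assumption: this is the reserved set as I read the draft.)
RESERVED_NAMES = {"_sd", "_sd_alg", "..."}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value, salt=None) -> str:
    """Disclosure = base64url(JSON array [salt, claim_name, claim_value])."""
    salt = salt if salt is not None else b64url(secrets.token_bytes(16))
    doc = json.dumps([salt, name, value], separators=(",", ":"))
    return b64url(doc.encode("utf-8"))


def disclosure_digest(disclosure: str, alg: str = "sha-256") -> str:
    """Digest listed in _sd: base64url(hash(ASCII bytes of the Disclosure string))."""
    return b64url(HASH_ALGS[alg](disclosure.encode("ascii")).digest())


def issue(public_claims: dict, sd_claims: dict, alg: str = "sha-256"):
    """Issuer side: return (payload, disclosures). JWT signing is out of scope here."""
    if alg not in HASH_ALGS:
        raise ValueError("unsupported _sd_alg %r" % alg)
    if RESERVED_NAMES & (set(public_claims) | set(sd_claims)):
        raise ValueError("reserved SD-JWT name used as an ordinary claim")
    disclosures = [make_disclosure(n, v) for n, v in sd_claims.items()]
    payload = dict(public_claims)
    # _sd holds digests, not values; sorting hides the claim order from the payload.
    payload["_sd"] = sorted(disclosure_digest(d, alg) for d in disclosures)
    payload["_sd_alg"] = alg  # parameterises how _sd is checked; carries no user data
    return payload, disclosures


def verify(payload: dict, presented) -> dict:
    """Verifier side: resolve presented Disclosures against _sd.

    Rejects any Disclosure the payload does not vouch for, any duplicate, and any
    Disclosure that tries to introduce a reserved name or shadow an existing claim.
    """
    alg = payload.get("_sd_alg", "sha-256")  # assumption: sha-256 is the default
    if alg not in HASH_ALGS:
        raise ValueError("unsupported _sd_alg %r" % alg)
    referenced = set(payload.get("_sd", []))
    resolved = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    seen = set()
    for disc in presented:
        digest = disclosure_digest(disc, alg)
        if digest not in referenced:
            raise ValueError("Disclosure not referenced by _sd (forged or foreign)")
        if digest in seen:
            raise ValueError("Disclosure presented twice")
        seen.add(digest)
        _salt, name, value = json.loads(b64url_decode(disc))
        if name in RESERVED_NAMES:
            raise ValueError("Disclosure introduces reserved name %r" % name)
        if name in resolved:
            raise ValueError("Disclosure collides with existing claim %r" % name)
        resolved[name] = value
    return resolved


def rejects(payload: dict, presented) -> bool:
    """True if verify() refuses this payload/Disclosure combination."""
    try:
        verify(payload, presented)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample data, not taken from any real token.
    payload, discs = issue({"iss": "https://issuer.example", "sub": "user-1"},
                           {"given_name": "John", "email": "john@example.com"})
    print(json.dumps(payload, indent=2))
    print("all disclosed:", verify(payload, discs))
    print("only given_name:", verify(payload, discs[:1]))
    print("forged rejected:", rejects(payload, [make_disclosure("admin", True)]))
```

The point the thread circles around is visible in verify(): _sd_alg is read before any Disclosure is touched, because it tells the verifier how to interpret _sd rather than asserting anything about the subject, and a Disclosure whose name is _sd or _sd_alg is refused outright, whatever one thinks of the underscore convention. The same digest check also stops a Disclosure lifted from another token, since its digest will not appear in this payload's _sd.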