I have a few points here as well: 1) the hash algorithm should be in the header. It is not a claim. It describes how to process the rest of the text in the token. People parse the header to learn what to do with the rest of the string. That was a key decision in this format.
2) underscores typically signal that something is an internal / off limits value. The digests are a claim in the payload that are expected to be operated on. 3) related to that, calling the digests "digests" would be more meaningful that "_sd" -- as that is what they are Just because there are other claims with _ does not mean they are intuitive to an implementer in this case. Daniel did not rationalize the use of underscore because other claims that are meta data used an underscore. Per my other note, I'm just giving my feedback as a community member. Zero interest in winning an argument. On Sat, Sep 21, 2024 at 9:06 PM Michael Jones <michael_b_jo...@hotmail.com> wrote: > SD-JWT is following an existing OAuth (and OpenID) convention by including > an underscore prefix in the names of claims about claims. You’ll find that > _claim_names and _claim_sources are registered at > https://www.iana.org/assignments/jwt/jwt.xhtml, which are both claims > about claims, rather than claims whose values are used in the usual way. > These are currently the only claims with leading underscores registered. > > > > Therefore, I believe SD-JWT is on solid ground creating and registering > the names _sd and _sd_alg as other claims about claims. > > > > -- Mike > > > > *From:* Dick Hardt <dick.ha...@gmail.com> > *Sent:* Saturday, September 21, 2024 9:16 AM > *To:* Daniel Fett <m...@danielfett.de> > *Cc:* oauth@ietf.org; krist...@sfc.keio.ac.jp > *Subject:* [OAUTH-WG] Re: SD-JWT architecture feedback > > > > … > > > > > > *Claim Names* > > Why do the claims start with '_'? Why not just 'sd' and 'sda'? Why is > '_sd_alg' in the payload and not in the header? > > While the underscore doesn't officially have any special meaning, adding > it reduces the chance for collisions with existing claims and makes the > SD-JWT-related claims sort nicely. All SD-related claims are in the > payload, that's why we put _sd_alg there as well. > > Do you have data that shows it will reduce collisions? I have seen many > implementations that created their own claims that start with _ to reduce > collisions with the same rationale! > > > > There is an IANA registry for claim names to avoid collisions. > > > > The _ reminds me of internal C variables that others were not supposed to > use, but eventually did. > > > > _sd_alg is NOT a claim. It is a signal for which algorithm to use and > should be in the header. > > > > I'm unclear on the sorting advantage. They would sort together if they > started with sd as well. > > >
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
