There are security issues from this however if the public key is used to secure more than a single type of application message - say a message normally used to indicate someone is logging out accidentally being accepted for log-in or as a valid session token on a website.
In this scenario, you need some way to differentiate the two messages reliably (across many potential interoperable implementations), and making them different media types is the best current practice.
-DW On Sep 22, 2024, at 10:52 AM, Rohan Mahy <rohan.m...@gmail.com> wrote:
Hi, If someone defines a new profile application/foobar-audit-system and it has sd-jwt, jwt, and sd-cwt versions, it seems perfectly reasonable to have a fine-grained explicit media type application/foobar-audit-system+sd-jwt. That said, there are times when someone just wants an sd-jwt with an unspecified profile. In this second case, it makes more sense to me to also register application/sd-jwt. The implementor should fill in whichever form they are using in the `typ` header.
Thanks, -rohan
Actually, the JWT BCP (which we were both authors of) does not recommend using a single media type. Rather, it
recommends using a specific media type suffix in the “typ” values:
When explicit typing is employed for a JWT, it is RECOMMENDED that a media type name of the format "application/example+jwt" be used, where "example" is replaced by the identifier
for the specific kind of JWT.
SD-JWT is doing the same thing, recommending the use of the media type suffix “+sd-jwt”.
This enables more fine-grained explicit typing. For instance, when doing explicit typing for an SD-JWT in the Example use case, the “typ” value would be “example+sd-jwt”. This can then be distinguished from
an SD-JWT for the Other use case, which would use the “typ” value “other+sd-jwt” – meeting the goal of explicit typing.
-- Mike
…
Those issues don't really address the point.
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
_______________________________________________OAuth mailing list -- oauth@ietf.orgTo unsubscribe send an email to oauth-le...@ietf.org
|