Hello Brian,

to prevent it from being used as a top level claim name

That's a perfectly valid reason. Would its appearance as a top level claim
(while unlikely, possible) impact the various algorithms / steps defined in
SD-JWT? If so, let's register it.

Best regards,
*Filip Skokan*


On Thu, 3 Apr 2025 at 22:20, Brian Campbell <bcampb...@pingidentity.com>
wrote:

> Thanks Filip,
>
> I think your observations about "..." are correct. It doesn't necessarily
> need to be registered and isn't even strictly speaking a claim name. We
> talked about this some (poorly captured in this issue /315
> <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/315>)
> and decided it'd be a reasonable idea to request to register it anyway. I
> think the motivation was largely to have it documented in a place, other
> than the draft itself, where people might maybe look for such information
> and to prevent it from being used as a top level claim name. Also (other
> than having this conversation, which was anticipated) there didn't seem to
> be any real downside to requesting registration. And there's not, as far as
> I know, definitive guidance or precedent.
>
> Having said that, however, I don't think there's a lot of conviction
> behind it from anyone involved. And not requesting / making the
> registration for "..." would be a perfectly reasonable outcome too.
>
>
> On Thu, Apr 3, 2025 at 8:39 AM Filip Skokan <panva...@gmail.com> wrote:
>
>> Hello David, SD-JWT authors,
>>
>> I have reviewed the proposed registrations in
>> draft-ietf-oauth-selective-disclosure-jwt-17
>> <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-17.html>.
>>
>>    - *"_sd"* - OK *✓*
>>    - *"_sd_alg"* - OK *✓*
>>    - *"sd_hash"* - OK *✓* (after digging out the discussion around why
>>    "sd_hash" does not have a prefix like "_sd" and "_sd_alg" do: issues/371
>>    <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/371>,
>>    pull/387
>>    <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/387>)
>>    - *"..."* - Since this can never appear in the top level JSON object
>>    that represents the JWT Claims Set and appears exclusively as a property
>>    in a JSON array member that itself is an object, i.e. inside a Claim Value,
>>    it does not seem fit to be registered as a JSON Web Token Claim. However,
>>    lacking more details in the review instructions for designated experts I'm
>>    not finding a more solid ground to say no to it. That is other than this
>>    potentially far-fetching thought that since the registry entries are for
>>    "Claim Name"(s) and "..." can only appear inside "Claim Value" it seems
>>    like it needs no registration. Thoughts? Is my understanding of it never
>>    being on the top level JSON object correct?
>>
>> Best regards,
>> *Filip Skokan*
>>
>>
>> On Wed, 2 Apr 2025 at 22:11, David Dong via RT <
>> drafts-expert-review-comm...@iana.org> wrote:
>>
>>> Dear Mike Jones, Nat Sakimura, Filip Skokan (cc: Brian Campbell, oauth
>>> WG),
>>>
>>> As the designated experts for the JSON Web Token Claims registry, can
>>> you review the proposed registrations in
>>> draft-ietf-oauth-selective-disclosure-jwt-17 for us? Please note Brian is a
>>> co-author on this document.
>>>
>>> Please see:
>>>
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>>
>>> The due date is April 23rd.
>>>
>>> If this is OK, when the IESG approves the document for publication,
>>> we'll make the registration at:
>>>
>>> https://www.iana.org/assignments/jwt/
>>>
>>> We will assume that your response is a consensus response, unless you
>>> tell us otherwise.
>>>
>>> Unless you ask us to wait for the other reviewer, we’ll act one week
>>> after the first response we receive.
>>>
>>> With thanks,
>>>
>>> David Dong
>>> IANA Services Sr. Specialist
>>>
>>
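To make the structural point in Filip's review concrete (that "..." occurs only as the sole key of an object that is itself an array element, never as a property of the JWT Claims Set, while "_sd" is an object property), here is an added Python example. It is not code from this thread, from the SD-JWT draft, or from its authors; it models the disclosure and digest scheme (base64url of a JSON array, digested with SHA-256 as `_sd_alg` "sha-256") and a verifier's resolution step that drops undisclosed digests and rejects "..." wherever it shows up as an object property name. The issuer URL, salts and claim values are constructed, and the rejection of reserved names introduced by a disclosure follows my reading of the draft's verification steps rather than any text quoted above.

```python
import base64
import hashlib
import json
import secrets


class InvalidSDJWT(ValueError):
    """Raised when the claims set breaks the structural rules for "_sd" and "..."."""


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(value, name=None, salt=None) -> str:
    # Object property disclosures carry [salt, name, value]; array element
    # disclosures carry only [salt, value], because an array element has no name.
    salt = salt or b64url(secrets.token_bytes(16))
    parts = [salt, name, value] if name is not None else [salt, value]
    return b64url(json.dumps(parts, separators=(",", ":")).encode("utf-8"))


def digest(disclosure: str) -> str:
    # _sd_alg "sha-256": digest = base64url(SHA-256(ASCII(disclosure)))
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def _resolve(node, by_digest):
    if isinstance(node, dict):
        if "..." in node:
            # "..." only has meaning as the sole key of an array element object;
            # as a property of any object (top level included) it is an error.
            raise InvalidSDJWT('"..." used as an object property name')
        out = {k: _resolve(v, by_digest) for k, v in node.items() if k != "_sd"}
        for dgst in node.get("_sd", []):
            disc = by_digest.get(dgst)
            if disc is None:
                continue  # decoy digest, or a property the Holder did not disclose
            parts = json.loads(b64url_decode(disc))
            if len(parts) != 3:
                raise InvalidSDJWT("object property disclosure must be [salt, name, value]")
            _, name, value = parts
            if name in ("_sd", "..."):
                raise InvalidSDJWT(f"disclosure may not introduce reserved name {name!r}")
            if name in out:
                raise InvalidSDJWT(f"disclosed claim {name!r} already present")
            out[name] = _resolve(value, by_digest)
        return out
    if isinstance(node, list):
        out = []
        for el in node:
            if isinstance(el, dict) and set(el) == {"..."}:
                disc = by_digest.get(el["..."])
                if disc is None:
                    continue  # an undisclosed array element simply disappears
                parts = json.loads(b64url_decode(disc))
                if len(parts) != 2:
                    raise InvalidSDJWT("array element disclosure must be [salt, value]")
                out.append(_resolve(parts[1], by_digest))
            else:
                out.append(_resolve(el, by_digest))
        return out
    return node


def verify_claims(payload: dict, disclosures) -> dict:
    """Resolve the disclosures a Holder presented into a plain claims set."""
    by_digest = {digest(d): d for d in disclosures}
    claims = _resolve(payload, by_digest)
    claims.pop("_sd_alg", None)  # processing metadata, not a claim
    return claims


def build_example():
    """Constructed issuer payload: one disclosable property, one disclosable array element."""
    nat = make_disclosure("DE", name="nationality", salt="constructed-salt-1")
    gb = make_disclosure("GB", salt="constructed-salt-2")
    payload = {
        "iss": "https://issuer.example",  # hypothetical issuer
        "_sd_alg": "sha-256",
        "_sd": [digest(nat)],
        "nationalities": [{"...": digest(gb)}, "FR"],
    }
    return payload, [nat, gb]


def top_level_ellipsis_is_rejected() -> bool:
    """A "..." property on the Claims Set itself is a structural error, not a claim."""
    payload = {"iss": "https://issuer.example", "...": digest(make_disclosure("x", salt="s"))}
    try:
        verify_claims(payload, [])
    except InvalidSDJWT:
        return True
    return False


if __name__ == "__main__":
    payload, discs = build_example()
    print(verify_claims(payload, discs))  # all disclosures presented
    print(verify_claims(payload, []))     # nothing disclosed
    print(top_level_ellipsis_is_rejected())
```

Running the block shows the two positions the thread distinguishes: the "_sd" digests resolve to named properties of the enclosing object, while a `{"...": digest}` element resolves to an unnamed array member or vanishes when undisclosed, so a "..." key is never a claim name in the resolved output.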
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org