Indeed unlikely to appear as a top level claim and, I think even if it did, it'd be unlikely to actually impact algorithms / steps defined in SD-JWT (depends on implementation though, of course, so not impossible). But it could certainly be a source of confusion seeing it there.
On Thu, Apr 3, 2025 at 2:32 PM Filip Skokan <panva...@gmail.com> wrote:

> Hello Brian
>
> to prevent it from being used as a top level claim name
>
> That's a perfectly valid reason, would its appearance as a top level claim
> (while unlikely, possible) impact the various algorithms / steps defined in
> SD-JWT? If so, let's register it.
>
> Best regards,
> *Filip Skokan*
>
> On Thu, 3 Apr 2025 at 22:20, Brian Campbell <bcampb...@pingidentity.com>
> wrote:
>
>> Thanks Filip,
>>
>> I think your observations about "..." are correct. It doesn't necessarily
>> need to be registered and isn't even strictly speaking a claim name. We
>> talked about this some (poorly captured in this issue /315
>> <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/315>)
>> and decided it'd be a reasonable idea to request to register it anyway. I
>> think the motivation was largely to have it documented in a place, other
>> than the draft itself, where people might maybe look for such information
>> and to prevent it from being used as a top level claim name. Also (other
>> than having this conversation, which was anticipated) there didn't seem to
>> be any real downside to requesting registration. And there's not, as far as
>> I know, definitive guidance or precedent.
>>
>> Having said that, however, I don't think there's a lot of conviction
>> behind it from anyone involved. And not requesting / making the
>> registration for "..." would be a perfectly reasonable outcome too.
>>
>> On Thu, Apr 3, 2025 at 8:39 AM Filip Skokan <panva...@gmail.com> wrote:
>>
>>> Hello David, SD-JWT authors,
>>>
>>> I have reviewed the proposed registrations in
>>> draft-ietf-oauth-selective-disclosure-jwt-17
>>> <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-17.html>.
>>>
>>> - *"_sd"* - OK *✓*
>>> - *"_sd_alg"* - OK *✓*
>>> - *"sd_hash"* - OK *✓* (after digging out the discussion around why
>>>   "sd_hash" does not have a prefix (issues/371
>>>   <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/371>,
>>>   pull/387
>>>   <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/387>)
>>>   like "_sd" and "_sd_alg" do)
>>> - *"..."* - Since this can never appear in the top level JSON object
>>>   that represents the JWT Claims Set and appears exclusively as a property
>>>   in a JSON array member that itself is an object, i.e. inside a Claim
>>>   Value, it does not seem fit to be registered as a JSON Web Token Claim.
>>>   However, lacking more details in the review instructions for designated
>>>   experts I'm not finding a more solid ground to say no to it. That is
>>>   other than this potentially far-fetched thought that since the registry
>>>   entries are for "Claim Name"(s) and "..." can only appear inside "Claim
>>>   Value" it seems like it needs no registration. Thoughts? Is my
>>>   understanding of it never being on the top level JSON object correct?
>>>
>>> Best regards,
>>> *Filip Skokan*
>>>
>>> On Wed, 2 Apr 2025 at 22:11, David Dong via RT
>>> <drafts-expert-review-comm...@iana.org> wrote:
>>>
>>>> Dear Mike Jones, Nat Sakimura, Filip Skokan (cc: Brian Campbell, oauth
>>>> WG),
>>>>
>>>> As the designated experts for the JSON Web Token Claims registry, can
>>>> you review the proposed registrations in
>>>> draft-ietf-oauth-selective-disclosure-jwt-17 for us? Please note Brian is a
>>>> co-author on this document.
>>>>
>>>> Please see:
>>>>
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>>>
>>>> The due date is April 23rd.
>>>>
>>>> If this is OK, when the IESG approves the document for publication,
>>>> we'll make the registration at:
>>>>
>>>> https://www.iana.org/assignments/jwt/
>>>>
>>>> We will assume that your response is a consensus response, unless you
>>>> tell us otherwise.
>>>>
>>>> Unless you ask us to wait for the other reviewer, we’ll act one week
>>>> after the first response we receive.
>>>>
>>>> With thanks,
>>>>
>>>> David Dong
>>>> IANA Services Sr. Specialist
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
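
The placement question discussed in this thread can be checked mechanically. The following is an added example, not part of the thread or of the SD-JWT draft: it walks a decoded JWT Claims Set and reports every "..." key that is not in the array-member position described above. The function name, the path notation and both payloads are constructed for illustration, and it assumes a placeholder is an object whose only key is "..." with a string digest value.

```python
import json

PLACEHOLDER = "..."  # key that marks a selectively disclosable array element

def classify_placeholders(node, path="$", in_array=False):
    """Return (expected, misplaced) JSON paths of every "..." key in a payload.

    Assumption: an expected occurrence is the sole key of an object that is
    itself an array member, with a string (digest) value.
    """
    expected, misplaced = [], []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == PLACEHOLDER:
                here = f'{path}["..."]'
                if in_array and len(node) == 1 and isinstance(value, str):
                    expected.append(here)
                else:
                    misplaced.append(here)
            else:
                here = f"{path}.{key}"
            sub = classify_placeholders(value, here)
            expected += sub[0]
            misplaced += sub[1]
    elif isinstance(node, list):
        for i, item in enumerate(node):
            sub = classify_placeholders(item, f"{path}[{i}]", in_array=True)
            expected += sub[0]
            misplaced += sub[1]
    return expected, misplaced

# Constructed payloads; the digest strings are placeholders, not real hashes.
WELL_FORMED = json.loads("""{
  "iss": "https://issuer.example", "_sd_alg": "sha-256",
  "_sd": ["digest-a", "digest-b"],
  "nationalities": ["DE", {"...": "digest-c"}, {"...": "digest-d"}]
}""")
CONFUSING = json.loads("""{
  "iss": "https://issuer.example", "...": "digest-e",
  "address": {"...": "digest-f", "country": "DE"},
  "nationalities": [{"...": "digest-g", "extra": 1}]
}""")

if __name__ == "__main__":
    for name, payload in (("well-formed", WELL_FORMED), ("confusing", CONFUSING)):
        expected, misplaced = classify_placeholders(payload)
        print(name, "expected:", expected, "misplaced:", misplaced)
```

A verifier or issuer-side linter can reject or log any payload for which the second list is non-empty before running disclosure processing.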