In that case, *I believe all the proposed registrations are in order*. S pozdravem, *Filip Skokan*
On Thu, 3 Apr 2025 at 22:50, Brian Campbell <bcampb...@pingidentity.com> wrote: > I am (and always have been on this one) on the fence about it but also > lean towards making the registration. > > On Thu, Apr 3, 2025 at 2:47 PM Michael Jones <michael_b_jo...@hotmail.com> > wrote: > >> I would lean towards approving the registration of “…” even though it may >> not appear as a top-level claim when used as defined in the specification. >> It’s still a claim value integral to the functioning of this specification. >> >> >> >> That said, Brian, as an author, do you believe we should register it or >> not? I can’t tell from your response below. >> >> >> >> Thanks >> all, >> >> -- Mike >> >> >> >> *From:* Brian Campbell <bcampb...@pingidentity.com> >> *Sent:* Thursday, April 3, 2025 1:40 PM >> *To:* Filip Skokan <panva...@gmail.com> >> *Cc:* drafts-expert-review-comm...@iana.org; nat@nat.consulting; >> michael_b_jo...@hotmail.com; jwt-reg-rev...@ietf.org; oauth@ietf.org >> *Subject:* Re: [IANA #1416058] expert review for >> draft-ietf-oauth-selective-disclosure-jwt (jwt) >> >> >> >> Indeed unlikely to appear as a top level claim and, I think even if it >> did, it'd be unlikely to actually impact algorithms / steps defined in >> SD-JWT (depends on implementation though, of course, so not impossible). >> But it could certainly be a source of confusion seeing it there. >> >> >> >> On Thu, Apr 3, 2025 at 2:32 PM Filip Skokan <panva...@gmail.com> wrote: >> >> Hello Brian >> >> >> >> to prevent it from being used as a top level claim name >> >> >> >> That's a perfectly valid reason, would its appearance as a top level >> claim (while unlikely, possible) impact the various algorithms / steps >> defined in SD-JWT? If so, let's register it. >> >> >> >> S pozdravem, >> *Filip Skokan* >> >> >> >> >> >> On Thu, 3 Apr 2025 at 22:20, Brian Campbell <bcampb...@pingidentity.com> >> wrote: >> >> Thanks Filip, >> >> >> >> I think your observations about "..." are correct. It doesn't necessarily >> need to be registered and isn't even strictly speaking a claim name. We >> talked about this some (poorly captured in this issue /315 >> <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/315>) >> and decided it'd be a reasonable idea to request to register it anyway. I >> think the motivation was largely to have it documented in a place, other >> than the draft itself, where people might maybe look for such information >> and to prevent it from being used as a top level claim name. Also (other >> than having this conversation, which was anticipated) there didn't seem to >> be any real downside to requesting registration. And there's not, as far as >> I know, definitive guidance or precedent. >> >> >> >> Having said that, however, I don't think there's a lot of conviction >> behind it from anyone involved. And not requesting / making the >> registration for "..." would be a perfectly reasonable outcome too. >> >> >> >> >> >> On Thu, Apr 3, 2025 at 8:39 AM Filip Skokan <panva...@gmail.com> wrote: >> >> Hello David, SD-JWT authors, >> >> >> >> I have reviewed the proposed registrations in >> draft-ietf-oauth-selective-disclosure-jwt-17 >> <https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-17.html> >> . >> >> - *"_sd"* - OK *✓* >> - *"_sd_alg"* - OK *✓* >> - *"sd_hash"* - OK *✓* (after digging out the discussion around why >> "sd_hash" does not have a prefix (issues/371 >> <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/371> >> , pull/387 >> <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/387>) >> like "_sd" and "_sd_alg" do) >> - *"..."* - Since this can never appear in the top level JSON object >> that represents the JWT Claims Set and appears exclusively as a property >> in >> a JSON array member that itself is an object, i.e. inside a Claim Value, >> it >> does not seem fit to be registered as a JSON Web Token Claim. However, >> lacking more details in the review instructions for designated experts I'm >> not finding a more solid ground to say no to it. That is other than this >> potentially far-fetching thought that since the registry entries are for >> "Claim Name"(s) and "..." can only appear inside "Claim Value" it seems >> like it needs no registration. Thoughts? Is my understanding of it never >> being on the top level JSON object correct? >> >> S pozdravem, >> *Filip Skokan* >> >> >> >> >> >> On Wed, 2 Apr 2025 at 22:11, David Dong via RT < >> drafts-expert-review-comm...@iana.org> wrote: >> >> Dear Mike Jones, Nat Sakimura, Filip Skokan (cc: Brian Campbell, oauth >> WG), >> >> As the designated experts for the JSON Web Token Claims registry, can you >> review the proposed registrations in >> draft-ietf-oauth-selective-disclosure-jwt-17 for us? Please note Brian is a >> co-author on this document. >> >> Please see: >> >> >> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/ >> >> The due date is April 23rd. >> >> If this is OK, when the IESG approves the document for publication, we'll >> make the registration at: >> >> https://www.iana.org/assignments/jwt/ >> >> We will assume that your response is a consensus response, unless you >> tell us otherwise. >> >> Unless you ask us to wait for the other reviewer, we’ll act one week >> after the first response we receive. >> >> With thanks, >> >> David Dong >> IANA Services Sr. Specialist >> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.* >> >> >> *CONFIDENTIALITY NOTICE: This email may contain confidential and >> privileged material for the sole use of the intended recipient(s). Any >> review, use, distribution or disclosure by others is strictly prohibited. >> If you have received this communication in error, please notify the sender >> immediately by e-mail and delete the message and any file attachments from >> your computer. Thank you.* >> > > *CONFIDENTIALITY NOTICE: This email may contain confidential and > privileged material for the sole use of the intended recipient(s). Any > review, use, distribution or disclosure by others is strictly prohibited. > If you have received this communication in error, please notify the sender > immediately by e-mail and delete the message and any file attachments from > your computer. Thank you.*
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
