My intuition is that we’re better off without that.  If we call out that “…” is 
somehow different, it might trigger unanticipated objections.

But thanks for the suggestion.

                                                                -- Mike

From: Brian Campbell <bcampb...@pingidentity.com>
Sent: Monday, April 7, 2025 10:51 AM
To: Nat Sakimura <nat@nat.consulting>
Cc: Michael Jones <michael_b_jo...@hotmail.com>; Filip Skokan 
<panva...@gmail.com>; drafts-expert-review-comm...@iana.org; 
jwt-reg-rev...@ietf.org; oauth@ietf.org
Subject: Re: [IANA #1416058] expert review for 
draft-ietf-oauth-selective-disclosure-jwt (jwt)

Would folks think it beneficial to add a very brief note in the document saying 
something like "yeah yeah, we know it's not a traditional claim per se but 
registering it seemed like a good idea nonetheless"?

On Thu, Apr 3, 2025 at 7:07 PM Nat Sakimura <nat@nat.consulting> wrote:
Catching up on the discussion now. It seems prudent to register "..." to me.
And all others look ok.

On Fri, Apr 4, 2025 at 5:52 Michael Jones <michael_b_jo...@hotmail.com> wrote:
I then choose to defer to Brian’s judgement as an author (and a recused 
Designated Expert) and approve this and all the other registrations.

IANA, please proceed to make the registrations.

                                                                -- Mike

From: Brian Campbell <bcampb...@pingidentity.com>
Sent: Thursday, April 3, 2025 1:50 PM
To: Michael Jones <michael_b_jo...@hotmail.com>
Cc: Filip Skokan <panva...@gmail.com>; drafts-expert-review-comm...@iana.org; 
nat@nat.consulting; jwt-reg-rev...@ietf.org; oauth@ietf.org
Subject: Re: [IANA #1416058] expert review for 
draft-ietf-oauth-selective-disclosure-jwt (jwt)

I am (and always have been on this one) on the fence about it but also lean 
towards making the registration.

On Thu, Apr 3, 2025 at 2:47 PM Michael Jones <michael_b_jo...@hotmail.com> wrote:
I would lean towards approving the registration of “…” even though it may not 
appear as a top-level claim when used as defined in the specification.  It’s 
still a claim value integral to the functioning of this specification.

That said, Brian, as an author, do you believe we should register it or not?  I 
can’t tell from your response below.

                                                                Thanks all,
                                                                -- Mike

From: Brian Campbell <bcampb...@pingidentity.com>
Sent: Thursday, April 3, 2025 1:40 PM
To: Filip Skokan <panva...@gmail.com>
Cc: drafts-expert-review-comm...@iana.org; nat@nat.consulting; 
michael_b_jo...@hotmail.com; jwt-reg-rev...@ietf.org; oauth@ietf.org
Subject: Re: [IANA #1416058] expert review for 
draft-ietf-oauth-selective-disclosure-jwt (jwt)

Indeed unlikely to appear as a top level claim and, I think even if it did, 
it'd be unlikely to actually impact algorithms / steps defined in SD-JWT 
(depends on implementation though, of course, so not impossible). But it could 
certainly be a source of confusion seeing it there.

On Thu, Apr 3, 2025 at 2:32 PM Filip Skokan <panva...@gmail.com> wrote:
Hello Brian

to prevent it from being used as a top level claim name

That's a perfectly valid reason, would its appearance as a top level claim 
(while unlikely, possible) impact the various algorithms / steps defined in 
SD-JWT? If so, let's register it.

Best regards,
Filip Skokan


On Thu, 3 Apr 2025 at 22:20, Brian Campbell <bcampb...@pingidentity.com> wrote:
Thanks Filip,

I think your observations about "..." are correct. It doesn't necessarily need 
to be registered and isn't even strictly speaking a claim name. We talked about 
this some (poorly captured in this issue 
/315<https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/315>) 
and decided it'd be a reasonable idea to request to register it anyway. I think 
the motivation was largely to have it documented in a place, other than the 
draft itself, where people might maybe look for such information and to prevent 
it from being used as a top level claim name. Also (other than having this 
conversation, which was anticipated) there didn't seem to be any real downside 
to requesting registration. And there's not, as far as I know, definitive 
guidance or precedent.

Having said that, however, I don't think there's a lot of conviction behind it 
from anyone involved. And not requesting / making the registration for "..." 
would be a perfectly reasonable outcome too.


On Thu, Apr 3, 2025 at 8:39 AM Filip Skokan <panva...@gmail.com> wrote:
Hello David, SD-JWT authors,

I have reviewed the proposed registrations in 
draft-ietf-oauth-selective-disclosure-jwt-17<https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-17.html>.

  *   "_sd" - OK ✓
  *   "_sd_alg" - OK ✓
  *   "sd_hash" - OK ✓ (after digging out the discussion around why "sd_hash" 
does not have a prefix 
(issues/371<https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/371>,
 pull/387<https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/387>) 
like "_sd" and "_sd_alg" do)
  *   "..." - Since this can never appear in the top level JSON object that 
represents the JWT Claims Set and appears exclusively as a property in a JSON 
array member that itself is an object, i.e. inside a Claim Value, it does not 
seem fit to be registered as a JSON Web Token Claim. However, lacking more 
details in the review instructions for designated experts I'm not finding a 
more solid ground to say no to it. That is other than this potentially 
far-fetched thought that since the registry entries are for "Claim Name"(s) 
and "..." can only appear inside "Claim Value" it seems like it needs no 
registration. Thoughts? Is my understanding of it never being on the top level 
JSON object correct?
Best regards,
Filip Skokan


On Wed, 2 Apr 2025 at 22:11, David Dong via RT 
<drafts-expert-review-comm...@iana.org> wrote:
Dear Mike Jones, Nat Sakimura, Filip Skokan (cc: Brian Campbell, oauth WG),

As the designated experts for the JSON Web Token Claims registry, can you 
review the proposed registrations in 
draft-ietf-oauth-selective-disclosure-jwt-17 for us? Please note Brian is a 
co-author on this document.

Please see:

https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/

The due date is April 23rd.

If this is OK, when the IESG approves the document for publication, we'll make 
the registration at:

https://www.iana.org/assignments/jwt/

We will assume that your response is a consensus response, unless you tell us 
otherwise.

Unless you ask us to wait for the other reviewer, we’ll act one week after the 
first response we receive.

With thanks,

David Dong
IANA Services Sr. Specialist

CONFIDENTIALITY NOTICE: This email may contain confidential and privileged 
material for the sole use of the intended recipient(s). Any review, use, 
distribution or disclosure by others is strictly prohibited.  If you have 
received this communication in error, please notify the sender immediately by 
e-mail and delete the message and any file attachments from your computer. 
Thank you.

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
