[OAUTH-WG] Re: DPoP/RFC9449 - out-of-band public keys and no "jwk" in the header? OAuth 2.1?

2025-07-16 Thread Brian Campbell
Hi Ollie, Have you taken a look at the WIMSE Workload to Workload Authentication (formerly Service to Service) https://datatracker.ietf.org/doc/html/draft-ietf-wimse-s2s-protocol ? Offhand, it sounds like it might be applicable. On Tue, Jul 15, 2025 at 9:47 AM Chalk, Ollie (DSIT) wrote: > OFFIC

[OAUTH-WG] Re: Last minute request: Specifying key derivation for HMAC signatures on key binding JWT in SD JWT

2025-07-09 Thread Brian Campbell
Note that Paul's draft for something like this at the JWS algorithm layer is likely to be discussed at the JOSE session of the upcoming meeting https://mailarchive.ietf.org/arch/msg/jose/nBxAALrHMYE7Lgyq1dHoGx7RaHw/ On Sun, May 25, 2025 at 3:15 PM Stefan Santesson wrote: > All, > > Just to recap

[OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header

2025-07-08 Thread Brian Campbell
On Sun, Jul 6, 2025 at 1:13 PM Neil Madden wrote: > On 6 Jul 2025, at 13:22, Dick Hardt wrote: > > > Do we as a WG want to be aligned with the HTTP spec, or align with what > is widely deployed? > > > I don’t think we can change the case-insensitivity of the auth scheme, but > we can certainly

[OAUTH-WG] Re: coding agents don't follow the spec for parsing Authorization header

2025-07-08 Thread Brian Campbell
On Sun, Jul 6, 2025 at 12:57 PM Warren Parad wrote: > Sure, but Postel's Law is actually harmful. And the "volume of LLM code" > isn't the relevant metric, but rather "What the future of generated LLM > code will look like". That is what is being generated at the moment, I > don't find relevant e

[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-sd-jwt-vc-10.txt

2025-07-07 Thread Brian Campbell
#integrity claim values in examples (Subresource Integrity uses regular base64 encoding and some were wrong length) -- Forwarded message - From: Date: Mon, Jul 7, 2025 at 11:18 AM Subject: New Version Notification for draft-ietf-oauth-sd-jwt-vc-10.txt To: Brian Campbell ,

[OAUTH-WG] Re: SD-JWT VC Issuer Signature Profiles/Mechanisms/Somethings

2025-06-10 Thread Brian Campbell
via profile/extension. - Is more explicit that the employed Issuer Signature Mechanism has to be one that is permitted for the Issuer according to policy. - Is more clear that one permitted Issuer Signature Mechanism is sufficient. On Fri, Apr 25, 2025 at 4:28 PM Brian Campbell wro

[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-selective-disclosure-jwt-21.txt

2025-05-29 Thread Brian Campbell
Thanks again for catching that Dan. It should be fixed in -22 https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-22#name-array-elements On Thu, May 29, 2025 at 6:03 AM Brian Campbell wrote: > Thanks Dan, > > You aren't missing anything. That's

[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-selective-disclosure-jwt-21.txt

2025-05-29 Thread Brian Campbell
t 11:47 AM wrote: > >> Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-21.txt is now >> available. It is a work item of the Web Authorization Protocol (OAUTH) WG >> of >> the IETF. >> >>Title: Selective Disclosure for JWTs (SD-JWT) >>Aut

[OAUTH-WG] Fwd: Expiration impending:

2025-05-28 Thread Brian Campbell
A -09 draft with the changes noted below has been published in order to ward off this impending expiration. * Use SD-JWT KB in place of SD-JWT with Key Binding JWT * Editorial changes * Document reasons for not using JSON Pointer or JSON Path (Issue #267) * Clarify that private claim names MAY be

[OAUTH-WG] Re: Roman Danyliw's No Objection on draft-ietf-oauth-selective-disclosure-jwt-20: (with COMMENT)

2025-05-28 Thread Brian Campbell
Thanks for clearing the DISCUSS Roman, https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/579/files has a few more updates aimed at your remaining comments. Please let me know if anything there looks amiss. I'll work with the co-authors and responsible AD to get a new draft out and mo

[OAUTH-WG] Re: Roman Danyliw's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-27 Thread Brian Campbell
Hi Roman, A draft -20 has been published incorporating the aforementioned changes, which is hopefully sufficient to clear the DISCUSS? On Fri, May 23, 2025 at 4:09 PM Brian Campbell wrote: > Another follow up to my previous follow ups (sorry!): > > Kristina has added to that PR

[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-27 Thread Brian Campbell
Orie, Thanks again for the review and engagement on this. A draft -20 has been published incorporating these changes and is hopefully sufficient to clear the DISCUSS. On Fri, May 23, 2025 at 3:10 PM Brian Campbell wrote: > Thanks Orie for a productive and enjoyable discussion yesterday. I

[OAUTH-WG] Re: Roman Danyliw's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-23 Thread Brian Campbell
at some of the non-blocking comments: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/577 On Thu, May 22, 2025 at 11:07 AM Brian Campbell wrote: > As a follow up to my prior follow up, Kristina's PR > https://github.com/oauth-wg/oauth-selective-disclosure-jwt/p

[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-23 Thread Brian Campbell
Thanks Orie for a productive and enjoyable discussion yesterday. I've updated the https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/576 PR as we discussed and incorporated changes for a number of your comments and nits. On Thu, May 22, 2025 at 1:05 PM Brian Campbell wrote:

[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-22 Thread Brian Campbell
> > If any step fails, the presentation is not valid and processing MUST be > aborted. > > I still think clearer guidance to profiles of the form "aud" in SD-JWT > with Key Binding is not recommended would make sense, but that is just a > non blocking comment. > >

[OAUTH-WG] Re: Roman Danyliw's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-22 Thread Brian Campbell
As a follow up to my prior follow up, Kristina's PR https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/575 has prospective changes aimed at addressing some of your comments and plans to add a few more such changes. On Thu, May 22, 2025 at 8:51 AM Brian Campbell wrote: > a f

[OAUTH-WG] Re: Roman Danyliw's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-22 Thread Brian Campbell
a follow up on just one item is On Tue, May 20, 2025 at 4:20 PM Brian Campbell wrote: > ** Section 7.1 >>* the Issuer-signed JWT is valid, i.e., it is signed by the Issuer, >> the signature is valid, it is not expired, it is not suspended or >> revoked,

[OAUTH-WG] Re: Mike Bishop's No Objection on draft-ietf-oauth-selective-disclosure-jwt-19: (with COMMENT)

2025-05-21 Thread Brian Campbell
On Wed, May 21, 2025 at 2:53 PM Mike Bishop via Datatracker < nore...@ietf.org> wrote: > Mike Bishop has entered the following ballot position for > draft-ietf-oauth-selective-disclosure-jwt-19: No Objection > > COMMENT: > -- > >

[OAUTH-WG] Re: [OPS-DIR]draft-ietf-oauth-selective-disclosure-jwt call Opsdir review

2025-05-21 Thread Brian Campbell
Thanks for the review, Tiru! On Wed, May 21, 2025 at 2:25 AM tirumal reddy wrote: > Document: draft-ietf-oauth-selective-disclosure-jwt > Title: Selective Disclosure for JWTs (SD-JWT) > Reviewer: Tirumaleswar Reddy > Review result: "Ready with issues" > > Hi, > > I have reviewed this document as

[OAUTH-WG] Re: Mohamed Boucadair's No Objection on draft-ietf-oauth-selective-disclosure-jwt-19: (with COMMENT)

2025-05-21 Thread Brian Campbell
Thanks for the review, Med! On Wed, May 21, 2025 at 4:58 AM Mohamed Boucadair via Datatracker < nore...@ietf.org> wrote: > Mohamed Boucadair has entered the following ballot position for > draft-ietf-oauth-selective-disclosure-jwt-19: No Objection > > ---

[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-21 Thread Brian Campbell
Fett wrote: > >> Thanks for your Review, Orie! >> >> Comments inline. >> On 21.05.25 at 17:21, Orie wrote: >> >> Thanks Brian, >> >> There is a related comment regarding the typ for kb+jwt and its >> requirements. >> Which I pulled out

[OAUTH-WG] Re: Roman Danyliw's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-20 Thread Brian Campbell
Thanks for the review Roman. In hopes of expediting discussion towards a resolution to the blocking comments, similar to how I responded to Orie, I'm going to reply separately to the DISCUSS here first. That's inline below. On Tue, May 20, 2025 at 11:50 AM Roman Danyliw via Datatracker < nore...@

[OAUTH-WG] Re: Orie Steele's Discuss on draft-ietf-oauth-selective-disclosure-jwt-19: (with DISCUSS and COMMENT)

2025-05-20 Thread Brian Campbell
Thanks for the review Orie. In hopes of expediting discussion towards a resolution to the blocking comments, I'm going to reply separately to the DISCUSS here first. That's inline below. On Tue, May 20, 2025 at 9:51 AM Orie Steele via Datatracker < nore...@ietf.org> wrote: > Orie Steele has ente

[OAUTH-WG] Re: Gorry Fairhurst's No Objection on draft-ietf-oauth-selective-disclosure-jwt-19: (with COMMENT)

2025-05-19 Thread Brian Campbell
Thanks Gorry. Appreciate the review and ballot of no objection. On Mon, May 19, 2025 at 4:14 AM Gorry Fairhurst via Datatracker < nore...@ietf.org> wrote: > Gorry Fairhurst has entered the following ballot position for > draft-ietf-oauth-selective-disclosure-jwt-19: No Objection > > When respondi

[OAUTH-WG] Re: draft-ietf-oauth-selective-disclosure-jwt-19 telechat Artart review

2025-05-15 Thread Brian Campbell
There was a lot of content in the recommendation[1] and subsequent emails[2] but some of all that did result in changes[3] to the draft that attempted to improve its clarity. Much of the text that is the target of the suggestions in points (b)--(d) has changed in draft -19[4] and no longer appears

[OAUTH-WG] Re: Last minute request: Specifying key derivation for HMAC signatures on key binding JWT in SD JWT

2025-05-13 Thread Brian Campbell
Speaking as one of the editors but not one that was not involved in these aforementioned initial contacts, I think there might have been some miscommunication or misunderstanding here. The intent in the context of this draft has long been (for at least a year and 10 revisions) to not prohibit the

[OAUTH-WG] Re: [Last-Call] draft-ietf-oauth-selective-disclosure-jwt-18 ietf last call Artart review

2025-05-05 Thread Brian Campbell
areas. On Fri, May 2, 2025 at 12:23 PM Brian Campbell wrote: > Thank you for the review Henry. And thank you for the engagement on it > Carsten. > > I do appreciate the desire to be precise with language and that it can be > difficult to do so, particularly with respect to va

[OAUTH-WG] Re: ABNF error in draft-ietf-oauth-selective-disclosure-jwt-18 ?

2025-05-03 Thread Brian Campbell
Thanks Carsten for pointing that out. I've created issue 570 to track this and, with the support of a different tool, tried to document why the use of () is equivalent to but also more correct than []. In my own defense, I was

[OAUTH-WG] Re: ABNF error in draft-ietf-oauth-selective-disclosure-jwt-18 ?

2025-05-02 Thread Brian Campbell
D-JWT MUST always have a trailing “~” as that is what the ABNF says? > > On Fri, May 2, 2025 at 12:46 PM Brian Campbell > wrote: > >> from this line, >> >> SD-JWT = JWT "~" *[DISCLOSURE "~"] >> >> the SD-JWT part always has a trailing ~

[OAUTH-WG] Re: ABNF error in draft-ietf-oauth-selective-disclosure-jwt-18 ?

2025-05-02 Thread Brian Campbell
from this line, SD-JWT = JWT "~" *[DISCLOSURE "~"] the SD-JWT part always has a trailing ~ so I think what's there is correct. On Fri, May 2, 2025 at 1:39 PM Dick Hardt wrote: > Hey > > Looks like you are missing a "~" in the abnf for SD-JWT-KB > > in section 4 a "~" separates the KB-JWT from

[OAUTH-WG] Re: [IANA #1416059] expert review for draft-ietf-oauth-selective-disclosure-jwt (media-type-structured-suffix)

2025-05-02 Thread Brian Campbell
Hi David, I just noticed that, from the view of my mail client anyway, these messages were sent only to dar...@tavis.ca and oauth@ietf.org. But not, as far as I can tell, to Alexey or media-ty...@ietf.org or similar. Should there be a wider or different distribution list? For what it's worth, I

[OAUTH-WG] Re: [Last-Call] draft-ietf-oauth-selective-disclosure-jwt-18 ietf last call Artart review

2025-05-02 Thread Brian Campbell
Thank you for the review Henry. And thank you for the engagement on it Carsten. I do appreciate the desire to be precise with language and that it can be difficult to do so, particularly with respect to various encodings. Nonetheless, there have been a nontrivial number of implementations already

[OAUTH-WG] Re: Last Call: (Selective Disclosure for JWTs (SD-JWT)) to Proposed Standard

2025-04-30 Thread Brian Campbell
Thanks Deb, Just one quick clarification - those changes are not yet published as a draft but rather 'staged' in git[hub]. A new draft will be out soonish though. On Wed, Apr 30, 2025 at 10:57 AM Deb Cooley wrote: > Denis, > > I have the following responses inline marked as [DC] in the summary o

[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-selective-disclosure-jwt-18.txt

2025-04-29 Thread Brian Campbell
Kristina Yasuda Brian Campbell Name:draft-ietf-oauth-selective-disclosure-jwt-18.txt Pages: 97 Dates: 2025-04-28 Abstract: This specification defines a mechanism for the selective disclosure of individual elements of a JSON-encoded data structure used as the p

[OAUTH-WG] SD-JWT VC Issuer Signature Profiles/Mechanisms/Somethings

2025-04-25 Thread Brian Campbell
While not new, the subject of how an issuer signs an SD-JWT VC and how a verifier properly finds the public key and checks the signature has come more into focus recently. Slides 7 and 8 of the SD-JWT VC presentation at the Friday WG session

[OAUTH-WG] Re: Updates to RFC 7523

2025-04-23 Thread Brian Campbell
ue, Apr 22, 2025 at 1:04 PM Brian Campbell wrote: > > On Tue, Apr 22, 2025 at 1:01 PM Benjamin Kaduk wrote: > >> I hope we don't end up with a "late surprise" later on. > > > Yeah, me too.

[OAUTH-WG] Re: Updates to RFC 7523

2025-04-22 Thread Brian Campbell
On Tue, Apr 22, 2025 at 1:01 PM Benjamin Kaduk wrote: > I hope we don't end up with a "late surprise" later on. Yeah, me too.

[OAUTH-WG] Re: Updates to RFC 7523

2025-04-22 Thread Brian Campbell
I, of course, cannot say what the IESG will be happy or unhappy to receive. But I do know that the responsible AD was present in the session at IETF 122 where this was discussed in general. And didn't object as far as I remember. I can also say that, from my perspective anyway, the alternative of f

[OAUTH-WG] Re: Secdir ietf last call review of draft-ietf-oauth-selective-disclosure-jwt-17

2025-04-18 Thread Brian Campbell
Thanks Shawn, I appreciate the review and the acknowledgement of the little touch of humor :) This PR addresses the editorial comments https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/565 On Mon, Apr 14, 2025 at 12:00 AM Shawn Emery via Datatracker < nore...@ietf.org> wrote: > Doc

[OAUTH-WG] Re: Genart ietf last call review of draft-ietf-oauth-selective-disclosure-jwt-17

2025-04-13 Thread Brian Campbell
Thank you Thomas, appreciate you taking the time to review the document. On Fri, Apr 11, 2025 at 7:50 PM Thomas Fossati via Datatracker < nore...@ietf.org> wrote: > Document: draft-ietf-oauth-selective-disclosure-jwt > Title: Selective Disclosure for JWTs (SD-JWT) > Reviewer: Thomas Fossati > Revi

[OAUTH-WG] Re: [IANA #1416058] expert review for draft-ietf-oauth-selective-disclosure-jwt (jwt)

2025-04-10 Thread Brian Campbell
anks for the suggestion. > > > > -- Mike > > > > *From:* Brian Campbell > *Sent:* Monday, April 7, 2025 10:51 AM > *To:* Nat Sakimura > *Cc:* Michael Jones ; Filip Skokan < > panva...@gmail.com>;

[OAUTH-WG] Re: [IANA #1416059] expert review for draft-ietf-oauth-selective-disclosure-jwt (media-type-structured-suffix)

2025-04-08 Thread Brian Campbell
Thanks David, Just to try and connect the dots on the various pieces here - this is the same Structured Syntax Suffixes request as the last item in [media-types] draft-ietf-oauth-selective-disclosure-jwt media types and structured syntax suffix and registration review request

[OAUTH-WG] Re: Second WGLC for Token Status List

2025-04-07 Thread Brian Campbell
On Thu, Apr 3, 2025 at 11:33 AM Steffen Schwalm wrote: > I strongly oppose against moving forward the specification as Issues still > open. > > > >1. There´s no documented decision on the well-known x509 issue – >beside the wishes of the authors > > Having seen and participated in discuss

[OAUTH-WG] Re: [IANA #1416058] expert review for draft-ietf-oauth-selective-disclosure-jwt (jwt)

2025-04-07 Thread Brian Campbell
registrations. >> >> >> >> IANA, please proceed to make the registrations. >> >> >> >> -- Mike >> >> >> >> *From:* Brian Campbell >> *Sent:* Thursday, April

[OAUTH-WG] Re: [IANA #1416058] expert review for draft-ietf-oauth-selective-disclosure-jwt (jwt)

2025-04-04 Thread Brian Campbell
es are for >"Claim Name"(s) and "..." can only appear inside "Claim Value" it seems >like it needs no registration. Thoughts? Is my understanding of it never >being on the top level JSON object correct? > > Best regards, > *Filip Skokan* > >

[OAUTH-WG] Re: [Last-Call] draft-ietf-oauth-selective-disclosure-jwt non-selectively disclosable claims

2025-04-04 Thread Brian Campbell
thanks Chad, I put in https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/563 so as not to lose track of this On Thu, Apr 3, 2025 at 7:19 AM Chad Parry wrote: > The phrase "non-selectively disclosable claims" confused me. At first I > interpreted it to mean "claims that are disclos

[OAUTH-WG] Re: [IANA #1416058] expert review for draft-ietf-oauth-selective-disclosure-jwt (jwt)

2025-04-03 Thread Brian Campbell
from your response below. > > > > Thanks all, > > -- Mike > > > > *From:* Brian Campbell > *Sent:* Thursday, April 3, 2025 1:40 PM > *To:* Filip Skokan > *Cc:* drafts-expert-review-comm...@iana.org;

[OAUTH-WG] Re: [IANA #1416058] expert review for draft-ietf-oauth-selective-disclosure-jwt (jwt)

2025-04-03 Thread Brian Campbell
> SD-JWT? If so, let's register it. > > Best regards, > *Filip Skokan* > > > On Thu, 3 Apr 2025 at 22:20, Brian Campbell > wrote: > >> Thanks Filip, >> >> I think your observations about "..." are correct. It doesn't necessarily >

[OAUTH-WG] Fwd: I-D Action: draft-ietf-oauth-selective-disclosure-jwt-16.txt

2025-02-27 Thread Brian Campbell
thors: Daniel Fett Kristina Yasuda Brian Campbell Name:draft-ietf-oauth-selective-disclosure-jwt-16.txt Pages: 96 Dates: 2025-02-27 Abstract: This specification defines a mechanism for the selective disclosure of individual elements of a JSON-enco

[OAUTH-WG] Re: Status List Feature Request

2025-02-26 Thread Brian Campbell
I concur with Filip's perspective. On Wed, Feb 26, 2025, 4:21 PM Filip Skokan wrote: > I believe it is inappropriate and wildly out of scope for an oauth > document to define X.509 extensions, which IIUC is needed in order to > define the Status Claim for X.509? The important thing to make sure

[OAUTH-WG] Re: Implementation Status of SD-JWT

2025-02-21 Thread Brian Campbell
Here's another implementation that I just recently learned about: https://github.com/openwallet-foundation-labs/multiformat-vc-ios On Sun, Feb 9, 2025 at 8:16 AM Brian Campbell wrote: > There's this very lightly curated list of implementations in the > repository > https://

[OAUTH-WG] Re: late review of draft-ietf-oauth-selective-disclosure-jwt-15

2025-02-19 Thread Brian Campbell
Thanks Rohan, I've gone through the comments and incorporated a bunch of the feedback into this https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/553 On Thu, Feb 13, 2025 at 12:33 PM Rohan Mahy wrote: > Hi, > I have a few comments on Section 10.1. > > However, when the user only d

[OAUTH-WG] Re: Review comments for SD-JWT

2025-02-18 Thread Brian Campbell
On Wed, Feb 12, 2025 at 12:50 PM Brian Campbell wrote: > >> suggest removing the "fnord" from Richard "fnord" Barnes >> > > > treatment for Richard Barnes (whom I highly respect) in the > Acknowledgements section of this draft was absolutely int

[OAUTH-WG] Re: IETF122 Call for topics

2025-02-17 Thread Brian Campbell
Thanks Rifaat, On behalf of myself and the various co-conspirators I would like to formally request agenda time at IETF 122 for presentation and discussion of the following documents currently under the remit of the OAUTH WG: Selective Disclosure for JWTs (SD-JWT) https://datatracker.ietf.org/doc

[OAUTH-WG] Re: Review comments for SD-JWT

2025-02-12 Thread Brian Campbell
Thanks Hannes, I really appreciate the feedback and work towards moving this one forward in the process. I've prepared this pull request https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/552 with updates aimed at addressing the review comments. Please take a look and let us know if

[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)

2025-02-11 Thread Brian Campbell
ted errata on that > RFC? (RFC 7519 and Erratas: 5906, 7720, and 8225) > To make it worth my while to wrestle w/ the RFC errata system... > > Deb > > On Mon, Feb 10, 2025 at 5:56 PM Brian Campbell > wrote: > >> Pieter said errata in July of last year and we've

[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)

2025-02-10 Thread Brian Campbell
, HFDU). The > tooling for this is, h old, so I like to do these in groups. > > If there is appetite, we can look at other oauth errata... > > Deb > > > > On Fri, Feb 7, 2025 at 2:56 PM Brian Campbell 40pingidentity@dmarc.ietf.org> wrote: > >> Apolog

[OAUTH-WG] Re: IPR Disclosure - Selective Disclosure for JWTs (SD-JWT)

2025-02-10 Thread Brian Campbell
> Hannes > > > On 09.02.2025 at 16:02, Brian Campbell wrote: > > Thanks Hannes, > > I am not aware of any IPR associated with the document. > > On Sun, Feb 9, 2025 at 6:59 AM Hannes Tschofenig > wrote: > > Hi Daniel, Kristina, Brian > > as part

[OAUTH-WG] Re: Implementation Status of SD-JWT

2025-02-09 Thread Brian Campbell
There's this very lightly curated list of implementations in the repository https://github.com/oauth-wg/oauth-selective-disclosure-jwt?tab=readme-ov-file#sd-jwt-implementations SD-JWT Implementations

[OAUTH-WG] Re: IPR Disclosure - Selective Disclosure for JWTs (SD-JWT)

2025-02-09 Thread Brian Campbell
Thanks Hannes, I am not aware of any IPR associated with the document. On Sun, Feb 9, 2025 at 6:59 AM Hannes Tschofenig wrote: > Hi Daniel, Kristina, Brian > > as part of the shepherd write-up, all authors of > > must confirm that any and all appropriate IPR disclosures required for full > con

[OAUTH-WG] Re: draft-jones-oauth-rfc7523bis published and questions to the working group

2025-02-07 Thread Brian Campbell
be applied to SAML because there's no equivalent construct in a SAML assertion to the typ header in JWS/JWT. And it doesn't work for request objects because RFC 9101 already has a media type defined. I view the current draft as a practical means to close all the identified > vulner

[OAUTH-WG] Re: [Technical Errata Reported] RFC7519 (8060)

2025-02-07 Thread Brian Campbell
Neither RFC 7515 nor > RFC 7516 include any special provisions for only ignoring header parameters > if they are specified as being ignored, but instead requires all header > parameters to be ignored if they are not understood, except if they are > critical. > > This errata cl

[OAUTH-WG] Re: Call for adoption - RFC7523bis

2025-02-07 Thread Brian Campbell
As stated in the "[OAUTH-WG] Re: draft-jones-oauth-rfc7523bis published and questions to the working group " thread - I don't believe this draft is the right starting point. But if the WG decides otherwise, I sincerely hope

[OAUTH-WG] Re: draft-jones-oauth-rfc7523bis published and questions to the working group

2025-02-07 Thread Brian Campbell
Thanks for the work on this document Mike. Regarding the questions for the working group: 1. My preference is for a single document. 2. The scope of the changes should be constrained to only what is necessary to address the issue that brought us here, which is JWT Client Assertion Auth

[OAUTH-WG] Re: Status List Feature Request

2025-02-07 Thread Brian Campbell
That seems well beyond the scope of both the Status List draft and the OAuth WG in general. On Fri, Feb 7, 2025 at 2:57 PM Christian Bormann wrote: > Hi all, > > > > While going through the feedback and issues on github, there was one > bigger discussion point that we would like to bring to the

[OAUTH-WG] Re: -15 of SD-JWT

2025-01-22 Thread Brian Campbell
Watson, I think perhaps there's a misalignment of goals here. My perspective is that the privacy considerations are good enough (and have been for several months now) for the draft to proceed and will likely be improved or changed more anyway during the course of shepherd, AD, directorate, and IE

[OAUTH-WG] -15 of SD-JWT

2025-01-16 Thread Brian Campbell
ssage - From: Date: Thu, Jan 16, 2025 at 11:30 AM Subject: New Version Notification for draft-ietf-oauth-selective-disclosure-jwt-15.txt To: Brian Campbell , Daniel Fett < m...@danielfett.de>, Kristina Yasuda A new version of Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-15.t

[OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.

2025-01-09 Thread Brian Campbell
On Thu, Jan 9, 2025 at 11:18 AM Watson Ladd wrote: > > > On Thu, Jan 9, 2025, 10:14 AM Watson Ladd wrote: > >> >> >> On Thu, Jan 9, 2025, 10:10 AM Pierce Gorman >> wrote: >> >>> Hi Watson, >>> >>> I thought it was a good suggestion and am looking forward to feedback >>> from others. >>> >>> I d

[OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.

2025-01-09 Thread Brian Campbell
Pull request https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/535 incorporates text based on this suggestion into the end of the Unlinkability subsection of the Privacy Considerations. Barring objections/concerns with this, we'll look to merge it and publish a new draft next week. O

[OAUTH-WG] Re: Fwd: New Version Notification for draft-ietf-oauth-selective-disclosure-jwt-14.txt

2025-01-09 Thread Brian Campbell
ave checked the github PR and it appears to cover all my 'to do' items > (marked with a '*') in the previous message. Thank you for this. > > Deb > > On Thu, Dec 12, 2024 at 11:23 AM Brian Campbell < > bcampb...@pingidentity.com> wrote: > >

[OAUTH-WG] Client ID scheme Interim followup link

2025-01-07 Thread Brian Campbell
I wanted to share a pointer to the somewhat related issue over in the OIDF's DCP WG I mentioned during the Interim yesterday https://github.com/openid/OpenID4VP/issues/376

[OAUTH-WG] Re: Alternative text for sd-jwt privacy considerations.

2024-12-27 Thread Brian Campbell
I feel like this thread has strayed a bit from its origin, which was some text Watson proposed for the privacy considerations https://mailarchive.ietf.org/arch/msg/oauth/ugVBj2O0hw-nuWNVTFpt0JH3yVY From my perspective, it wouldn't be a wholesale replacement for anything but, assuming the co-autho

[OAUTH-WG] Re: SD-JWT linkability

2024-12-24 Thread Brian Campbell
On Mon, Dec 23, 2024 at 2:03 PM Watson Ladd wrote: > > On Mon, Dec 23, 2024 at 6:17 AM Joseph Heenan wrote: > >> I don’t think it is helpful to repeatedly make very similar proposals >> whilst ignoring the feedback on why that proposal is inappropriate, nor >> does it look like trying to meet ha

[OAUTH-WG] Re: SD-JWT linkability

2024-12-24 Thread Brian Campbell
wards me. On Sun, Dec 22, 2024 at 1:36 PM Watson Ladd wrote: > On Sun, Dec 22, 2024, 2:35 PM Brian Campbell > wrote: > > > > > > > > On Sat, Dec 21, 2024 at 1:37 PM Joseph Heenan > wrote: > >> > >> > >> < ... snip ... > >

[OAUTH-WG] Re: SD-JWT linkability

2024-12-22 Thread Brian Campbell
On Sat, Dec 21, 2024 at 1:37 PM Joseph Heenan wrote: > > < ... snip ... > > > The current text is clear that there are situations where issuer-verifier > linkability can’t be fully prevented. > > Process wide, I believe if you think the text currently in the > specification is inadequate, you n

[OAUTH-WG] Re: Fwd: New Version Notification for draft-ietf-oauth-selective-disclosure-jwt-14.txt

2024-12-12 Thread Brian Campbell
Thanks for the detailed review and treatment of the issues Deb, The document editors will take an action to incorporate the indicated changes in the next draft. On Thu, Dec 12, 2024 at 6:58 AM Deb Cooley wrote: > +oauth working group and Paul: > > Denis, > > I have gone through every issue requ

[OAUTH-WG] Re: Issuers, resolution, squatting, and the WebPKI

2024-12-11 Thread Brian Campbell
Thanks Watson, I'm trying to synthesize this in my own thinking. So please tell me if I'm off base. Effectively one manifestation of this is as a problem is a verifier, which only uses an https issuer value to find issuer metadata and key(s), that is checking a credential from an issuer who has em

[OAUTH-WG] Re: Section 3.5 in sd-jwt-vc

2024-12-03 Thread Brian Campbell
On Tue, Dec 3, 2024 at 12:03 PM Watson Ladd wrote: > What exactly does one do with an iss that has an HTTPS URL? Seems like > we say two different things must happen. > Do you mean what is said in this issue https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/281, which I assume was inspired by y

[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-sd-jwt-vc-08.txt

2024-12-03 Thread Brian Campbell
To: Brian Campbell , Daniel Fett < m...@danielfett.de>, Oliver Terbu A new version of Internet-Draft draft-ietf-oauth-sd-jwt-vc-08.txt has been successfully submitted by Brian Campbell and posted to the IETF repository. Name: draft-ietf-oauth-sd-jwt-vc Revision: 08 Title:SD-JWT-

[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-sd-jwt-vc-07.txt

2024-12-02 Thread Brian Campbell
-oauth-sd-jw… <https://mailarchive.ietf.org/arch/msg/oauth/JJaJZwOSxDkdgEbzFgt6ndboLn8/> Brian Campbell [OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jw… <https://mailarchive.ietf.org/arch/msg/oauth/HyP1pMOhkx2rz-d3OxniM2l2C6Q/> Markus Sabadello [OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jw…

[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jwt-vc-06.txt

2024-11-18 Thread Brian Campbell
dds the “Status” field for the well-known > URI registration per IANA early review. > > -Daniel > > > > [0] https://www.youtube.com/watch?v=LvIBqlHkuXY > > [1] https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/250 > > [2] https://github.com/oauth-wg/oauth-sd-jwt-v

[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jwt-vc-06.txt

2024-11-18 Thread Brian Campbell
for the well-known > URI registration per IANA early review. > > -Daniel > > > > [0] https://www.youtube.com/watch?v=LvIBqlHkuXY > > [1] https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/250 > > [2] https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/251 > > Am 13.11.24

[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-selective-disclosure-jwt-14.txt

2024-11-16 Thread Brian Campbell
lQUUwMaHDjR9OgA/ -- Forwarded message - From: Date: Fri, Nov 15, 2024 at 11:45 AM Subject: New Version Notification for draft-ietf-oauth-selective-disclosure-jwt-14.txt To: Brian Campbell , Daniel Fett < m...@danielfett.de>, Kristina Yasuda A new version of Internet-Draft draft

[OAUTH-WG] Re: Media Types conversation during the OAuth session last week

2024-11-15 Thread Brian Campbell
ors' work to come to a > resolution. It was not easy work. I look forward to when these drafts are > passed to me (as Sec AD) for publication. > > Deb Cooley > Sec AD > > On Thu, Nov 14, 2024 at 5:24 AM Brian Campbell 40pingidentity@dmarc.ietf.org> wrote: >

[OAUTH-WG] Re: Media Types conversation during the OAuth session last week

2024-11-14 Thread Brian Campbell
"application/dc+sd-jwt" On Wed, Nov 13, 2024 at 6:27 PM Brian Campbell wrote: > Thanks Brent, the note is genuinely appreciated. I did take painstaking > efforts to ensure the presentation was factual and somewhat well-reasoned > (if at the cost of brevity) so personally

[OAUTH-WG] Re: Media Types conversation during the OAuth session last week

2024-11-13 Thread Brian Campbell
Thanks Brent, the note is genuinely appreciated. I did take painstaking efforts to ensure the presentation was factual and somewhat well-reasoned (if at the cost of brevity) so personally especially appreciate that acknowledgement. On Wed, Nov 13, 2024 at 3:40 PM Brent Zundel wrote: > I want to

[OAUTH-WG] Re: Second WGLC for SD-JWT

2024-11-12 Thread Brian Campbell
Consistently saying something isn't the same as gathering consensus about what, if any, changes to make as a result of saying it. The IETF has a consensus-based process for standards development and sometimes one individual's viewpoint falls outside consensus. Repeatedly voicing the viewpoint doesn

[OAUTH-WG] Re: Nit in section 4 of draft 13 of SD-JWT

2024-10-25 Thread Brian Campbell
> the consuming of the specs to be appreciated. I will say that I can't > actually decide if the comma belongs or not though. > > > > On Fri, Oct 25, 2024 at 1:11 AM Brian Campbell 40pingidentity@dmarc.ietf.org> wrote: > >> > >> The phrase "for th

[OAUTH-WG] Re: Nit in section 4 of draft 13 of SD-JWT

2024-10-24 Thread Brian Campbell
The phrase "for those who celebrate" there is a subtle attempt at a little bit of good-natured humor. ChatGPT explains the general phrase thusly: The phrase "for those who celebrate" is often used to acknowledge that not everyone may participate in a particular holiday, event, or tradition. It's a

[OAUTH-WG] Fwd: New Version Notification for draft-ietf-oauth-selective-disclosure-jwt-13.txt

2024-10-18 Thread Brian Campbell
Notification for draft-ietf-oauth-selective-disclosure-jwt-13.txt A new version of Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-13.txt has been successfully submitted by Brian Campbell and posted to the IETF repository. Name: draft-ietf-oauth-selective-disclosure-jwt Revision: 13

[OAUTH-WG] Re: Explicit typing of SD-JWTs (was SD-JWT architecture feedback)

2024-10-03 Thread Brian Campbell
sd-jwt and other tokens isn't what explicit typing is about. I'll take another look at the language in the draft around typing and see if there's anything that can reasonably be done to make it less confusing or potentially problematic. > > On Mon, Sep 30, 2024 at 1

[OAUTH-WG] Re: Explicit typing of SD-JWTs (was SD-JWT architecture feedback)

2024-09-30 Thread Brian Campbell
ny people will just read this > doc and do what it suggests, hence let's make explicit typing a MUST. > > FWIW: the "typ" header property was intended to help a processor know how > to process the rest of the dot separated components. The initial use cases > being

[OAUTH-WG] Re: SD-JWT disclosure ordering

2024-09-25 Thread Brian Campbell
As it's the input to a hash, I think it should be well enough understood that the order is important in that context. On Tue, Sep 24, 2024 at 10:51 AM David Waite wrote: > I didn’t see anything in SD-JWT about a canonical disclosure ordering. > > Disclosures from the issuer (and after selective

[OAUTH-WG] Re: Explicit typing of SD-JWTs (was SD-JWT architecture feedback)

2024-09-24 Thread Brian Campbell
I must admit that I'm finding it difficult to fully grasp the points you're making on this topic. As with the other topics, there has been extensive discussion about typing and media types[1]. And, while I have my own reservations about using something inside a thing to say what the thing is and t

[OAUTH-WG] Re: SD-JWT architecture feedback

2024-09-23 Thread Brian Campbell
The feedback has indeed sparked a number of discussions in this thread and others on the mailing list, which hopefully have been productive. Rest assured, the feedback is not being ignored, and no one is attempting to 'push it through.' These points have been considered—often extensively—over the

[OAUTH-WG] Re: Leading underscores in SD-JWT Claim Names (was SD-JWT architecture feedback)

2024-09-23 Thread Brian Campbell
As someone with some experience in this space, I believe it's reasonable to acknowledge that the layering within JWS/JWT is not perfectly clean. Consequently, reasonable sounding arguments can be made for placing the "_sd_hash" either in the header or the payload. Ultimately, this is somewhat subje

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-20 Thread Brian Campbell
Resending this because I didn't see it show up in the list archive https://mailarchive.ietf.org/arch/browse/oauth/ On Thu, Sep 19, 2024 at 2:00 PM Brian Campbell wrote: > As an individual, I don't believe the additional text is necessary. > However, as an editor committed to t

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-19 Thread Brian Campbell
As an individual, I don't believe the additional text is necessary. However, as an editor committed to that same goal of publishing this specification as an RFC (hopefully soon), I'm happy to add it to the draft to help achieve that goal. On Tue, Sep 17, 2024 at 10:01 PM Michael Jones wrote: >

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-13 Thread Brian Campbell
Watson, Thank you for your comments during the Vancouver meeting and subsequently on the mailing list. Your input helped initiate some valuable discussions, and I’ve incorporated additional text into the Unlinkability subsection under the Privacy Considerations to reflect the general consensus tha

[OAUTH-WG] Re: WGLC for SD-JWT

2024-09-12 Thread Brian Campbell
Thanks Neil, That is indeed an error. Thanks for catching that. We'll get it fixed. I see how that other part is a bit confusing too and will look at improving how those pieces flow together. And also maybe fix some other stuff in that area while we're at it, like inadequate salt length in at leas
