Speaking as one of the editors, but not one that was involved in the aforementioned initial contacts, I think there might have been some miscommunication or misunderstanding here.
The intent in the context of this draft has long been (for at least a year and 10 revisions) to not prohibit the use of HMAC (or anything other than "none") JWS signing algorithms, but not to attempt to define the pieces like the KDF and key exchange that would be needed to make HMAC work kinda like an asymmetric signature. My stance has been that the proper layer for that is in the presentation request/response protocol (such as OpenID4VP). Or maybe not the proper layer exactly, but the most pragmatic layer given the totality of circumstances.

As mentioned in a comment on that #574 <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/574#issuecomment-2877132922> issue, Paul believes it would be more appropriate at the JWS algorithm layer. That's certainly a reasonable perspective, but it would almost certainly still need some pieces spelled out at the presentation protocol layer. Having said that, I don't think much or even any allowance or guidance exists in the presentation request/response protocol layer that I'm familiar with, OpenID4VP, to facilitate anything like this. To the extent that it's as important as implied here, I'd suggest some of the energy behind this be directed there (while being aware that that document is in the latter stages of the OIDF process).

As Daniel mentioned, also in a comment on that issue #574 <https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/574#issuecomment-2876517065>, we use the term "signing" in SD-JWT to mean HMAC as well as typical asymmetric signatures. Even though it's not technically correct, it follows the terminology of JWS/JWT, which encompasses MACs as JSON Web Signatures. As far as I know, there is no normative language preventing or prohibiting the use of HMAC-based algorithms. However, if there are concrete suggestions to improve specific language in the draft, we can certainly consider incorporating clarifications or improvements.
Lastly, please note that IESG balloting has already begun on this draft. So the bar for changes at this point, without incurring significant process intervention anyway, is quite high.

On Tue, May 13, 2025 at 5:53 AM Stefan Santesson <[email protected]> wrote:

> Hi,
>
> We just submitted the following issue on the SD-JWT GitHub page detailing this request.
>
> https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/574
>
> Providing the final stage of this document, we would only do this because it is very important, is non-breaking and our initial contacts with editors suggest that this could be accepted.
>
> --
> ________________
> Stefan Santesson
>
> _______________________________________________
> OAuth mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
