It has been a minute. Is there a plan? Deb
On Thu, Jul 24, 2025 at 11:15 AM Murray S. Kucherawy <[email protected]> wrote:
> Hello OAUTH,
>
> I am one of the Designated Experts for the IANA media types registry.
>
> draft-ietf-oauth-selective-disclosure-jwt was approved by the IESG and is
> in the RFC Editor queue. It creates the media types structured syntax
> suffix "sd-jwt". We have received a request by the W3C to register
> "application/vp+sd-jwt", and this application has drawn some
> security-related scrutiny.
>
> Media type reviewers are not necessarily equipped to provide in-depth
> security opinions about media type registrations. For the most part, we
> try to pick off obvious problems, but mostly we constrain our security
> reviews to answering questions like "Was a security review done?" and "Is
> it clear whether this type's payload contains executable code?" as those
> are the primary questions RFC 6838 (the relevant BCP) asks.
>
> W3C is the official contact for the "application/vp" type. This use of
> "sd-jwt" appears to be controversial or at least has drawn some criticism
> that it is a "net harm"; see for example:
>
> https://mailarchive.ietf.org/arch/msg/media-types/VnhrnlQmh8rtlo6iU8gS1QYYK_I/
> https://mailarchive.ietf.org/arch/msg/media-types/AL6QDGXYl-zsfkN4x_S9Jq_RX9I/
> https://mailarchive.ietf.org/arch/msg/media-types/G9Lku0QcRYjjG09QXUYurqfOtQA/
>
> Does OAUTH want to provide any feedback on the proposed registration for
> "application/vp+sd-jwt"? Absent any objection, I'm inclined to approve the
> request as long as it is well-formed and satisfies the security review of
> RFC 6838. Put another way, I suggest that the media type registration is
> the wrong place to address security concerns with the actual payload.
>
> One possible outcome would be to ask the W3C to amend its security
> considerations to cover the stated concerns, if consensus exists on what
> those are.
>
> Thanks for any support you can provide to our review function.
>
> -MSK
_______________________________________________ OAuth mailing list -- [email protected] To unsubscribe send an email to [email protected]
