Murray holds the action on this. He had requested a call with Brent Zundel,
Brian Campbell, and myself (all W3C VCWG members, with Brent being the chair)
to discuss, which was held yesterday. Brent, Brian, and I attended and Murray
didn’t for some reason. Brent is working with Murray to reschedule.
-- Mike
From: Deb Cooley <[email protected]>
Sent: Tuesday, August 19, 2025 4:22 AM
To: Murray S. Kucherawy <[email protected]>
Cc: [email protected]
Subject: [OAUTH-WG] Re: Fwd: OAUTH message for your comments
It has been a minute. Is there a plan?
Deb
On Thu, Jul 24, 2025 at 11:15 AM Murray S. Kucherawy
<[email protected]> wrote:
Hello OAUTH,
I am one of the Designated Experts for the IANA media types registry.
draft-ietf-oauth-selective-disclosure-jwt was approved by the IESG and is in
the RFC Editor queue. It creates the media types structured syntax suffix
"sd-jwt". We have received a request by the W3C to register
"application/vp+sd-jwt", and this application has drawn some security-related
scrutiny.
Media type reviewers are not necessarily equipped to provide in-depth security
opinions about media type registrations. For the most part, we try to pick off
obvious problems, but mostly we constrain our security reviews to answering
questions like "Was a security review done?" and "Is it clear whether this
type's payload contains executable code?" as those are the primary questions
RFC 6838 (the relevant BCP) asks.
W3C is the official contact for the "application/vp" type. This use of
"sd-jwt" appears to be controversial or at least has drawn some criticism that
it is a "net harm"; see for example:
https://mailarchive.ietf.org/arch/msg/media-types/VnhrnlQmh8rtlo6iU8gS1QYYK_I/
https://mailarchive.ietf.org/arch/msg/media-types/AL6QDGXYl-zsfkN4x_S9Jq_RX9I/
https://mailarchive.ietf.org/arch/msg/media-types/G9Lku0QcRYjjG09QXUYurqfOtQA/
Does OAUTH want to provide any feedback on the proposed registration for
"application/vp+sd-jwt"? Absent any objection, I'm inclined to approve the
request as long as it is well-formed and satisfies the security review of RFC
6838. Put another way, I suggest that the media type registration is the wrong
place to address security concerns with the actual payload.
One possible outcome would be to ask the W3C to amend its security
considerations to cover the stated concerns, if consensus exists on what those
are.
Thanks for any support you can provide to our review function.
-MSK
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]