Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Looser restrictions on the JOSE header typ #5

Closed
bellebaum opened this issue Dec 17, 2021 · 7 comments
Closed

Looser restrictions on the JOSE header typ #5

bellebaum opened this issue Dec 17, 2021 · 7 comments

Comments

@bellebaum
Copy link

Section 5.1 of RFC 7519 states that using a typ header claim with a value of JWT is RECOMMENDED.
This has allowed other specifications to use other media types for JWTs fulfilling a more specific purpose.
For example, RFC 9068 defines a media type of at+jwt SHOULD be used for OAuth2.0 Access Tokens following the JWT Profile given there.
This continues the pattern of using the typ claim as a hint, and allowing for more specialized media types to be defined later.

The VC Data Model breaks with this tradition, instead stating that

typ, if present, MUST be set to JWT.

I would like to know the background behind this decision and why it was made. To me, it feels unnecessarily restrictive and limits the possibility to make established structures having a different typ compatible with VCs, as well as to define more specialized forms of VC-JWTs in the future.
@kdenhartog
Copy link
Member

Opting to mark this as a V2.0 issue since it would be a normative change and we're past the window of making normative changes in the maintenance group. I'd expect this will still be addressed, but likely not right away and discussion can continue on it in the mean time.

@brentzundel brentzundel transferred this issue from w3c/vc-data-model Aug 3, 2022
@Sakurann
Copy link
Contributor

PR #10 removes typ JWT requirement.
In a separate PR I think we might want to add a guiding text saying typing is up to the use-case, and potentially define couple such as "jwt+vc"; "sd-jwt+vc"?

@OR13
Copy link
Contributor

OR13 commented Aug 31, 2022
edited
Loading

Sounds like we might already want to be thinking about new content types...

https://www.iana.org/assignments/media-types/media-types.xhtml

Not yet registered or requested:

application/jose+vc
application/jwt+vc
application/jwt-sd+vc

For example:

application/jwt (exists today)
application/jose (exists today) 
application/jose+json (exists today)

IMO, it would be acceptable for any web server to describe the current VC-JWT format using either:

  1. application/jwt
  2. application/jose

But not application/jose+json.

If we want to move the media conversation to a separate issue, I am happy to do that.

@selfissued
Copy link
Collaborator

We should decide what media type value(s) to use for explicit typing via the "typ" header. Doing so is RECOMMENDED by https://www.rfc-editor.org/rfc/rfc8725.html.

@OR13
Copy link
Contributor

OR13 commented Oct 14, 2022

we removed the requirement for typ in a previous PR.

if we add it back, I don't think it should be JWT... I think it should be less ambiguous :)

@Sakurann Sakurann mentioned this issue Jan 16, 2023
Closed
@Sakurann
Copy link
Contributor

typ header should be added and it should express that it is a JWS following rules defined in VC-JWS spec, and must not be confused with cty header which expresses whether what is signed using JWS does or does not use JSON-LD (putting CBOR aside for now)

@OR13
Copy link
Contributor

OR13 commented Feb 10, 2023

I am closing this, since its stale / out of date.... more specific issues should be raised for the current draft text.

@OR13 OR13 closed this as completed Feb 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
6 participants
@selfissued @OR13 @brentzundel @kdenhartog @Sakurann @bellebaum