Hello VC Enthusiasts,

I wrote this draft today:
https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/

It captures some of the discussion we have seen regarding OHTTP and
Verifiable Credential Status Lists that has happened at W3C.

- https://github.com/w3c/vc-bitstring-status-list/issues/80

In particular, this paragraph was added as a result of privacy feedback:

> Issuers SHOULD publish status list information using HTTPS URLs and in
> ways that minimize possible correlation of usage patterns related to the
> list. Verifiers SHOULD retrieve status list information using protocols
> that guard against access pattern correlation, such as Oblivious HTTP
> [OHTTP].
>
> For example, a verifiable credential secured with Data Integrity Proofs
> might have media type application/vc+ld+json, while a verifiable credential
> secured with SD-JWT might have media type application/sd-jwt.

- https://w3c.github.io/vc-bitstring-status-list/#media-types

I note that the W3C draft for vc-bitstring-status-list is using the
`application/sd-jwt` media type to refer to a specific JSON-LD payload
being secured with sd-jwt, namely `application/vc+ld+json`... this seems to
be in violation of the JWT BCP, which recommends using explicit types.

It also makes me wonder how compatible these 2 drafts will end up being.

I think it would be better to recommend a CWT-based media type, instead of
sd-jwt.

Will there be a similar recommendation to use OHTTP
with draft-ietf-oauth-status-list?

Regards,

OS

-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>