Apologies, meant to link to the issue in case anyone would like to contribute to the discussion.
https://github.com/vcstuff/draft-ietf-oauth-status-list/issues/93 Thanks, [MATTR website]<https://mattr.global/> Tobias Looker MATTR +64 273 780 461 [email protected]<mailto:[email protected]> [MATTR website]<https://mattr.global/> [MATTR on LinkedIn]<https://www.linkedin.com/company/mattrglobal> [MATTR on Twitter]<https://twitter.com/mattrglobal> [MATTR on Github]<https://github.com/mattrglobal> This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it – please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. From: Tobias Looker <[email protected]> Date: Monday, 15 January 2024 at 9:17 PM To: Orie Steele <[email protected]>, oauth <[email protected]>, [email protected] <[email protected]> Subject: Re: [SPICE] Regarding draft-ietf-oauth-status-list-00 > Will there be a similar recommendation to use OHTTP with > draft-ietf-oauth-status-list ? I’ve opened an issue to track this but in general as editors we agree that adding an implementation consideration is likelyworthwhile. Thanks, [MATTR website]<https://mattr.global/> Tobias Looker MATTR +64 273 780 461 [email protected]<mailto:[email protected]> [MATTR website]<https://mattr.global/> [MATTR on LinkedIn]<https://www.linkedin.com/company/mattrglobal> [MATTR on Twitter]<https://twitter.com/mattrglobal> [MATTR on Github]<https://github.com/mattrglobal> This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it – please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002. From: SPICE <[email protected]> on behalf of Orie Steele <[email protected]> Date: Sunday, 14 January 2024 at 7:56 AM To: oauth <[email protected]>, [email protected] <[email protected]> Subject: [SPICE] Regarding draft-ietf-oauth-status-list-00 EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe. Hello VC Enthusiasts, I wrote this draft today: https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/ It captures some of the discussion we have seen regarding OHTTP and Verifiable Credential Status Lists, that has happened at W3C. - https://github.com/w3c/vc-bitstring-status-list/issues/80 In particular, this paragraph was added as a result of privacy feedback: > Issuers SHOULD publish status list information using HTTPS URLs and in ways > that minimize possible correlation of usage patterns related to the list. > Verifiers SHOULD retrieve status list information using protocols that guard > against access pattern correlation, such as Oblivious HTTP [OHTTP]. > For example, a verifiable credential secured with Data Integrity Proofs might > have media type application/vc+ld+json, while a verifiable credential secured > with SD-JWT might have media type application/sd-jwt. - https://w3c.github.io/vc-bitstring-status-list/#media-types I note that the W3C draft for vc-bitstring-status-list is using the `application/sd-jwt` media type to refer to a specific JSON-LD payload being secured with sd-jwt, namely `application/vc+ld+json`... this seems to be in violation of the JWT BCP, which recommends using explicit types. It also makes me wonder how compatible these 2 drafts will end up being. I think it would be better to recommend a CWT based media type, instead of sd-jwt. Will there be a similar recommendation to use OHTTP with draft-ietf-oauth-status-list ? Regards, OS -- ORIE STEELE Chief Technology Officer www.transmute.industries [Image removed by sender.]<https://transmute.industries/>
_______________________________________________ OAuth mailing list [email protected] https://www.ietf.org/mailman/listinfo/oauth
