SD-JWT is following an existing OAuth (and OpenID) convention by including an
underscore prefix in the names of claims about claims. You’ll find that
_claim_names and _claim_sources are registered at
https://www.iana.org/assignments/jwt/jwt.xhtml, which are both claims about
claims, rather than claims whose values are used in the usual way. These are
currently the only claims with leading underscores registered.
Therefore, I believe SD-JWT is on solid ground creating and registering the
names _sd and _sd_alg as other claims about claims.
-- Mike
From: Dick Hardt <[email protected]>
Sent: Saturday, September 21, 2024 9:16 AM
To: Daniel Fett <[email protected]>
Cc: [email protected]; [email protected]
Subject: [OAUTH-WG] Re: SD-JWT architecture feedback
…
Claim Names
Why do the claims start with '_'? Why not just 'sd' and 'sda'? Why is '_sd_alg'
in the payload and not in the header?
While the underscore doesn't officially have any special meaning, adding it
reduces the chance for collisions with existing claims and makes the
SD-JWT-related claims sort nicely. All SD-related claims are in the payload,
that's why we put _sd_alg there as well.
Do you have data that shows it will reduce collisions? I have seen many
implementations that created their own claims that start with _ to reduce
collisions with the same rationale!
There is an IANA registry for claim names to avoid collisions.
The _ reminds me of internal C variables that others were not supposed to use,
but eventually did.
_sd_alg is NOT a claim. It is a signal for which algorithm to use and should be
in the header.
I'm unclear on the sorting advantage. They would sort together if they started
with sd as well.
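To make the "claims about claims" point concrete: in an SD-JWT payload, `_sd` carries digests of Disclosures rather than claim values, and `_sd_alg` names the hash used to compute those digests (default "sha-256" when absent). The script below is an added example for this thread, not code from any of the participants or from the SD-JWT specification; it follows the public Disclosure format (base64url of the JSON array [salt, claim name, claim value], digest = base64url(hash(ASCII(disclosure)))) but the function names, the sample claims and the constructed salts are assumptions of this example. The verifier half shows why `_sd_alg` matters in practice: it refuses an unknown algorithm, rejects a disclosure whose digest is not committed to in `_sd`, and rejects a disclosed name that would collide with a claim already in the payload.

```python
import hashlib
import json
import secrets
from base64 import urlsafe_b64decode, urlsafe_b64encode
from typing import Any, Dict, List, Optional, Tuple

# Hash functions this verifier is willing to honour for _sd_alg.
# "sha-256" is the SD-JWT default when the payload carries no _sd_alg.
SUPPORTED_SD_ALGS = {"sha-256": hashlib.sha256}


def b64url(data: bytes) -> str:
    """base64url without '=' padding, as JOSE and SD-JWT require."""
    return urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Inverse of b64url(): re-add padding before decoding."""
    return urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value: Any, salt: Optional[bytes] = None) -> str:
    """Build a Disclosure: base64url(JSON array [salt, claim name, claim value]).
    A fresh 128-bit salt per disclosure stops a verifier guessing low-entropy
    values (e.g. a birth date) by brute-forcing the digest."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    array_json = json.dumps([b64url(salt), name, value], separators=(",", ":"))
    return b64url(array_json.encode("utf-8"))


def disclosure_digest(disclosure: str, sd_alg: str = "sha-256") -> str:
    """Digest of the ASCII Disclosure string using the hash named by _sd_alg."""
    return b64url(SUPPORTED_SD_ALGS[sd_alg](disclosure.encode("ascii")).digest())


def build_payload(always_visible: Dict[str, Any],
                  selectively_disclosable: Dict[str, Any],
                  sd_alg: str = "sha-256") -> Tuple[Dict[str, Any], List[str]]:
    """Issuer side: return (JWT payload, Disclosures). Only digests land in the
    payload; the Disclosures travel separately and the holder chooses which
    ones to present. Sorting the digests hides the issuer's claim order."""
    disclosures = [make_disclosure(n, v) for n, v in selectively_disclosable.items()]
    payload = dict(always_visible)
    payload["_sd"] = sorted(disclosure_digest(d, sd_alg) for d in disclosures)
    payload["_sd_alg"] = sd_alg          # a claim about the _sd claim, not user data
    return payload, disclosures


def verify_disclosures(payload: Dict[str, Any], presented: List[str]) -> Dict[str, Any]:
    """Verifier side: recover the claims backed by the presented Disclosures.
    Raises ValueError for an unsupported _sd_alg, a Disclosure whose digest the
    signed payload never committed to, or a disclosed name that collides with
    an existing (or already disclosed) claim."""
    sd_alg = payload.get("_sd_alg", "sha-256")
    if sd_alg not in SUPPORTED_SD_ALGS:
        raise ValueError(f"unsupported _sd_alg: {sd_alg!r}")
    committed = set(payload.get("_sd", []))
    recovered: Dict[str, Any] = {}
    for disclosure in presented:
        if disclosure_digest(disclosure, sd_alg) not in committed:
            raise ValueError("disclosure digest is not committed to in _sd")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        if name in payload or name in recovered:
            raise ValueError(f"duplicate claim name: {name!r}")
        recovered[name] = value
    return recovered


if __name__ == "__main__":
    # Constructed sample credential for illustration only.
    payload, disclosures = build_payload(
        {"iss": "https://issuer.example", "sub": "user_42"},
        {"given_name": "Erika", "family_name": "Mustermann"},
    )
    print(json.dumps(payload, indent=2))
    print(verify_disclosures(payload, disclosures[:1]))   # present only given_name
```

Run as a script it prints the payload (note that `given_name` and `family_name` never appear in it, only their digests) and the claims recovered from a partial presentation. In a real deployment the payload is the signed JWT body; the `_sd` commitments are therefore covered by the issuer's signature while the Disclosures are not, which is exactly why the verifier must recompute each digest with the algorithm named in `_sd_alg` rather than trust the presented array contents.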
_______________________________________________
OAuth mailing list -- [email protected]
To unsubscribe send an email to [email protected]