Hello OAUTH, I am one of the Designated Experts for the IANA media types registry.
draft-ietf-oauth-selective-disclosure-jwt was approved by the IESG and is in the RFC Editor queue. It creates the media types structured syntax suffix "sd-jwt". We have received a request by the W3C to register "application/vp+sd-jwt", and this application has drawn some security-related scrutiny.

Media type reviewers are not necessarily equipped to provide in-depth security opinions about media type registrations. For the most part, we try to pick off obvious problems, but mostly we constrain our security reviews to answering questions like "Was a security review done?" and "Is it clear whether this type's payload contains executable code?" as those are the primary questions RFC 6838 (the relevant BCP) asks. W3C is the official contact for the "application/vp" type.

This use of "sd-jwt" appears to be controversial or at least has drawn some criticism that it is a "net harm"; see for example:

https://mailarchive.ietf.org/arch/msg/media-types/VnhrnlQmh8rtlo6iU8gS1QYYK_I/
https://mailarchive.ietf.org/arch/msg/media-types/AL6QDGXYl-zsfkN4x_S9Jq_RX9I/
https://mailarchive.ietf.org/arch/msg/media-types/G9Lku0QcRYjjG09QXUYurqfOtQA/

Does OAUTH want to provide any feedback on the proposed registration for "application/vp+sd-jwt"? Absent any objection, I'm inclined to approve the request as long as it is well-formed and satisfies the security review of RFC 6838. Put another way, I suggest that the media type registration is the wrong place to address security concerns with the actual payload. One possible outcome would be to ask the W3C to amend its security considerations to cover the stated concerns, if consensus exists on what those are.

Thanks for any support you can provide to our review function.

-MSK