Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bikeshedding the name for the vc-jwt 1.1 cty value. #42

Closed
OR13 opened this issue Jan 25, 2023 · 6 comments
Closed

Bikeshedding the name for the vc-jwt 1.1 cty value. #42

OR13 opened this issue Jan 25, 2023 · 6 comments
Labels
pending-close

Comments

@OR13
Copy link
Contributor

OR13 commented Jan 25, 2023

See the original PR here: #40

The original proposal was :

application/credential-1.1+json

The name was modified to:

application/credential-claims-set-1.1+json

The editors noted that "claim-set" is redundant.
@OR13 OR13 changed the title Bikeshedding the name for the vc-jwt 1.1 cty Bikeshedding the name for the vc-jwt 1.1 cty value. Jan 25, 2023
@brentzundel brentzundel mentioned this issue Jan 25, 2023
Merged
@TallTed
Copy link
Member

TallTed commented Jan 25, 2023
edited
Loading

application/claimset+json MIGHT be viable.

It's a subtype of application/json and could potentially be further subtyped to something like application/{claims-domain}+claimset+json.

I am not sure whether something like application/claimset+{intermediary type I don't yet grok}+json would be preferred, but I think this would be within the realm of possible, if application/{intermediary type I don't yet grok}+json can be clearly described.

I still do not understand the wish or need to include 1.1 or 1_1 or 1-1 in the media type. @OR13's comment in the call did not make it any clearer --

specific binding to 1.1 ... is important, because we have need to describe the requirements associated with this object

Can anyone help me understand this? What are the anticipated differences between data in media type application/credential-1_1+json and application/credential-2_0+json that justify the version number, vs the differences between text/html for HTML 3 and text/html for HTML 5?

@dlongley
Copy link
Contributor

Also, I'm not exactly sure what the need is for 1.1 in the name, is it related to the "instead of / in addition to" language?

With respect to that language, perhaps it would be better to have two different media types:

  • One that represents a claims set that has a "vc" claim with a value of a credential (matching the "in addition to" case) .
  • One that represents a claims set that has a "vc" claim with a value of a non-credential because it's missing some required fields that have been preserved via a mapping to JWT claims (matching the "instead of" case).

The 1.1 spec discusses these three things in JSON format:

  1. A credential (media type application/credential+ld+json), e.g.:
{
  "@context": [...],
  "type": ["VerifiableCredential", "..."],
  "id": "<credentialId>",
  "issuer": "<issuerId>",
  "credentialSubject": {
    "id": "<subjectId>",
    ...
  },
  "issuanceDate": "<issuanceDate>",
  ...
}
  1. A JWT Claims Set with a "vc" claim with a credential as its value ("in addition to"), e.g.:
{
  "jti": "<credentialId>",
  "iss": "<issuerId>",
  "nbf": "<unix-time-stamp-encoded issuanceDate>",
  "sub": "<subjectId>",
  "vc": {
    "@context": [...],
    "type": ["VerifiableCredential", "..."],
    "id": "<credentialId>",
    "issuer": "<issuerId>",
    "credentialSubject": {
      "id": "<subjectId>",
      ...
    },
    "issuanceDate": "<issuanceDate>",
    ...
  }
}
  1. A JWT Claims Set with a "vc" claim with a non-credential, because of missing required fields, as its value ("instead of"), e.g.:
{
  "jti": "<credentialId>",
  "iss": "<issuerId>",
  "nbf": "<unix-time-stamp-encoded issuanceDate>",
  "sub": "<subjectId>",
  "vc": {
    "@context": [...],
    "type": ["VerifiableCredential", "..."],
    // "id", "issuer", "issuanceDate", fields removed
    "credentialSubject": {
      // "id" field removed
      ...
    },
    ...
  }
}

The latter two would share the media type: application/credential-claims-set-1.1+json today. Should this just become two different "claims set" media types?

@dlongley
Copy link
Contributor

dlongley commented Jan 25, 2023
edited
Loading

Also, for anyone who didn't read the comments in the related PR, I'm linking to my comments there on what the JSON Web Token Best Current Practices RFC has to say on using "Explicit Types". Notably, the advice is to use the typ field (not the cty field) and to use a media type of application/example+jwt. Please take this into consideration in addressing use cases related to the naming and usage of this new media type.

I understand the media type being discussed in this issue is meant to represent the JWT Claims Set, not the JWT itself, however, it may be worth reconsidering whether that's the best approach to addressing use cases vs. following the advice in the JWT Best Current Practices RFC.

This was referenced Feb 15, 2023
Merged
Closed
@OR13
Copy link
Contributor Author

OR13 commented Jun 30, 2023

I think we have addressed this feedback in the latest draft, please review and let me know if you think this issue is actionable, what action you would like to see.

@dlongley
Copy link
Contributor

@OR13,

Removing the 1.1 stuff and fixing the media types (both of which have been done in the latest draft) addresses my concerns here. Anything else I raised around following best practices is there for anyone to review if they want to ensure what we're doing follows those, I have nothing more to say on that either way. I'm happy for this issue to be closed if others feel similarly.

@OR13
Copy link
Contributor Author

OR13 commented Jul 19, 2023

Marked pending close over 1 week ago, closing.

@OR13 OR13 closed this as completed Jul 19, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
pending-close
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@dlongley @TallTed @OR13