Closed bifurcation closed 4 months ago
bc-pi
commented
7 months ago Indeed it's not the job of this specification to cover everything that a verifier might possibly do. But verifying key binding is important and the specification elsewhere discusses the possibility that the proof of possession could be accomplished by ways other than the KB JWT. As such, we felt that it deserved treatment in the validation steps.
bifurcation
commented
7 months ago On the one hand, KB is important. On the other hand, KB is optional. 🤔
What other discussion do you have in mind? I'm not finding it on a quick search through the document.
bc-pi
commented
7 months ago Alternatives to a Key Binding JWT for example
bifurcation
commented
7 months ago Yeah, we should delete that and Section 10 as well. They don't actually define anything, and they are harmful because they encourage divergent, non-interoperable implementations. If there are use cases that KB-JWT doesn't cover and needs to, we should accommodate them. If we don't need to accommodate them, we shouldn't.
Sakurann
commented
5 months ago discussed during the editor's call - agreed to remove specific references that allow additional key binding mechanisms, to encourage interoperability using the mechanisms defined in the spec and because even without the text those additional mechanisms are not precluded as spec makes it clear KB JWT is optional.
@danielfett to open a separate issue on updating section 9 to reflect most recent implementation experience.
bc-pi
commented
5 months ago PR #404 removes mention of unspecified key binding methods and the Enveloping SD-JWTs section
bc-pi
commented
4 months ago discussed during the editor's call - agreed to remove specific references that allow additional key binding mechanisms, to encourage interoperability using the mechanisms defined in the spec and because even without the text those additional mechanisms are not precluded as spec makes it clear KB JWT is optional.
PR https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/404 does that
@danielfett to open a separate issue on updating section 9 to reflect most recent implementation experience.
And issue #403 is that.
The algorithm in Section 8.3 includes the following branch:
We should remove that branch. If an implementation is doing something outside this specification, their behavior can deviate arbitrarily from what the specification says. It's not the job of this specification to cover everything that a verifier might possibly do.