JWT and unprotected header - generalisation?

[alenhorvat]

Dear,

Issue type: Discussion Blocking: No Impact (if considered): Breaking

JWT as a compact serialised JWT doesn't have support for an unprotected header.

~disclosures~KB

represent information that in JSON serialisation one puts in the unprotected header, as defined in the document.

Should this specification consider a generalisation of the approach, where an arbitrary "unprotected header" can be encoded, in a sense: protected.payload.signature.header~<type-specific content> or protected.payload.signature.header.<type-specific content> where header has a claim 'cty' defining the content type of what follows

in case of sd-jwt, type specific content is ~disclosures~KB (and the combination of);

Note: if such construct should be considered, IMO an annex to https://datatracker.ietf.org/doc/html/rfc7519 would be more appropriate.

[bc-pi]

While a generalization of the approach is certainly an interesting idea, it's well outside the scope of this work to do so.

For consideration of such a construct, I would encourage you bring it to the attention of an appropriate WG or perhaps DISPATCH group.

[alenhorvat]

Thank you for your answer.

Would you kindly suggest which would be the appropriate WG? Where can I find more information about the DISPATCH group?

Thank you in advance!

[bc-pi]

JWS/JWE came out of JOSE so arbitrary "unprotected header" on the compact serializations would perhaps be most appropriate there. https://datatracker.ietf.org/wg/jose/

JWT, which relies on those the compact serializations, hails from OAUTH so that's not an unreasonable place either.
https://datatracker.ietf.org/wg/oauth

DISPATCH and/or SECDISPATCH are intended to help consider proposals for new work and, if the work is appropriate and there's sufficient interest, help find or create appropriate venue for such work. https://datatracker.ietf.org/wg/dispatch/about/
https://datatracker.ietf.org/wg/secdispatch/about/

[alenhorvat]

Thank you @bc-pi.