w3c / vc-jose-cose

Verifiable Credentials Working Group — VC JSON Web Tokens specification
https://w3c.github.io/vc-jose-cose/

Changes to normative statements #143

Closed OR13 closed 1 year ago

OR13 commented 1 year ago

Aligns with https://github.com/w3c/vc-jose-cose/issues/141

This PR changes MUST to SHOULD to allow for more specific typing via media types.

This PR also recommends securing with JOSE be done with sd-jwt.


Sakurann commented 1 year ago

why changing MUST to SHOULD allows more explicit typing..? if there is one media type that is to be used, why not mandate it..? what am I missing

OR13 commented 1 year ago

@Sakurann at the last IETF, I asked a lot of people about this... There was some concern over not allowing specific VCs to use the more specific typing, similar to sec+jwt using it... This allows for that to happen with W3C VCs, so perhaps some token processors might do foo+sd-jwt instead of vc+ld+json+sd-jwt... It also reduces the risk of further issues with multiple suffixes in case there are issues that arise with it in the future.

iherman commented 1 year ago

The issue was discussed in a meeting on 2023-08-30

#### 1.1. Changes to normative statements (pr vc-jose-cose#143)

_See github pull request [vc-jose-cose#143](https://github.com/w3c/vc-jose-cose/pull/143)._

**Brent Zundel:** looking to transition to CR no later than end of September.

**Michael Prorock:** one PR ready to merge (vc-jose-cose).
… clean things up. better to test.
… should help with test suites.

TallTed commented 1 year ago

Including the reason for the SHOULD would be helpful. Might also consider "application/jwt or subtype thereof (e.g., application/sec+jwt)"

iherman commented 1 year ago

The issue was discussed in a meeting on 2023-09-05

#### 4.1. Changes to normative statements (pr vc-jose-cose#143)

_See github pull request [vc-jose-cose#143](https://github.com/w3c/vc-jose-cose/pull/143)._

**Orie Steele:** lot of discussions about media types at last IETF.
… possibly not a great idea to have very specific key types.
… e.g. all VCs had to have the type of jwt, but you could not know anything about what was in the jwt.
… by using jwt we could not make it any more specific.
… this PR does not preclude using more specific values in future.
… this PR alters the amount of work needed to perform the tests for getting to a standard.
… ie. it reduces the amount of work needed.

> *Kristina Yasuda:* +1 selfissued.

> *Orie Steele:* I agree, but prefer to address that in a separate PR.

> *Orie Steele:* Feel free to file an issue to track the suggested language.

**Michael Jones:** rationale should be included to say this media type should be used unless a profile specifies a more specific media type.

OR13 commented 1 year ago

@selfissued @TallTed added guidance based on your review in: https://github.com/w3c/vc-jose-cose/pull/143/commits/6a821e1795c9caa792dbb47821a50d28769a9ee6

OR13 commented 1 year ago

@TallTed thanks for your suggestions, both are applied. @selfissued can you please re-review.