Changes to normative statements

[OR13]

Aligns with #141

This PR, changes MUST to SHOULD to allow for more specific typing via media types.

This PR also recommends securing with JOSE be done with sd-jwt

---

Preview | Diff

[andresuribe87]

Some suggestions reinforcing the definition of what an SD-JWT is.

Selectively Disclosable JWT (SD-JWT):
A composite structure, consisting of an Issuer-signed JWT (JWS, [RFC7515]), Disclosures, and optionally a Key Binding JWT that supports selective disclosure as defined in this document. It can contain both regular claims and digests of selectively-disclosable claims.

Importantly, an SD-JWT is NOT a JWT.

[Sakurann]

why changing MUST to SHOULD allows more explicit typing..? if there is one media type that is to be used, why not mandate it..? what am I missing

[OR13]

@Sakurann at the last IETF, I asked a lot of people about this... There was some concern over not allowing specific VCs to use the more specific typing, similar to sec+jwt using it... This allows for that to happen with W3C VCs, so perhaps some token processors might do foo+sd-jwt instead of vc+ld+json+sd-jwt... It also reduces the risk of further issues with multiple suffixes in case there are issues that arise with it in the future.

[iherman]

The issue was discussed in a meeting on 2023-08-30

• no resolutions were taken

View the transcript

1.1. Changes to normative statements (pr vc-jose-cose#143)

See github pull request vc-jose-cose#143.

Brent Zundel: looking to transition to CR no later than end of September.

Michael Prorock: one PR ready to merge (vc-jose-cose).
… clean things up. better to test.
… should help with test suites.

[selfissued]

Add rationale. Say that it's a SHOULD so that more specific media types can be used.

[TallTed]

Including the reason for the SHOULD would be helpful. Might also consider "application/jwt or subtype thereof (e.g., application/sec+jwt)"

[iherman]

The issue was discussed in a meeting on 2023-09-05

• no resolutions were taken

View the transcript

4.1. Changes to normative statements (pr vc-jose-cose#143)

See github pull request vc-jose-cose#143.

Orie Steele: lot of discussions about media types at last IETF.
… possibly not a great idea to have very specific key types.
… e.g. all VCs had to have the type of jwt, but you could not know anything about what was in the jwt.
… by using jwt we could not make it any more specific.
… this PR does not preclude using more specific values in future.
… this PR alters the amount of work needed to perform the tests for getting to a standard.
… ie. it reduces the amount of work needed.

Kristina Yasuda: +1 selfissued.

Orie Steele: I agree, but prefer to address that in a separate PR.

Orie Steele: Feel free to file an issue to track the suggested language.

Michael Jones: rationale should be included to say this media type should be used unless a profile specifies a more specific media type.

[OR13]

@selfissued @TallTed added guidance based on your review in : 6a821e1

[TallTed]

Language tweaks, to hopefully clarify somewhat...

[OR13]

@TallTed thanks for your suggestions, both are applied. @selfissued can you please re-review.

[Sakurann]

Suggested change

	ought to be used, unless there is a more specific media type that would even
	should to be used, unless there is a more specific media type that would even

[TallTed]

ought to was meant to avoid potential confusion of should with SHOULD.

If should is now to be kept, should to be should be changed to should be or perhaps SHOULD be.

[OR13]

I prefer to avoid the normative language

[selfissued]

Thanks for adding the rationale.