
Remove mention of unspecified key binding methods #383

Closed
bifurcation opened this issue Nov 22, 2023 · 7 comments · Fixed by #404
@bifurcation
Contributor

The algorithm in Section 8.3 includes the following branch:

If Key Binding is provided by means not defined in this specification, verify the Key Binding according to the method used.

We should remove that branch. If an implementation is doing something outside this specification, their behavior can deviate arbitrarily from what the specification says. It's not the job of this specification to cover everything that a verifier might possibly do.
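To make concrete what the remaining branch of the Section 8.3 algorithm has to do once the "means not defined in this specification" escape hatch is gone, here is an added Python example of the Key Binding checks a verifier applies to an SD-JWT presentation. It is not code from the SD-JWT draft or its authors. It assumes the presentation format `<Issuer-signed JWT>~<Disclosure>~...~<KB-JWT>` (a trailing `~` meaning no KB-JWT), a KB-JWT with `typ` `kb+jwt` and `iat`, `aud`, `nonce` and `sd_hash` claims, `sd_hash` computed with the Issuer-signed JWT's `_sd_alg` over the presentation up to and including the final `~`, and the holder key in the Issuer-signed JWT's `cnf` claim. Signature verification is delegated to a caller-supplied `verify_jws(jwt, cnf)` callable (an assumption of this example, not a library API), so the block itself needs no crypto library; the sample presentation, its placeholder signatures and the `SAMPLE_*` values are constructed for illustration. "Key Binding is optional" becomes a verifier policy flag (`require_kb`), not a branch that accepts arbitrary unspecified mechanisms.

```python
import base64
import hashlib
import json
import time


class KeyBindingError(Exception):
    """Raised when a presentation fails Key Binding verification."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jwt_parts(jwt: str):
    """Return (header, payload) dicts of a compact JWS; no signature check here."""
    try:
        h, p, _sig = jwt.split(".")
        return json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except (ValueError, json.JSONDecodeError) as exc:
        raise KeyBindingError(f"malformed JWT: {exc}") from exc


def split_presentation(presentation: str):
    """Split '<Issuer-signed JWT>~<Disclosure>~...~<KB-JWT or empty>'."""
    if "~" not in presentation:
        raise KeyBindingError("not an SD-JWT presentation (no '~' separator)")
    parts = presentation.split("~")
    kb_jwt = parts[-1] or None  # a trailing '~' means no KB-JWT was sent
    return parts[0], parts[1:-1], kb_jwt


HASH_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}


def verify_key_binding(presentation, expected_aud, expected_nonce, verify_jws,
                       *, require_kb=True, now=None, max_age=300):
    """KB-JWT checks of SD-JWT verification.

    Returns True when a KB-JWT is present and valid, False when none is present
    and the verifier does not require Key Binding; raises KeyBindingError otherwise.
    verify_jws(jwt, cnf) is caller-supplied (assumed interface) and must verify the
    JWS signature against the key carried in the Issuer-signed JWT's 'cnf' claim.
    """
    issuer_jwt, _disclosures, kb_jwt = split_presentation(presentation)
    if kb_jwt is None:
        if require_kb:
            raise KeyBindingError("verifier policy requires Key Binding; no KB-JWT present")
        return False

    _issuer_header, issuer_payload = jwt_parts(issuer_jwt)
    cnf = issuer_payload.get("cnf")
    if cnf is None:
        raise KeyBindingError("Issuer-signed JWT has no 'cnf' claim; cannot bind a key")

    header, payload = jwt_parts(kb_jwt)
    if header.get("typ") != "kb+jwt":
        raise KeyBindingError("KB-JWT 'typ' header must be 'kb+jwt'")

    # sd_hash covers the presentation up to and including the final '~'.
    hash_fn = HASH_ALGS.get(issuer_payload.get("_sd_alg", "sha-256"))
    if hash_fn is None:
        raise KeyBindingError("unsupported _sd_alg")
    kb_input = presentation[: len(presentation) - len(kb_jwt)]
    if payload.get("sd_hash") != b64url_encode(hash_fn(kb_input.encode("ascii")).digest()):
        raise KeyBindingError("sd_hash does not match the presented SD-JWT and Disclosures")

    if payload.get("aud") != expected_aud:
        raise KeyBindingError("KB-JWT 'aud' mismatch")
    if payload.get("nonce") != expected_nonce:
        raise KeyBindingError("KB-JWT 'nonce' mismatch")
    now = time.time() if now is None else now
    iat = payload.get("iat")
    if not isinstance(iat, (int, float)) or not (now - max_age <= iat <= now + 60):
        raise KeyBindingError("KB-JWT 'iat' missing or outside the acceptance window")

    if not verify_jws(kb_jwt, cnf):
        raise KeyBindingError("KB-JWT signature does not verify under the 'cnf' key")
    return True


def key_binding_status(presentation, aud, nonce, verify_jws, **kw) -> str:
    """Wrapper returning 'bound', 'unbound' or 'rejected: <reason>'."""
    try:
        return "bound" if verify_key_binding(presentation, aud, nonce, verify_jws, **kw) else "unbound"
    except KeyBindingError as exc:
        return f"rejected: {exc}"


# ---- constructed sample data (placeholder signatures, not real keys) ----
SAMPLE_NOW = 1_700_000_000
SAMPLE_AUD = "https://verifier.example"
SAMPLE_NONCE = "n-0S6_WzA2Mj"


def unsigned_jwt(header: dict, payload: dict) -> str:
    """Constructed helper: compact JWS with a placeholder signature segment."""
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode()) for x in (header, payload)]
    return ".".join(segs + [b64url_encode(b"placeholder-signature")])


def sample_presentation(with_kb: bool = True) -> str:
    """Constructed sample: Issuer-signed JWT, one Disclosure, optional KB-JWT."""
    issuer_jwt = unsigned_jwt(
        {"alg": "ES256", "typ": "example+sd-jwt"},
        {"iss": "https://issuer.example", "_sd_alg": "sha-256",
         "cnf": {"jwk": {"kty": "EC", "crv": "P-256", "x": "placeholder", "y": "placeholder"}}},
    )
    disclosure = b64url_encode(json.dumps(["salt", "given_name", "Alice"]).encode())
    sd_part = f"{issuer_jwt}~{disclosure}~"
    if not with_kb:
        return sd_part
    sd_hash = b64url_encode(hashlib.sha256(sd_part.encode("ascii")).digest())
    kb_jwt = unsigned_jwt({"alg": "ES256", "typ": "kb+jwt"},
                          {"iat": SAMPLE_NOW, "aud": SAMPLE_AUD, "nonce": SAMPLE_NONCE, "sd_hash": sd_hash})
    return sd_part + kb_jwt
```

In a real verifier `verify_jws` would check the ES256 signature with a JOSE library against the `cnf` JWK; here the point is the decision structure: either a KB-JWT is present and every check passes, or it is absent and the verifier's own policy decides whether that is acceptable. There is no third path for mechanisms the specification does not define.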

@bc-pi
Collaborator

bc-pi commented Nov 28, 2023

Indeed it's not the job of this specification to cover everything that a verifier might possibly do. But verifying key binding is important and the specification elsewhere discusses the possibility that the proof of possession could be accomplished by ways other than the KB JWT. As such, we felt that it deserved treatment in the validation steps.

@bifurcation
Contributor Author

On the one hand, KB is important. On the other hand, KB is optional. 🤔

What other discussion do you have in mind? I'm not finding it on a quick search through the document.

@bc-pi
Collaborator

bc-pi commented Nov 28, 2023

Alternatives to a Key Binding JWT for example

@bifurcation
Contributor Author

Yeah, we should delete that and Section 10 as well. They don't actually define anything, and they are harmful because they encourage divergent, non-interoperable implementations. If there are use cases that KB-JWT doesn't cover and needs to, we should accommodate them. If we don't need to accommodate them, we shouldn't.

@Sakurann
Collaborator

Discussed during the editor's call: agreed to remove specific references that allow additional key binding mechanisms, to encourage interoperability using the mechanisms defined in the spec, and because even without the text those additional mechanisms are not precluded, as the spec makes it clear KB JWT is optional.

@danielfett to open a separate issue on updating section 9 to reflect most recent implementation experience.

@bc-pi
Collaborator

bc-pi commented Feb 20, 2024

PR #404 removes mention of unspecified key binding methods and the Enveloping SD-JWTs section

@bc-pi bc-pi added has-PR and removed ready-for-PR labels Feb 23, 2024
@bc-pi
Collaborator

bc-pi commented Feb 25, 2024

Discussed during the editor's call: agreed to remove specific references that allow additional key binding mechanisms, to encourage interoperability using the mechanisms defined in the spec, and because even without the text those additional mechanisms are not precluded, as the spec makes it clear KB JWT is optional.

PR #404 does that

@danielfett to open a separate issue on updating section 9 to reflect most recent implementation experience.

And issue #403 is that.

danielfett added a commit that referenced this issue Feb 27, 2024
* Remove mention of unspecified key binding methods and the Enveloping SD-JWTs section (issue #383)

* Daniel's one nit

Co-authored-by: Daniel Fett <fett@danielfett.de>

---------

Co-authored-by: Daniel Fett <fett@danielfett.de>