Request media type for 1.1 vc-jwt claim set

[OR13]

---

Preview | Diff

[selfissued]

I support this PR. Please apply the editorial correction to the WG name before merging.

[msporny]

The media type (which is a subclass of an unprotected JWT) can be confused w/ a media type for an (unprotected) credential. The media type needs to be more clear about the notion that this is a JOSE structure. Perhaps the JOSE WG should register a structured suffix for that purpose, which would make creating this media type easier.

[msporny]

Suggested change

	<h2>The <code>application/credential-1.1+json</code> Media Type</h2>
	<h2>The <code>application/credential-1.1+jose+json</code> Media Type</h2>

If this PR is about JWT claim sets, the media type identifier should contain that information in there somewhere.

Otherwise, people might misunderstand this media type to be THE media type for v1.1 VCs.

IOW, this media type could be seen as squatting on the main spec's media type.

[OR13]

its a payload type, not a "jose" type... jose currently refers to the entire token....

• https://www.iana.org/assignments/media-types/application/jose+json
• https://www.iana.org/assignments/media-types/application/jose

[dlongley]

Hmm, I'm confused by this. This media type is to identify a specific JWT claims set that has the vc claim in it, right? For example:

{
  "vc": {
    "@context": [
      "https://www.w3.org/2018/credentials/v1",
      "https://www.w3.org/2018/credentials/examples/v1"
    ],
    "id": "http://example.edu/credentials/3732",
    "type": [
      "VerifiableCredential",
      "UniversityDegreeCredential"
    ],
    "issuer": "https://example.edu/issuers/565049",
    "issuanceDate": "2010-01-01T00:00:00Z",
    "credentialSubject": {
      "id": "did:example:ebfeb1f712ebc6f1c276e12ec21",
      "degree": {
        "type": "BachelorDegree",
        "name": "Bachelor of Science and Arts"
      }
    }
  },
  "iss": "https://example.edu/issuers/565049",
  "nbf": 1262304000,
  "jti": "http://example.edu/credentials/3732",
  "sub": "did:example:ebfeb1f712ebc6f1c276e12ec21"
}

Is that right? If so, it seems like we should have jwt in the media type somewhere. Perhaps application/credential-1.1+jwt? This would be similar to application/at+jwt -- where the JWT must have access token claims.

This is to be used in the typ claim, right? The cty claim is "NOT RECOMMENDED" per RFC 7519 except for nested signing / encryption (a JWT within a JWT) cases, which I don't think we're talking about here.

[Sakurann]

JWS can sign anything - does not have to be a JWT. application/credential-1.1+json would allow signing using JWS a conformant structure which is not necessarily a JWT?

wrt nested JWT, it is a confusing term... it is defined as

A JWT in which nested signing and/or encryption are employed. In
Nested JWTs, a JWT is used as the payload or plaintext value of an
enclosing JWS or JWE structure, respectively.

so JWS(JWT claims) and JWE(JWT claims) are technically nested JWTs (though it is usually used for JWE(JWS(JWT claims)) ) is also a nested JWT so it is kind of in scope...

[dlongley]

application/credential-1.1+json would allow signing using JWS a conformant structure which is not necessarily a JWT?

But this PR says that when application/credential-1.1+json is used then it means the payload is a JWT Claims set ... right?

If not, when one sees application/credential-1.1+json in the cty field, what is the expected payload? What does the JSON look like if it isn't a JWT Claims set? It seems we need to enumerate the possibilities in this PR / change the text if it can be something other than that.

[dlongley]

In my research preparing this PR, I have not seen any example where claimset was present in other use of cty.

Yes, but I think that's because using cty when the payload is a claim set is recommended against. This is what I've been saying. If the payload is a claim set, you don't use cty -- at least this is what people who follow the RFC have been doing. Using cty in that case would be redundancy, IMO. The payload is assumed to be a claim set unless otherwise specified via cty, like when the content type is jwk+json or a nested JWT.

@selfissued noted that would be redundant on the last call and I agree.

I don't understand how it's redundant (clearly this is a different redundancy from what I said above). Perhaps there's an assumption about where the media type "may appear" -- but media types don't work that way. So, the media type name should properly reflect what it identifies regardless of where it appears.

Furthermore, using cty is a signal that the payload is not a claim set, but, rather, is whatever the media type says it is. This, to me, is an even stronger indication that we need to be clear -- we're using cty where it is advised against by the RFC, we haven't been able to find cases where other people do it (thus far, unless they are using non-claim sets), and the thing we're identifying is not a credential... but there actually is a thing that is a credential that it could be erroneously confused with.

[msporny]

Can you therefore withdraw the suggestion, @msporny ? Thanks.

The suggestion was to use SOMETHING to denote that the object isn't a VC as defined by the v1.1 data model, but a claim set that wraps a VC. So, we don't have to use +jose literally, but we do have to differentiate this thing vs. the v1.1 data model because the data structures are observably different.

One of the data structures is a claims set that wraps a VC, the other is a VC. Those are two different things.

[selfissued]

@dlongley wrote:

Furthermore, using cty is a signal that the payload is not a claim set, but, rather, is whatever the media type says it is. This, to me, is an even stronger indication that we need to be clear -- we're using cty where it is advised against by the RFC

The definition in the PR explicitly says that it is a media type "identifying a JWT Claims Set conforming to the Verifiable Credentials 1.1 JWT format". So there's no doubt that it's a JWT Claims Set.

As for the JWT spec saying "In the normal case in which nested signing or encryption operations are not employed, the use of this Header Parameter is NOT RECOMMENDED." about cty, as the author of that sentence and an author of the JWT BCP, I can definitively say that explicit typing of objects is now favored by the IETF - which wasn't something we thought of a decade ago as we were developing the JWT spec. Yes, a JWT payload is always a JWT Claims Set, but there are numerous different kinds of JWT Claims Sets - one of which is the one identified by the proposed Media Type. Using cty enables us to use explicit typing to tell the difference between them.

@msporny wrote:

The suggestion was to use SOMETHING to denote that the object isn't a VC as defined by the v1.1 data model, but a claim set that wraps a VC.

The something that indicates that the object isn't a VC is that it's called a credential in the Media Type name. If we were to define Media Types for Verified Credentials, they would have vc (or verifiable-credential) in the name - not just credential - which indicates a yet-to-be-secured credential. The credential becomes verifiable once it's secured.

[dlongley]

@selfissued,

The definition in the PR explicitly says that it is a media type "identifying a JWT Claims Set conforming to the Verifiable Credentials 1.1 JWT format". So there's no doubt that it's a JWT Claims Set.

Many people will not read the full description, instead only looking at the media type name.

I don't understand your "redundant" argument since it seems that any name at all would be redundant if we're relying on people always reading the description. But, if you are really ok with the name being anything that isn't "redundant", because you think the description is clear, then let's change the name to address my concern and yours. As I said, I don't know what wouldn't be "redundant" to you, so if you could suggest something new to address both of our concerns, please do.

I'm happy for us to use another name that doesn't include "claim set" in it, so long as it won't be confused with a credential or some other thing this group defines / has defined. I don't think it's ideal for the name to not reflect what it is, but I'm more concerned about basic confusion. My preferences are for avoiding confusion first and then second for good naming hygiene (clearly name things after what they are / refer to).

[selfissued]

@dlongley wrote:

Many people will not read the full description, instead only looking at the media type name.

I'm not sympathetic to arguments based on the premise that people won't read the specification. If one follows that to its logical conclusion, we shouldn't bother writing anything down at all.

As already discussed, using the name credential aligns with the way we describe the data structures this working group has invented - and is distinct from "Verifiable Credential". I think we're good to go as-is.

[selfissued]

jose isn't a registered media type suffix so including +jose would be inappropriate. Also, this isn't about the JOSE securing of the payload - it's a media type for the payload itself - which is a JWT Claims Set. The credential part already indicates that - as opposed to if we used vc in the media type, which would indiciate that the media type is for the secured Verifiable Credential.

[msporny]

The credential part already indicates that - as opposed to if we used vc in the media type, which would indiciate that the media type is for the secured Verifiable Credential.

No, the credential part says it's a data structure that follows the W3C Verifiable Credential standard (the value in vc), so even that seems incorrect. Where is this media type expected to be used (cty, typ, or HTTP Accept/Content-Type headers -- or all three)?

this isn't about the JOSE securing of the payload - it's a media type for the payload itself - which is a JWT Claims

I'd say use +jwt, but it seems as if that structured suffix is meant for base64url-encoded binary values only:

https://www.iana.org/assignments/media-type-structured-suffix/media-type-structured-suffix.xhtml

but it looks like RFC9068, RFC9101, and RFC8417 already break that guidance when used with typ?

So, why can't we use +jwt, again? We're talking about something like this in a JWT header, right?

     {"typ":"credential-1.1+jwt","alg":"none"}

[Sakurann]

can we clarify that a credential with this media type in this PR follows the steps defined in section 6.3.1. of v1.1?

(and also clarify what transformation logic do credentials with media type in PR #1000 of vc-data-model have to follow..)

[dlongley]

@Sakurann,

can we clarify that a credential with this media type in this PR follows the steps defined in section 6.3.1. of v1.1?

There would never be a "credential" that has this media type. Something with this media type would be "a JWT Claims Set with the "vc" claim that requires transformation per the VCDM 1.1 mapping rules to 'become' a credential". The fact that it's already being read as "a credential with this media type" is the confusion I'm worried about.

[iherman]

The issue was discussed in a meeting on 2023-01-17

• no resolutions were taken

View the transcript

4. Request media type for 1.1 vc-jwt claim set (pr vc-jwt#40)

See github pull request vc-jwt#40.

Brent Zundel: Next we will look at VC-JWT PR #40.

Orie Steele: Now that we've merged PR #1000, we have a media type describing a credential without a proof.
… There's been commentary on the list for using the media type that we registered.

Orie Steele: These proposals need to be updated to use our new media type: w3c/vc-data-model#1000 (comment).

Orie Steele: These proposals need to be updated to use the new media type.
… In JWTs there are two fields that are relevant to the media type: "cty" and "typ".
… In VC-JWT PR #40, we define a media type for a VC-JWT 1.1 Claims Set.
… The one that includes "iss", "sub", "vc", etc..
… This media type defines a VC-JWT credential that will have an external proof.
… The "cty" and "typ" properties are different.
… This PR is to define the content type.

Michael Prorock: +1 orie - that distinction between payload and otherwise is important.

Manu Sporny: This PR confused me.
… I think I followed what you were saying, Orie.

Michael Prorock: +1 cty.

Manu Sporny: I looked at other RFCs that defined media types.
… These seem to be using the +jwt suffix.

Michael Prorock: version hurts me.

Orie Steele: This is for "cty" - not "typ".
… We're versioning it because we're pretty unhappy with the 1.1 claims set.

Manu Sporny: +1, the payload format for VC-JWT is observably bad and has led to non-interoperable implementations..

Orie Steele: In particular, the instead-of vs. in-addition-to.
… We wanted to have a "cty" to refer to 1.1.

Gabe Cohen: no mention of cty/typ in https://transmute-industries.github.io/vc-jws.

Orie Steele: We expect developers to switch on the media type.
… How it's going to be versioned is subject to debate.
… For instance, there could be parameters.

Dave Longley: #40 (comment).

Orie Steele: But for sure, they are going to be versioned.

Dave Longley: RFC 7519 recommends against using "cty" for a JWT.

Orie Steele: I've read that section of the RFC and was similarly confused by it.
… I've seen developers use "cty" in the wild to describe the content.
… In COSE_Sign1, I've seen code productively switch on "cty".
… When RFCs are written, sometimes later things are used differently than originally intended.
… In COSE_Sign1, cty is used to protect other kinds of content.

Michael Prorock: cty is used to actively switch on content.
… I did approve this PR.
… The only thing that makes me uncomfortable is the versioning, but we clearly do have to version.

Dave Longley: seems like we need some kind of "this is a JWT claim set" in the media type name ... because it's not just a credential from the VCDM 1.1 ... it's a credential in a claims set in the "vc" claim :/.

Michael Prorock: I would not let versioning being imperfect block us from merging this.

Michael Jones: I wrote that text in 7519... over a decade ago, different environment. since then, JWTs succeeded. used for all types of things we never imagined. secure caller id, others.
… because of them succeeding IETF asked for a 'best current practices doc' on how to best securely use them. main thing added was strongly typing JWTs. for the typ field. used to prevent "cross-JWT-confusion".
… also appropriate to strongly type the content. only imagined there being one typ for a JWT, which is 'JWT' but the world has changed.
… practice is now on switching on the cty property. unconcerned about violating spec text. it is obsolete.

Michael Prorock: +1 let's make some progress!.

Michael Jones: agree with mprorock. versioning may not be perfect. can refine it. more important to put a stake in the ground, refine something that's versioned. this is a first attempt. shouldn't stand in the way of merging.

Brent Zundel: I will note that JWT-VC PR #40 is not in the same position of PR #1000.
… There is a change request that still needs to be resolved.

Manu Sporny: We keep saying that this will only be used with "cty", but that may not be true.
… We currently aren't saying anything about "cty" in the spec.
… If this is going to be used more broadly, we need to describe how.
… If you remove the version it starts to look like we have a conflict between the processing for the two media types.
… The PR doesn't say anything about it being a JWT Claims Set.
… If this is expressing a Claims Set, it should say so.
… Can this go in "typ"? Is it forbidden to be in "typ"?.
… We need to get answers to these questions before we merge it.

Dave Longley: I'd like to see Claims Set in the name.

Antony Nadalin: I'm trying to understand if "cty" is going to mandatory.

Orie Steele: We don't know yet.
… We didn't answer the similar questions when we merged PR #1000.
… This is specific to "cty".
… This is based on the BCP for JWTs.
… I don't think it's necessary to add all those paragraphs of text before merging the PR.

Dave Longley: {"vc": "..."} <-- is not a "credential" in the VCDM, i think this is the point of confusion.

Orie Steele: My gut is that it doesn't need to be required because it's not in current 1.1 VC-JWTs.

Kristina Yasuda: my gut would be say it is recommended to put a cty and define a de fault behavior when it is not present.

Michael Prorock: manu/dave - see https://github.com/w3c/vc-jwt/pull/40/files#r1072950447.

Michael Prorock: does that work?.

Kristina Yasuda: and guess it will apply to both cty and typ eg recommendation & de fault.

Orie Steele: It's OK to uniquely identify the structured data element before we completely describe it.

Dave Longley: no, the name should reflect that it's a claimset not a credential.

Orie Steele: Doing it the beginning helps us separate 1.1 and 2.0 ideas.

Michael Jones: Very good question from dlongley and others. why not claimset? in the same way we recommend specific content types that are specific as possible for typ. we want to use as specific as possible for cty, for the body, to prevent confusion.
… everything that is a jwt could have a content type of claim set. did not both defining it for the JWT. did not add value. defining claimset identifier that's a credential (albeit unsecured) does add value. says things about the content type.

Orie Steele: +1 selfissued, i think using "claimSet" in a cty is sort-of redundant..

ack man: ack manu.

Michael Prorock: +1 selfissued.

Manu Sporny: That didn't go were I thought Mike was going.
… People will look at the registry and use it in different place.
… Orie said that we already merged something with ambiguity but that doesn't mean that we need to merge another thing with ambiguity.
… We need to ensure that this is not confused with the VC Data Model.

Orie Steele: please read the proposals that have gone to the list... and compare to what we have shipped in 1.1.

Dave Longley: We're talking about two different JSON data objects: One is a credential - one is a Claims Set.

Michael Prorock: +1 proe.

Michael Prorock: +1 orie.

Dave Longley: Those things don't line up to me.

Michael Prorock: this has been detailed on the list and in 1.1.

Manu Sporny: I have read the proposals, this part of it doesn't make sense..

Dave Longley: If we include in the name that it's a Claims Set, then the confusion goes away.
… This defines a media type for what we've shipped in 1.1.
… In 1.1, you can secure with an external proof.
… When using an external proof, this gives you a media type to refer to the secured body.

Manu Sporny: ok, so this isn't just for cty... this is for "The media type for VCDM v1.1".

Dave Longley: You can declare that this is 100% compatible with 1.1 VC-JWT with this cty.

Dave Longley: does "cty": "application/credential-1.1+json" ... mean you should expect: {"vc": ...} ... as the payload?.

Michael Prorock: re: ok, so this isn't just for cty... this is for "The media type for VCDM v1.1 in cty in a jwt".

Manu Sporny: mprorock, that's not clear at all from the PR or from what is being said..

Michael Jones: I'm fine adding the clarifying comments folks are asking for. Only intended for 'cty' and we could add it is a media type for a jwt claim set as defined by 1.1 VC JWT section.

Orie Steele: +1 selfissued.

Michael Jones: but am opposed to adding redundant stuff to the name.

Michael Prorock: does this text work? #40 (comment).

Manu Sporny: I'm hearing multiple things being said.

Dave Longley: couldn't "application/credential-1.1+json" be confused with {"id": vc_id, ...} ?.

Dave Longley: i mean, i fully expect developers to make that mistake.

Michael Prorock: i have suggested text to clarify these items - please comment on the PR.

Manu Sporny: I've heard that this isn't just for VC-JWTs.

Orie Steele: This media type is intended to define the payload of a VC-JWT 1.1.
… Claims Set - not a "typ".

Brent Zundel: I think this was a very productive call.

Dave Longley: i support a media type for this ... i just think the naming is confusing right now :).

Brent Zundel: Please continue conversation in VC-JWT PR #40.
… Thanks everybody!.

Kerri Lemoie: Thanks!.

---

[msporny]

Just to be clear, this is the corner that we're painting ourselves into:

I had to create a decision matrix because the decision process around media types is going to get very complicated for developers... there are 40 possible outcomes to consider when picking a media type (based on the PRs being raised across multiple repos), which is probably going to be too much for developers to get right when designing systems.

If you have thoughts on the matrix above, please comment here, I'm sure I'm missing some media types people are expecting to register eventually: https://docs.google.com/spreadsheets/d/1RBsAG2VwbD8Rxi7zwcTT-H2A8F1fIXmWxJLzxKvyvBw/edit#gid=0

[dlongley]

The name of this proposed media type needs to be changed to reflect that it does NOT identify a credential in order for me to support this PR.

This media type is intended to identify a JWT Claims Set -- which is NOT a credential, and this group does define a different thing that is a credential. This is unacceptably confusing and the remedy is simple: change the name to avoid the confusion.

Additionally, RFC 7519 unambiguously states that the cty header parameter is NOT RECOMMENDED for the normal case. The cty parameter is used when the content is not an expected JWT Claims Set, but is instead, for example, a Nested JWT (a dotted-base64url string). The author of this RFC stated on a call that we should ignore this advice, but nearly all people will only have access to the RFC and up to ~8 years of experience (since its authorship) of developing or using software that followed the RFC and the reasoning there. Using the cty field against the recommendation in order to signal that the payload is a claim set is likely to confuse people. I do not believe the need to do this to satisfy a use case has been clearly technologically justified nor have the alternative solutions to the use case that were rejected (and why) been clearly explained.

That being said, I will only continue objecting to this PR while the name of the media type suggests that it identifies a credential, which it does not. I'm not here to stop people from contradicting RFC advice by misusing the cty field in a JWT in their use cases somewhere (not that I could do that anyway).

However, I do very much object to this group creating a media type with a name that will create confusion around what is and is not a credential per the specifications we create / have created.

I've offered alternative names for the media type that would remove my objection. Some of these have been called "redundant" without saying why. I've explained that it appears the opposite is true. It is good for the media type name to say it identifies a claim set when this media type will appear in the cty field, a field that the RFC says is for describing payloads other than JWT Claims Sets ("normal case").

Also, even if we were to accept the "redundant argument" against being clear in the media type name, it seems to be based on one specific use of the media type, not all uses. We should certainly not expect people to only use a media type in one place. Therefore, even if this argument held water, it is not a good enough argument not to use another name, especially when the media type name clearly confuses something for a credential that is not a credential.

If people do not want what the media type identifies to be in the name of the media type (I find this troubling), at the very least, it must not be easily confused with something that identifies a credential, which it does not. So other names that don't do this would also be acceptable.

[OR13]

@dlongley @msporny are you still requesting changes on this pull request, can you describe (briefly) the changes you would like to see.

[dlongley]

@OR13,

@dlongley @msporny are you still requesting changes on this pull request, can you describe (briefly) the changes you would like to see.

Yes, I put my thoughts here: #40 (review)

I want a new media type name that isn't easily confused with a credential as defined in the 1.1 spec, i.e., the media type that identifies something other than a credential as defined in the 1.1 spec SHOULD NOT be application/credential-1.1+json. I have recommended at least one other name that put claimset into the media type name -- but this was rejected as "redundant" for reasons I don't fully understand. I've asked for alternatives that would both not be "redundant" and would avoid the confusion I've mentioned.

I expect that a new name that avoids confusing what this media type identifies with other things this group defines will be acceptable to me.

[quartzjer]

This media type is intended to identify a JWT Claims Set -- which is NOT a credential

@dlongley I completely disagree with this statement, and feel like it is trying to rewrite history.

From the VC-1.1 JWT definition (emphasis mine):

To encode a verifiable credential as a JWT,...

It then defines the credential properties that can be stored in the JWT claims. The claims set is absolutely a credential with a specific transformation as defined in the standard.

This media type unambiguously registers the credential format for a JWT claims set as defined in 1.1.

[dlongley]

@quartzjer,

You quoted the spec:

To encode a verifiable credential as a JWT,...

This quote is about a verifiable credential that is encoded as a JWT. As I mentioned above, I'd be fine with us defining a media type named application/credential-1.1+jwt or application/verifiable-credential+jwt. This does not create the confusion I'm concerned about.

[TallTed]

There are a number of comments in this thread that suggest that the commenters are mixing up how media types work.

example/p is a supertype of
example/o+p, which is a supertype of
example/n+o+p, which is a supertype of
example/m+n+o+p.

From top to bottom, each of those must be defined for the next to be valid.

Neither example/m
nor example/m+n
nor example/m+n+o are defined here, and
there is no requirement for a definition
of example/o
nor example/n
nor example/m.

The + has special meaning in media types. If the full media type (example/m+n+o+p) is not recognized, the first + to the right of the / and any characters to its left, up to but not including the /, may be ignored (or dropped during runtime), and the media type which remains (example/n+o+p) may then be used for processing the document in question. This may be repeated (example/o+p) until you reach the largest type (example/p), which contains one / and no +, and which is expected to be recognized by any media-handling application in the relevant ecosystem.

Please, if you've made comments above, review your comment(s). If there is anything there which appears to contradict this comment, and you can't see what to do to resolve that contradiction, please make a new comment highlighting that issue, and I'll try to clarify further.

We must have at least this degree of understanding common among us, if we're to hope to come to workable conclusions about the several media types we seem to need to register, based on the length of this thread (among others).

[decentralgabe]

@msporny I appreciate you taking the time to make the matrix. I was thinking of the same thing.

The question I'm asking myself is this a corner we're already painted into and just a clarification of the current state of things, or is this also inviting new corner painting?

How can we avoid the propagation of endless media types? Should we even attempt to?

[mprorock]

just to stir the pot, we could also utilize one approach that overloads the vendor side of mime types to cover version like so:
application/1_1.credential-claimset+json

or as I suggested on call:
application/credential-claimset-1.1+json
or, slight variation given occasional special properties of a dot in names:
application/credential-claimset-1_1+json

[OR13]

Note from the call

RESOLVED: We should merge the PR after changing the name to application/credential-claims-set-1.1+json and raise an issue to track further bikeshedding of the name

[mprorock]

Note from the call

RESOLVED: We should merge the PR after changing the name to application/credential-claims-set-1.1+json and raise an issue to track further bikeshedding of the name

i would suggest we replace 1.1 with 1_1

[jandrieu]

I think that using "credential" for something other than the data model defined in the VCDM as a credential is going to cause significant confusion and lead to improper and insecure use in the marketplace.

We already have confusion about the VC as a real-world credential versus VCs that represent a real-world credential. Adding more confusion will not help.

[brentzundel]

During the VCWG meeting on 2023 01 25 it was resolved to merge this PR after changing the media type to application/credential-claims-set-1.1+json and raising an issue to track further possible changes to the media type (Issue #42 ).

This resolution was made with the objections of two WG participants, whom the minutes will show ultimately decided to not block the proposal, though the rights were retained to wave an I told you so hat at some future point, which rights were confirmed.

[msporny]

@msporny I appreciate you taking the time to make the matrix. I was thinking of the same thing.

Here's an update based on some feedback from the group and the most recent meeting:

The question I'm asking myself is this a corner we're already painted into and just a clarification of the current state of things, or is this also inviting new corner painting?

It's inviting new corner painting. We still have a possibility to reduce the number of media types by, but not if we do a random walk across media types as we need them.

How can we avoid the propagation of endless media types? Should we even attempt to?

Yes, absolutely, we should try to minimize media types as much as we can because, if we don't, it will almost guarantee that developers will use the wrong media type in the wrong scenario. The decision matrix above is what developers are going to have to consider when working with the VCDM... now, compare that to text/html. :)

[iherman]

The issue was discussed in a meeting on 2023-01-25

List of resolutions:

• Resolution No. 1: We should merge the PR after changing the name to application/credential-claims-set-1.1+json and raise an issue to track further bikeshedding of the name.

View the transcript

4.11. Request media type for 1.1 vc-jwt claim set (pr vc-jwt#40)

See github pull request vc-jwt#40.

Michael Jones: would like to discuss extensive review on PR 40.
… follows onto data model PR re media types.
… creates a second media type for teh 1.1 VC JWT claimset.
… just like OIDC tokens, a credential is much more specific that just a general claimset.
… I think we're good to go, and should merge this, can always wordsmith later.

Ted Thibodeau Jr.: I think it needs a bit more than wordsmithing; I'm generally not in favor of merging a thing that needs smithing, since that might never happen.
… as I commented on the thread there, there are a number of comments that dont appear to understand how media types actually work, which is not useful.
… I'm not sure people are processing this right.
… it's frustrating to not have that last comment mentioned.

Manu Sporny: I don't think we have consensus here.
… I think there's consensus that we might need a media type for this.
… I think this thing should exist -- that's not under debate. it's "what should this thing be called" - that's what under debate.
… what we're talking about is a Claims Set.
… however, the media type makes it sound like the claims set is the credential, in the VC Data Model sense of the word.
… so the concern is that people will think that it's In VC format, whereas it's in JWT format.
… so the suggestion is - let's call it what it is. the current name is confusing, let's pick a more indicative name.
… as Ted said, there's a number of comments that confuse how media types work.
… this is not a popularity contest; concrete changes have been requested. there's big concern about media type confusion; the group needs to talk about that.

Orie Steele: I think, like Manu said, there's consensus that this needs to exist.
… there needs to be SOMETHING. there's debate over the specific name.
… in the interest of acknowledging that we're definitely intending to add a name, I think we have a couple paths forward.
… we can file an issue next to the name in the spec, saying WG is considering the name, then we can continue to bikeshed.
… but at least we can refer to the entity consistently; that's my primary interest, as editor -- we need to be able to refer to this object.
… and the specific name is less important than it being addressable.
… the comments regarding the claimset.

Ted Thibodeau Jr.: placeholder name should be something that's blatently not meant to persist, e.g., george/harry+fred.

Orie Steele: and whether or not this is really a credential -- I think in the interpretation of v1.1, this is actually a credential.
… so I think it's named correctly and clearly.
… I think if we want to change the specific media type that's being registered, we can continue to bikeshed..
… but this is blocking additional refinement, not being able to reference.
… if the name changes after it's merged, it won't change our ability to work.

Gabe Cohen: +1 to agility.

Orie Steele: so, I request we file an issue registering that there's no name consensus, but merge this PR.

Dave Longley: there's already "credential" in 1.1 in JSON format that is NOT a JWT Claim Set much more prominent in the spec (the one specifically called that in the spec) that is easily confused with the media type name "application/credential-1.1+json".

Michael Jones: I want to agree with something that Ted said, which is - there IS some confusion among some people who commented about how media types are used.
… as I said in a private conversation with Orie, we do have an education task in front of us, to get people used to thinking about declaring the types of things.
… deep background: one of the things that changed in the JWT world, in the 10 years since we invented it, is that IETF and others realized that explicitly typing things has a lot of value.
… it can prevent confusion between two things.
… that are intended for different purposes, which is the root for a number of security flaws.
… which this can prevent.
… so, I'm happy for the WG to continue the education task.
… I think that's important; we need to get people used to typing things. And this is part of an initiative of the editors of the JWT spec, and I'd like you to support that.
… if we want to continue bikeshedding the name, we should file an issue saying we want to rename it.
… Dave Longley expressed concern in a comment that maybe people won't read the spec and won't understand the definition that it's a claim set. But if people don't read the spec, we have a different world of problems.

Michael Prorock: +1 selfissued.

Michael Jones: I think it's time to merge this, so we can strongly type things. and continue bikeshedding.

Manu Sporny: -1 to "merge this".

Dave Longley: I'm a strong -1 to merging this without just changing the name.
… I've said a lot more on the PR regarding what I think the mistakes we're making, around the usage, around assumptions.
… that if we use a media type in one place, it'll be used differently in other places, that doesn't match what developers tend to do.
… so, if we can avoid that kind of confusion, we should do so in the name.
… I've responded to comments about redundancy, and pointed out that the RFCs today talk about using the 'cty' claim in JWTs, talking about things that are /not/ in the claimsets.

Dave Longley: See RFC section discussed in the comment.

Dave Longley: I'm less concerned about that, than I am concerned about calling something jwt 1.1 credential, whereas the spec has it as something different.
… I responded to Mike's comment, about explicit typing, and here's the link to that.
… about using the 'typ' claim vs use of 'cty', and what the specs say today,.
… if there's an argument that people will not read the spec (which is what I said about naming of this), I think it's even more concerning that we DO have a spec that specifically warns against what this spec is proposing.

Ted Thibodeau Jr.: +1 dlongley.

Ted Thibodeau Jr.: -1 merge now.

Dave Longley: it seems very inconsistent that people will go read /that/ spec, ignore the text, then go read our spec, and listen to it.
… so, I'm really confused, generally, about the approach we're taking.

Kristina Yasuda: but jwt bcp does not prevent specific typing of cty.

Orie Steele: -1 I feel there is effort to confuse the issue in the comments, and its leading to confusion... the only problem is the "name".... we can bike shed on an issue..

Dave Longley: but all that aside. the main concern is with the name that confuses a JWT Claimset, which is very different from a credential in JWT 1.1 format..
… it's easily avoidable confusion.
… if we change the name, I won't block this PR.

Manu Sporny: I find it troubling that we've repeatedly brought up technical issues on this PR, and they're being ignored.

Ted Thibodeau Jr.: I see no effort to confuse the issue in the comments, only confirmation that there is confusion about the issue.

Orie Steele: several CEPC issues have already occurred... assuming folks are not aware of the background, or assuming bad faith... let's not do that please..

Manu Sporny: one could argue that this is a continuation of the 'make context optional' conversation.
… I'm concerned about fairly simple questions not being answered.
… that said, if people are saying that names don't really matter, let's just merge the PR,.
… it would be fine if we changed the name to something like: application/credential-1.1+TOBEDETERMINED+json or application/credential-1.1+SOME-KIND-OF-JOSE-CLAIM-SET+json.
… so that people don't start shipping it in software.
… since people are asserting that name doesn't matter. so if we rename it to something like this, I won't block the PR.

Ted Thibodeau Jr.: or even TEMPORARY/application/credential-1.1+json.

Ted Thibodeau Jr.: which is an invalid media type, but can be used to refer to the specific thing.

Brent Zundel: I want to run a straw poll, see where consensus lies.
… I've got the text of a proposal I think a lot of people will hate, and we can run it a few different ways.

Proposed resolution: The WG will merge #40 with the name 'application/credential-1.1+jwt' and raise an issue to track further bikeshedding of the name. (Brent Zundel)

Brent Zundel: so let's see what happens, and iterate.

Ted Thibodeau Jr.: -1.

Joe Andrieu: -1.

Manu Sporny: -1 that's not what the PR is about, IMHO..

Dave Longley: -1.

Michael Jones: -1.

Brent Zundel: and... people all hate it, wow.

Ivan Herman: -1.

Manu Sporny: it's not about a JWT, it's about a claims set.

Mahmoud Alkhraishi: -1.

Oliver Terbu: -1.

Brent Zundel: ok! well, at least we have consensus on that.

Orie Steele: -1.

Michael Prorock: -1.

Chris Abernethy: -1.

Steve McCown: -1.

Kristina Yasuda: I think you should run the same proposal about application.credential json.

Michael Jones: yeah, that's what's in the PR.

Proposed resolution: The WG will merge #40 and raise an issue to track further bikeshedding of the name. (Brent Zundel)

Michael Jones: +1.

Orie Steele: +1.

Dave Longley: -1.

Michael Prorock: +1.

Mahmoud Alkhraishi: +1.

Joe Andrieu: -1.

Oliver Terbu: +1.

Ted Thibodeau Jr.: -1.

Chris Abernethy: +1.

David Waite: +1.

Manu Sporny: -1 there are significant technical concerns that have not been addressed..

Kristina Yasuda: +1.

Shigeya Suzuki: +1.

Steve McCown: +1.

Phillip Long: -1.

Kristina Yasuda: tony says +1.

Ivan Herman: -1.

Gabe Cohen: +0.

Andres Uribe: 0.

Brent Zundel: we have 6 '-1s', which is more opposition than I was hoping.
… let's go back to the queue, but I want to know what the path forward is, for the -1s.
… what changes are being required, and is there further conversation to be had.

Michael Jones: manu, I don't find it's helpful when you say that technical issues have not been addressed. this is a pattern that you have. if you read the comments, you'll find issues are addressed.
… I find it unhelpful to cast aspersions on people operating in good faith.

Dave Longley: no, they were not addressed, "explicit typing" uses the typ field, this was ignored.

Michael Jones: secondly, if it provides a path forward, it's not the end of the world if we add 'claimset' to the name; I'll run a proposal for that.
… it is redundant, but if it unblocks, I can live with it.

Michael Prorock: or application/credential-claimset-1.1+json.

Proposed resolution: We should merge the PR after changing the name to application/credential-claims-set-1.1+json. (Michael Jones)

Orie Steele: +1.

Oliver Terbu: +1.

Michael Jones: +1.

Dave Longley: +1.

Michael Prorock: +1.

Joe Andrieu: -1.

Gabe Cohen: +1.1.

Manu Sporny: +0.7 -- better... feel like we can improve from here, though..

Brent Zundel: the proposal is in, is the 1.1. part necessary?.

Michael Jones: 1.1 is critical.

Ivan Herman: +1.

Kristina Yasuda: +1 can we do application/credential-claimset-1.1+json MikeP is proposing?.

Chris Abernethy: +1.

David Waite: +1.

Brent Zundel: ok, seems to be a feeling that it's critical.

Mahmoud Alkhraishi: +1.

Phillip Long: +1.

Ted Thibodeau Jr.: media types rarely if ever include version numbers, for good reasons.

Brent Zundel: all right, in general, this is way more consensus.

Steve McCown: +1.

Ted Thibodeau Jr.: -0.8.

Brent Zundel: I'm only seeing one -1 at this point -- Joe, would you like to speak to it?.

Joe Andrieu: I think we all know that naming is hard,.
… my concern with the term 'credential' at all is that we have significant and deep confusion in the marketplace between a VC as a digital object, and the real world credentials/claims that are modeled.

Michael Jones: "Credential" is the term that this WG defined and uses.

Joe Andrieu: since it seems like I'm a lone voice, I won't block it, but I wish we had a better name.

Ted Thibodeau Jr.: application/claimset+json MIGHT work.

Orie Steele: agree with joe's comment, but I believe its best resolved by merging the PR, so we can define the requirements associated with the name..

Ted Thibodeau Jr.: media types rarely if ever include a version number in them, for very good reasons. I dont think it should be included.
… if that's vital, I want to know exactly why, in the technical sense.

Dave Longley: +1 to TallTed, the technical needs are confusing here.

Ted Thibodeau Jr.: as I've said here and in the issue, I really want the people who are approving this to demonstrate they understand the technical aspect of how media types work, since I still don't think everyone who is participating/voting has that understanding, which is I think why the naming is not proceeding well.
… if you do the naming wrong, it's difficult to fix stuff in the wild.

Kristina Yasuda: we could file an issue to revisit this naming before CR to incorporate JoeAndrieu's comment.

Brent Zundel: the question for you, Ted, is -- if the issue is raised to continue working on the name, would you still be opposed to the PR.

Manu Sporny: +1 to TallTed, I'm not convinced that the people voting for one approach understand the ramifications at depth (though, it's always difficult to understand if people truly understand)..

Ted Thibodeau Jr.: yes, because if the thing we settle on is going to continue to percolate, tracking it down to change it again might be difficult.
… unless we do something drastic like adding 'TEMPORARY' to the media type.
… so that it's clearly named, but clearly wrong and temporary.

Kristina Yasuda: from my observation we rarely have the same level of "technical understanding" in many issues....

Brent Zundel: before we go back to the queue, Ted, I don't appreciate your assertions that those involved do not have the expertise necessary to have the opiniion.

Ted Thibodeau Jr.: I'm basing my assertion on the comments in the issue, that demonstrate the lack of understanding.
… I'm sorry if that hurts feelings, but that's how it is.
… I feel it's a technical point, not a personality point.

Kristina Yasuda: I'm sorry Brent, I'm still not OK with the language used....

Ted Thibodeau Jr.: that's very different language, and I'm sorry, we should have an offline conversation.

Michael Prorock: other options can include application/1_1.credential-claimset+json.

Kristina Yasuda: thank you, yes, let's have it offline.

Brent Zundel: we are over time.

Orie Steele: I was queued to comment on the specific binding to 1.1.
… it is important, because we have need to describe the requirements associated with this object.
… based on teh way the conversation has gone here, it does seem that with the sole exception of Ted, it would be possible to merge the PR, and continue to bikeshedding the name.
… but I'm not sure I'm interpreting Joe's comments fully.

Ted Thibodeau Jr.: I see people's typed comments concurring with my spoken words.

Dave Longley: just quickly, I appreciate people moving to change the name to address my concern. I''m no longer blocking the PR on those grounds.

Kristina Yasuda: +1 dlongley.

Dave Longley: I want to caution people that I made a number of technical arguments quoting different specs, I want to make sure you do the right thing.

Orie Steele: Thanks dave, indeed I have read your comments and appreciate them..

Manu Sporny: to echo Dave, I also am no longer blocking the PR.
… I do want to point out this media type discussion is way deeper than what it seems.
… I'm not sure what the rush is.
… and explore the things that have been raised multiple types with regard to media type discussion.

Kristina Yasuda: would consider having a special topic call wrt bringing everyone on the same page wrt media types.

Manu Sporny: so this is a request to the chairs to maybe have a special topic call on media types.

Michael Jones: We can have a bigger discussion on Media Types during the F2F, if the chairs think that would be valuable.

Kristina Yasuda: yes, manu, was typing exactly that.

Manu Sporny: so that we can all get on the same page.

Brent Zundel: thank you Manu.
… we are over time, and can have a special topic call.
… we do need a decision on the proposal though.
… my inclination as chair is to say - we are raising an issue to handle it, we hear the objections, and will work on addressing those concerns.
… but I don't want to block the PR.

Kristina Yasuda: Ted, would you prefer a special topic call before merging.

Ted Thibodeau Jr.: no, go ahead and merge, if it goes wrong in deployment, I'll wave my 'told you so' hat.

Michael Prorock: see this comment #40 (comment).

Resolution #1: We should merge the PR after changing the name to application/credential-claims-set-1.1+json and raise an issue to track further bikeshedding of the name.

Michael Prorock: periods can cause issues with some processors.

Brent Zundel: thank you all for attending and for your comments.

---

[dlongley]

This needed to be updated too, if an editor wants to quickly fix it.