                        jti/nonce/challenge value?
An example JWT has "jti": "nonce", but the word nonce doesn't appear anywhere else. Is the value intended to be the challenge from the Sec-Session-Challenge header? This could use some clarification/fixing.
Yes, it is meant to be the value from the Sec-Session-Challenge header. We'll clarify this and other hand-waving in the examples.
That would be great, thanks!
Additional clarity around the content of the JWT and required verification steps could also be provided in text. I'm sure you're already tired of me mentioning DPoP but https://www.rfc-editor.org/rfc/rfc9449.html#section-4.2 and https://www.rfc-editor.org/rfc/rfc9449.html#section-4.3 are an example of a spec describing somewhat similar JWT syntax and verification steps respectively.
We now have https://w3c.github.io/webappsec-dbsc/#format-jwt which should make the format very clear. Though I am leaning towards removing that section in favor of an HTTPSig integration (requested in https://github.com/w3c/webappsec-dbsc/issues/112). Either way, the signature inputs/format will be fully described.
https://w3c.github.io/webappsec-dbsc/#format-jwt '25 May 9 Editor’s Draft has the following, with iat and key having erroneous or self-contradictory as string type definitions.