[jose] An attempt at unlinkable tokens with minimal magic

Richard Barnes <rlb@ipv.sx> Thu, 28 July 2022 21:40 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/ZZqtjiy3FEC-XZwYc23kD_BvlEg>

Trying to collect some of the "couldn't you just" threads from the JWP
thread into a semi-coherent straw-man.

First, I claim that it is straightforward to implement token issuance and
presentation where the presentations are (a) linkable, (b) holder-bound,
and (c) allow selective disclosure.  For example, one could use the draft
OpenID spec for issuing Verifiable Credentials [1], with "did:key" subjects
for holder binding [2] and something like SD-JWT for selective disclosure
[3].  For presentation with selective disclosure, you just present the
credential and PoP, together with whichever claims you want to expose.

Supposing such a system exists, consider the following scheme:

1. At issuance time, the holder executes the issuance protocol N times,
each time with a fresh random subject key pair and fresh blinding of the
selectively disclosable claims.
2. As a result, the holder obtains N credentials with different subject
public keys and different signatures.
3. The holder presents each credential exactly once
4. The holder goes back to step (1) when they need a new pile of credentials

It seems like this trivial scheme meets most of the requirements I've seen
expressed so far:

* The credentials are not linkable with each other by the verifier(s) to
whom they are presented
* The issuer doesn't know anything about the verifier
* The issuer doesn't have to be online at redemption time

The things I suspect some people will object to are (a) that the issuer can
link all the credentials, and (b) that the issuer and the verifier see the
same object. But I'm not sure I've seen it clearly expressed why these
would be a problem.  (And to the degree they are, cf. PrivacyPass [4].)

Anyway, it seems like the above system achieves the stated goals of
unlinkability and selective disclosure, with no fancy cryptography or new
JSON structs required aside from the SD stuff.  What critical requirement
is this missing that would motivate a significant new engineering effort?

Thanks,
--Richard

[1] https://openid.net/specs/openid-4-verifiable-credential-issuance-1_0.html#
[2] https://w3c-ccg.github.io/did-method-key/
[3] https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
[4] https://datatracker.ietf.org/wg/privacypass/
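
The batch scheme in steps 1-4 of the message, as an added sketch that is not part of the original post or of any of the cited specs: it issues N single-use credentials and computes which high-entropy values two presentations share, with and without fresh blinding. Assumptions: an HMAC tag stands in for the issuer's signature, a hashed random secret stands in for the subject key pair, the proof-of-possession step is omitted, and all function and field names are hypothetical.

```python
import hashlib, hmac, json, secrets

ISSUER_KEY = secrets.token_bytes(32)  # stand-in: HMAC replaces the issuer's real signature

def digest(salt, name, value):
    # Salted claim hash in the style of SD-JWT disclosures (simplified encoding).
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def issue_batch(claims, n, fresh_salts=True):
    """Steps 1-2: run issuance n times; each credential gets its own subject key."""
    shared = {k: secrets.token_hex(16) for k in claims}  # reused only in the weak variant
    batch = []
    for _ in range(n):
        secret = secrets.token_bytes(32)            # stand-in for a fresh private key
        sub = hashlib.sha256(secret).hexdigest()    # stand-in for the matching public key
        salts = {k: secrets.token_hex(16) for k in claims} if fresh_salts else shared
        sd = sorted(digest(salts[k], k, v) for k, v in claims.items())
        payload = json.dumps({"sub": sub, "sd": sd}, sort_keys=True)
        sig = hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).hexdigest()
        batch.append({"payload": payload, "sig": sig, "salts": salts, "used": False})
    return batch

def present(batch, claims, disclose):
    """Step 3: spend the next unused credential, revealing only the named claims."""
    cred = next(c for c in batch if not c["used"])  # StopIteration: pool empty, redo step 1
    cred["used"] = True
    disclosures = [[cred["salts"][k], k, claims[k]] for k in disclose]
    return {"payload": cred["payload"], "sig": cred["sig"], "disclosures": disclosures}

def verify(p):
    """Verifier: check the issuer tag and that every disclosure matches a signed digest."""
    tag = hmac.new(ISSUER_KEY, p["payload"].encode(), hashlib.sha256).hexdigest()
    signed = set(json.loads(p["payload"])["sd"])
    return hmac.compare_digest(tag, p["sig"]) and all(
        digest(*d) in signed for d in p["disclosures"])

def correlators(p1, p2):
    """High-entropy values common to two presentations (what verifiers could match on)."""
    def handles(p):
        body = json.loads(p["payload"])
        return {body["sub"], p["sig"], *body["sd"], *(d[0] for d in p["disclosures"])}
    return handles(p1) & handles(p2)
```

With `fresh_salts=False` the subject keys and signatures still differ, but the signed digests and any disclosed salt repeat across credentials, so the fresh blinding in step 1 is what keeps the presentations unlinkable at the verifier. The disclosed claim values themselves are outside this check.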