[jose] JWP
Richard Barnes <rlb@ipv.sx> Mon, 25 July 2022 19:03 UTC
Return-Path: <rlb@ipv.sx>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5079CC183576 for <jose@ietfa.amsl.com>; Mon, 25 Jul 2022 12:03:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.903
X-Spam-Level:
X-Spam-Status: No, score=-6.903 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_NONE=0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=ipv-sx.20210112.gappssmtp.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dhRx3gpAdIvI for <jose@ietfa.amsl.com>; Mon, 25 Jul 2022 12:03:33 -0700 (PDT)
Received: from mail-qt1-x833.google.com (mail-qt1-x833.google.com [IPv6:2607:f8b0:4864:20::833]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 09611C14F73D for <jose@ietf.org>; Mon, 25 Jul 2022 12:00:52 -0700 (PDT)
Received: by mail-qt1-x833.google.com with SMTP id e5so8974203qts.1 for <jose@ietf.org>; Mon, 25 Jul 2022 12:00:52 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ipv-sx.20210112.gappssmtp.com; s=20210112; h=mime-version:from:date:message-id:subject:to; bh=gjw37mB+rezJckxeXLKF2SFat/1RkFPiJUpJEHp0MtE=; b=WlmaDjeRtIVKpwGfPkJDIbmpUeVh+CruaLuMoBNg6qpnXNODOcO3pm01qdNq54hag7 uv2QVnMWbmUO4DLkfOIZx+Z+4gD/h042uQHzsh3Q2Ao3takSGJUhwap2P5PA42wnTs+4 WuwWBZhIL+k/2IKbcWadrnp7WBxhzfHhusjF4GofGQ/rerfZNg7VCUXpu2ZQjk0voIkz s1HW6H2YT55pk+4BQ8hlQfZbW2z9GUKvCJ19rH8refpgdqxBX20oe4chx1sxF6huyABO sknQRV5ElP34mcuTPplKqEo2OjVP1CdZVWIy6pNX6HI0VyJH4iYp0cG3B6Xouw6wF42r zFYA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:from:date:message-id:subject:to; bh=gjw37mB+rezJckxeXLKF2SFat/1RkFPiJUpJEHp0MtE=; b=HYZSvANP1t6rNcuxH9KlTB1Y2GKMHdyivLlMUhpf1Oxm0VBKar7TExZwt6aOQhxP0J ZOsaaquOb0YtTf4oE5lLaQChLXDWVF00CGaVwoDJCHI82zhwg2DrHkU6eJ/h5L4fBJOj iKj9J3Jd+N1SjzvZKXakpxZ4uzqzZpnPG+qLmumBCa61fNliA9ILu7X795kk/hB7GNEc psdRILtiByqpIYrBsYl2m97cAitCY/7qDc4HMlb/5gjbKM77NY8dJwo85zzpcgSs307V aqmiygpVct1zHNVbRqvS7Q3J+a022qmpoE/+hhG4JyTjY0AumS4fScRGguyVq82zYuaC 7+kA==
X-Gm-Message-State: AJIora9nhBTQpGoaVx8vh+HlTMo7FReF//vBykKLhYsuCdZA6rxsGYG3 ecGzj7E3T7J93MDkcnVyAQzuC8lKhZ31v2eFQpFb2ZqFmmnqBw==
X-Google-Smtp-Source: AGRyM1vnU8sUzHPtJhE3e6BJoWl3HbpXi4a56GZIfchYPu3xaIWxFM66RMgdm4VRnmWTY4VNocXXu9KAEPXqPBGBWxI=
X-Received: by 2002:a05:622a:1a96:b0:31e:ed32:8584 with SMTP id s22-20020a05622a1a9600b0031eed328584mr11569899qtc.89.1658775651150; Mon, 25 Jul 2022 12:00:51 -0700 (PDT)
MIME-Version: 1.0
From: Richard Barnes <rlb@ipv.sx>
Date: Mon, 25 Jul 2022 15:00:40 -0400
Message-ID: <CAL02cgTdAd-NGT3ZPRBapDF3gvK_BA3oj6Vii1zFqLtdruRLpg@mail.gmail.com>
To: jose@ietf.org
Content-Type: multipart/alternative; boundary="00000000000072fccc05e4a5cd88"
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/fD_c_l86tDwhDLlogAc2umTeiEs>
Subject: [jose] JWP
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 25 Jul 2022 19:03:37 -0000
Hi all, Recapping and extending my remarks here from the JWP BoF: It seems like the two problems people are proposing to addressed relative to base JWT are (1) selective disclosure of claims and (2) unlinkability, in the sense of being able to derive unlinkable "presentations" from an issued "credential" (using those terms in the sense of W3C VC). On the selective disclosure side: The objective here seems clear and uncontroversial to me, but it also seems like it doesn't require any changes to JWS/JWT. The SD-JWT work [1] seems to validate this. What selective disclosure property is not provided by SD-JWT that JWP would provide? On the unlinkability side: I assume the underlying presumption here is that the credential from which presentations are being generated is a JWT, and that the JWP is something that someone other than the issuer would generate from that JWT such that different JWPs derived from the same JWT are not linkable with each other or with the source JWT. It seems like there are a few threshold questions to be addressed before chartering work here: 1. What transformations are necessary for unlinkability? Clearly the Issuer's signature has to change. In cases where the credential is associated to a public key for the Holder (e.g., a "did:jwk" identifier), it would be necessary for different presentations to have different associated public keys. 2. What transformations can the Holder make? The Holder is creating statements that the Issuer has never seen, which the Verifier will trust as if they came from the Issuer. The framework here needs to assure that any statement the Holder can generate is one that the Issuer would have made themselves. 3. In what sense is the Holder a privileged role? For example, if a credential were to leak to a their party, could that third party perform the same transformations as the intended Holder? If there is a separation between the Holder and any other party, how is it enforced? 4. To what extent are those constraints dependent on the ciphers used? It would not be good to create a generic container format that requires deep analysis to determine whether an algorithm is safe to use. JWS has "alg: none" vulnerabilities, but if you use a real signature algorithm, you get the properties you expect. 5. Why are these transformations not possible within the bounds of JWS/JWT? I can understand the appeal of unlinkability -- I was involved in the WebAuthn work to create unlinkable public-key credentials. But when you're talking about deriving unlinkable things that tie back to an Issuer, there's a lot more danger, and I'm not seeing the security analysis here that would support the idea that we could build a thing here that doesn't have massive security problems from the start. Thanks, --Richard [1] https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
- [jose] JWP Richard Barnes
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- [jose] Fwd: JWP Orie Steele
- Re: [jose] JWP Mike Prorock
- Re: [jose] JWP David Waite
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Torsten Lodderstedt
- Re: [jose] JWP Anders Rundgren
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Mike Jones
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Richard Barnes
- Re: [jose] [EXTERNAL] Re: JWP Christian Paquin