Re: [jose] JWP
David Waite <david@alkaline-solutions.com> Thu, 28 July 2022 00:30 UTC
Return-Path: <david@alkaline-solutions.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A4B60C13CCDF for <jose@ietfa.amsl.com>; Wed, 27 Jul 2022 17:30:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=alkaline-solutions.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id j0bJsqC1EGij for <jose@ietfa.amsl.com>; Wed, 27 Jul 2022 17:30:34 -0700 (PDT)
Received: from caesium6.alkaline.solutions (caesium6.alkaline.solutions [157.230.133.164]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 880FDC14CF12 for <jose@ietf.org>; Wed, 27 Jul 2022 17:30:34 -0700 (PDT)
From: David Waite <david@alkaline-solutions.com>
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=alkaline-solutions.com; s=dkim; t=1658968231; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=MjzKSmd4TqsDHp7HUiHAY7MbfYZ8P6Ji2T9Wtv8FW/M=; b=KvdRAicfmu7uTVpvSdHMq7+s1jk9KT+qKs6sZtxPSm+kEoz8tIZFXyMs3HrG+kBqZ0ap9v lQrn0zl90wFJ20BCo8pbPkDlIC8YBdYiLHDU2QEBXs6nGR+XKdxcXwbiV8dJYBAhAFNQlK rylKjJ2cQNEImETdrAH6l32ykWAqVgo=
Message-Id: <4C408901-7B2E-45B1-8ECB-C8948609511E@alkaline-solutions.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_4FC657FB-756E-40AD-B902-CC38E181341F"
Mime-Version: 1.0
Date: Wed, 27 Jul 2022 20:30:19 -0400
In-Reply-To: <A8154191-F45F-4FDE-9BC5-118F4EFAF4F8@forgerock.com>
Cc: Tobias Looker <tplooker@gmail.com>, jose@ietf.org
To: Neil Madden <neil.madden@forgerock.com>
References: <CAGum7cEz-_XTJDJDXuMVexfN5emmG6VZ60X4XfyeKb_Zvbj2Lg@mail.gmail.com> <A8154191-F45F-4FDE-9BC5-118F4EFAF4F8@forgerock.com>
X-Spamd-Bar: /
Authentication-Results: caesium6.alkaline.solutions; auth=pass smtp.mailfrom=david@alkaline-solutions.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/vi5f-gpJYFrWPmfTcdb5CATvuUo>
Subject: Re: [jose] JWP
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 28 Jul 2022 00:30:38 -0000
On Jul 27, 2022, at 5:16 PM, Neil Madden <neil.madden@forgerock.com> wrote: >> On 27 Jul 2022, at 17:20, Tobias Looker <tplooker@gmail.com> wrote: <snip> >> JWP accounts for this in its design by encoding each claim value that is to be selectively disclose-able separately so it can then be appropriately handled at the cryptographic layer by different algorithms. > > > If you’re going to do this, why not just ask the issuer to give you multiple tokens in the first place, each containing some subset of claims you want to disclose? In the limit you could issue a separate JWT for each claim. Is there a fundamental reason this doesn’t work? If I understand, the question is if you could do selective disclosure by signing a number of JWTs (each perhaps with all the mandatory claims and parameters, and a new correlation parameter marked as critical) could verify all of the JWTs were meant to represent a single identity credential and do not conflict, and release some subset of them at once, then discard them to to get unlinkability through single-use. This could be defined on top of existing algorithms, although it would incur data size, system logic and cryptographic processing penalties. Indeed, this is similar to what the JWS-based algorithm (section 6.1) in JPA starts to define. However, that proposes additional steps to optimize data size in transit by operating on a hierarchy of documents as well as reducing the protected headers conveyed in transit. Trying to optimize the cryptographic processing might lead you to use salted hashes or MACs, similar to what is described in section 6.3 of that document. To hopefully both summarize and to answer the question: when constrained to the realm of existing cryptographic primitives in the JOSE family, JWP does attempt to apply and compose those algorithms to define ways to meet a minimal set of cryptographic properties for presentation in a consistent set of serializations. There are obviously a number of trade-offs to consider in these new composed algorithms, and improvements to them would be welcomed. I however want to talk some about the use of the word “just” in the original question. I would posit that use case still has lots of complexity to describe. The processing steps still need to be defined on how to issue and confirm the credentials whether it is a new format or a collection of JWTs. It still needs to define how to present and verify the credentials, with subject confirmation and with the claims being re-consistituted or otherwise interpreted in a meaningful way after being selectively reduced. There would still be security considerations on how to make sure security claims which limit usage such as audience and expiry are not capable of being omitted. There would still be privacy considerations on how to keep the subject claims or other security properties from the credential from turning into vectors for unintended linkability. Finally, newer cryptographic algorithms with provide more properties (such as multi-use unlinkability and integrated subject confirmation proofs) would not have separate signatures but rather a single proof covering the multiple messages, and thus would not support being decomposed into a "multiple JWT” representation with valid signatures. -DW
- [jose] JWP Richard Barnes
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- [jose] Fwd: JWP Orie Steele
- Re: [jose] JWP Mike Prorock
- Re: [jose] JWP David Waite
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Torsten Lodderstedt
- Re: [jose] JWP Anders Rundgren
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Tobias Looker
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Jeremie Miller
- Re: [jose] JWP Neil Madden
- Re: [jose] JWP Mike Jones
- Re: [jose] JWP Zundel, Brent
- Re: [jose] JWP Richard Barnes
- Re: [jose] [EXTERNAL] Re: JWP Christian Paquin