[OAUTH-WG] Re: WGLC for SD-JWT

Judith Kahrer <judith.kahrer@curity.io> Thu, 05 September 2024 14:17 UTC

From: Judith Kahrer <judith.kahrer@curity.io>
Date: Thu, 05 Sep 2024 16:17:17 +0200
References: <CADNypP_BESkJTXfuv=G9HnLcGwhpSYRggYDZxzaq6-6AaARh0w@mail.gmail.com> <CA+k3eCQOofXBSFz_Ob6y1ZCWjnx4agvFuMOFc6vNWP4c93XTJw@mail.gmail.com>
To: oauth <oauth@ietf.org>
In-Reply-To: <CA+k3eCQOofXBSFz_Ob6y1ZCWjnx4agvFuMOFc6vNWP4c93XTJw@mail.gmail.com>
Message-Id: <D21C283B-461A-462B-A454-484A467AABEA@curity.io>
Subject: [OAUTH-WG] Re: WGLC for SD-JWT
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/2MqzlCNcsAuWjGW5gc0oEILCsRU>

I gave the -12 revision a read. Thanks for the great work Brian, Kristina and Dr. Fett.

One thing that I find confusing is the term “Issuer-signed JWT”. Isn’t it self-evident that a signed JWT is signed by its Issuer (that is its creator as defined in the spec)? I think the spec would read just fine if “Issuer-signed JWT” was replaced by “signed JWT”. Section 5.1, called “Issuer-signed JWT”, could be renamed to “SD-JWT payload”; that’s after all what it’s about. Also, I noticed that currently the term “Issuer-signed JWT” is never formally specified.

Speaking of terminology, I noticed that the TOC contains both “1.2 Conventions and Terminology” and “2. Terms and Definitions”. What’s the difference between terminology and terms? I suggest renaming the sections or merging them.

On the subject of terminology, Disclosure is defined as

> Disclosure: A JSON array containing a combination of a salt, a cleartext claim name (present when the claim is a name/value pair and absent when the claim is an array element), and a cleartext claim value, which is base64url-encoded and used to calculate a digest for the respective claim. The term Disclosure refers to the whole base64url-encoded string.

I instinctively read “a cleartext claim value, which is base64url-encoded” and not the array being base64url-encoded. I suggest emphasizing the “base64url-encoded string” in the definition. For example, a Disclosure could be “A base64url-encoded string of a JSON array that contains a salt, a claim name (present when the claim is a name/value pair and absent when the claim is an array element), and a claim value. The Disclosure is used to calculate a digest for the respective claim.”

Typo in 4.1 SD-JWT and Disclosures:
> An SD-JWT MAY also contain clear-text claims that are always disclosed to the Verifier.
“clear-text” should say “cleartext”.

Regards,
Judith

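To make concrete which string the digest is computed over (the point the Disclosure definition above leaves ambiguous), here is an added worked example; it is not code from the draft or from the message author. It builds a minimal SD-JWT payload with two selectively disclosable object properties and one selectively disclosable array element, then reconstructs the presented claims the way a Verifier would. The issuer URL, claim values and salts are constructed for the example; the `_sd_alg` is assumed to be sha-256, only a top-level `_sd` array is handled (no nested objects, no decoy digests), and the JWT signature is out of scope, so only the payload is shown.

```python
import base64
import copy
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as JOSE and SD-JWT require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: str, claim_name, claim_value) -> str:
    """A Disclosure is the base64url encoding of the JSON array
    [salt, claim_name, claim_value] for an object property, or
    [salt, claim_value] for an array element (claim_name is None).
    The whole array is what gets encoded; the claim value inside it is plain JSON."""
    array = [salt, claim_value] if claim_name is None else [salt, claim_name, claim_value]
    encoded_json = json.dumps(array, ensure_ascii=False, separators=(",", ":"))
    return b64url(encoded_json.encode("utf-8"))


def decode_disclosure(disclosure: str) -> list:
    return json.loads(b64url_decode(disclosure))


def disclosure_digest(disclosure: str) -> str:
    """The digest placed in the payload is computed over the ASCII bytes of the
    whole base64url string (the Disclosure), not over the decoded array and not
    over the bare claim value."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def new_salt() -> str:
    return b64url(secrets.token_bytes(16))  # fresh 128-bit random salt per Disclosure


def issue(salt_fn=new_salt):
    """Build a minimal SD-JWT payload (the part the Issuer signs).
    All claim values and the issuer URL are constructed for this example."""
    disclosures = {
        "given_name": make_disclosure(salt_fn(), "given_name", "John"),
        "family_name": make_disclosure(salt_fn(), "family_name", "Doe"),
        "nationality_DE": make_disclosure(salt_fn(), None, "DE"),
    }
    payload = {
        "iss": "https://issuer.example",  # constructed value
        "sub": "user_42",  # always-visible (cleartext) claim
        "_sd_alg": "sha-256",
        # Digests of the object-property Disclosures; sorted so the payload
        # does not reveal the order in which claims were processed.
        "_sd": sorted(disclosure_digest(disclosures[k]) for k in ("given_name", "family_name")),
        # "US" is always visible; "DE" hides behind a {"...": digest} element.
        "nationalities": ["US", {"...": disclosure_digest(disclosures["nationality_DE"])}],
    }
    return payload, disclosures


def verify(payload: dict, presented: list) -> dict:
    """Reconstruct the claims a Holder chose to present. Every presented
    Disclosure must match a digest referenced by the payload; array placeholders
    that were not disclosed are dropped. Raises ValueError for a Disclosure whose
    digest the payload does not reference (tampered or foreign Disclosure)."""
    claims = copy.deepcopy({k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")})
    sd_digests = set(payload.get("_sd", []))
    for disclosure in presented:
        digest = disclosure_digest(disclosure)
        array = decode_disclosure(disclosure)
        if len(array) == 3 and digest in sd_digests:
            claims[array[1]] = array[2]
            continue
        matched = False
        if len(array) == 2:
            for value in claims.values():
                if isinstance(value, list):
                    for i, element in enumerate(value):
                        if isinstance(element, dict) and element.get("...") == digest:
                            value[i] = array[1]
                            matched = True
        if not matched:
            raise ValueError("Disclosure digest not referenced by payload")
    for name, value in claims.items():
        if isinstance(value, list):
            claims[name] = [e for e in value if not (isinstance(e, dict) and "..." in e)]
    return claims
```

Running `issue()` and then `verify(payload, [disclosures["given_name"]])` yields only the always-visible claims plus `given_name`; presenting all three Disclosures also restores `family_name` and the `"DE"` array element. Note that `disclosure_digest` never sees the decoded array or the claim value, which is exactly why the definition should say the Disclosure is the base64url-encoded string as a whole.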
> On 3 Sep 2024, at 17:04, Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> 
> Thanks Rifaat & Hannes,
> 
> In an effort to make the most up-to-date content available for the WGLC period, a -12 revision was just recently published, which contains a number of editorial improvements.
> 
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-12.html
> 
> Respectfully,
>  Brian, Kristina, and Dr. Fett
> 
> 
> 
> On Tue, Sep 3, 2024 at 4:40 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com <mailto:rifaat.s.ietf@gmail.com>> wrote:
>> All,
>> 
>> As per the discussion in Vancouver, this is a WG Last Call for the SD-JWT document.
>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-11.html
>> 
>> Please, review this document and reply on the mailing list if you have any comments or concerns, by Sep 17th.
>> 
>> Regards,
>>   Rifaat & Hannes
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org <mailto:oauth@ietf.org>
>> To unsubscribe send an email to oauth-leave@ietf.org <mailto:oauth-leave@ietf.org>
> 