IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption - SD-JWT

Warren Parad <wparad@rhosys.ch> Tue, 02 August 2022 07:53 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 1CC80C159490 for <oauth@ietfa.amsl.com>; Tue, 2 Aug 2022 00:53:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.005
X-Spam-Level:
X-Spam-Status: No, score=-2.005 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_DNSWL_BLOCKED=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id eI_aaDBB4nAj for <oauth@ietfa.amsl.com>; Tue, 2 Aug 2022 00:53:29 -0700 (PDT)
Received: from mail-yw1-x1133.google.com (mail-yw1-x1133.google.com [IPv6:2607:f8b0:4864:20::1133]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1B5F8C14F74C for <oauth@ietf.org>; Tue, 2 Aug 2022 00:53:29 -0700 (PDT)
Received: by mail-yw1-x1133.google.com with SMTP id 00721157ae682-32269d60830so132541037b3.2 for <oauth@ietf.org>; Tue, 02 Aug 2022 00:53:29 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=zhL4me2Ig7RjMRKN4QE+039LG75xHxkol/oP0ZjTxe8=; b=HVcV0ErfUVJ+rnKhuJS3sWzwNYgxytpc+ISdzzbgZsRdYv6g8FdESF8nvKpu0H5zDZ RC6KoSFNORF7YynduEoW+MXCzBG6LhWfkpl7W172lutC9wIC6W93/rsQdzUinbN4jAWl 2D/MDOb2ZZt8L1fEuakDUYVpLp4XJ0K+NnHPpt/2agr6KFRpgwoqCxBkKCiY4woDGbYs K5+G4CuSCI0GboAxB8l5+6iMIpZHCAehwWwEVH8V2D4l0Xv5SQtf4CToyk7bpXd/j9q0 5ZdgNKes49mbMBs/l2ZQDP7g/nPkwe3pBWQUaqovmCQCYfdTiGBhS4o0+04eIDcvm5h4 vriQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=zhL4me2Ig7RjMRKN4QE+039LG75xHxkol/oP0ZjTxe8=; b=kGvtPYHp5oIyWAj1aDgdrYWcfvEvNi7jIZ0U/eRBrA8D66phbjYwsStlx+EocTWrDh beRDEwC1BkODBQ2Jd4C4v1ar/FVe00KohEg1i3xnJGx9Nz8Ge7o4PuilrjOK/xCg7KXj JfD3qNtP6py2LR+HNJM/RjhzNDnPnWVBVujR8yqKFLze7iSHGlRC2nNktTAG654FEieO HgTPQAqgyqbE57n8sdW79Od66hxKjOUzS3nTuZypDLN0DlX3UYqOSKQ+hhtAk/GTHlZ4 deEtP5zqMaYotxwG3ndQXdA6bwVVyuN26BWfwMgg5n0UThiOpWPdkPEy+5Bk65atDiH2 3JAw==
X-Gm-Message-State: ACgBeo14DzydwucwZghdfSqrxzK8XaaWK28vC9F/VxLwp3ZD2TJF8CC5 LsI58vH9jgdRbl20UTIqdEXteJeSe58MCS6cJ5vA0+JLUf64t44=
X-Google-Smtp-Source: AA6agR5OLkfEHHxkJ6VHW7K3LWS1k0bDwpuVH1TbegbnSkiKfm+NAi02BnWCojf0Zpu8dtvFQo2OYzR7EE00t1pqPe0=
X-Received: by 2002:a81:9106:0:b0:328:158c:1de2 with SMTP id i6-20020a819106000000b00328158c1de2mr291663ywg.309.1659426808038; Tue, 02 Aug 2022 00:53:28 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com> <MN2PR00MB08930D8DCA347979CB77E4D9E59D9@MN2PR00MB0893.namprd00.prod.outlook.com>
In-Reply-To: <MN2PR00MB08930D8DCA347979CB77E4D9E59D9@MN2PR00MB0893.namprd00.prod.outlook.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Tue, 02 Aug 2022 09:53:17 +0200
Message-ID: <CAJot-L3OBz6QVKbAppcw8tyXYZxq3krMnrUyyfW5JDkSMb=hFg@mail.gmail.com>
To: Kristina Yasuda <Kristina.Yasuda=40microsoft.com@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000006c9dce05e53d6980"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3m3no0IEQcflRRF2fOWPy3u56EY>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 07:53:33 -0000

If we are in a offline scenario how does the verifier got ahold of the
public key associated with the id token?

They would need to be online, that defeats any benefit this could provide.

Or what if the token you have expires. Many providers issue tokens only
good for 1 hour. If that expires, the user has to go through the online
flow again.

Unless we can add some provisions to ensure long lived token validity, I
think in practice we're cripling the usefulness.


On Tue, Aug 2, 2022, 04:21 Kristina Yasuda <Kristina.Yasuda=
40microsoft.com@dmarc.ietf.org> wrote:

> I support adoption.
>
>
>
> To add some color.
>
>
>
> One of the use-cases is a flow where issuance of a user credential
> (collection of user claims) is decoupled from presentation (where both
> issuance and presentation of a user credential are done using extensions of
> OAuth flows). The goal of this decoupling is to avoid “issuer call home”,
> where the user can send a user credential directly to the RP, without RP
> needing to contact the Issuer directly. So the motivations are not limited
> to offline scenarios, but are applicable to the scenarios that want to
> recreate in the online environment, the user experience of presenting
> credentials in-person.
>
>
>
> Driver’s Licence just happens to be an example familiar to many, and there
> is no reason it cannot be a diploma, or an employee card, or a training
> certificate, etc. But it is worth highlighting that SD-JWT work becomes
> critical if we are to enable ISO-compliant mobile Driver Licences expressed
> in JSON to enable online scenarios and make life of the Web developers
> easier (as opposed processing data encoded as CBOR and signed as a COSE
> message). Selective disclosure is a requirement in many government issued
> credentials, while the usage of advanced cryptography is not always
> encouraged by the national cybersecurity agencies.
>
>
>
>
>
> Regarding an approach where issuer issues multiple JWTs of a same type but
> with different subset of claims, it is not an ideal way to do selective
> disclosure with JWTs (type as a way to differentiate credential with one
> data structure/syntax from another). It complicates implementations that
> try to provide RP-U unlinkability (RPs cannot collude to track the user).
> The simplest way to achieve unlinkability with JWTs without using advanced
> cryptography is to issue multiple credentials of the same type but with
> varying use identifiers and enable pairwise identifiers per RP. Now there
> are multiple copies of each JWT with subset of claims of the same type.
> This greatly complicates presentation of these credentials too – since
> credentials are of the same type, now wallet needs to manage the
> combination of a subset of claims + pairwise identifier…
>
>
>
> What if the implementation also wants predicates property, where
> age_over_XX boolean is sent instead of a birthdate string? The simplest way
> to do predicates with JWTs without using advanced cryptography is to have
> issuers to issue multiple age_over_xx booleans so that an appropriate one
> can be selectively disclosed to the RP. How many “JWTs with subset of
> claims” does the issuer needs to issue to account for all possible age
> requirements? Note that it’s not just age_over_21 to start gambling, it’s
> also age_over_65 to get pension benefits.
>
>
>
> Managing the combinatorial explosion of sets of claims in speculatively
> issued JWTs, many of which will never be used, seems unwieldy, to say the
> least. "A conventional JWT with a subset of claims" approach could be taken
> in some implementations, but it should not prevent a simpler, extensible
> alternative of SD-JWT.
>
>
>
>
>
> Finally, as Giuseppe pointed out, an option to blind claim names is on the
> table. As discussed on this list previously, we should analyze privacy
> properties of the mechanism and decide if we want to mandate it – which can
> be discussed after the adoption.
>
>
>
> Best,
>
> Kristina
>
>
>
>
>
> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of * Rifaat Shekh-Yusef
> *Sent:* Thursday, July 28, 2022 8:17 PM
> *To:* oauth <oauth@ietf.org>
> *Subject:* [OAUTH-WG] Call for adoption - SD-JWT
>
>
>
> All,
>
>
>
> This is a call for adoption for the *SD-JWT* document
>
> https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
> <https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-fett-oauth-selective-disclosure-jwt%2F&data=05%7C01%7CKristina.Yasuda%40microsoft.com%7Ca2d72420ea2c40f2d7c908da70f7b388%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637946506426392735%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=d1EoHuRcBi40%2B1h1p5yZ28O7l8oq%2FibDewlJObT1Gwc%3D&reserved=0>
>
>
>
> Please, provide your feedback on the mailing list by *August 12th*.
>
>
>
> Regards,
>
>  Rifaat & Hannes
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email