[OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jwt-vc-06.txt

Markus Sabadello <markus@danubetech.com> Thu, 14 November 2024 19:10 UTC

Return-Path: <markus@danubetech.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2005DC151086 for <oauth@ietfa.amsl.com>; Thu, 14 Nov 2024 11:10:40 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.901
X-Spam-Level:
X-Spam-Status: No, score=-1.901 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_VALIDITY_RPBL_BLOCKED=0.001, RCVD_IN_VALIDITY_SAFE_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 3zjGgfU4JNUy for <oauth@ietfa.amsl.com>; Thu, 14 Nov 2024 11:10:36 -0800 (PST)
Received: from bsmtp2.bon.at (bsmtp2.bon.at [213.33.87.16]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id EBB9EC151062 for <oauth@ietf.org>; Thu, 14 Nov 2024 11:10:35 -0800 (PST)
Received: from [10.0.111.81] (unknown [80.120.189.138]) by bsmtp2.bon.at (Postfix) with ESMTPSA id 4Xq8qr6ccCzRnmF for <oauth@ietf.org>; Thu, 14 Nov 2024 20:10:31 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------0xum0IMbtsC4LbmfYSE3FfUX"
Message-ID: <dc7e13bc-7fac-4cf5-a756-46b40377543c@danubetech.com>
Date: Thu, 14 Nov 2024 20:10:31 +0100
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: oauth@ietf.org
References: <173153074770.1068691.9710905485591752899@dt-datatracker-5f77bcf4bd-4q5pd> <41e7b267-f119-4ef9-bce1-5f8db2b9589a@danielfett.de> <AM8P191MB1299BB5A33EF566AC23B9EC2FA5A2@AM8P191MB1299.EURP191.PROD.OUTLOOK.COM> <d7aa4727-2ba8-4592-99ca-b0d59d3590c2@danielfett.de>
Content-Language: en-US
From: Markus Sabadello <markus@danubetech.com>
In-Reply-To: <d7aa4727-2ba8-4592-99ca-b0d59d3590c2@danielfett.de>
Message-ID-Hash: MOPR7NK6WHICD5MDWOGD262SSEN4OJ6C
X-Message-ID-Hash: MOPR7NK6WHICD5MDWOGD262SSEN4OJ6C
X-MailFrom: markus@danubetech.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jwt-vc-06.txt
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/4SY8lZOZLmT9oIUV90UE_SDK2vY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Daniel,

I looked at https://datatracker.ietf.org/doc/html/rfc7282, and I don't 
think it's appropriate to declare "rough consensus" in this case.

There have been a significant number of people who articulated many 
concrete arguments why it would be a bad idea to drop DID support.

The editors didn't consider or address any of those arguments, or 
provide meaningful counter-arguments.
Instead they dismissed substantive arguments as "general advocacy for 
the wonders of DIDs", they labeled DIDs as "stuff that doesn't work 
anyway", they declared that "there were no real objections other than 
DIDs are great", and called the issue "tiresome".
Many of the editors' comments on this topic were passive aggressive, 
provocative, dismissive.

PR 251 was created with a deceptive title, without description, and 
without reference to the issue where the discussion was taking place, in 
an obvious attempt to mislead contributors, and to avoid attention and 
discussion.
After merging against objections, other related issues were quickly 
closed as "overcome by events".

In order to not just provide a one-sided perspective, as a DID 
supporter, I can actually understand concerns about DIDs in SD-JWT VC 
being underspecified (we can help address that), and in fact I have also 
seen good arguments why it may indeed make sense to move DID support 
into a separate specification (e.g. in this comment 
https://github.com/openid/OpenID4VP/issues/278#issuecomment-2422455336)

But the way how this topic has been handled and dismissed is not okay.

To say "drafts can be changed any time" is a weak excuse for this 
behavior, and to try to find rough consensus on a mailing list AFTER a 
change has been made is not okay either.

To say "nothing breaks, because it's all extensible and you can define 
your own profile" may or may not be true, but certainly doesn't justify 
making arbitrary changes despite objections.

The PR should be reverted, and corresponding issues re-opened, until 
consensus has been achieved, in order to avoid further damage to this work.

Markus

On 11/14/24 7:00 PM, Daniel Fett wrote:
>
> Steffen,
>
> I am surprised and somewhat startled by the tone in your message. My 
> message to this list was clearly intended to find the rough consensus 
> that is missing - that's why I pointed to the two threads of 
> discussions - and not to ignore the usual IETF processes.
>
> Am 13.11.24 um 22:34 schrieb Steffen Schwalm:
>>
>> great work! Looking at [1] and [2] there`s obviously no consensus – 
>> which implies a breach of Sections 1.2, 5 and 9.2 of the IETF 
>> Directives on Internet Standards Process.
>>
> These are strong accusations. I presume you're referring to RFC 2026 
> <https://datatracker.ietf.org/doc/html/rfc2026>? How would Sections 5 
> and 9.2 apply here, even remotely?
>>
>> An assumption is great but not sufficient as in any standardization 
>> body.
>>
> Again, finding this consensus is precisely what my previous message 
> intended. Maybe this got lost in translation.
>
>> According to IETF rules the consensus shall be ensured before 
>> announcement of new version.
>>
> In my understanding and experience in this group, draft versions are 
> just that - drafts. They can be changed at any time and this can 
> include reverting previous changes if the working group comes to the 
> conclusion that that is required. A new draft version can be the 
> trigger to start a discussion to find rough consensus on a specific topic.
>
> As far as I know, there is no part in the IETF rules that says that 
> consensus on any change must be ensured before publication of a new 
> draft version.
>
>> The profiling you suggest is technically the worst solution as it 
>> leads directly to additional effort to ensure interoperability 
>> between fundamental standard and its profiles and extend complexity 
>> unnecessarily. Means the inclusion of DID in SD-JWT-VC shall be 
>> discussed with the relevant experts such as Markus Sabadello, Alen 
>> Horvat etc. Decision making based on actual consensus not assumed one.
>>
> As above - this discussion is exactly what I wanted to trigger. It 
> needs to happen here on this list. If the outcome is that the DID 
> references should be preserved, we'll do so.
>>
>> Formal appeal acc. Section 6.5 of IETF Directives on Internet 
>> Standards Process will follow in case the IETF directives will still 
>> be ignored.
>>
> Ok.
>
> -Daniel
>
>> Best
>> Steffen
>>
>> *Von:* Daniel Fett <mail=40danielfett.de@dmarc.ietf.org>
>> *Gesendet:* Mittwoch, 13. November 2024 21:03
>> *An:* oauth@ietf.org
>> *Betreff:* [OAUTH-WG] Re: I-D Action: draft-ietf-oauth-sd-jwt-vc-06.txt
>>
>> *Caution:* This email originated from outside of the organization. 
>> Despite an upstream security check of attachments and links by 
>> Microsoft Defender for Office, a residual risk always remains. Only 
>> open attachments and links from known and trusted senders.
>>
>> Hi all,
>>
>> we are happy to announce version -06 of SD-JWT VC. In this release, 
>> we're updating the media type from application/vc+sd-jwt to 
>> application/dc+sd-jwt (for background, see Brian's excellent summary 
>> at the IETF meeting last week [0]).
>>
>> This version also removes references to DIDs in the specification, 
>> while leaving the door open for those who want to define a profile of 
>> SD-JWT VC using DIDs. The previously provided text on DIDs was 
>> underspecified and therefore not helpful, and a more complete 
>> specification would exceed the scope of this document while 
>> interoperability issues would remain. We think that those ecosystems 
>> wanting to use DIDs are best served by defining a profile for doing so.
>>
>> We would like to point out that there are concerns about this step 
>> raised both in the respective issue [1] and in the pull request [2]. 
>> While it is our understanding from various discussions that there is 
>> a consensus for the removal of the references to DIDs in the group, 
>> this change had not been discussed here on the mailing list before. 
>> So we'd like to take this opportunity to do that now.
>>
>> As a minor point, this version adds the “Status” field for the 
>> well-known URI registration per IANA early review.
>>
>> -Daniel
>>
>> [0] https://www.youtube.com/watch?v=LvIBqlHkuXY
>>
>> [1] https://github.com/oauth-wg/oauth-sd-jwt-vc/issues/250
>>
>> [2] https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/251
>>
>> Am 13.11.24 um 21:45 schrieb internet-drafts@ietf.org:
>>
>>     Internet-Draft draft-ietf-oauth-sd-jwt-vc-06.txt is now available. It is a
>>
>>     work item of the Web Authorization Protocol (OAUTH) WG of the IETF.
>>
>>         Title:   SD-JWT-based Verifiable Credentials (SD-JWT VC)
>>
>>         Authors: Oliver Terbu
>>
>>                  Daniel Fett
>>
>>                  Brian Campbell
>>
>>         Name:    draft-ietf-oauth-sd-jwt-vc-06.txt
>>
>>         Pages:   53
>>
>>         Dates:   2024-11-13
>>
>>     Abstract:
>>
>>         This specification describes data formats as well as validation and
>>
>>         processing rules to express Verifiable Credentials with JSON payloads
>>
>>         with and without selective disclosure based on the SD-JWT
>>
>>         [I-D.ietf-oauth-selective-disclosure-jwt] format.
>>
>>     The IETF datatracker status page for this Internet-Draft is:
>>
>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>>
>>     There is also an HTML version available at:
>>
>>     https://www.ietf.org/archive/id/draft-ietf-oauth-sd-jwt-vc-06.html
>>
>>     A diff from the previous version is available at:
>>
>>     https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-sd-jwt-vc-06
>>
>>     Internet-Drafts are also available by rsync at:
>>
>>     rsync.ietf.org::internet-drafts
>>
>>     _______________________________________________
>>
>>     OAuth mailing list --oauth@ietf.org
>>
>>     To unsubscribe send an email tooauth-leave@ietf.org
>>
>>
>> _______________________________________________
>> OAuth mailing list --oauth@ietf.org
>> To unsubscribe send an email tooauth-leave@ietf.org
>
> _______________________________________________
> OAuth mailing list --oauth@ietf.org
> To unsubscribe send an email tooauth-leave@ietf.org