IETF Logo Mail Archive

Re: [OAUTH-WG] OAuth Digital Credential Status Attestations

Denis <denis.ietf@free.fr> Thu, 18 January 2024 09:20 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21B8EC15153F; Thu, 18 Jan 2024 01:20:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWOO95hrCKw2; Thu, 18 Jan 2024 01:20:22 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F809C14CE25; Thu, 18 Jan 2024 01:20:21 -0800 (PST)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id CDD3C78050E; Thu, 18 Jan 2024 10:20:13 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------i7zW3aY8T2jjRjPBOCXyFOrl"
Message-ID: <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr>
Date: Thu, 18 Jan 2024 10:20:13 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-GB
To: Giuseppe De Marco <demarcog83@gmail.com>, hannes.tschofenig=40gmx.net@dmarc.ietf.org
Cc: spice@ietf.org, fa.marino@ipzs.it, gi.demarco@innovazione.gov.it, oauth <oauth@ietf.org>
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6NE6e_Y7PBmz0HH-sHCBwxI2MXI>
Subject: Re: [OAUTH-WG] OAuth Digital Credential Status Attestations
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 09:20:26 -0000

Hi Giuseppe,

The current figure in the Introduction from 
draft-demarco-status-attestations-latest is:

+-----------------++-------------------+
|| Requests Status Attestation ||
||---------------------------->||
| Wallet Instance || Credential Issuer |
|| Status Attestation||
||<----------------------------||
+-----------------++-------------------+


+-- ----------------++----------+
|| Presents credential and||
|Wallet Instance| Status Attestation| Verifier |
||---------------------------->||
+-------------------++----------+

IMO, using the vocabulary agreed during the last BoF video conference, 
this figure should be modified as follows:


+------------++-------------------+
|| Requests *Digital Credential* ||
|| and presents proof of knowledge of ||
|| either a private key or a link secret ||
|| and proof or origin of wallet instance | Credential Issuer |
| Holder |--------------------------------------->||
||| |
||*Digital Credential*||
||<---------------------------------------||
+------------++-------------------+


+-- ---------++-------------------+
|| Presents *Credential proof*||
| Holder|| Verifier|
||--------------------------------------->||
+------------++-------------------+

Denis


> Hi Hannes,
>
> Thank you for your quick reaction and also to Orie for sharing.
> I've submitted the draft, here: 
> https://datatracker.ietf.org/doc/draft-demarco-status-attestations/
>
> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/>
> Regarding the term Attestation: good point. We have decided to use 
> this term since in several IETF and OpenID drafts this term seems 
> pretty established, the term Attestation is found at least in the 
> following specifications:
>   - Attestation based client-authentication (it's in the title)
>   - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC 
> (wallet attestation)
>   - OpenID for Verifiable Presentations - draft 20 (verifier attestation)
>   - OpenID for Verifiable Credential Issuance (section "Trust between 
> Wallet and Issuer": Device Attestation)
>
> Meantime in the eIDAS Expert group this term is going to be changed to 
> "Wallet Trust Evidence".
>
> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/>
> I don't have a strong opinion on what would be the best semantic for 
> this, I just have realized the functional difference between a Digital 
> Credential and an Attestation:
> the first requires the user to be authenticated and give consent for 
> using the secure storage. The second is obtained with a 
> machine2machine flow where no user interaction is required, the secure 
> storage is not required, no user information is contained in it since 
> the subject is the wallet instance and not the user, it cannot be 
> (re)used without the cryptographic proof of possession. Probably a 
> discussion could start about this term aiming to align several 
> specifications on the same terminology. I could say that Status 
> Attestation is a specific artifact defined for a specific context, 
> other attestations can be defined outside the functional perimeter of 
> this specification. Let's talk about it, it doesn't matters changing 
> terms (eventually mindsets on perceivable meanings).
>
> Here I share some notes I picked along the last two months about this 
> brand new individual draft:
>
> - it is related to digital credential only, I don't expect to use it 
> in legacy infrastructure different from wallet. I really don't need 
> this kind of mechanism in OIDC or any other traditional infrastructure 
> since these doesn't show the privacy issues the wallet ecosystem has;
> - it would interesting mentioning in the introduction that's 
> pratically an ocsp stapling like mechanism, just to give some context 
> (credit: Paul Bastien);
> - The Rationale section needs to clarify better problems and 
> solutions, where it seems that the problem does not exist or that it 
> is weak. A review is necessary to clearly bring the benefits;
> - Editorials mistake are still along the reading.
>
> thank you for your time and interest,
> best
>
>
>
>
>
>
> Il giorno mer 17 gen 2024 alle ore 21:06 
> <hannes.tschofenig=40gmx.net@dmarc.ietf.org> ha scritto:
>
>     Hi Guiseppe, Francesco, Orie,
>
>     @Orie: Thanks for sharing the draft.
>
>     As a quick reaction: It would be good to invent a new term for
>     “attestation” in draft-demarco-status-attestations.html because
>     this term is already widely used in a different context (see RFC
>     9334).
>
>     @Guiseppe and Francesco: It would be great if you could submit
>     your draft to OAuth or SPICE for discussion.
>
>     Ciao
>
>     Hannes
>
>     *From:*OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele
>     *Sent:* Mittwoch, 17. Jänner 2024 19:07
>     *To:* spice@ietf.org
>     *Cc:* oauth <oauth@ietf.org>
>     *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations
>
>     Hello Digital Credential Enthusiasts,
>
>     See:
>     https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html
>
>     Note the use of the term digital credential, and the alignment to
>     CWT based credentials and CWT based credential status lists.
>
>     As a quick summary of the editors draft above:
>
>     It is basically a refresh-token-like approach to dynamic state,
>     where the holder retrieves updated state from the issuer at
>     regular intervals, and can then present that dynamic state
>     directly to the verifier.
>
>     This eliminates the herd privacy and phone home issues
>     associated with W3C Bitstring Status Lists.
>
>     And it informs the holder of dynamic state, so the digital wallet
>     can provide a better user experience.
>
>     However, an issuer (government or ngo) could use the interval of
>     requesting dynamic state, to track the holder... so the guidance
>     from
>     https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/
>
>     Is also relevant to this draft.
>
>     I also learned that
>     https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>
>     Has defined a new property for expressing "Verifiable Credential"
>     "type" `vct`, which is different from how W3C defines credential
>     types.
>
>     W3C uses the expanded IRI for the graph node type, based on the
>     JSON-LD context.
>
>     For example with:
>
>     {
>       "@context": [
>         "https://www.w3.org/ns/credentials/v2",
>         "https://www.w3.org/ns/credentials/examples/v2"
>       ],
>       "id": "http://university.example/credentials/1872",
>       "type": ["VerifiableCredential", "ExampleAlumniCredential"],
>       ...
>     }
>
>     The credential type in RDF becomes
>     "https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential"
>
>     Which is different from "ExampleAlumniCredential" in JSON... More
>     evidence that RDF leads to developer confusion regarding safe typing.
>
>     The OAuth solution does not have this confusing issue, they set
>     the type explicitly:
>
>     {
>      "vct": "https://credentials.example.com/identity_credential",
>      "given_name": "John",
>      "family_name": "Doe",
>      "email": "johndoe@example.com",
>      "phone_number": "+1-202-555-0101",
>      "address": {
>        "street_address": "123 Main St",
>        "locality": "Anytown",
>        "region": "Anystate",
>        "country": "US"
>      },
>      "birthdate": "1940-01-01",
>      "is_over_18": true,
>      "is_over_21": true,
>      "is_over_65": true,
>      "status": {
>         "status_attestation": {
>             "credential_hash_alg": "S256",
>         }
>      }
>     }
>
>     Regards,
>
>     OS
>
>     -- 
>
>     *ORIE STEELE
>     *Chief Technology Officer
>     www.transmute.industries <http://www.transmute.industries>
>
>     <https://transmute.industries/>
>
>     _______________________________________________
>     OAuth mailing list
>     OAuth@ietf.org
>     https://www.ietf.org/mailman/listinfo/oauth
>
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email