Re: [OAUTH-WG] OAuth Digital Credential Status Attestations
Denis <denis.ietf@free.fr> Thu, 18 January 2024 09:20 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21B8EC15153F; Thu, 18 Jan 2024 01:20:26 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YWOO95hrCKw2; Thu, 18 Jan 2024 01:20:22 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9F809C14CE25; Thu, 18 Jan 2024 01:20:21 -0800 (PST)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id CDD3C78050E; Thu, 18 Jan 2024 10:20:13 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------i7zW3aY8T2jjRjPBOCXyFOrl"
Message-ID: <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr>
Date: Thu, 18 Jan 2024 10:20:13 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-GB
To: Giuseppe De Marco <demarcog83@gmail.com>, hannes.tschofenig=40gmx.net@dmarc.ietf.org
Cc: spice@ietf.org, fa.marino@ipzs.it, gi.demarco@innovazione.gov.it, oauth <oauth@ietf.org>
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com>
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6NE6e_Y7PBmz0HH-sHCBwxI2MXI>
Subject: Re: [OAUTH-WG] OAuth Digital Credential Status Attestations
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 09:20:26 -0000
Hi Giuseppe, The current figure in the Introduction from draft-demarco-status-attestations-latest is: +-----------------++-------------------+ || Requests Status Attestation || ||---------------------------->|| | Wallet Instance || Credential Issuer | || Status Attestation|| ||<----------------------------|| +-----------------++-------------------+ +-- ----------------++----------+ || Presents credential and|| |Wallet Instance| Status Attestation| Verifier | ||---------------------------->|| +-------------------++----------+ IMO, using the vocabulary agreed during the last BoF video conference, this figure should be modified as follows: +------------++-------------------+ || Requests *Digital Credential* || || and presents proof of knowledge of || || either a private key or a link secret || || and proof or origin of wallet instance | Credential Issuer | | Holder |--------------------------------------->|| ||| | ||*Digital Credential*|| ||<---------------------------------------|| +------------++-------------------+ +-- ---------++-------------------+ || Presents *Credential proof*|| | Holder|| Verifier| ||--------------------------------------->|| +------------++-------------------+ Denis > Hi Hannes, > > Thank you for your quick reaction and also to Orie for sharing. > I've submitted the draft, here: > https://datatracker.ietf.org/doc/draft-demarco-status-attestations/ > > <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/> > Regarding the term Attestation: good point. We have decided to use > this term since in several IETF and OpenID drafts this term seems > pretty established, the term Attestation is found at least in the > following specifications: > - Attestation based client-authentication (it's in the title) > - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC > (wallet attestation) > - OpenID for Verifiable Presentations - draft 20 (verifier attestation) > - OpenID for Verifiable Credential Issuance (section "Trust between > Wallet and Issuer": Device Attestation) > > Meantime in the eIDAS Expert group this term is going to be changed to > "Wallet Trust Evidence". > > <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/> > I don't have a strong opinion on what would be the best semantic for > this, I just have realized the functional difference between a Digital > Credential and an Attestation: > the first requires the user to be authenticated and give consent for > using the secure storage. The second is obtained with a > machine2machine flow where no user interaction is required, the secure > storage is not required, no user information is contained in it since > the subject is the wallet instance and not the user, it cannot be > (re)used without the cryptographic proof of possession. Probably a > discussion could start about this term aiming to align several > specifications on the same terminology. I could say that Status > Attestation is a specific artifact defined for a specific context, > other attestations can be defined outside the functional perimeter of > this specification. Let's talk about it, it doesn't matters changing > terms (eventually mindsets on perceivable meanings). > > Here I share some notes I picked along the last two months about this > brand new individual draft: > > - it is related to digital credential only, I don't expect to use it > in legacy infrastructure different from wallet. I really don't need > this kind of mechanism in OIDC or any other traditional infrastructure > since these doesn't show the privacy issues the wallet ecosystem has; > - it would interesting mentioning in the introduction that's > pratically an ocsp stapling like mechanism, just to give some context > (credit: Paul Bastien); > - The Rationale section needs to clarify better problems and > solutions, where it seems that the problem does not exist or that it > is weak. A review is necessary to clearly bring the benefits; > - Editorials mistake are still along the reading. > > thank you for your time and interest, > best > > > > > > > Il giorno mer 17 gen 2024 alle ore 21:06 > <hannes.tschofenig=40gmx.net@dmarc.ietf.org> ha scritto: > > Hi Guiseppe, Francesco, Orie, > > @Orie: Thanks for sharing the draft. > > As a quick reaction: It would be good to invent a new term for > “attestation” in draft-demarco-status-attestations.html because > this term is already widely used in a different context (see RFC > 9334). > > @Guiseppe and Francesco: It would be great if you could submit > your draft to OAuth or SPICE for discussion. > > Ciao > > Hannes > > *From:*OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele > *Sent:* Mittwoch, 17. Jänner 2024 19:07 > *To:* spice@ietf.org > *Cc:* oauth <oauth@ietf.org> > *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations > > Hello Digital Credential Enthusiasts, > > See: > https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html > > Note the use of the term digital credential, and the alignment to > CWT based credentials and CWT based credential status lists. > > As a quick summary of the editors draft above: > > It is basically a refresh-token-like approach to dynamic state, > where the holder retrieves updated state from the issuer at > regular intervals, and can then present that dynamic state > directly to the verifier. > > This eliminates the herd privacy and phone home issues > associated with W3C Bitstring Status Lists. > > And it informs the holder of dynamic state, so the digital wallet > can provide a better user experience. > > However, an issuer (government or ngo) could use the interval of > requesting dynamic state, to track the holder... so the guidance > from > https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/ > > Is also relevant to this draft. > > I also learned that > https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ > > Has defined a new property for expressing "Verifiable Credential" > "type" `vct`, which is different from how W3C defines credential > types. > > W3C uses the expanded IRI for the graph node type, based on the > JSON-LD context. > > For example with: > > { > "@context": [ > "https://www.w3.org/ns/credentials/v2", > "https://www.w3.org/ns/credentials/examples/v2" > ], > "id": "http://university.example/credentials/1872", > "type": ["VerifiableCredential", "ExampleAlumniCredential"], > ... > } > > The credential type in RDF becomes > "https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential" > > Which is different from "ExampleAlumniCredential" in JSON... More > evidence that RDF leads to developer confusion regarding safe typing. > > The OAuth solution does not have this confusing issue, they set > the type explicitly: > > { > "vct": "https://credentials.example.com/identity_credential", > "given_name": "John", > "family_name": "Doe", > "email": "johndoe@example.com", > "phone_number": "+1-202-555-0101", > "address": { > "street_address": "123 Main St", > "locality": "Anytown", > "region": "Anystate", > "country": "US" > }, > "birthdate": "1940-01-01", > "is_over_18": true, > "is_over_21": true, > "is_over_65": true, > "status": { > "status_attestation": { > "credential_hash_alg": "S256", > } > } > } > > Regards, > > OS > > -- > > *ORIE STEELE > *Chief Technology Officer > www.transmute.industries <http://www.transmute.industries> > > <https://transmute.industries/> > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] OAuth Digital Credential Status Attest… Orie Steele
- Re: [OAUTH-WG] OAuth Digital Credential Status At… hannes.tschofenig
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Leif Johansson
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Paul Bastian
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Watson Ladd
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] [SPICE] R: OAuth Digital Credentia… Oliver Terbu
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones