Re: [OAUTH-WG] OAuth Digest, Vol 178, Issue 51
Hector Zepeda <zepedahector123@gmail.com> Fri, 25 August 2023 07:11 UTC
Return-Path: <zepedahector123@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9EE8FC15154E for <oauth@ietfa.amsl.com>; Fri, 25 Aug 2023 00:11:01 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.845
X-Spam-Level:
X-Spam-Status: No, score=-6.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_MIME_MALF=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id WsCeUbqlDKk0 for <oauth@ietfa.amsl.com>; Fri, 25 Aug 2023 00:10:57 -0700 (PDT)
Received: from mail-yb1-xb2b.google.com (mail-yb1-xb2b.google.com [IPv6:2607:f8b0:4864:20::b2b]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D0A8FC151540 for <OAuth@ietf.org>; Fri, 25 Aug 2023 00:10:57 -0700 (PDT)
Received: by mail-yb1-xb2b.google.com with SMTP id 3f1490d57ef6-d77f97a0e72so657741276.0 for <OAuth@ietf.org>; Fri, 25 Aug 2023 00:10:57 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20221208; t=1692947456; x=1693552256; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc:subject:date:message-id:reply-to; bh=aCJfz7gIIBCJdvyKhN3c64bnyoPDwwsQbl1rwzxnFsE=; b=onzFuWbYeCXnxgh8T+4GcH2HFOcTsbw/6LRiV+0lEMYbqeKJQH0E//eU2ifgGCY/pE j7hPfLDi1bZ42MBkWdH7vNxXw9KyoniNVRypy9rA8MYyNdDK8H1ZCEcYp5IUYynwuCCG DJREElzSWeblMgsmYZQL7UlEJyhQijvq5JLHZr07sCk6zHmPImZJhVoGHnI9MXzeLtlJ UzopErBwH/kc0EdZ2ypzb1Mr3sQJTAFbvpxChT22chwwuOBTxe4LnaKmLTiNH/m3WVgq wz7VWI/RIeHHFBYrJRIP5Y7AUt0lrjM90CXXsmMZU8aKU/kXTHpxznFDIE9tfAXaUrUM Pg9A==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20221208; t=1692947456; x=1693552256; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=aCJfz7gIIBCJdvyKhN3c64bnyoPDwwsQbl1rwzxnFsE=; b=ECPvFfL+qAHmpVp5Q+aYB/eywaHEkI6kS8UhE7UKMkPlTe44/zhjUoflCgaENKavi+ 5VSkFrVKUDyjGgMJWFmlRwQTDOWKBoHfaxoAQNS1R+afMz+NRaflF9JM2svXNH2nlxXM kjWCGZAfbRwDwj05+SgoZAhPOMcFkY3AV/C5iVROayRErsMyrnWbk4ZqI3HnlEtXgTCr s9SYAKtAjPBmKgHL+OBFN3723CqHp92UsAlSgjMhsF0SNVC6CoWPD45h/yXKhdgGD7L6 MkchQftnznMDjkpXjca3tRAIfmuRTHBiQC9QT1d4kEWsSj99ezbnNFYthGPiIAHmPUJT LvNA==
X-Gm-Message-State: AOJu0YyqunAvuUkDpFlwuW9Uibt43aay2VY6Vdm78shAx+cAd67QLuh9 oRoky9pd/KPt9DNm0S95LX/+rfSByH2ZGz2rqU5jHfsbPnqmVg==
X-Google-Smtp-Source: AGHT+IF69Tb68DXhCuvUmX+lw3mGkg0BOVlISRe0ZXB3p/VdUZlgQvrONZS3S7zjPwGzqjRso7s5yyXE2cJKj866neo=
X-Received: by 2002:a25:bd1:0:b0:d06:f99e:6345 with SMTP id 200-20020a250bd1000000b00d06f99e6345mr16569406ybl.22.1692947456118; Fri, 25 Aug 2023 00:10:56 -0700 (PDT)
MIME-Version: 1.0
References: <mailman.6302.1692921000.4452.oauth@ietf.org>
In-Reply-To: <mailman.6302.1692921000.4452.oauth@ietf.org>
From: Hector Zepeda <zepedahector123@gmail.com>
Date: Fri, 25 Aug 2023 02:10:45 -0500
Message-ID: <CAPq=tg2GOU3GaGV-668iQB+J0fAijNPGMk_8ZmuCf=dux7OhPQ@mail.gmail.com>
To: OAuth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000bed69d0603ba0b1d"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/6nIysp1598vO6nm2JG1Ti0rG4Yc>
Subject: Re: [OAUTH-WG] OAuth Digest, Vol 178, Issue 51
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 25 Aug 2023 07:11:01 -0000
Download and install please On Thu, Aug 24, 2023 at 6:50 PM <oauth-request@ietf.org> wrote: > Send OAuth mailing list submissions to > oauth@ietf.org > > To subscribe or unsubscribe via the World Wide Web, visit > https://www.ietf.org/mailman/listinfo/oauth > or, via email, send a message with subject or body 'help' to > oauth-request@ietf.org > > You can reach the person managing the list at > oauth-owner@ietf.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of OAuth digest..." > > > Today's Topics: > > 1. Re: SD-JWT does not meet standard security definitions > (Watson Ladd) > 2. Re: SD-JWT does not meet standard security definitions > (Kristina Yasuda) > 3. Re: SD-JWT does not meet standard security definitions > (Watson Ladd) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Thu, 24 Aug 2023 13:07:39 -0700 > From: Watson Ladd <watsonbladd@gmail.com> > To: Daniel Fett <mail@danielfett.de> > Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, oauth@ietf.org, > draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org > Subject: Re: [OAUTH-WG] SD-JWT does not meet standard security > definitions > Message-ID: > <CACsn0cm4crt-F4GJcZHGnhzcBdgZ+JL-DxJ+K=VV3L9UdXD= > Yw@mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > On Thu, Aug 24, 2023 at 3:44?AM Daniel Fett <mail@danielfett.de> wrote: > > > > Thanks, Hannes. > > > > The fact that technologies like AnonCreds are based on such old > principles, yet they are not uniformly standardized, often times limited to > a few implementations that may or may not be secure, are full of security > footguns, lack hardware support, and are just extremely hard or impossible > to deploy speaks for itself. > > > > That's why things like SD-JWT exist and gain traction. > > > > Yes, you have to jump through hoops to get unlinkability, but it is not > impossible, and it seems to be a good tradeoff for many. > > Is there a document describing this that we can compare to the BBS > version? Because it's a lot harder than you think: you need a blind > signature and cut and choose for the credential openings (or > rerandomization via structure preserving signatures, hello pairings), > you need to deal with exhaustion of the supply of tokens, your > issuance process has to be repeatable at low cost, so that's also > getting messy, and then the hardware binding has its own special > problems. None of that is in this draft, and I think it would be a lot > better if we spelled it out here or someplace else to get a better > sense of the tradeoffs. > > I would also like to point out that if end users don't like the > privacy aspects, they simply won't use this technology. That's a very > serious deployment issue. > > Sincerely, > Watson Ladd > > -- > Astra mortemque praestare gradatim > > > > ------------------------------ > > Message: 2 > Date: Thu, 24 Aug 2023 20:32:02 +0000 > From: Kristina Yasuda <Kristina.Yasuda@microsoft.com> > To: Watson Ladd <watsonbladd@gmail.com>, Daniel Fett > <mail@danielfett.de> > Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>, "oauth@ietf.org" > <oauth@ietf.org>, > "draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org" > <draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org> > Subject: Re: [OAUTH-WG] SD-JWT does not meet standard security > definitions > Message-ID: > < > SA1PR00MB13101B25440011FD872FD7EEE51DA@SA1PR00MB1310.namprd00.prod.outlook.com > > > > Content-Type: text/plain; charset="utf-8" > > First of all, BBS and SD-JWT are not comparable apple to apple. BBS is a > signature scheme and it needs to be combined with few other things like JWP > or BBS data integrity proof type (https://www.w3.org/TR/vc-di-bbs/) with > JSON-LD payload. While SD-JWT is a mechanism that can be used with any > crypto suite. > > Second, how to do batch issuance of the credential (honestly, of any > credential format: not just SD-JWT VCs but also mdocs and JWT-VCs) and > whether it can be done low cost is out of scope of the credential format > (or any of its components) specification itself. Btw when using OpenID4VCI > (an extension of oauth), batch issuing SD-JWTs does not need a blind > signature and I do not know what you mean by exhaustion of the supply of > tokens, there are only access token and refresh token involved in a usual > manner. > > Best, > Kristina > > Get Outlook for iOS<https://aka.ms/o0ukef> > ________________________________ > From: Watson Ladd <watsonbladd@gmail.com> > Sent: Thursday, August 24, 2023 9:08 PM > To: Daniel Fett <mail@danielfett.de> > Cc: Hannes Tschofenig <hannes.tschofenig@gmx.net>; oauth@ietf.org < > oauth@ietf.org>; draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org < > draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org> > Subject: Re: SD-JWT does not meet standard security definitions > > [You don't often get email from watsonbladd@gmail.com. Learn why this is > important at https://aka.ms/LearnAboutSenderIdentification ] > > On Thu, Aug 24, 2023 at 3:44?AM Daniel Fett <mail@danielfett.de> wrote: > > > > Thanks, Hannes. > > > > The fact that technologies like AnonCreds are based on such old > principles, yet they are not uniformly standardized, often times limited to > a few implementations that may or may not be secure, are full of security > footguns, lack hardware support, and are just extremely hard or impossible > to deploy speaks for itself. > > > > That's why things like SD-JWT exist and gain traction. > > > > Yes, you have to jump through hoops to get unlinkability, but it is not > impossible, and it seems to be a good tradeoff for many. > > Is there a document describing this that we can compare to the BBS > version? Because it's a lot harder than you think: you need a blind > signature and cut and choose for the credential openings (or > rerandomization via structure preserving signatures, hello pairings), > you need to deal with exhaustion of the supply of tokens, your > issuance process has to be repeatable at low cost, so that's also > getting messy, and then the hardware binding has its own special > problems. None of that is in this draft, and I think it would be a lot > better if we spelled it out here or someplace else to get a better > sense of the tradeoffs. > > I would also like to point out that if end users don't like the > privacy aspects, they simply won't use this technology. That's a very > serious deployment issue. > > Sincerely, > Watson Ladd > > -- > Astra mortemque praestare gradatim > -------------- next part -------------- > An HTML attachment was scrubbed... > URL: < > https://mailarchive.ietf.org/arch/browse/oauth/attachments/20230824/f2163fef/attachment.htm > > > > ------------------------------ > > Message: 3 > Date: Thu, 24 Aug 2023 16:49:45 -0700 > From: Watson Ladd <watsonbladd@gmail.com> > To: Kristina Yasuda <Kristina.Yasuda@microsoft.com> > Cc: Daniel Fett <mail@danielfett.de>, Hannes Tschofenig > <hannes.tschofenig@gmx.net>, IETF oauth WG <oauth@ietf.org>, > draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org > Subject: Re: [OAUTH-WG] SD-JWT does not meet standard security > definitions > Message-ID: > <CACsn0cntKgk-nQf71XbdVtbVUXxwt6Njsd3pTg4TB= > g6qwhE+A@mail.gmail.com> > Content-Type: text/plain; charset="UTF-8" > > On Thu, Aug 24, 2023, 1:32 PM Kristina Yasuda > <Kristina.Yasuda@microsoft.com> wrote: > > > > First of all, BBS and SD-JWT are not comparable apple to apple. BBS is a > signature scheme and it needs to be combined with few other things like JWP > or BBS data integrity proof type (https://www.w3.org/TR/vc-di-bbs/) with > JSON-LD payload. While SD-JWT is a mechanism that can be used with any > crypto suite. > > Agreed: the relevant comparison is at the level of systems based on > these formats. That makes it more difficult to have a discussion of > the security of the overall system when these documents go in other > places, and this might not be the right vehicle for it. > > > > > Second, how to do batch issuance of the credential (honestly, of any > credential format: not just SD-JWT VCs but also mdocs and JWT-VCs) and > whether it can be done low cost is out of scope of the credential format > (or any of its components) specification itself. Btw when using OpenID4VCI > (an extension of oauth), batch issuing SD-JWTs does not need a blind > signature and I do not know what you mean by exhaustion of the supply of > tokens, there are only access token and refresh token involved in a usual > manner. > > So the issuer knows what it signed? Then it's capable of linking all > presentations to each other because the signature and message is shown > to each verifier even if different commitments are opened each time. > That's a serious problem. Separately, if each SD-JWT is one use only, > then the issuer needs to be available for refresh once the tokens are > all used, which is a troublesome proposition. It's a very different > model from a one time issuance. VC usecases are likely to lend > themselves to things that don't look like oauth in terms of > availability, and as we learned from OCSP running services that must > be up is hard. > > I want to be clear: the threat model that's applicable to real people > across the web has the issuer working with data sent to the verifiers > to try to determine what the holder did. This is extremely unlike real > world credential presentation where e.g. showing my drivers license to > a bouncer doesn't mean the DMV knows what bar I went to. We have very > clear guidance in RFC 8890 from the IAB that we are supposed to take > these risks seriously, and privilege them over other considerations. > The applications to Digital Wallets when combined with a push for Age > Verification are exactly the sort of thing where people will make > expedient choices (use SD-JWT with what's being issued) in a way that > creates an enormous privacy risk that is not obvious to end users. > > Sincerely, > Watson Ladd > > > > ------------------------------ > > Subject: Digest Footer > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > > > ------------------------------ > > End of OAuth Digest, Vol 178, Issue 51 > ************************************** > -- null
- Re: [OAUTH-WG] OAuth Digest, Vol 178, Issue 51 Hector Zepeda