Re: [OAUTH-WG] Call for adoption - SD-JWT

Kristina Yasuda <Kristina.Yasuda@microsoft.com> Tue, 02 August 2022 02:21 UTC

From: Kristina Yasuda <Kristina.Yasuda@microsoft.com>
To: oauth <oauth@ietf.org>
Thread-Topic: [OAUTH-WG] Call for adoption - SD-JWT
Date: Tue, 02 Aug 2022 02:20:53 +0000
Message-ID: <MN2PR00MB08930D8DCA347979CB77E4D9E59D9@MN2PR00MB0893.namprd00.prod.outlook.com>
References: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com>
In-Reply-To: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com>
Accept-Language: en-US, ja-JP
Content-Language: en-US
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/kPxSYqGP6f04Wnzm9xJxQqmyT_o>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
List-Id: OAUTH WG <oauth.ietf.org>

I support adoption.

To add some color.

One of the use-cases is a flow where issuance of a user credential (a collection of user claims) is decoupled from presentation (where both issuance and presentation of a user credential are done using extensions of OAuth flows). The goal of this decoupling is to avoid "issuer call home": the user can send a user credential directly to the RP, without the RP needing to contact the Issuer directly. So the motivations are not limited to offline scenarios, but are applicable to scenarios that want to recreate, in the online environment, the user experience of presenting credentials in person.

Driver's Licence just happens to be an example familiar to many, and there is no reason it cannot be a diploma, or an employee card, or a training certificate, etc. But it is worth highlighting that the SD-JWT work becomes critical if we are to enable ISO-compliant mobile Driver's Licences expressed in JSON, to enable online scenarios and make the life of Web developers easier (as opposed to processing data encoded as CBOR and signed as a COSE message). Selective disclosure is a requirement in many government-issued credentials, while the usage of advanced cryptography is not always encouraged by the national cybersecurity agencies.


Regarding an approach where the issuer issues multiple JWTs of the same type but with different subsets of claims: it is not an ideal way to do selective disclosure with JWTs (type being a way to differentiate a credential with one data structure/syntax from another). It complicates implementations that try to provide RP-U unlinkability (RPs cannot collude to track the user). The simplest way to achieve unlinkability with JWTs without using advanced cryptography is to issue multiple credentials of the same type but with varying user identifiers, and enable pairwise identifiers per RP. Now there are multiple copies of each JWT with a subset of claims of the same type. This greatly complicates presentation of these credentials too: since the credentials are of the same type, the wallet now needs to manage the combination of a subset of claims + pairwise identifier...

What if the implementation also wants a predicates property, where an age_over_XX boolean is sent instead of a birthdate string? The simplest way to do predicates with JWTs without using advanced cryptography is to have issuers issue multiple age_over_XX booleans so that an appropriate one can be selectively disclosed to the RP. How many "JWTs with a subset of claims" does the issuer need to issue to account for all possible age requirements? Note that it's not just age_over_21 to start gambling, it's also age_over_65 to get pension benefits.

Managing the combinatorial explosion of sets of claims in speculatively issued JWTs, many of which will never be used, seems unwieldy, to say the least. "A conventional JWT with a subset of claims" approach could be taken in some implementations, but it should not prevent a simpler, extensible alternative of SD-JWT.


Finally, as Giuseppe pointed out, an option to blind claim names is on the table. As discussed on this list previously, we should analyze privacy properties of the mechanism and decide if we want to mandate it - which can be discussed after the adoption.

Best,
Kristina


From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
Sent: Thursday, July 28, 2022 8:17 PM
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Call for adoption - SD-JWT

All,

This is a call for adoption for the SD-JWT document
https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/

Please, provide your feedback on the mailing list by August 12th.

Regards,
 Rifaat & Hannes
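The trade-off Kristina describes above (an issuer speculatively minting one conventional JWT per subset of claims and per pairwise identifier, versus one credential from which the holder discloses claims selectively) as an added worked example. This is not code from the thread or from the SD-JWT draft: it uses a simplified salted-hash construction in the style of SD-JWT, the claim names and issuer URL are constructed sample data, the `_sd` and `_sd_alg` field names are illustrative assumptions rather than the draft's wire format, and the issuer's signature over the payload is omitted.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


# Constructed sample claims (not real data); one age_over_XX boolean per
# threshold an RP might ask for, as the message describes.
CLAIMS = {
    "given_name": "Erika",
    "family_name": "Mustermann",
    "birthdate": "1964-08-12",
    "age_over_18": True,
    "age_over_21": True,
    "age_over_65": False,
}


# Approach A: conventional JWTs, one per subset of claims.
def conventional_jwt_count(claim_names, pairwise_ids: int = 1) -> int:
    """How many distinct JWTs the issuer must mint so that the holder can
    present any non-empty subset of the claims, for each pairwise identifier
    the holder wants to use toward different RPs: (2^n - 1) * pairwise_ids."""
    return (2 ** len(list(claim_names)) - 1) * pairwise_ids


# Approach B: one credential carrying only salted digests of the claims.
def issue_sd_credential(claims: dict, issuer: str = "https://issuer.example"):
    """Return (payload, disclosures).  The payload is what the issuer would
    sign; the disclosures stay with the holder.  Each claim gets a fresh
    128-bit salt so an RP cannot brute-force low-entropy values (booleans,
    dates) from the digests alone.  Field names _sd/_sd_alg are assumptions."""
    disclosures = {}
    digests = []
    for name, value in claims.items():
        salt = b64url(secrets.token_bytes(16))
        disclosure = b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())
        disclosures[name] = disclosure
        digests.append(b64url(hashlib.sha256(disclosure.encode("ascii")).digest()))
    # Sorted so the digest order does not leak the claim order.
    payload = {"iss": issuer, "_sd_alg": "sha-256", "_sd": sorted(digests)}
    return payload, disclosures


def present(disclosures: dict, names) -> list:
    """Holder side: release only the disclosures the RP asked for."""
    return [disclosures[n] for n in names]


def verify_presentation(payload: dict, presented: list) -> dict:
    """RP side: a disclosure counts only if its digest appears in the (signed)
    payload; the signature check itself is omitted here.  Returns the
    revealed claims and rejects anything not bound to this credential."""
    if payload.get("_sd_alg") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    bound = set(payload["_sd"])
    revealed = {}
    for d in presented:
        if b64url(hashlib.sha256(d.encode("ascii")).digest()) not in bound:
            raise ValueError("disclosure is not bound to this credential")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in revealed:
            raise ValueError("claim disclosed twice: " + name)
        revealed[name] = value
    return revealed


def compare(pairwise_ids: int = 10) -> dict:
    """Side by side: credentials to mint under approach A versus approach B.
    Under B the digest array is still a stable value across presentations, so
    an issuer wanting RP-RP unlinkability still mints several copies with
    fresh salts; that count is linear in pairwise_ids rather than exponential
    in the number of claims."""
    return {
        "conventional_jwts": conventional_jwt_count(CLAIMS, pairwise_ids),
        "sd_credentials": pairwise_ids,
    }


if __name__ == "__main__":
    payload, disclosures = issue_sd_credential(CLAIMS)
    print(json.dumps(compare(), indent=2))
    print(verify_presentation(payload, present(disclosures, ["age_over_21"])))
```

With six claims and ten pairwise identifiers, approach A needs 630 speculatively issued JWTs; approach B needs ten credentials, each of which can answer any subset request, and an RP that receives a disclosure from a different credential instance, or a modified disclosure, rejects it because the recomputed digest is not in the payload.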