Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier

Daniel Fett <fett@danielfett.de> Fri, 03 November 2023 13:26 UTC


Hi Denis,

On 31.10.23 at 17:10, Denis wrote:
> Hi Daniel,
>>
>> Hi Denis,
>>
>> a discussion on claims-based/biometric binding, probably what you're 
>> hinting at,
>>
> I am not hinting at a discussion "on claims-based/biometric binding".
>
Ok.
>
> "Collaborative attacks against a Verifier" should be added to the 
> Security Considerations section.
>
We will consider this.

-Daniel


> Denis
>
>> -Daniel
>>
>> On 26.10.23 at 11:01, Denis wrote:
>>> Hi All,
>>>
>>> Section 11.6. is about "Key Binding" which is indeed an important 
>>> security feature.
>>> However, in the context of "selective disclosure", while this feature 
>>> is essential, it is insufficient.
>>>
>>> Let us take an example: If a Token indicates that an individual has 
>>> the nationality X, in case of a collusion between two individuals
>>> and when using two pieces of software specifically developed for 
>>> that purpose, an individual would be able to compute and transmit
>>> a Token to another individual for the benefit of that other 
>>> individual in order to cheat a Verifier. This is a collusion between 
>>> two individuals.
>>>
>>> The first individual may not have the knowledge of the private key, 
>>> but since he has the use of the private key, he is in a position to 
>>> sign anything he wants. Since the Token does not include claims allowing 
>>> one to uniquely identify the individual, "if he is not seen, he will not 
>>> be caught".
>>>
>>> "Collaborative attacks against a Verifier" should be added to the 
>>> Security Considerations section.
>>>
>>> There exist ways to counter collaborative attacks against a 
>>> Verifier. These ways should be mentioned in the core of the document.
>>>
>>> Denis
>>>
>>>> Hi all,
>>>>
>>>> this release of SD-JWT includes one important normative change, 
>>>> which is a hash in the key binding JWT to ensure the integrity of 
>>>> presentations. The second biggest change is that we restructured 
>>>> some sections of the document to make it more readable.
>>>>
>>>> As always, we're looking forward to discussing SD-JWT here on the 
>>>> mailing list and in Prague.
>>>>
>>>> -Daniel
>>>>
>>>> This is the full changelog:
>>>>
>>>>    -06
>>>>
>>>>     *  Added hash of Issuer-signed part and Disclosures in KB-JWT
>>>>
>>>>     *  Fix minor issues in some examples
>>>>
>>>>     *  Added IANA media type registration request for the JSON
>>>>        Serialization
>>>>
>>>>     *  More precise wording around storing artifacts with sensitive data
>>>>
>>>>     *  The claim name _sd or ... must not be used in a disclosure.
>>>>
>>>>     *  Added JWT claims registration requests to IANA
>>>>     *  Ensure claims that control validity are checked after decoding
>>>>        payload
>>>>
>>>>     *  Restructure sections around data formats and Example 1
>>>>
>>>>     *  Update JSON Serialization to remove the kb_jwt member and allow
>>>>        for the disclosures to be conveyed elsewhere
>>>>
>>>>     *  Expand the Enveloping SD-JWTs section to also discuss enveloping
>>>>        JSON serialized SD-JWTs
>>>>
>>>> On 23.10.23 at 18:17, internet-drafts@ietf.org wrote:
>>>>> Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-06.txt is now
>>>>> available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
>>>>> the IETF.
>>>>>
>>>>>     Title:   Selective Disclosure for JWTs (SD-JWT)
>>>>>     Authors: Daniel Fett
>>>>>              Kristina Yasuda
>>>>>              Brian Campbell
>>>>>     Name:    draft-ietf-oauth-selective-disclosure-jwt-06.txt
>>>>>     Pages:   90
>>>>>     Dates:   2023-10-23
>>>>>
>>>>> Abstract:
>>>>>
>>>>>     This specification defines a mechanism for selective disclosure of
>>>>>     individual elements of a JSON object used as the payload of a JSON
>>>>>     Web Signature (JWS) structure.  It encompasses various applications,
>>>>>     including but not limited to the selective disclosure of JSON Web
>>>>>     Token (JWT) claims.
>>>>>
>>>>> The IETF datatracker status page for this Internet-Draft is:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>>>>
>>>>> There is also an HTML version available at:
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-06.html
>>>>>
>>>>> A diff from the previous version is available at:
>>>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-06
>>>>>
>>>>> Internet-Drafts are also available by rsync at:
>>>>> rsync.ietf.org::internet-drafts
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>>
>>>
>
>
>

-- 
Please use my new email address: mail@danielfett.de
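As an added example (not code from the draft or from anyone in this thread) of the integrity check the -06 changelog describes: the Verifier recomputes the hash over the Issuer-signed JWT and the presented Disclosures and compares it to the value the Holder committed to in the Key Binding JWT, so a presentation whose Disclosures were dropped, reordered or swapped after the KB-JWT was signed is rejected. The claim name sd_hash, the kb+jwt type, the _sd_alg default of sha-256 and the hash-input format are assumed from draft -06; all token material is constructed, and the JWS signature checks on both JWTs are out of scope here.

```python
import base64
import hashlib
import hmac
import json

# "sd_hash", the "_sd_alg" default of sha-256 and the hash input
# "<Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~" are assumed from
# draft -06; every token below is constructed and signatures are placeholders.
HASH_ALGS = {"sha-256": hashlib.sha256, "sha-384": hashlib.sha384, "sha-512": hashlib.sha512}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sd_hash(issuer_jwt: str, disclosures: list, alg: str = "sha-256") -> str:
    # Hash exactly the bytes the Holder presented, trailing "~" included.
    presented = issuer_jwt + "~" + "".join(d + "~" for d in disclosures)
    return b64url(HASH_ALGS[alg](presented.encode("ascii")).digest())

def build_presentation(issuer_payload: dict, disclosures: list, kb_payload: dict) -> str:
    # Holder side: the KB-JWT commits to the Issuer-signed JWT plus the selected Disclosures.
    issuer_jwt = ".".join([b64url(b'{"alg":"ES256"}'),
                           b64url(json.dumps(issuer_payload).encode()), "issuer-sig-placeholder"])
    alg = issuer_payload.get("_sd_alg", "sha-256")
    kb = dict(kb_payload, sd_hash=sd_hash(issuer_jwt, disclosures, alg))
    kb_jwt = ".".join([b64url(b'{"alg":"ES256","typ":"kb+jwt"}'),
                       b64url(json.dumps(kb).encode()), "holder-sig-placeholder"])
    return issuer_jwt + "~" + "".join(d + "~" for d in disclosures) + kb_jwt

def verify_kb_binding(presentation: str) -> bool:
    # Verifier side; assumes both JWS signatures were already verified (not shown here).
    parts = presentation.split("~")
    issuer_jwt, disclosures, kb_jwt = parts[0], parts[1:-1], parts[-1]
    if not kb_jwt:
        return False  # Key Binding is required, but no KB-JWT was presented
    issuer_payload = json.loads(b64url_decode(issuer_jwt.split(".")[1]))
    kb_payload = json.loads(b64url_decode(kb_jwt.split(".")[1]))
    alg = issuer_payload.get("_sd_alg", "sha-256")
    if alg not in HASH_ALGS or not isinstance(kb_payload.get("sd_hash"), str):
        return False
    return hmac.compare_digest(sd_hash(issuer_jwt, disclosures, alg), kb_payload["sd_hash"])

# Constructed sample: two Disclosures (base64url of [salt, claim name, value]) and a KB-JWT payload.
DISCLOSURES = [b64url(json.dumps(["salt-1", "given_name", "Alice"]).encode()),
               b64url(json.dumps(["salt-2", "nationality", "X"]).encode())]
PRESENTATION = build_presentation({"iss": "https://issuer.example", "_sd_alg": "sha-256"}, DISCLOSURES,
                                  {"aud": "https://verifier.example", "nonce": "n-1", "iat": 1699017937})
```

Note that this check only binds the presented artifacts to the KB-JWT; the separate check that each Disclosure's digest appears in the Issuer-signed payload, and the key binding itself, still have to be performed.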