Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier
Daniel Fett <fett@danielfett.de> Fri, 03 November 2023 13:26 UTC
Message-ID: <10b6bb29-72cc-4c6f-a636-fa23e706c7a8@danielfett.de>
Reply-To: mail@danielfett.de
To: oauth@ietf.org
References: <169807785056.8814.13239353071835579185@ietfa.amsl.com> <defbfabc-0a6c-4ae0-8cb2-a67d4d0315b5@danielfett.de> <ced0a8c1-a4b8-e790-f5ae-9e2ae3c631e2@free.fr> <4185c8f3-e8d4-48a0-9afc-b753e386a0d8@danielfett.de> <bd054cc7-f8a0-6944-d447-a6360c390c6d@free.fr>
In-Reply-To: <bd054cc7-f8a0-6944-d447-a6360c390c6d@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/CwI6nFNVFpzVDaBTkSpStakQdfM>
Hi Denis,

On 31.10.23 at 17:10, Denis wrote:
> Hi Daniel,
>>
>> Hi Denis,
>>
>> a discussion on claims-based/biometric binding, probably what you're
>> hinting at,
>>
> I am not hinting at a discussion "on claims-based/biometric binding".
>
Ok.
>
> "Collaborative attacks against a Verifier" should be added to the
> Security Considerations section.
>
We will consider this.

-Daniel

> Denis
>
>> -Daniel
>>
>> On 26.10.23 at 11:01, Denis wrote:
>>> Hi All,
>>>
>>> Section 11.6. is about "Key Binding" which is indeed an important
>>> security feature.
>>> However, in the context of "selective disclosure" while this feature
>>> is essential, it is insufficient.
>>>
>>> Let us take an example: If a Token indicates that an individual has
>>> the nationality X, in case of a collusion between two individuals
>>> and when using two pieces of software specifically developed for
>>> that purpose, an individual would be able to compute and transmit
>>> a Token to another individual for the benefit of that other
>>> individual in order to cheat a Verifier. This is a collusion between
>>> two individuals.
>>>
>>> The first individual may not have the knowledge of the private key
>>> but since he has the use of the private key, he is in a position to
>>> sign anything he wants. Since the Token does not include claims allowing
>>> to uniquely identify the individual, "if he is not seen, he will not
>>> be caught".
>>>
>>> "Collaborative attacks against a Verifier" should be added to the
>>> Security Considerations section.
>>>
>>> There exist ways to counter collaborative attacks against a
>>> Verifier. These ways should be mentioned in the core of the document.
>>>
>>> Denis
>>>
>>>> Hi all,
>>>>
>>>> this release of SD-JWT includes one important normative change,
>>>> which is a hash in the key binding JWT to ensure the integrity of
>>>> presentations. The second biggest change is that we restructured
>>>> some sections of the document to make it more readable.
>>>>
>>>> As always, we're looking forward to discussing SD-JWT here on the
>>>> mailing list and in Prague.
>>>>
>>>> -Daniel
>>>>
>>>> This is the full changelog:
>>>>
>>>> -06
>>>>
>>>> * Added hash of Issuer-signed part and Disclosures in KB-JWT
>>>> * Fix minor issues in some examples
>>>> * Added IANA media type registration request for the JSON Serialization
>>>> * More precise wording around storing artifacts with sensitive data
>>>> * The claim name _sd or ... must not be used in a disclosure.
>>>> * Added JWT claims registration requests to IANA
>>>> * Ensure claims that control validity are checked after decoding payload
>>>> * Restructure sections around data formats and Example 1
>>>> * Update JSON Serialization to remove the kb_jwt member and allow
>>>>   for the disclosures to be conveyed elsewhere
>>>> * Expand the Enveloping SD-JWTs section to also discuss enveloping
>>>>   JSON serialized SD-JWTs
>>>>
>>>> On 23.10.23 at 18:17, internet-drafts@ietf.org wrote:
>>>>> Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-06.txt is now
>>>>> available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
>>>>> the IETF.
>>>>>
>>>>>    Title:   Selective Disclosure for JWTs (SD-JWT)
>>>>>    Authors: Daniel Fett
>>>>>             Kristina Yasuda
>>>>>             Brian Campbell
>>>>>    Name:    draft-ietf-oauth-selective-disclosure-jwt-06.txt
>>>>>    Pages:   90
>>>>>    Dates:   2023-10-23
>>>>>
>>>>> Abstract:
>>>>>
>>>>>    This specification defines a mechanism for selective disclosure of
>>>>>    individual elements of a JSON object used as the payload of a JSON
>>>>>    Web Signature (JWS) structure. It encompasses various applications,
>>>>>    including but not limited to the selective disclosure of JSON Web
>>>>>    Token (JWT) claims.
>>>>>
>>>>> The IETF datatracker status page for this Internet-Draft is:
>>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>>>>
>>>>> There is also an HTML version available at:
>>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-06.html
>>>>>
>>>>> A diff from the previous version is available at:
>>>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-06
>>>>>
>>>>> Internet-Drafts are also available by rsync at:
>>>>> rsync.ietf.org::internet-drafts
>>>>>
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth

--
Please use my new email address: mail@danielfett.de
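The -06 change discussed in this thread (a hash of the Issuer-signed part and the selected Disclosures inside the Key Binding JWT, the claim called sd_hash in the specification) and the new rule that `_sd` and `...` must not appear as claim names in a Disclosure, as an added, runnable example; this is not code from the draft, its authors, or anyone in the thread. It models a holder that reveals only a nationality claim and a verifier that recomputes sd_hash over exactly the bytes it received, so a party on the path cannot add or swap Disclosures without invalidating the holder's signature. Assumptions: HS256 (shared-secret) JWS stands in for the asymmetric issuer and holder signatures of real SD-JWT so the code runs with the standard library only, the holder key is passed to the verifier directly rather than read from the `cnf` claim, and all keys, claim values and the verifier's `aud`/`nonce` are constructed. Note what this check does and does not cover: it binds the disclosed set to whoever controls the holder key; it says nothing about who that is, which is the gap Denis's collusion example points at.

```python
"""Minimal SD-JWT model: Issuer-signed JWT, Disclosures, and a KB-JWT with sd_hash."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sha256_b64url(text: str) -> str:
    # SD-JWT hashes the ASCII bytes of the exact string that was transmitted.
    return b64url(hashlib.sha256(text.encode("ascii")).digest())


# Assumption: HS256 stands in for the asymmetric JWS algorithms used by real
# SD-JWT issuers and holders; the sd_hash and Disclosure logic does not depend on it.
def jws_sign(payload: dict, key: bytes, typ: str) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def jws_verify(token: str, key: bytes) -> dict:
    header, body, sig = token.split(".")
    mac = hmac.new(key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("JWS signature invalid")
    return json.loads(b64url_decode(body))


def make_disclosure(name: str, value) -> str:
    # Disclosure = base64url(JSON array [salt, claim name, claim value]).
    return b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())


def issue(public_claims: dict, sd_claims: dict, issuer_key: bytes):
    """Issuer side: returns (Issuer-signed JWT, list of all Disclosures)."""
    disclosures = [make_disclosure(k, v) for k, v in sd_claims.items()]
    payload = dict(public_claims)
    payload["_sd_alg"] = "sha-256"
    # Sorting the digests hides the original claim order (the spec allows sorting).
    payload["_sd"] = sorted(sha256_b64url(d) for d in disclosures)
    return jws_sign(payload, issuer_key, "example+sd-jwt"), disclosures


def present(issuer_jwt: str, selected: list, holder_key: bytes, aud: str, nonce: str, iat: int) -> str:
    """Holder side: <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~<KB-JWT>."""
    sd_part = "~".join([issuer_jwt, *selected]) + "~"  # trailing tilde is part of the hashed string
    kb = {"aud": aud, "nonce": nonce, "iat": iat, "sd_hash": sha256_b64url(sd_part)}
    return sd_part + jws_sign(kb, holder_key, "kb+jwt")


def verify(presentation: str, issuer_key: bytes, holder_key: bytes, aud: str, nonce: str, now: int) -> dict:
    """Verifier side: signatures, sd_hash, Disclosure checks; returns the disclosed claims."""
    parts = presentation.split("~")
    issuer_jwt, disclosures, kb_jwt = parts[0], parts[1:-1], parts[-1]
    if not kb_jwt:
        raise ValueError("Key Binding JWT required")
    payload = jws_verify(issuer_jwt, issuer_key)
    kb = jws_verify(kb_jwt, holder_key)  # a real verifier takes this key from payload["cnf"]
    # The -06 change: sd_hash must match exactly what was received, so nobody on the
    # path can add, drop or swap Disclosures under the holder's signature.
    sd_part = "~".join([issuer_jwt, *disclosures]) + "~"
    if not hmac.compare_digest(kb.get("sd_hash", ""), sha256_b64url(sd_part)):
        raise ValueError("sd_hash mismatch: presentation was altered")
    if kb.get("aud") != aud or kb.get("nonce") != nonce:
        raise ValueError("KB-JWT not bound to this verifier/transaction")
    referenced = set(payload.pop("_sd", []))
    seen = set()
    for d in disclosures:
        digest = sha256_b64url(d)
        if digest not in referenced or digest in seen:
            raise ValueError("Disclosure not referenced by _sd, or presented twice")
        seen.add(digest)
        _salt, name, value = json.loads(b64url_decode(d))
        if name in ("_sd", "...") or name in payload:  # -06: reserved names are forbidden
            raise ValueError(f"illegal or duplicate claim name in Disclosure: {name}")
        payload[name] = value
    payload.pop("_sd_alg", None)
    # Validity claims are evaluated only after the payload has been fully decoded.
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("credential expired")
    return payload


def demo():
    """Constructed keys/claims: reveal only nationality, then show a tampered presentation failing."""
    issuer_key, holder_key = b"issuer-secret", b"holder-secret"
    issuer_jwt, disc = issue({"iss": "https://issuer.example", "exp": 2_000_000_000},
                             {"given_name": "Alice", "nationality": "X", "birthdate": "1990-01-01"},
                             issuer_key)
    ok = present(issuer_jwt, [disc[1]], holder_key, "https://verifier.example", "n-1", 1_699_000_000)
    claims = verify(ok, issuer_key, holder_key, "https://verifier.example", "n-1", 1_699_000_000)
    # An intermediary appends the birthdate Disclosure: sd_hash no longer matches.
    tampered = ok.replace("~" + disc[1] + "~", "~" + disc[1] + "~" + disc[2] + "~")
    try:
        verify(tampered, issuer_key, holder_key, "https://verifier.example", "n-1", 1_699_000_000)
        altered_rejected = False
    except ValueError:
        altered_rejected = True
    return claims, altered_rejected


if __name__ == "__main__":
    print(demo())
```

The verifier recomputes the hash from the concatenated string it actually received, including the trailing tilde, rather than from re-serialised objects; any normalisation step between receipt and hashing would reopen the gap the -06 change closes.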