[OAUTH-WG] Re: WGLC for SD-JWT

Denis <denis.ietf@free.fr> Fri, 20 September 2024 19:38 UTC

From: Denis <denis.ietf@free.fr>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>, oauth <oauth@ietf.org>
In-Reply-To: <6f822e18-bd1c-47ba-8237-a7ede4a59e45@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/EYlDtN8gg1--tsZ-AWolMjw4jAk>

*About disclosures for Array Elements versus disclosures of name/value pair*

1) The draft of Annex - Ares(2024)5786783 "laying down rules for the 
application of Regulation (EU) No 910/2014
of the European Parliament and of the Council as regards person 
identification data and electronic attestations
of attributes issued to European Digital Identity Wallets" identifies on 
page 1 in Table 1: Mandatory attributes, the following attribute:

   Attribute identifier: nationality
   Definition:           One or more Alpha-2 country codes as specified in
                         ISO 3166-1, representing the nationality of the
                         person identification data user.
   Presence:             Mandatory
   Encoding format:      tstr

Section 5.2.6 of draft-ietf-oauth-selective-disclosure-jwt-12
(Recursive Disclosures) describes an example which is much better than
the current Mandatory attribute "nationality" described in the draft of
Annex - Ares(2024)5786783:

   "When the End-User has multiple nationalities, the issuer may wish to
   conceal the presence of any statement regarding nationalities while
   also allowing the holder to reveal each of those nationalities
   individually. This can be accomplished by first making the entries
   within the "nationalities" array selectively disclosable, and then
   making the whole "nationalities" field selectively disclosable."

The structure from section 5.2.6 should be recommended as a replacement.
Maybe such a recommendation has already been done to the EC. If it is
not the case, this should be done.

2) In the same way, the draft of Annex - Ares(2024)5786783 "laying down 
rules for the application of Regulation (EU) No 910/2014
of the European Parliament and of the Council as regards person 
identification data and electronic attestations
of attributes issued to European Digital Identity Wallets" identifies on 
page 3 in Table 2: Optional attributes, the following two attributes:

   Attribute identifier: age_over_18
   Definition:           Confirming whether the person identification data
                         user is currently an adult (true) or a minor (false)
   Presence:             Optional
   Encoding format:      bool

   Attribute identifier: age_over_13
   Definition:           Confirming whether the person identification data
                         user is currently over 13 years of age (false)
   Presence:             Optional
   Encoding format:      bool

Some countries have additional needs for "age_over_15" and "age_over_25",
as well as for "age_under_25" (for social networks).

Some organizations have needs for "age_over_60" and "age_over_65".

Rather than defining new attribute names each time there is a new need,
the approach used for nationality (i.e. "nationalities") should be
followed.

This leads to defining two fields:

      - "age_over", and
      - "age_under".

The issuer may wish to make the whole "age_over" and/or "age_under" 
field selectively disclosable and allow the holder to make
the entries within the "age_over" and/or "age_under" array selectively 
disclosable. Such an example should be added into the draft.

Maybe such a recommendation has already been done to the EC. If it is 
not the case, this should be done.

Denis
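As an added illustration of the recursive-disclosure structure from Section 5.2.6 that this message proposes to reuse (example code written for this archive page; it is not part of the draft, nor Denis' text), the block below builds an SD-JWT payload in which every element of the "nationalities" array and of the proposed "age_over" array is selectively disclosable, and then each whole array is selectively disclosable too. The issuer, person and values are constructed, and the JWT signature is omitted: only the payload, the Disclosures and the Verifier-side reconstruction are shown. The encoding (base64url without padding, sha-256 over the ASCII bytes of each Disclosure, `[salt, name, value]` for object properties and `[salt, value]` for array elements) follows the draft.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """base64url without padding, as SD-JWT uses for salts, Disclosures and digests."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def disclosure_digest(disclosure: str) -> str:
    # SD-JWT digest: sha-256 over the ASCII bytes of the Disclosure string
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def make_disclosure(value, name=None) -> str:
    """Object property Disclosure = b64url([salt, name, value]);
    array element Disclosure = b64url([salt, value])."""
    salt = b64url(secrets.token_bytes(16))
    parts = [salt, value] if name is None else [salt, name, value]
    return b64url(json.dumps(parts, separators=(",", ":")).encode("utf-8"))


def build_payload(claims: dict, recursive_arrays):
    """Issuer side. For each named array claim, every element becomes
    {"...": digest}; the resulting array is then itself hidden behind an _sd
    digest (the recursive structure of draft Section 5.2.6).
    Returns (payload, disclosures keyed by a path such as 'nationalities[0]')."""
    payload = dict(claims)
    disclosures = {}
    sd_digests = []
    for name in recursive_arrays:
        hidden_elements = []
        for i, element in enumerate(payload.pop(name)):
            d = make_disclosure(element)
            disclosures[f"{name}[{i}]"] = d
            hidden_elements.append({"...": disclosure_digest(d)})
        outer = make_disclosure(hidden_elements, name=name)
        disclosures[name] = outer
        sd_digests.append(disclosure_digest(outer))
    payload["_sd"] = sorted(sd_digests)  # order is meaningless; sorting hides insertion order
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures


def disclose(payload: dict, presented):
    """Verifier side: rebuild the claims from the payload plus the Disclosures
    the Holder chose to present. A presented Disclosure that no digest refers
    to is rejected, as the draft's processing rules require."""
    by_digest = {disclosure_digest(d): d for d in presented}
    used = set()

    def walk(node):
        if isinstance(node, dict):
            out = {k: walk(v) for k, v in node.items() if k not in ("_sd", "_sd_alg")}
            for dg in node.get("_sd", []):
                if dg in by_digest:
                    used.add(dg)
                    _, name, value = json.loads(b64url_decode(by_digest[dg]))
                    out[name] = walk(value)
            return out
        if isinstance(node, list):
            out = []
            for element in node:
                if isinstance(element, dict) and set(element) == {"..."}:
                    dg = element["..."]
                    if dg in by_digest:  # undisclosed elements simply vanish
                        used.add(dg)
                        _, value = json.loads(b64url_decode(by_digest[dg]))
                        out.append(walk(value))
                else:
                    out.append(walk(element))
            return out
        return node

    claims = walk(payload)
    if used != set(by_digest):
        raise ValueError("presented Disclosure not referenced by any digest")
    return claims


def demo():
    # constructed PID-style claims: issuer, name and values are made up
    claims = {"iss": "https://pid-issuer.example", "given_name": "Erika",
              "nationalities": ["DE", "FR"], "age_over": [13, 18]}
    payload, d = build_payload(claims, ["nationalities", "age_over"])
    # The Holder reveals one nationality and one age threshold. For an element
    # to be placeable, the enclosing array's own Disclosure must be sent too;
    # the other elements stay hidden (their count is visible once the array is).
    chosen = [d["nationalities"], d["nationalities[0]"], d["age_over"], d["age_over[1]"]]
    return disclose(payload, chosen)
```

Presenting no Disclosure at all yields a payload with neither "nationalities" nor "age_over" in it, which is the "conceal the presence of any statement" property the draft describes; presenting an element Disclosure without the array's Disclosure is rejected because nothing in the payload references it.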