Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credential Status Attestations (typo)
Tom Jones <thomasclinganjones@gmail.com> Fri, 19 January 2024 17:50 UTC
Return-Path: <thomasclinganjones@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 796D3C14F5EC; Fri, 19 Jan 2024 09:50:18 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.094
X-Spam-Level:
X-Spam-Status: No, score=-1.094 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, FREEMAIL_REPLY=1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id cY-uWQmJmMZ7; Fri, 19 Jan 2024 09:50:14 -0800 (PST)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 0BC9CC14F5E8; Fri, 19 Jan 2024 09:50:14 -0800 (PST)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-55369c59708so237323a12.1; Fri, 19 Jan 2024 09:50:13 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705686612; x=1706291412; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=6BcV4hO71TN/lV2z7UE4ueaR6utJ+yj9bG1jwcTh/qk=; b=h61j9lICIbZw1Z7KKqd2mEilB2vqYQjtgCocU5AZgy97//aG7eAUDUiEA00Ta3QCmL lV3rbPjUvBfTuaAqp/ojMZx1fl2Exl3IApGGq9vFKQoVnlie4IBM0Afb1u5xdgqaYR74 Da3V9KMnSQAuLPBMJmHPh+G7KaRpeaxBd5h9mryKVj5uuj2sxmNZBzfDjevLO16w6uO4 T/ETzNTrU2XJGC/nICXuim6nIHUmqJOOVvZyyjriBb5qw2oFKICC55p4KycZdOcdX4S+ c2n6PAFcVkyFp883t89lBGSt86B3mNt+I3XDy4/vGg14QdoADeygzN0cZwyUdmrNBmBB 953w==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705686612; x=1706291412; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=6BcV4hO71TN/lV2z7UE4ueaR6utJ+yj9bG1jwcTh/qk=; b=Q4olXOxbvdNYOR0QGSunUeGLWBwKEURlcV1+x3Ep7piImDMwVIuOOkOn9hwPuPbaAt e2xn6wNF2WJUHmSkNKDcdSSU2VKkrrmqDFl+TGZKZmAnJsv+ko7UnKwsIV2z6H5j06H8 sb9zEfbPnEleeSe0ykKjW5aCDuJtGiznsgdUOQ9/Iw3vs2Dthv1+ix5l54XKAjnUetT8 okhJHXJNz1dhrSmm8UFAEElqaIsN7K1pK73Ip3gRio+ePh6nAVyTYSeYQqhR5X9mI35l 46+UmmK/5rVz/M3GfW5s01svjc3o9WNhgwsHQwy+iy+SMi20Ykku+ye6bKH4XliJZ81m /Epw==
X-Gm-Message-State: AOJu0YwVNO/i/GpbA7tub4+RDwZHl1bS+9JX+PJOX1bSSVR3Eo7sB0qr kaRiu2yzsnx9BnMR25zPct/FmB8i+UZwdMcLSEH7HSib2a3SnhkR/XyGrmVnrhki46lgeGzvqH5 ueLKoz2BmZcw7Q4YcV8mCPDROgy8=
X-Google-Smtp-Source: AGHT+IFZnhAMvoi1PY0Gn+qxa+JrhVuU4xTJbiy2TCkcswjuN1uFGpTzGwko99o4PNvkhsVvQuHS1cB7EgI3c/B5S9k=
X-Received: by 2002:aa7:d614:0:b0:559:87b5:9692 with SMTP id c20-20020aa7d614000000b0055987b59692mr160605edr.2.1705686611982; Fri, 19 Jan 2024 09:50:11 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com> <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr> <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr> <CAP_qYymC=dWbVjQjQmJC7fFkQki5nN3D646TNCO8=JWXC-TOOQ@mail.gmail.com> <c1d7db80-61b6-629e-3ed9-6ed2065322db@free.fr> <AS8PR07MB7527985F6E29AF5620523D19AC712@AS8PR07MB7527.eurprd07.prod.outlook.com> <59401024-b4b3-054b-3b89-0f70f0e0400b@free.fr>
In-Reply-To: <59401024-b4b3-054b-3b89-0f70f0e0400b@free.fr>
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Fri, 19 Jan 2024 09:50:00 -0800
Message-ID: <CAK2Cwb5YwPu1A7nvcUx8ypBXGXaFjrEdCxs5rnpYhCegtnPNkA@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: Giuseppe De Marco <gi.demarco@innovazione.gov.it>, demarcog83 <demarcog83@gmail.com>, "spice@ietf.org" <spice@ietf.org>, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000009afedd060f501c2b"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/F4lQNFwXeItXSrxxBt_piylYXLM>
Subject: Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credential Status Attestations (typo)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 19 Jan 2024 17:50:18 -0000
Proof seems to be yet another term for which we already have other terms. Can anyone explain the difference between: proof presentation evidence. ..tom On Fri, Jan 19, 2024 at 4:28 AM Denis <denis.ietf@free.fr> wrote: > Hi Giuseppe, > > Ciao Denis, > > Thank you! By points. > > First, I still have a vocabulary problem. The text states: > > A *digital credential* may be presented to a verifier long after it has > been issued. > > It should rather say: A *digital proof *(derived from a digital > credential) may be presented to a verifier. > > Then, the text states: > > Verifier: > > Entity that relies on the validity of the Digital Credentials presented to > it. > > I should rather say: > > Verifier: > > Entity that relies on the validity of the *digital proof* > presented to it. > > > OAuth Status List can be accessed by a Verifier when an internet > connection is present. > > - This does not correspond to the flows of the figure. > > > the section enumerates the differences between oauth status list and oauth > status attestations. > The subject of the sentence is then the oauth status list, below I report > the original text in that point: > > *Offline flow*: OAuth Status List can be accessed by a Verifier when an > internet connection is present. At the same time, OAuth Status List defines > how to provide a static Status List Token, to be included within a Digital > Credential. This requires the Wallet Instance to acquire a new Digital > Credential for a specific presentation. Even if similar to the OAuth Status > List Token, the Status Attestations enable the User to persistently use > their preexistent Digital Credentials, as long as the linked Status > Attestation is available and presented to the Verifier, and not expired. > > OK. > > > > - What about the support of "blinded link secrets" and "link secrets" > (used with anonymous credentials) ? > > > Unfortunately I don't have these in the EUDI ARF and in my implementative > asset but this doesn't prevent us to not include it in the draft. > > When writing this, I had the use case of BBS+ in mind. > > Published versions of the ARF is available here: > https://github.com/eu-digital-identity-wallet/eudi-doc-architecture-and-reference-framework/blob/main/docs/arf.md > > The word "privacy" is used once in a single sentence copied below which is: > > Attestation exchange Protocol. This protocol defines how to request and > present the PID and the (Q)EAA in a secure and *privacy* preserving > fashion. > > In the context of a single data controller, ISO 29100 identifies eleven > privacy principles: > > 1. Consent and choice > 2. Purpose legitimacy and specification > 3. Collection limitation > 4. Data minimization > 5. Use, retention and disclosure limitation > 6. Accuracy and quality > 7. Openness, transparency and notice > 8. Individual participation and access > 9. Accountability > 10. Information security > 11. Privacy compliance > > None of them is being addressed. > > In addition, when considering a distributed system used by human beings, *two > additional **privacy principles *need to be taken into consideration > and none of them is mentioned: > > * Unlinkability *of holders between verifiers > > * Untrackability* of holders by a server, (i.e., a property ensuring > that it is not possible for a server to know by which verifier the > information it issues to a caller, > or derivations from it, will be consumed. > In other words : Can the server act as Big Brother ? > > Margrethe *Vestager*, [former] Executive Vice-President for a Europe Fit > for the Digital Age said: > > * “The European digital identity will enable us to do in any Member > State as we do at home without any extra cost and fewer hurdles. * > * Be that renting a flat or opening a bank account outside of our > home country. And do this in a way that is secure and transparent. * > * So that we will decide how much information we wish to share about > ourselves, with whom and for what purpose.* > > Source: https://ec.europa.eu/commission/presscorner/detail/en/ip_21_2663 > > This statement is not mentioned in the ARF. > > An additional important *security consideration *needs to be addressed: > > * Collusions between **holders *(natural persons), which is > difficult to support while at the same time the "*collection limitation*" > privacy principle is considered. > > This can be illustrated by the following example: > > Can Alice (12) collude with Bob (25) to access to a verifier > delivering age-restricted services or products (e.g., like the condition of > being over 18) ? > Since Bob is over 25, he can obtain some "proof" that he is over 18. > Can Alice (12) can advantage of this proof to access to age-restricted > services or products ? > > Would you like to propose your idea in the current text (github issue or > PR) about the possibility to enable this technology? > > On page 45 from COM(2021) 281 final, ( > https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:52021PC0281) > there is the following statement: > > " A strengthened *privacy-by-design approach* could yield > additional benefits since the wallet would not require intermediaries > in the process of asserting the attributes, thus enabling the > citizen to communicate directly with the service and credential providers". > > Every IETF draft now includes both a *Security Consideration* section and > a *Privacy Consideration *section. There is no such sections in ARF > 1.0.X. > > Since ARF 1.0.X has not listed any privacy principle, it could not follow > a *privacy-by-design approach.* > > Before defining technical solutions, requirements would first need to be > identified and agreed. At the moment, none of the five experiments is > considering > the previously identified privacy principles (nor the above security > consideration). > > There should first be an agreement to add both a *Security Consideration* > section and a *Privacy Consideration *section to the ARF. > > Another consideration has been raised: the cryptographic algorithms being > used should be quantum resistant. > > This is a good wish but nobody knows when this would really be needed. > > BBS+ is not believed to be quantum resistant. However, if one-time digital > signatures are considered, they can be quantum resistant > (e.g., using SHA-3 and Lamport signatures). This would natively prevent > verifiers to use the public key present in a credential proof to link > accesses from > the same holder on different servers. This would mandate to issue batches > of credentials in advance, which is only considered at a possible *option* > at the moment. This would also prevent using a "digital credential serial > number" to perform a linkage between different digital proofs. > > For signing digital credentials, the FIPS 204 (DRAFT) > MODULE-LATTICE-BASED DIGITAL SIGNATURE STANDARD might be considered. > > This does not mean in anyway that these algorithms should be used *now*, > but it would be good to already know which kinds algorithms will be usable > when it will become really necessary to achieve quantum resistance. > > I mean, the current text satisfies the security requirements, in addition > to this we can explore and enable additional methods, in particular when > these brings additional benefits. > > > - A major section is missing: "*Privacy considerations*". > > > yes, the best is yet to come �� > > When doing a *privacy-and-security-by-design *approach*, *once the model > and the key actors have be identified, these two sections should be > filled-in first. > > :-) > > > > - One of many privacy principles is: "unlinkability between > verifiers". > > > yes. The scope of this specs is providing a "static" way to give a > verifiable proof. In the privacy consideration I would start with the sotry > of Giuseppe that presents his credential of org affiliation to an RP, > giving org name, entitlements and position. Having the url and the index of > the revocation status of that credential, the RP is technically able to > continuosly check that Giuseppe is still emploied in that organization, > even outside of a resonable time windows for the authorized > authentication/session. > > then, the scopes of this draft is all about revocation and tracking > prevention about the revocation checks. The problem of linkability belongs > to the credential and not to the status attestation (if I didn't miss > anything). > > Let us now come back to Status Attestations when using one-time digital > credentials. > Let us consider two cases: whether the status attestation request is done > by the holder or by the verifier. > > 1) If the status attestation request is done by the holder, this means > that it is online and in such a case, it could ask for a batch of one-time > digital credentials > with short expiration dates without the need to request Status > Attestations. > > 2) If the status attestation request is done by the verifier *and if the > server able to provide Status Attestations is different from the server > issuing the digital credential*, > then a query to that other server will prevent the issuer to know > where the digital proof has been presented by the holder. This would allow > the holder to get > digital credentials with longer expiration dates. > > Seen from the wallet, the following strategy would be used: > > - If the wallet knows that it is on-line, it will use or request a > digital credential with a short expiration date. > This will avoid the verifier to make a call when it receives the > digital proof. > > - If the wallet knows that it is off-line, it will use an already > stored digital credential with a long expiration date. > If the server able to provide Status Attestations is, in fact, not > really independent from the server issuing the digital credential, > the linkability between verifiers will be limited to servers accessed > using NFC. Hence, the risk will be mitigated. > > Both types of digital credential will then have their own merits. > > Yes, I will, The sections Rationale and Privacy Consideration are the most > funny and we'll continue on those. Thank you for the hints, I appreciate! > > In this rather long email, you have further hints. > > :-) > > Denis > > > > ------------------------------ > *Da:* Denis <denis.ietf@free.fr> <denis.ietf@free.fr> > *Inviato:* giovedì 18 gennaio 2024 19:25 > *A:* demarcog83 <demarcog83@gmail.com> <demarcog83@gmail.com> > *Cc:* spice@ietf.org <spice@ietf.org> <spice@ietf.org>; Giuseppe De Marco > <gi.demarco@innovazione.gov.it> <gi.demarco@innovazione.gov.it>; oauth > <oauth@ietf.org> <oauth@ietf.org> > *Oggetto:* Re: [SPICE] [OAUTH-WG] OAuth Digital Credential Status > Attestations (typo) > > > Non si ricevono spesso messaggi di posta elettronica da denis.ietf@free.fr. > Informazioni sul perché è importante > <https://aka.ms/LearnAboutSenderIdentification> > > Questa email arriva da un mittente insolito. Assicurati che sia qualcuno > di cui ti fidi. > Giuseppe, > > You are perfectly right, I read your draft too quickly. > > 1) The text mentions near the end: > > OAuth Status List can be accessed by a Verifier when an internet > connection is present. > > This does not correspond to the flows of the figure. > > 2) The text states: > > " The proof of possession MUST be signed with the private key > corresponding to the *public key* attested by the Issuer > and contained within the Credential". > > What about the support of "blinded link secrets" and "link secrets" (used > with anonymous credentials) ? > > 3) A major section is missing: "*Privacy considerations*". > > One of many privacy principles is: "unlinkability between verifiers". > > If or when the status attestation allows to support this privacy > principle, it should be indicated how it can be supported. > If or when it does not, this should be mentioned as well. > > Denis > > Ciao Denis, > > thank you for the quick reply and for your contribution. > The scope of the current draft is to provide a verifiable artifact that > give the proof that a specific credential is active, then not revoked. > > From your sequence diagram I read a digital credential issuance, while > this is not in the scope of the draft. > best > > > Il giorno gio 18 gen 2024 alle ore 10:26 Denis <denis.ietf@free.fr> ha > scritto: > > Typo: Change: "proof *or* origin of wallet instance" > into : "proof * of* origin of wallet instance". > > The figure has been corrected below. > > Denis > > Hi Giuseppe, > > The current figure in the Introduction from > draft-demarco-status-attestations-latest is: > > +-----------------+ +-------------------+ > | | Requests Status Attestation | | > | |---------------------------->| | > | Wallet Instance | | Credential Issuer | > | | Status Attestation | | > | |<----------------------------| | > +-----------------+ +-------------------+ > > > +-- ----------------+ +----------+ > | | Presents credential and | | > | Wallet Instance | Status Attestation | Verifier | > | |---------------------------->| | > +-------------------+ +----------+ > > IMO, using the vocabulary agreed during the last BoF video conference, > this figure should be modified as follows: > > > +------------+ > +-------------------+ > | | Requests *Digital Credential* | > | > | | and presents proof of knowledge of | > | > | | either a private key or a link secret | > | > | | and proof *of* origin of wallet instance | Credential > Issuer | > | Holder |--------------------------------------->| > | > | | | > | > | | *Digital Credential* | > | > | |<---------------------------------------| > | > +------------+ > +-------------------+ > > > +-- ---------+ > +-------------------+ > | | Presents *Credential proof* | > | > | Holder | | Verifier > | > | |--------------------------------------->| > | > +------------+ > +-------------------+ > > Denis > > > Hi Hannes, > > Thank you for your quick reaction and also to Orie for sharing. > I've submitted the draft, here: > https://datatracker.ietf.org/doc/draft-demarco-status-attestations/ > > > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-demarco-status-attestations%2F&e=bcb9f84b&h=6cfb1966&f=n&p=y> > Regarding the term Attestation: good point. We have decided to use this > term since in several IETF and OpenID drafts this term seems pretty > established, the term Attestation is found at least in the following > specifications: > - Attestation based client-authentication (it's in the title) > - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC > (wallet attestation) > - OpenID for Verifiable Presentations - draft 20 (verifier attestation) > - OpenID for Verifiable Credential Issuance (section "Trust between > Wallet and Issuer": Device Attestation) > > Meantime in the eIDAS Expert group this term is going to be changed to > "Wallet Trust Evidence". > > > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-demarco-status-attestations%2F&e=bcb9f84b&h=6cfb1966&f=n&p=y> > I don't have a strong opinion on what would be the best semantic for this, > I just have realized the functional difference between a Digital Credential > and an Attestation: > the first requires the user to be authenticated and give consent for using > the secure storage. The second is obtained with a machine2machine flow > where no user interaction is required, the secure storage is not required, > no user information is contained in it since the subject is the wallet > instance and not the user, it cannot be (re)used without the cryptographic > proof of possession. Probably a discussion could start about this term > aiming to align several specifications on the same terminology. I could say > that Status Attestation is a specific artifact defined for a specific > context, other attestations can be defined outside the functional perimeter > of this specification. Let's talk about it, it doesn't matters changing > terms (eventually mindsets on perceivable meanings). > > Here I share some notes I picked along the last two months about this > brand new individual draft: > > - it is related to digital credential only, I don't expect to use it in > legacy infrastructure different from wallet. I really don't need this kind > of mechanism in OIDC or any other traditional infrastructure since these > doesn't show the privacy issues the wallet ecosystem has; > - it would interesting mentioning in the introduction that's pratically an > ocsp stapling like mechanism, just to give some context (credit: Paul > Bastien); > - The Rationale section needs to clarify better problems and solutions, where > it seems that the problem does not exist or that it is weak. A review is > necessary to clearly bring the benefits; > - Editorials mistake are still along the reading. > > thank you for your time and interest, > best > > > > > > > Il giorno mer 17 gen 2024 alle ore 21:06 <hannes.tschofenig= > 40gmx.net@dmarc.ietf.org> ha scritto: > > Hi Guiseppe, Francesco, Orie, > > > > @Orie: Thanks for sharing the draft. > > > > As a quick reaction: It would be good to invent a new term for > “attestation” in draft-demarco-status-attestations.html because this term > is already widely used in a different context (see RFC 9334). > > > > @Guiseppe and Francesco: It would be great if you could submit your draft > to OAuth or SPICE for discussion. > > > > Ciao > > Hannes > > > > > > *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele > *Sent:* Mittwoch, 17. Jänner 2024 19:07 > *To:* spice@ietf.org > *Cc:* oauth <oauth@ietf.org> > *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations > > > > Hello Digital Credential Enthusiasts, > > See: > https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fpeppelinux.github.io%2Fdraft-demarco-status-attestations%2Fdraft-demarco-status-attestations.html&e=bcb9f84b&h=09ac1782&f=n&p=y> > > Note the use of the term digital credential, and the alignment to CWT > based credentials and CWT based credential status lists. > > As a quick summary of the editors draft above: > > It is basically a refresh-token-like approach to dynamic state, where the > holder retrieves updated state from the issuer at regular intervals, and > can then present that dynamic state directly to the verifier. > > This eliminates the herd privacy and phone home issues associated with W3C > Bitstring Status Lists. > > And it informs the holder of dynamic state, so the digital wallet can > provide a better user experience. > > However, an issuer (government or ngo) could use the interval of > requesting dynamic state, to track the holder... so the guidance from > https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/ > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-steele-spice-oblivious-credential-state%2F&e=bcb9f84b&h=31ec3f83&f=n&p=y> > > Is also relevant to this draft. > > I also learned that > https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fdatatracker.ietf.org%2Fdoc%2Fdraft-ietf-oauth-sd-jwt-vc%2F&e=bcb9f84b&h=1dd20f32&f=n&p=y> > > Has defined a new property for expressing "Verifiable Credential" "type" > `vct`, which is different from how W3C defines credential types. > > W3C uses the expanded IRI for the graph node type, based on the JSON-LD > context. > > For example with: > > { > "@context": [ > "https://www.w3.org/ns/credentials/v2 > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.w3.org%2Fns%2Fcredentials%2Fv2&e=bcb9f84b&h=f582aa55&f=n&p=y> > ", > "https://www.w3.org/ns/credentials/examples/v2 > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.w3.org%2Fns%2Fcredentials%2Fexamples%2Fv2&e=bcb9f84b&h=09fd0c99&f=n&p=y> > " > ], > "id": "http://university.example/credentials/1872 > <https://urlsand.esvalabs.com/?u=http%3A%2F%2Funiversity.example%2Fcredentials%2F1872&e=bcb9f84b&h=a4458b13&f=n&p=y> > ", > "type": ["VerifiableCredential", "ExampleAlumniCredential"], > ... > } > > The credential type in RDF becomes " > https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.w3.org%2Fns%2Fcredentials%2Fexamples%23ExampleAlumniCredential&e=bcb9f84b&h=d975b89f&f=n&p=y> > " > > Which is different from "ExampleAlumniCredential" in JSON... More evidence > that RDF leads to developer confusion regarding safe typing. > > The OAuth solution does not have this confusing issue, they set the type > explicitly: > > { > "vct": "https://credentials.example.com/identity_credential > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fcredentials.example.com%2Fidentity_credential&e=bcb9f84b&h=4de83001&f=n&p=y> > ", > "given_name": "John", > "family_name": "Doe", > "email": "johndoe@example.com", > "phone_number": "+1-202-555-0101", > "address": { > "street_address": "123 Main St", > "locality": "Anytown", > "region": "Anystate", > "country": "US" > }, > "birthdate": "1940-01-01", > "is_over_18": true, > "is_over_21": true, > "is_over_65": true, > "status": { > "status_attestation": { > "credential_hash_alg": "S256", > } > } > } > > Regards, > > OS > > -- > > > > > *ORIE STEELE *Chief Technology Officer > www.transmute.industries > <https://urlsand.esvalabs.com/?u=http%3A%2F%2Fwww.transmute.industries&e=bcb9f84b&h=5399df5d&f=n&p=y> > > > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Ftransmute.industries%2F&e=bcb9f84b&h=1f9092b6&f=n&p=y> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth > <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&e=bcb9f84b&h=b6441af9&f=n&p=y> > > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth <https://urlsand.esvalabs.com/?u=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Foauth&e=bcb9f84b&h=b6441af9&f=n&p=y> > > > > > > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth Digital Credential Status Attest… Orie Steele
- Re: [OAUTH-WG] OAuth Digital Credential Status At… hannes.tschofenig
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Leif Johansson
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Paul Bastian
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Watson Ladd
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] [SPICE] R: OAuth Digital Credentia… Oliver Terbu
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones