Re: [OAUTH-WG] Call for adoption - SD-JWT
Warren Parad <wparad@rhosys.ch> Fri, 05 August 2022 10:25 UTC
Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id A046BC15A727 for <oauth@ietfa.amsl.com>; Fri, 5 Aug 2022 03:25:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.105
X-Spam-Level:
X-Spam-Status: No, score=-7.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id FA-27NOsVf5A for <oauth@ietfa.amsl.com>; Fri, 5 Aug 2022 03:25:17 -0700 (PDT)
Received: from mail-yb1-xb2f.google.com (mail-yb1-xb2f.google.com [IPv6:2607:f8b0:4864:20::b2f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 94984C159480 for <oauth@ietf.org>; Fri, 5 Aug 2022 03:25:17 -0700 (PDT)
Received: by mail-yb1-xb2f.google.com with SMTP id k12so3140229ybk.6 for <oauth@ietf.org>; Fri, 05 Aug 2022 03:25:17 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc; bh=JLm1T5v24Fx6NmHoK090ZqAb9il9mzX4d8hRbVFnjUg=; b=La2lnBdrvX9xuoprXKfN7QtVplHqUhlCoCsbBNLQgGjgAqInwHvsXbsclv14/tH7Wi asWHg1+Mf7l5PvufrZQXSTAHuZEePBjAarNe7j3vP2Z4wgee+FAraovZtOD9y5RqW6DL k77XxPqlX9dxQ3rff5W5HfrveCPJ/S2hIELV1RHiODmt0fYgPDc8ASNSfSgtrf+QAfzm 1rxpkxX9nOvLXaj2NMVjEhcA8v0NdYIeWUJVZTMoS8GCW0UfhjjwfrO7rOJnw1iBHWm+ XoS5e74SbCykWzET3kKJQgb2MrmTQKXc7PMKhVgbHxMqmwevBm3bJP/kd2Mrruhp5LhD p7ow==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc; bh=JLm1T5v24Fx6NmHoK090ZqAb9il9mzX4d8hRbVFnjUg=; b=aYyVIOQnRDuL2vdrqRM9/tfwIUEMCBk8NzAhbSKf+s/36gmOv9ZqUHTP/PuL1oYpd6 ym7sC1ZaeC6wYQ7Zolxc53hFELhaeZEa3IZpPbJvnKyDex3jITTj6/HPZbLqVGDloIi9 sOG3Os2RHjtp8BBvYifBwOQJEJNOcYLnXMyVVzlfNIiVOPECZzGXxKx087bbP/BQ34r8 hXQKkyz6OkjSEnOuXqDQ8apGy1eBpKGvVopcxkPdmWhc8HPE5dgk0FgoID84/9HjZLCd KL/FsRLlcp5R/eqq4hs9aRdyjHVyQpSLHC7+RBVEJ3gUcQhatUmjMsAIsrvxYF7ttWku VvIg==
X-Gm-Message-State: ACgBeo2CgoUSA/3O1Bap7NZ3owkVG2ndTJuPQ8WOxeJN4VEPDdeS977a 98zbdBP9QsD3V4GrztmlZ/yV0aAF/iMiKCiQ+e3Pp0iXcAqlqfs=
X-Google-Smtp-Source: AA6agR6ADKm+adNgXJEctsC8QEHOTMX1GdsBqpiwvD3TKxE3Wvd0GW97qxqEfWFcz6tTliU7Jmo54K10XcW1ZRecRac=
X-Received: by 2002:a25:7307:0:b0:671:73f0:f772 with SMTP id o7-20020a257307000000b0067173f0f772mr4307848ybc.567.1659695116298; Fri, 05 Aug 2022 03:25:16 -0700 (PDT)
MIME-Version: 1.0
References: <7f46f3f1-d384-37ef-9e76-8cb80995fb4c@verifiablecredentials.info> <1D2C56C5-8155-40A3-BC00-2EF7D12C9122@lodderstedt.net> <9c1c8d86-ed98-a4e3-e864-a00c82a24134@verifiablecredentials.info> <CAODMz5EKYo19JK8Zs0=UhCNdHZM9SddOpCNjqOAA=LpeMXPJ_Q@mail.gmail.com> <5c0091b0-a8ed-3690-fc86-3fa662af0d15@danielfett.de> <CAJot-L3ZQQa0Rragt+ds8bkhHtjXM1hMVgvcShGYxdxYFYAhhg@mail.gmail.com> <937ef7f5-163c-aaab-3f62-bdffb17bf150@danielfett.de> <CAJot-L2vBxsEhPt55o6cxrrdT1TvfWpQKwxGH49UnXK2FqG8Vg@mail.gmail.com> <BAA30BFB-A157-40AC-8199-A1FC0B3DF9DD@danielfett.de>
In-Reply-To: <BAA30BFB-A157-40AC-8199-A1FC0B3DF9DD@danielfett.de>
From: Warren Parad <wparad@rhosys.ch>
Date: Fri, 05 Aug 2022 12:25:05 +0200
Message-ID: <CAJot-L2+t-7-==+22=sqaC7y7A5O7yGzojRnJF5M8oUHSRJP6g@mail.gmail.com>
To: Daniel Fett <mail=40danielfett.de@dmarc.ietf.org>
Cc: Daniel Fett <fett@danielfett.de>, oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000d7c50705e57be102"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/IKZafOEAH9PSf9d4GFdoqvUalss>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2022 10:25:21 -0000
It's clear that good thought has been put into the core of it, more so than other drafts submitted, but not yet feature complete. For example there is no sense of how the private/public key exchange actually happens. In *holder binding *scenario, it isn't detailed how to actually include the public key in the sub_jwk claim, or what a "reference" to the public key actually means. Is the server an AS as in OAuth?, or are we building on top of another token creation standard? If it is OAuth, It isn't clear if we need a new indicator in the token response that tells us that the salt container is attached to the token and that it shouldn't blindly be passed along. It isn't clear from this discussion if we need token revocation. Assuming it is the OAuth token exchange that we are building on top of, there are lots of open questions of interoperability. I.e. Does the digest go in the access token? If it isn't OAuth, we don't have any guide on how to actually do the token generation, how to verify the signature of the token with the digest, and I'm sure there are more things. We don't need to have both in the same WG, that wasn't my point, the point is if there is a concrete reason that others aren't working on it, I wanted to know why. There are JWPs, I don't know anything about them, but it doesn't really matter if they have different approaches, different cryptos, etc... Let's look at the features, that's at the core of what matters. So far the only feature we've been able to nail down is *offline claim transmission*. Will JWPs support *offline claim transmission*? On Fri, Aug 5, 2022 at 11:55 AM Daniel Fett <mail= 40danielfett.de@dmarc.ietf.org> wrote: > It's not that the people I have spoken to didn't like the idea of SD-JWT. > It's just on a different layer than JWPs, using a different approach, > different crypto, providing different features, and on a different > timeline. There's no compelling reason to have both in the same WG. There > are nonetheless good reasons to have SD-JWT. Having SD-JWT in OAuth WG is > not an attempt to "backdoor" anything in! > > I also didn't say that we should adopt SD-JWT because it has been > implemented. You took my statement out of context. I wanted to underline > that the spec is practically feature-complete and can be implemented today, > providing the features promised. Meanwhile, JWP is not there yet. > > But, SD-JWT is not in production yet. If the OAuth WG decides that > substantial changes are required, now is the best time for that. > > Also, I wanted to highlight with my statement that SD-JWT is easy to > implement due to its simplicity. > > -Daniel > > Am 5. August 2022 11:28:49 MESZ schrieb Warren Parad <wparad= > 40rhosys.ch@dmarc.ietf.org>: >> >> Maybe they have a good reason for not wanting it, and then we shouldn't >> be the WG that backdoor's it in. Also: "other people have already >> implemented it" is a cognitive fallacy, so let's not use that as a >> justification we have to make the standard. >> >> We should get a concrete reason why a WG that seems like the appropriate >> one, thinks it wouldn't make sense. If it is just a matter of timing, then >> whatever. But if there are concrete recommendations from that group, I >> would love to hear them. >> >> On Fri, Aug 5, 2022 at 10:26 AM Daniel Fett <fett= >> 40danielfett.de@dmarc.ietf.org> wrote: >> >>> Am 05.08.22 um 10:22 schrieb Warren Parad: >>> >>> > and nobody involved in the JWP effort thinks that SD-JWT should be in >>> that WG once created >>> >>> Why? >>> >>> For the reasons listed, I guess? >>> >>> Also, mind the "As far as I am aware" part, but I don't remember any >>> discussions in that direction at IETF114. >>> >>> -Daniel >>> >>> _______________________________________________ >>> OAuth mailing list >>> OAuth@ietf.org >>> https://www.ietf.org/mailman/listinfo/oauth >>> >>
- [OAUTH-WG] Call for adoption - SD-JWT Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - SD-JWT Dick Hardt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Brian Campbell
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Steinar Noem
- Re: [OAUTH-WG] Call for adoption - SD-JWT Leif Johansson
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaromir Talir
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Waite
- Re: [OAUTH-WG] Call for adoption - SD-JWT Mike Jones
- Re: [OAUTH-WG] Call for adoption - SD-JWT Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - SD-JWT Wayne Chang
- Re: [OAUTH-WG] Call for adoption - SD-JWT Joseph Heenan
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Aaron Parecki
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Vittorio Bertocci
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Pieter Kasselman
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaromir Talir
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Mike Jones
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Waite
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kushal Das
- Re: [OAUTH-WG] Call for adoption - SD-JWT Nat Sakimura
- Re: [OAUTH-WG] Call for adoption - SD-JWT Christian Paquin
- Re: [OAUTH-WG] Call for adoption - SD-JWT Brian Campbell
- Re: [OAUTH-WG] Call for adoption - SD-JWT Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda