Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier
Denis <denis.ietf@free.fr> Tue, 31 October 2023 16:10 UTC
Message-ID: <bd054cc7-f8a0-6944-d447-a6360c390c6d@free.fr>
Date: Tue, 31 Oct 2023 17:10:48 +0100
To: mail@danielfett.de
References: <169807785056.8814.13239353071835579185@ietfa.amsl.com> <defbfabc-0a6c-4ae0-8cb2-a67d4d0315b5@danielfett.de> <ced0a8c1-a4b8-e790-f5ae-9e2ae3c631e2@free.fr> <4185c8f3-e8d4-48a0-9afc-b753e386a0d8@danielfett.de>
From: Denis <denis.ietf@free.fr>
Cc: oauth@ietf.org
In-Reply-To: <4185c8f3-e8d4-48a0-9afc-b753e386a0d8@danielfett.de>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OW_3VM0hmqO_Pe8GEJgctmTQtM0>
Hi Daniel,

> Hi Denis,
>
> a discussion on claims-based/biometric binding, probably what you're
> hinting at,

I am not hinting at a discussion "on claims-based/biometric binding".

> is out of the scope of this document, since we define neither
> mechanisms nor rules for that.
>
> This should be part of a discussion with a larger scope, like the
> Security & Trust document in OIDF's DCP group.

RFC 3552 (Guidelines for Writing RFC Text on Security Considerations) states in its Introduction section:

    All RFCs are required by RFC 2223 to contain a Security Considerations
    section. The purpose of this is both to encourage document authors to
    consider security in their designs and to inform the reader of relevant
    security issues.

Section 5 of RFC 3552 states:

    5. Writing Security Considerations Sections

    (...)

    There should be a clear description of the kinds of threats on the
    described protocol or technology. This should be approached as an
    effort to perform "due diligence" in describing *all known or
    foreseeable risks and threats* to potential implementers and users.

    Authors MUST describe
      1. which attacks are out of scope (and why!)
      2. which attacks are in-scope
        2.1 and the protocol is susceptible to
        2.2 and the protocol protects against

"Collaborative attacks against a Verifier" should be added to the Security Considerations section.

Denis

> -Daniel
>
> On 26.10.23 at 11:01, Denis wrote:
>> Hi All,
>>
>> Section 11.6. is about "Key Binding" which is indeed an important
>> security feature.
>> However, in the context of "selective disclosure" while this feature
>> is essential, it is insufficient.
>>
>> Let us take an example: If a Token indicates that an individual has
>> the nationality X, in case of a collusion between two individuals
>> and when using two pieces of software specifically developed for that
>> purpose, an individual would be able to compute and transmit
>> a Token to another individual for the benefit of that other
>> individual in order to cheat a Verifier. This is a collusion between
>> two individuals.
>>
>> The first individual may not have the knowledge of the private key
>> but since he has the use of the private key, he is in a position to sign
>> anything he wants. Since the Token does not include claims allowing
>> to uniquely identify the individual, "if he is not seen, he will not
>> be caught".
>>
>> "Collaborative attacks against a Verifier" should be added to the
>> Security Considerations section.
>>
>> There exist ways to counter collaborative attacks against a Verifier.
>> These ways should be mentioned in the core of the document.
>>
>> Denis
>>
>>> Hi all,
>>>
>>> this release of SD-JWT includes one important normative change,
>>> which is a hash in the key binding JWT to ensure the integrity of
>>> presentations. The second biggest change is that we restructured
>>> some sections of the document to make it more readable.
>>>
>>> As always, we're looking forward to discussing SD-JWT here on the
>>> mailing list and in Prague.
>>>
>>> -Daniel
>>>
>>> This is the full changelog:
>>>
>>> -06
>>>
>>> * Added hash of Issuer-signed part and Disclosures in KB-JWT
>>> * Fix minor issues in some examples
>>> * Added IANA media type registration request for the JSON Serialization
>>> * More precise wording around storing artifacts with sensitive data
>>> * The claim name _sd or ... must not be used in a disclosure.
>>> * Added JWT claims registration requests to IANA
>>> * Ensure claims that control validity are checked after decoding payload
>>> * Restructure sections around data formats and Example 1
>>> * Update JSON Serialization to remove the kb_jwt member and allow
>>>   for the disclosures to be conveyed elsewhere
>>> * Expand the Enveloping SD-JWTs section to also discuss enveloping
>>>   JSON serialized SD-JWTs
>>>
>>> On 23.10.23 at 18:17, internet-drafts@ietf.org wrote:
>>>> Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-06.txt is now
>>>> available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
>>>> the IETF.
>>>>
>>>> Title: Selective Disclosure for JWTs (SD-JWT)
>>>> Authors: Daniel Fett
>>>>          Kristina Yasuda
>>>>          Brian Campbell
>>>> Name: draft-ietf-oauth-selective-disclosure-jwt-06.txt
>>>> Pages: 90
>>>> Dates: 2023-10-23
>>>>
>>>> Abstract:
>>>>
>>>> This specification defines a mechanism for selective disclosure of
>>>> individual elements of a JSON object used as the payload of a JSON
>>>> Web Signature (JWS) structure. It encompasses various applications,
>>>> including but not limited to the selective disclosure of JSON Web
>>>> Token (JWT) claims.
>>>>
>>>> The IETF datatracker status page for this Internet-Draft is:
>>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>>>
>>>> There is also an HTML version available at:
>>>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-06.html
>>>>
>>>> A diff from the previous version is available at:
>>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-06
>>>>
>>>> Internet-Drafts are also available by rsync at:
>>>> rsync.ietf.org::internet-drafts
>>>>
>>>> _______________________________________________
>>>> OAuth mailing list
>>>> OAuth@ietf.org
>>>> https://www.ietf.org/mailman/listinfo/oauth
>>> --
>>> Please use my new email address: mail@danielfett.de
> --
> Please use my new email address: mail@danielfett.de
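As an added example, not code from the draft, the thread or its authors, the two hash checks a Verifier performs on an SD-JWT presentation under the -06 change quoted in the changelog ("Added hash of Issuer-signed part and Disclosures in KB-JWT"): the digests in `_sd` tie each presented Disclosure to the Issuer's signature, and the KB-JWT's hash over the Issuer-signed JWT and the presented Disclosures ties that exact set to the Key Binding, so a Disclosure cannot be swapped after the Holder signed. Assumptions: the KB-JWT hash claim is named `sd_hash` as in the published specification (the -06 text is the version under discussion), the `typ` and `alg` header values, issuer and verifier URLs, nonce and claim values are constructed, and JWS signature verification with the Issuer and Holder keys is assumed to be done by a JOSE library and is not shown (the signature segment is a placeholder).

```python
import base64, hashlib, json, secrets
def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")
def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
def digest(disclosure: str) -> str:
    # Digest listed in _sd: base64url(sha-256(ascii(Disclosure)))
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def sd_hash(issuer_jwt: str, disclosures: list) -> str:
    # KB-JWT hash input: <Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~
    data = issuer_jwt + "~" + "".join(d + "~" for d in disclosures)
    return b64url(hashlib.sha256(data.encode("ascii")).digest())

def compact_jws(payload: dict, typ: str) -> str:
    # Compact JWS shape; the signature segment is a constructed placeholder (JOSE verification not shown).
    header = b64url(json.dumps({"alg": "ES256", "typ": typ}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}.PLACEHOLDER_SIG"

def issue(claims: dict) -> tuple:
    # Disclosure = base64url(JSON [salt, name, value]); the Issuer signs only the sorted digests.
    disclosures = [b64url(json.dumps([b64url(secrets.token_bytes(16)), k, v]).encode())
                   for k, v in claims.items()]
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures), "cnf": {"jwk": "<holder key>"}}
    return compact_jws(payload, "sd-jwt"), disclosures

def present(issuer_jwt: str, selected: list, aud: str, nonce: str) -> str:
    # Holder: the KB-JWT commits to exactly this Issuer-signed JWT and these Disclosures.
    kb = compact_jws({"aud": aud, "nonce": nonce, "sd_hash": sd_hash(issuer_jwt, selected)}, "kb+jwt")
    return "~".join([issuer_jwt, *selected, kb])

def payload_of(jws: str) -> dict:
    return json.loads(b64url_decode(jws.split(".")[1]))
def verify(presentation: str, aud: str, nonce: str) -> dict:
    # Verifier: return the disclosed claims, or raise ValueError if a binding check fails.
    issuer_jwt, *disclosures, kb_jwt = presentation.split("~")
    issuer, kb = payload_of(issuer_jwt), payload_of(kb_jwt)
    if kb.get("aud") != aud or kb.get("nonce") != nonce:
        raise ValueError("KB-JWT is not bound to this Verifier and transaction")
    if kb.get("sd_hash") != sd_hash(issuer_jwt, disclosures):
        raise ValueError("sd_hash mismatch: Disclosures changed after Key Binding")
    claims = {}
    for d in disclosures:
        if digest(d) not in issuer["_sd"]:
            raise ValueError("Disclosure is not covered by the Issuer's signature")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims
```

Even with the real signatures verified, passing these checks shows only that the presenter controls the Holder's key; they cannot tell the Holder apart from someone the Holder lets use that key, which is the gap Denis's message describes.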