Re: [OAUTH-WG] Call for adoption - SD-JWT

David Chadwick <d.w.chadwick@verifiablecredentials.info> Tue, 02 August 2022 09:44 UTC

Message-ID: <7a4eaa5d-ec59-e13d-2d36-f8bcac48c0f2@verifiablecredentials.info>
Date: Tue, 02 Aug 2022 10:44:12 +0100
To: oauth@ietf.org
References: <CAGBSGjoAFr7E=m6i8qv8XWjkraApPxMsDxqWwyNRU5K51Gbq9Q@mail.gmail.com> <6F68CD19-E97D-4584-A12B-F5710A06C4C1@forgerock.com> <CAJot-L1dpuTGsm=yGy03LsUOhmr3GgZvaqGMyzgUB=mt=fBuVA@mail.gmail.com>
From: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Organization: Verifiable Credentials Ltd
In-Reply-To: <CAJot-L1dpuTGsm=yGy03LsUOhmr3GgZvaqGMyzgUB=mt=fBuVA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P7ZB1HGvSJ_QFuSsxPgbD9IkQMA>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT


On 01/08/2022 18:39, Warren Parad wrote:
> So the question is how many offline interactions are there, and what do those look like?

This to me is the key question. If the vast majority of transactions between the user/wallet and the RP are online (which I believe most will be), then the client/wallet/user can request a short-lived credential on demand from the RS containing just the claims that the RP is requesting. The same access token should be usable for this. This also solves the pair-wise ID issue between the wallet/user and the RP, as the user's key inserted into the credential will be ephemeral.

For those (possible few) transactions in which the wallet is offline, then the wallet has to obtain the (possibly selectively disclosed) credential before it is needed. But this is already the case today with boarding passes. I load it onto my phone whilst I am online at home, and then I present it offline at the airport e.g. via a QR code. So using this model the user can go to the RS when online, obtain a short lived selectively disclosed credential that they know will be needed later (e.g. age over 18 for entering a nightclub) and then present it offline when they arrive at the nightclub.

For those (possibly even fewer) transactions in which the user is suddenly caught offline, e.g. on the top of a mountain by a police officer, then I can see that the SD-JWT with blinded property names and values is a suitable solution. The user might have a few of these in their wallet, each being one-time use with a different key, that, once selectively disclosed, are discarded. The user/wallet can refresh the store periodically (or the wallet could do this automatically, ensuring that a small number are always present). These would also need to be relatively short lived, otherwise a revocation mechanism would need to be introduced (horror of horrors, especially on the top of a mountain with no access to the revocation list).

Kind regards

David
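Added illustration, not part of David Chadwick's message nor code from any SD-JWT draft: the Python below sketches the mechanism the message refers to, an issuer committing to salted digests of claim name/value pairs so that a holder can later disclose only some of them (here "age over 18"), with a short expiry standing in for revocation. HMAC-SHA256 is used in place of the issuer's JWS signature so the script runs on the standard library alone; the issuer URL, claim names, key and TTL values are constructed for the example.

```python
# Added example: SD-JWT-style selective disclosure over salted claim digests.
# Not code from the thread or from an SD-JWT draft. HMAC-SHA256 stands in for
# the issuer's JWS signature so that the script needs only the stdlib.
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value, salt: Optional[str] = None) -> str:
    """A disclosure is base64url(JSON [salt, claim name, claim value]).
    The random salt is what blinds both name and value: without it a verifier
    could guess low-entropy claims and test guesses against the digests."""
    salt = salt or b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    """The digest the issuer commits to: SHA-256 over the disclosure string."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, issuer_key: bytes, ttl_seconds: int,
          now: Optional[int] = None, decoys: int = 2):
    """Issuer side: commit to salted digests, sign, and hand the holder the
    signed part plus every disclosure. A short ttl_seconds is what lets the
    scheme do without a revocation mechanism."""
    now = int(time.time()) if now is None else now
    disclosures = [make_disclosure(name, value) for name, value in claims.items()]
    digests = [digest(d) for d in disclosures]
    # Decoy digests hide how many claims the holder chose not to disclose.
    digests += [digest(b64url(secrets.token_bytes(16))) for _ in range(decoys)]
    payload = {
        "iss": "https://issuer.example",  # constructed value
        "iat": now,
        "exp": now + ttl_seconds,
        "_sd_alg": "sha-256",
        "_sd": sorted(digests),  # sorted so position leaks nothing about a claim
    }
    body = b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    tag = b64url(hmac.new(issuer_key, body.encode("ascii"), hashlib.sha256).digest())
    return f"{body}.{tag}", disclosures


def present(signed: str, disclosures: list, reveal: set) -> str:
    """Holder side: append only the disclosures the verifier asked for."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return "~".join([signed, *chosen])


def verify(presentation: str, issuer_key: bytes, now: Optional[int] = None) -> dict:
    """Verifier side: check the issuer's signature and the expiry, then accept
    only disclosures whose digest the issuer actually committed to."""
    now = int(time.time()) if now is None else now
    signed, *chosen = presentation.split("~")
    body, tag = signed.split(".")
    expected = b64url(hmac.new(issuer_key, body.encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(tag, expected):
        raise ValueError("issuer signature does not verify")
    payload = json.loads(b64url_decode(body))
    if now >= payload["exp"]:
        raise ValueError("credential expired")
    committed = set(payload["_sd"])
    revealed = {}
    for d in chosen:
        if digest(d) not in committed:
            raise ValueError("disclosure was not committed to by the issuer")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return revealed


if __name__ == "__main__":
    key = secrets.token_bytes(32)
    signed, discs = issue({"given_name": "Alice", "age_over_18": True}, key, ttl_seconds=600)
    print(verify(present(signed, discs, {"age_over_18"}), key))
```

The verifier learns the revealed claims and nothing about the others beyond their (decoy-padded) count; a disclosure fabricated by the holder is rejected because its fresh salt produces a digest the issuer never signed, and the expiry check is the only freshness control, which is why the credentials in the message have to be short lived.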