Re: [OAUTH-WG] Call for adoption - SD-JWT
David Chadwick <d.w.chadwick@verifiablecredentials.info> Tue, 02 August 2022 09:44 UTC
Message-ID: <7a4eaa5d-ec59-e13d-2d36-f8bcac48c0f2@verifiablecredentials.info>
Date: Tue, 02 Aug 2022 10:44:12 +0100
To: oauth@ietf.org
References: <CAGBSGjoAFr7E=m6i8qv8XWjkraApPxMsDxqWwyNRU5K51Gbq9Q@mail.gmail.com> <6F68CD19-E97D-4584-A12B-F5710A06C4C1@forgerock.com> <CAJot-L1dpuTGsm=yGy03LsUOhmr3GgZvaqGMyzgUB=mt=fBuVA@mail.gmail.com>
From: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Organization: Verifiable Credentials Ltd
In-Reply-To: <CAJot-L1dpuTGsm=yGy03LsUOhmr3GgZvaqGMyzgUB=mt=fBuVA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P7ZB1HGvSJ_QFuSsxPgbD9IkQMA>
> So the question is how many offline interactions are there, and what do those look like?
This to me is the key question. If the vast majority of transactions between the user/wallet and the RP are online (which I believe most will be), then the client/wallet/user can request a short-lived credential on demand from the RS containing just the claims that the RP is requesting. The same access token should be usable for this. This also solves the pair-wise ID issue between the wallet/user and the RP, as the user's key inserted into the credential will be ephemeral.
For those (possibly few) transactions in which the wallet is offline, the wallet has to obtain the (possibly selectively disclosed) credential before it is needed. But this is already the case today with boarding passes. I load it onto my phone whilst I am online at home, and then I present it offline at the airport, e.g. via a QR code. So using this model the user can go to the RS when online, obtain a short-lived selectively disclosed credential that they know will be needed later (e.g. age over 18 for entering a nightclub) and then present it offline when they arrive at the nightclub.
For those (possibly even fewer) transactions in which the user is suddenly caught offline, e.g. on the top of a mountain by a police officer, then I can see that the SD-JWT with blinded property names and values is a suitable solution. The user might have a few of these in their wallet, each being one-time use with a different key, that once selectively disclosed are discarded. The user/wallet can refresh the store periodically (or the wallet could do this automatically, ensuring that a small number are always present). These would also need to be relatively short-lived, otherwise a revocation mechanism would need to be introduced (horror of horrors, especially on the top of a mountain with no access to the revocation list).
Kind regards
David
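The offline model sketched in the message above (a pre-issued, short-lived credential with salted-hash blinded claim names and values, one-time use under a distinct holder key, discarded after presentation, with expiry standing in for revocation) as an added worked example. This is editor-supplied illustration code, not code from the message, from the SD-JWT draft, or from any wallet project. It uses an HMAC over the JWS-style header and body as a stand-in for the issuer's real asymmetric signature, a bare `kid` string in `cnf` as a stand-in for holder key binding, an issuer URL `https://issuer.example`, and constructed claim values; all of those are assumptions for the example.

```python
"""Selective disclosure in the SD-JWT style: salted hashes in the credential,
disclosures carried alongside it, expiry checked offline, one credential per
presentation.  Editor's example with simplified signing (HMAC stand-in)."""
import base64
import hashlib
import hmac
import json
import os
import time

# Stand-in for the issuer's signing key (a real issuer would use an asymmetric JWS key).
ISSUER_KEY = b"constructed-issuer-key"
ISSUER = "https://issuer.example"  # assumed issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_disclosure(name, value, salt=None) -> str:
    """A disclosure is base64url([salt, claim name, claim value]); the salt blinds
    both the name and the value, so the digest alone reveals nothing guessable."""
    salt = salt or os.urandom(16)
    return b64url(json.dumps([b64url(salt), name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    # SHA-256 over the ASCII bytes of the base64url-encoded disclosure.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def sign(payload: dict) -> str:
    header = b64url(json.dumps({"alg": "HS256", "typ": "sd+jwt"}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":"), sort_keys=True).encode())
    sig = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(sig)}"


def issue(claims: dict, holder_kid: str, lifetime_s: int, now=None):
    """Issuer side: every claim becomes a blinded digest in `_sd`; the credential is
    bound to one holder key and expires after `lifetime_s` seconds (no revocation)."""
    now = now or int(time.time())
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {
        "iss": ISSUER,
        "iat": now,
        "exp": now + lifetime_s,
        "cnf": {"kid": holder_kid},           # simplified holder binding
        "_sd": sorted(digest(d) for d in disclosures.values()),  # order hides nothing
        "_sd_alg": "sha-256",
    }
    return sign(payload), disclosures


def present(sd_jwt: str, disclosures: dict, reveal) -> str:
    """Holder side: attach only the disclosures the RP asked for."""
    return "~".join([sd_jwt] + [disclosures[n] for n in reveal]) + "~"


def verify(presentation: str, now=None):
    """Verifier side, fully offline: issuer signature, expiry, and that each disclosure
    hashes to a digest the issuer actually committed to."""
    now = now or int(time.time())
    parts = presentation.split("~")
    sd_jwt, discs = parts[0], [p for p in parts[1:] if p]
    header, body, sig = sd_jwt.split(".")
    expected = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url_decode(sig), expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(body))
    if now >= payload["exp"]:
        raise ValueError("credential expired")
    committed = set(payload["_sd"])
    revealed = {}
    for d in discs:
        if digest(d) not in committed:
            raise ValueError("disclosure not bound to credential")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return payload["cnf"]["kid"], revealed


def verification_error(presentation: str, now=None):
    """Return the rejection reason, or None if the presentation verifies."""
    try:
        verify(presentation, now=now)
        return None
    except ValueError as e:
        return str(e)


class Wallet:
    """Keeps a small stock of pre-issued one-time credentials, each under a fresh
    holder key id so two RPs cannot correlate the user; a credential is dropped
    from the store as soon as it is presented."""

    def __init__(self):
        self.store = []

    def top_up(self, claims: dict, target=3, lifetime_s=3600):
        while len(self.store) < target:
            kid = "holder-key-" + b64url(os.urandom(6))  # fresh, unlinkable key id
            self.store.append(issue(claims, kid, lifetime_s))

    def present_once(self, reveal) -> str:
        sd_jwt, discs = self.store.pop()
        return present(sd_jwt, discs, reveal)
```

Because every claim is individually salted, the nightclub verifier in the example learns only `age_over_18` and the holder key id; the credential body carries digests, never the names or values. The expiry check is what keeps the verifier from needing a revocation list, which is exactly the trade the message describes.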