[OAUTH-WG] Re: WGLC for SD-JWT

Judith Kahrer <judith.kahrer@curity.io> Thu, 05 September 2024 13:47 UTC

Return-Path: <judith.kahrer@curity.io>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D967C14F714 for <oauth@ietfa.amsl.com>; Thu, 5 Sep 2024 06:47:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.106
X-Spam-Level:
X-Spam-Status: No, score=-2.106 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=curity.io
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id COYottsUNuWU for <oauth@ietfa.amsl.com>; Thu, 5 Sep 2024 06:47:08 -0700 (PDT)
Received: from mail-lj1-x22e.google.com (mail-lj1-x22e.google.com [IPv6:2a00:1450:4864:20::22e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 17803C16943C for <oauth@ietf.org>; Thu, 5 Sep 2024 06:47:08 -0700 (PDT)
Received: by mail-lj1-x22e.google.com with SMTP id 38308e7fff4ca-2f409c87b07so10756701fa.0 for <oauth@ietf.org>; Thu, 05 Sep 2024 06:47:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=curity.io; s=google; t=1725544026; x=1726148826; darn=ietf.org; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :from:to:cc:subject:date:message-id:reply-to; bh=nPHzm3mK6EknUpd7Ta0So6Ypg31Ys3miRSieYw5MpiA=; b=QgkwCzH3fEIsDl3AJaWu9DQCQqStb9n8vVuUFXlA3ektxJV6l1ABIHImxFfYIrhE/A IEQWaokdkNaLlqvv5jPqF3TL6XuRuLKMJ1CEAqIzT/VInekJidgfjBeqmT60/FugWaas 0NJS/yuI+J7Gq+gIT+oWQ4DBK/RPy+4to5LnGXW+USk7V3IFxhc2OdfBp1SDKxERljnK xMx+Bgnm3OCGXHfy3V08CX6hmgUXDWfbjZLJdNW1vYq9dUOvLa2ntBhtX2J84JpoZWI0 HEN+huQ2w7Rav7QyRoYltDQXq9maWzqnElrW++BncxUNAQla90w74vFc6C/PEJ4eLrQZ kfQA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1725544026; x=1726148826; h=message-id:in-reply-to:to:references:date:subject:mime-version:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=nPHzm3mK6EknUpd7Ta0So6Ypg31Ys3miRSieYw5MpiA=; b=oBtQvGBuPlbxxovfcXQRUOSImcP0BWgx/UG+JpkYAGFANZC3/9OcaP4S3+qqxYSqBc iY40RmX1uJ8AFHuO1OoXrLp6yBETaQ7aLP2LAL4dXz8srWsxKTYIJQKeqLuiSWK7P7TS 6cK5YE7NIBY8efv51dhmxuuopxhaBx0EeehvN4aG6FH/fIFdzVkK+CnltEpqCx74L5Ko bwyEyYmaA9pJxpMC6Vl5/wvIVwkMquJubN7D9shhFeOTm7I5zfZ373RBGaYKVx4W/ZY4 +mNHrhU+SlVx5du4aXGjAFi1z+IuHDvofR0rVY/FfRAaqzdMuH4xrOOKefm3ALsgirjX LntQ==
X-Gm-Message-State: AOJu0YyHDCNwvIkalkydlZgt4rBVVDAxSHyjYqIx4xZ2DA8ueWn0txTJ 33BExFwl5/U0ZlX9KRaLw2YfmLkeuFaFv7Ey804bhCg8iZpcMAeBzp5E0XtrPJDMLQsQSAXPaZu R
X-Google-Smtp-Source: AGHT+IHP4zigxl5e2E7etUx/k6YoQwnnAkJl6xNL/S8fMLVMBnrXO0hV5Do51cOLaVuvhokvfJ40/Q==
X-Received: by 2002:a05:651c:4cb:b0:2f6:2858:a0b4 with SMTP id 38308e7fff4ca-2f62858a308mr124239211fa.19.1725544025894; Thu, 05 Sep 2024 06:47:05 -0700 (PDT)
Received: from smtpclient.apple (h-82-196-111-212.NA.cust.bahnhof.se. [82.196.111.212]) by smtp.gmail.com with ESMTPSA id 38308e7fff4ca-2f614ed1565sm28220781fa.6.2024.09.05.06.47.05 for <oauth@ietf.org> (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Thu, 05 Sep 2024 06:47:05 -0700 (PDT)
From: Judith Kahrer <judith.kahrer@curity.io>
Content-Type: multipart/alternative; boundary="Apple-Mail=_C2C25ACC-3B00-4716-A020-8908A389176C"
Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3776.700.51\))
Date: Thu, 05 Sep 2024 15:46:55 +0200
References: <CADNypP_BESkJTXfuv=G9HnLcGwhpSYRggYDZxzaq6-6AaARh0w@mail.gmail.com> <CA+k3eCQOofXBSFz_Ob6y1ZCWjnx4agvFuMOFc6vNWP4c93XTJw@mail.gmail.com> <CAD9ie-s4mhFkdTZ1G_+M4SNnTe14moiR-az+UE7JL5_dfQxYKg@mail.gmail.com>
To: oauth <oauth@ietf.org>
In-Reply-To: <CAD9ie-s4mhFkdTZ1G_+M4SNnTe14moiR-az+UE7JL5_dfQxYKg@mail.gmail.com>
Message-Id: <2E8EB0D2-E6E3-4D7B-9216-C2EFCD2929C4@curity.io>
X-Mailer: Apple Mail (2.3776.700.51)
Message-ID-Hash: EDXGYLZBSTBEXJMBNZ3PTQHY55AWEHN7
X-Message-ID-Hash: EDXGYLZBSTBEXJMBNZ3PTQHY55AWEHN7
X-MailFrom: judith.kahrer@curity.io
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: WGLC for SD-JWT
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Q9DFVHsyOHW2slL3jzqgxJeDTgQ>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

I agree, I also think the intro is hard to read. There are some more points that I want to add with regard to the introduction:

> The JSON-based representation of claims in a signed JWT is secured against modification using JWS digital signatures. A consumer of a signed JWT that has checked the signature can safely assume that the contents of the token have not been modified. However, anyone receiving an unencrypted JWT can read all the claims. Likewise, anyone with the decryption key receiving encrypted JWT can also read all the claims.

Regarding “a consumer of a signed JWT that has checked the signature”, I believe, it should say “that has validated the signature”.

> Similar to the JWT specification on which it builds, this document is a product of the Web Authorization Protocol (OAuth) working group. However, while both JWT and SD-JWT have potential OAuth 2.0 applications, their utility and application is certainly not constrained to OAuth 2.0. JWT was developed as a general-purpose token format and has seen widespread usage in a variety of applications. SD-JWT is a selective disclosure mechanism for JWT and is similarly intended to be general-purpose specification.

I believe, there is a typo in the last sentence of the paragraph. It should say “[…] to be a general-purpose specification.”

> While JWTs with claims describing natural persons are a common use case, the mechanisms defined in this document are also applicable to other use cases.

Repeating the “general-purpose specification”. Suggest to remove the sentence.

> In an SD-JWT, claims can be hidden, but cryptographically protected against undetected modification. "Claims" here refers to both object properties (name/value pairs) as well as array elements. When issuing the SD-JWT to the Holder, the Issuer includes the cleartext counterparts of all hidden claims, the so-called Disclosures, outside the signed part of the SD-JWT. 

I don’t see the contradiction between “hiding” and “cryptographic protection”. Should it say “and cryptographically protected” instead of “but”?
I find it confusing to use the term “claims” for two different things. I think, it would be more clear to use the term claim as defined in RFC 7519 (that is a name/value pair consisting of a Claim Name and Claim Value) and not to overload it. I also think, that the introduction does not have to list all the features, i.e. it’s ok to omit the fact that SD-JWT allows for hiding individual elements in an array.

> The Holder decides which claims to disclose to a particular Verifier and includes the respective Disclosures in the SD-JWT to that Verifier. The Verifier has to verify that all disclosed claim values were part of the original Issuer-signed JWT. The Verifier will not, however, learn any claim values not disclosed in the Disclosures.

To my understanding, there is no “originally Issuer-signed JWT” in an SD-JWT but simply an “Issuer-signed JWT”. Suggest to remove “originally” from the phrase. Also, “Issuer-signed JWT” appears out of the blue as it has not been introduced yet. 
The statement "The Verifier will not, however, learn any claim values not disclosed in the Disclosures.” is technically not true because the Verifier will still learn any “cleartext claims”. Suggest to update to "The Verifier will not, however, learn any hidden claim values not disclosed in the Disclosures.”

Regards,
Judith

> On 4 Sep 2024, at 14:24, Dick Hardt <dick.hardt@gmail.com> wrote:
> 
> A while ago in an in-person meeting I provided feedback that the introduction was difficult to parse. It still is. A few comments inserted to illustrate.
> 
> I'll raise my hand to provide alternative text if the authors are interested.
> 
> /Dick
>  1. Introduction
> This document specifies conventions for creating JSON Web Signature (JWS) [RFC7515] structures with JSON [RFC8259] objects as the payload while supporting selective disclosure of individual elements of that JSON. Because JSON Web Token (JWT) [RFC7519] is a very prevalent application of JWS with a JSON payload, the selective disclosure of JWT claims receives primary treatment herein. However, that does not preclude the mechanism's applicability to other applications of JWS with JSON payloads.
> 
> The last two sentences add alot of noise to the first paragraph of what this document is all about
>  The JSON-based representation of claims in a signed JWT is secured against modification using JWS digital signatures. A consumer of a signed JWT that has checked the signature can safely assume that the contents of the token have not been modified. However, anyone receiving an unencrypted JWT can read all the claims. Likewise, anyone with the decryption key receiving encrypted JWT can also read all the claims.
>  One of the common use cases of a signed JWT is representing a user's identity. As long as the signed JWT is one-time use, it typically only contains those claims the user has consented to disclose to a specific Verifier. However, there is an increasing number of use cases where a signed JWT is created once and then used a number of times by the user (the "Holder" of the JWT). In such use cases, the signed JWT needs to contain the superset of all claims the user of the signed JWT might want to disclose to Verifiers at some point. The ability to selectively disclose a subset of these claims depending on the Verifier becomes crucial to ensure minimum disclosure and prevent Verifiers from obtaining claims irrelevant for the transaction at hand. SD-JWTs defined in this document enable such selective disclosure of JWT claims.
>  One example of a multi-use JWT is an Issuer-signed credential that contains the claims about a subject, and whose authenticity can be cryptographically verified.
> Similar to the JWT specification on which it builds, this document is a product of the Web Authorization Protocol (OAuth) working group. However, while both JWT and SD-JWT have potential OAuth 2.0 applications, their utility and application is certainly not constrained to OAuth 2.0. JWT was developed as a general-purpose token format and has seen widespread usage in a variety of applications. SD-JWT is a selective disclosure mechanism for JWT and is similarly intended to be general-purpose specification.
> While JWTs with claims describing natural persons are a common use case, the mechanisms defined in this document are also applicable to other use cases.
> 
> The above paragraphs are background on what problem is being solved -- but the writing is difficult to follow
>  In an SD-JWT, claims can be hidden, but cryptographically protected against undetected modification. "Claims" here refers to both object properties (name/value pairs) as well as array elements. When issuing the SD-JWT to the Holder, the Issuer includes the cleartext counterparts of all hidden claims, the so-called Disclosures, outside the signed part of the SD-JWT.
> 
>  The Holder decides which claims to disclose to a particular Verifier and includes the respective Disclosures in the SD-JWT to that Verifier. The Verifier has to verify that all disclosed claim values were part of the original Issuer-signed JWT. The Verifier will not, however, learn any claim values not disclosed in the Disclosures.
> 
> The Holder and Verifier terms are being introduced here with no context. The key difference in an SD-JWT and a JWT that the claims are encrypted in what is signed is not clearly obvious. 
>  This document also defines a format for SD-JWTs with Key Binding (SD-JWT+KB). By optionally sending an SD-JWT+KB to a Verifier, the Holder can prove to the Verifier that they hold the private key associated to the SD-JWT (i.e., using the cnf claim [RFC7800]). The strength of the binding is conditional upon the trust in the protection of the private key of the key pair an SD-JWT is bound to.
> 
> This does not read as an introduction. Assumes significant knowledge of why this is useful. 
>  
> SD-JWT can be used with any JSON-based representation of claims.
> 
> repetitive from start of intro
>  This specification aims to be easy to implement and to leverage established and widely used data formats and cryptographic algorithms wherever possible.Fluff -- are there specifications that aim to be difficult to implement?
> 
> 
> On Tue, Sep 3, 2024 at 4:06 PM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> Thanks Rifaat & Hannes,
> 
> In an effort to make the most up-to-date content available for the WGLC period, a -12 revision was just recently published, which contains a number of editorial improvements.  
> 
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-12.html 
> 
> Respectfully,
>  Brian, Kristina, and Dr. Fett 
> 
> 
> 
> On Tue, Sep 3, 2024 at 4:40 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
> All,
> 
> As per the discussion in Vancouver, this is a WG Last Call for the SD-JWT document.
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-11.html
> 
> Please, review this document and reply on the mailing list if you have any comments or concerns, by Sep 17th.
> 
> Regards,
>   Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
> 
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited.  If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you._______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org