[OAUTH-WG] Re: SD-JWT VC Issuer Signature Profiles/Mechanisms/Somethings

Brian Campbell <bcampbell@pingidentity.com> Tue, 10 June 2025 21:10 UTC

References: <CA+k3eCTnWQQjbO+WeYNG=gx268wnV2DSu8zSrSvbn8n38zeqkg@mail.gmail.com>
In-Reply-To: <CA+k3eCTnWQQjbO+WeYNG=gx268wnV2DSu8zSrSvbn8n38zeqkg@mail.gmail.com>
From: Brian Campbell <bcampbell@pingidentity.com>
Date: Tue, 10 Jun 2025 15:09:33 -0600
Message-ID: <CA+k3eCT-0NOQSZRw3TMBBQVWX=XpQC8RwhYdkd0KQ6BqLeKsiw@mail.gmail.com>
To: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] Re: SD-JWT VC Issuer Signature Profiles/Mechanisms/Somethings
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/RgJNoMaOjLOOA2YpOasIUnaLEoc>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>

Some of those pesky details of life came up again, and it took me longer to
get to this than I'd hoped, but this pull request has this work:
https://github.com/oauth-wg/oauth-sd-jwt-vc/pull/316

Copied from the PR description, here are some highlights of this proposed
change:

   - Renames 'Issuer-signed JWT Verification Key Validation' to 'Issuer
   Signature Mechanisms' and reworks some text accordingly.
   - Provides a web-based metadata resolution mechanism and an inline x509
   mechanism.
   - A DID-based mechanism is not explicitly provided but still possible
   via profile/extension.
   - Is more explicit that the employed Issuer Signature Mechanism has to
   be one that is permitted for the Issuer according to policy.
   - Is more clear that one permitted Issuer Signature Mechanism is
   sufficient.



On Fri, Apr 25, 2025 at 4:28 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> While not new, the subject of how an issuer signs an SD-JWT VC and how a
> verifier properly finds the public key and checks the signature has come
> more into focus recently. Slides 7 and 8 of the SD-JWT VC presentation at
> the Friday WG session
> <https://datatracker.ietf.org/meeting/122/materials/slides-122-oauth-sessb-sd-jwt-vc-00>
> of the last IETF were about PRs/issues/ideas in the area. During the
> session I'd indicated intent to work towards generally what was presented
> there. However, after the session some of the pesky details of life came up
> and I'd not gotten to acting on that intent. In the meantime, Oliver
> proposed some thoughts on the same topic in this google doc
> <https://docs.google.com/document/d/1rROkQ8V0azVpXrab7M2CmVkh5EKZxrm4rwYSlNbI2MY/edit?usp=sharing>
> that could pretty much obviate what I was otherwise planning on doing.
> While I did add a metric junkload of comments to that document, I do think
> it's conceptually the right direction and am now planning on working from
> the content and discussion therein as the basis for upcoming changes.
>

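The last three bullets of the PR summary describe verifier behaviour: determine which Issuer Signature Mechanism the credential relies on, accept it only if policy permits that mechanism for that issuer, then resolve the key and check the signature. The following is an added, runnable Go sketch of that flow written for this page; it is not code from the pull request, the draft, or its authors. The mechanism labels, the issuers, keys and certificates, the in-memory stand-in for fetching each issuer's well-known JWT VC Issuer Metadata, and the self-signed trust anchors are all constructed for the demo. Two checks go beyond what the message states and are my additions: pinning `alg` to ES256 and requiring the `x5c` leaf to carry a dNSName SAN matching `iss` (the URI-SAN form and intermediate certificates are left out).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math/big"
	"net/url"
	"strings"
	"time"
)

// Labels for the two mechanisms the PR text lists; the names are this example's own, not the draft's.
const (
	MechWeb  = "web-metadata" // key resolved from issuer-hosted JWT VC Issuer Metadata
	MechX509 = "x509"         // key taken from the x5c chain in the JWS protected header
)

type header struct {
	Alg string   `json:"alg"`
	Kid string   `json:"kid,omitempty"`
	X5c []string `json:"x5c,omitempty"`
}

// Verifier holds the trust-framework inputs: mechanisms permitted per issuer, an offline stand-in for each
// issuer's https://<iss>/.well-known/jwt-vc-issuer JWKS (iss -> kid -> key), and the roots trusted for x5c.
type Verifier struct {
	Policy   map[string]map[string]bool
	Metadata map[string]map[string]*ecdsa.PublicKey
	Roots    *x509.CertPool
}

var b64 = base64.RawURLEncoding

// issue signs an issuer-signed JWT with ES256 (raw r||s signature); the trailing "~" ends the issuer part of an SD-JWT.
func issue(priv *ecdsa.PrivateKey, hdr header, claims map[string]any) string {
	hj, _ := json.Marshal(hdr)
	cj, _ := json.Marshal(claims)
	input := b64.EncodeToString(hj) + "." + b64.EncodeToString(cj)
	digest := sha256.Sum256([]byte(input))
	r, s, err := ecdsa.Sign(rand.Reader, priv, digest[:])
	if err != nil {
		panic(err)
	}
	sig := make([]byte, 64)
	r.FillBytes(sig[:32])
	s.FillBytes(sig[32:])
	return input + "." + b64.EncodeToString(sig) + "~"
}

// resolveKey obtains the issuer key the way the selected mechanism dictates, never from header material alone.
func (v Verifier) resolveKey(mech string, hdr header, iss string) (*ecdsa.PublicKey, error) {
	u, err := url.Parse(iss)
	if err != nil || u.Scheme != "https" {
		return nil, errors.New("iss must be an https URL")
	}
	if mech == MechWeb { // a real verifier fetches the metadata document, checks its "issuer" == iss, then looks up kid in its JWKS
		if pub, ok := v.Metadata[iss][hdr.Kid]; ok {
			return pub, nil
		}
		return nil, fmt.Errorf("no key %q in metadata for %s", hdr.Kid, iss)
	}
	der, err := base64.StdEncoding.DecodeString(hdr.X5c[0]) // x5c[0] is the leaf, standard base64 DER
	leaf, perr := x509.ParseCertificate(der)
	if err != nil || perr != nil {
		return nil, errors.New("bad x5c leaf certificate")
	}
	// The chain must reach a trusted root AND the leaf must be bound to iss (dNSName SAN here; URI SANs and the
	// intermediates in x5c[1:] are left out). Without the binding, any trusted certificate could sign as iss.
	opts := x509.VerifyOptions{Roots: v.Roots, DNSName: u.Hostname(), KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return nil, err
	}
	if pub, ok := leaf.PublicKey.(*ecdsa.PublicKey); ok {
		return pub, nil
	}
	return nil, errors.New("leaf key is not an EC key")
}

// Verify checks the issuer-signed JWT of an SD-JWT VC and reports which mechanism accepted it.
func (v Verifier) Verify(sdjwt string) (map[string]any, string, error) {
	parts := strings.Split(strings.SplitN(sdjwt, "~", 2)[0], ".")
	if len(parts) != 3 {
		return nil, "", errors.New("malformed issuer-signed JWT")
	}
	hb, e1 := b64.DecodeString(parts[0])
	pb, e2 := b64.DecodeString(parts[1])
	sig, e3 := b64.DecodeString(parts[2])
	var hdr header
	var claims map[string]any
	if e1 != nil || e2 != nil || e3 != nil || len(sig) != 64 ||
		json.Unmarshal(hb, &hdr) != nil || json.Unmarshal(pb, &claims) != nil {
		return nil, "", errors.New("bad JWS encoding")
	}
	iss, _ := claims["iss"].(string)
	if hdr.Alg != "ES256" || iss == "" { // pin alg: header content is attacker-controlled until the signature checks out
		return nil, "", errors.New("unsupported alg or missing iss")
	}
	// 1. Which mechanism does the token rely on? An x5c header means x509, otherwise web-based metadata.
	mech := MechWeb
	if len(hdr.X5c) > 0 {
		mech = MechX509
	}
	// 2. Policy gate: the mechanism must be one permitted for this issuer (one permitted mechanism suffices).
	if !v.Policy[iss][mech] {
		return nil, mech, fmt.Errorf("mechanism %s not permitted for %s", mech, iss)
	}
	// 3. Resolve the key through that mechanism, then 4. verify the signature over header.payload.
	pub, err := v.resolveKey(mech, hdr, iss)
	if err != nil {
		return nil, mech, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if !ecdsa.Verify(pub, digest[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return nil, mech, errors.New("invalid signature")
	}
	return claims, mech, nil
}

// selfSigned builds a constructed leaf certificate bound to host; in the demo it is also its own trust anchor.
func selfSigned(priv *ecdsa.PrivateKey, host string) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Scenarios issues constructed tokens (made-up issuers, keys and claims) and reports which ones verify.
func Scenarios() map[string]bool {
	const webIss, x5cIss = "https://web-issuer.example", "https://x509-issuer.example"
	webKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	x5cKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rogueKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	x5cCert, rogueCert := selfSigned(x5cKey, "x509-issuer.example"), selfSigned(rogueKey, "rogue.example")
	roots := x509.NewCertPool()
	roots.AddCert(x5cCert)
	roots.AddCert(rogueCert) // trusted by the verifier, but bound to rogue.example, not to any issuer
	v := Verifier{
		Policy:   map[string]map[string]bool{webIss: {MechWeb: true}, x5cIss: {MechX509: true}},
		Metadata: map[string]map[string]*ecdsa.PublicKey{webIss: {"k1": &webKey.PublicKey}},
		Roots:    roots,
	}
	x5c := func(c *x509.Certificate) []string { return []string{base64.StdEncoding.EncodeToString(c.Raw)} }
	claims := func(iss string) map[string]any { return map[string]any{"iss": iss, "vct": "https://creds.example/id", "sub": "alice"} }
	ok := func(tok string) bool { _, _, err := v.Verify(tok); return err == nil }
	return map[string]bool{
		"web-issuer: key from metadata":             ok(issue(webKey, header{Alg: "ES256", Kid: "k1"}, claims(webIss))),
		"x509-issuer: x5c bound to iss":             ok(issue(x5cKey, header{Alg: "ES256", X5c: x5c(x5cCert)}, claims(x5cIss))),
		"web-issuer: x5c offered but not permitted": ok(issue(rogueKey, header{Alg: "ES256", X5c: x5c(rogueCert)}, claims(webIss))),
		"x509-issuer: trusted cert bound elsewhere": ok(issue(rogueKey, header{Alg: "ES256", X5c: x5c(rogueCert)}, claims(x5cIss))),
		"web-issuer: kid k1 but wrong signing key":  ok(issue(rogueKey, header{Alg: "ES256", Kid: "k1"}, claims(webIss))),
	}
}

func main() {
	for name, pass := range Scenarios() {
		fmt.Printf("%-45s verified=%v\n", name, pass)
	}
}
```

The order matters: the policy gate runs before any key material from the header is touched, so a credential carrying an `x5c` chain for an issuer that is only allowed web-based resolution is rejected without the chain ever being parsed, and a certificate the verifier does trust cannot be reused to speak for an issuer it is not bound to. `go run` prints the outcome of the five scenarios; the first two verify and the remaining three are rejected.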