IETF Logo Mail Archive

Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)

Denis <denis.ietf@free.fr> Thu, 18 January 2024 09:26 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2C5C1519BB; Thu, 18 Jan 2024 01:26:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJeyjVwl_J0f; Thu, 18 Jan 2024 01:26:39 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A1FFC1519B0; Thu, 18 Jan 2024 01:26:39 -0800 (PST)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id 793FB780508; Thu, 18 Jan 2024 10:26:32 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------MmdnBO6paUZWAwKU8QqQK0Pb"
Message-ID: <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr>
Date: Thu, 18 Jan 2024 10:26:35 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
To: Giuseppe De Marco <demarcog83@gmail.com>, hannes.tschofenig=40gmx.net@dmarc.ietf.org
Cc: spice@ietf.org, fa.marino@ipzs.it, gi.demarco@innovazione.gov.it, oauth <oauth@ietf.org>
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com> <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr>
In-Reply-To: <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TGbWe-pG0y_s9cTBsUoesKQIFY4>
Subject: Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 09:26:44 -0000

Typo: Change:"proof _*or*_ origin of wallet instance"
into               : "proof _*of*_ __origin of wallet instance".

The figure has been corrected below.

Denis

> Hi Giuseppe,
>
> The current figure in the Introduction from 
> draft-demarco-status-attestations-latest is:
>
> +-----------------++-------------------+
> || Requests Status Attestation ||
> ||---------------------------->||
> | Wallet Instance || Credential Issuer |
> || Status Attestation||
> ||<----------------------------||
> +-----------------++-------------------+
>
>
> +-- ----------------++----------+
> || Presents credential and||
> |Wallet Instance| Status Attestation| Verifier |
> ||---------------------------->||
> +-------------------++----------+
>
> IMO, using the vocabulary agreed during the last BoF video conference, 
> this figure should be modified as follows:
>
>
> +------------++-------------------+
> || Requests *Digital Credential* ||
> || and presents proof of knowledge of ||
> || either a private key or a link secret ||
> || and proof *of* origin of wallet instance | Credential Issuer |
> | Holder |--------------------------------------->||
> ||| |
> ||*Digital Credential*||
> ||<---------------------------------------||
> +------------++-------------------+
>
>
> +-- ---------++-------------------+
> || Presents *Credential proof*||
> | Holder|| Verifier|
> ||--------------------------------------->||
> +------------++-------------------+
>
> Denis
>
>
>> Hi Hannes,
>>
>> Thank you for your quick reaction and also to Orie for sharing.
>> I've submitted the draft, here: 
>> https://datatracker.ietf.org/doc/draft-demarco-status-attestations/
>>
>> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/>
>> Regarding the term Attestation: good point. We have decided to use 
>> this term since in several IETF and OpenID drafts this term seems 
>> pretty established, the term Attestation is found at least in the 
>> following specifications:
>>   - Attestation based client-authentication (it's in the title)
>>   - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC 
>> (wallet attestation)
>>   - OpenID for Verifiable Presentations - draft 20 (verifier attestation)
>>   - OpenID for Verifiable Credential Issuance (section "Trust between 
>> Wallet and Issuer": Device Attestation)
>>
>> Meantime in the eIDAS Expert group this term is going to be changed 
>> to "Wallet Trust Evidence".
>>
>> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/>
>> I don't have a strong opinion on what would be the best semantic for 
>> this, I just have realized the functional difference between a 
>> Digital Credential and an Attestation:
>> the first requires the user to be authenticated and give consent for 
>> using the secure storage. The second is obtained with a 
>> machine2machine flow where no user interaction is required, the 
>> secure storage is not required, no user information is contained in 
>> it since the subject is the wallet instance and not the user, it 
>> cannot be (re)used without the cryptographic proof of possession. 
>> Probably a discussion could start about this term aiming to align 
>> several specifications on the same terminology. I could say that 
>> Status Attestation is a specific artifact defined for a specific 
>> context, other attestations can be defined outside the functional 
>> perimeter of this specification. Let's talk about it, it doesn't 
>> matters changing terms (eventually mindsets on perceivable meanings).
>>
>> Here I share some notes I picked along the last two months about this 
>> brand new individual draft:
>>
>> - it is related to digital credential only, I don't expect to use it 
>> in legacy infrastructure different from wallet. I really don't need 
>> this kind of mechanism in OIDC or any other traditional 
>> infrastructure since these doesn't show the privacy issues the wallet 
>> ecosystem has;
>> - it would interesting mentioning in the introduction that's 
>> pratically an ocsp stapling like mechanism, just to give some context 
>> (credit: Paul Bastien);
>> - The Rationale section needs to clarify better problems and 
>> solutions, where it seems that the problem does not exist or that it 
>> is weak. A review is necessary to clearly bring the benefits;
>> - Editorials mistake are still along the reading.
>>
>> thank you for your time and interest,
>> best
>>
>>
>>
>>
>>
>>
>> Il giorno mer 17 gen 2024 alle ore 21:06 
>> <hannes.tschofenig=40gmx.net@dmarc.ietf.org> ha scritto:
>>
>>     Hi Guiseppe, Francesco, Orie,
>>
>>     @Orie: Thanks for sharing the draft.
>>
>>     As a quick reaction: It would be good to invent a new term for
>>     “attestation” in draft-demarco-status-attestations.html because
>>     this term is already widely used in a different context (see RFC
>>     9334).
>>
>>     @Guiseppe and Francesco: It would be great if you could submit
>>     your draft to OAuth or SPICE for discussion.
>>
>>     Ciao
>>
>>     Hannes
>>
>>     *From:*OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele
>>     *Sent:* Mittwoch, 17. Jänner 2024 19:07
>>     *To:* spice@ietf.org
>>     *Cc:* oauth <oauth@ietf.org>
>>     *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations
>>
>>     Hello Digital Credential Enthusiasts,
>>
>>     See:
>>     https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html
>>
>>     Note the use of the term digital credential, and the alignment to
>>     CWT based credentials and CWT based credential status lists.
>>
>>     As a quick summary of the editors draft above:
>>
>>     It is basically a refresh-token-like approach to dynamic state,
>>     where the holder retrieves updated state from the issuer at
>>     regular intervals, and can then present that dynamic state
>>     directly to the verifier.
>>
>>     This eliminates the herd privacy and phone home issues
>>     associated with W3C Bitstring Status Lists.
>>
>>     And it informs the holder of dynamic state, so the digital wallet
>>     can provide a better user experience.
>>
>>     However, an issuer (government or ngo) could use the interval of
>>     requesting dynamic state, to track the holder... so the guidance
>>     from
>>     https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/
>>
>>     Is also relevant to this draft.
>>
>>     I also learned that
>>     https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>>
>>     Has defined a new property for expressing "Verifiable Credential"
>>     "type" `vct`, which is different from how W3C defines credential
>>     types.
>>
>>     W3C uses the expanded IRI for the graph node type, based on the
>>     JSON-LD context.
>>
>>     For example with:
>>
>>     {
>>       "@context": [
>>         "https://www.w3.org/ns/credentials/v2",
>>         "https://www.w3.org/ns/credentials/examples/v2"
>>       ],
>>       "id": "http://university.example/credentials/1872",
>>       "type": ["VerifiableCredential", "ExampleAlumniCredential"],
>>       ...
>>     }
>>
>>     The credential type in RDF becomes
>>     "https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential"
>>
>>     Which is different from "ExampleAlumniCredential" in JSON... More
>>     evidence that RDF leads to developer confusion regarding safe typing.
>>
>>     The OAuth solution does not have this confusing issue, they set
>>     the type explicitly:
>>
>>     {
>>      "vct": "https://credentials.example.com/identity_credential",
>>      "given_name": "John",
>>      "family_name": "Doe",
>>      "email": "johndoe@example.com",
>>      "phone_number": "+1-202-555-0101",
>>      "address": {
>>        "street_address": "123 Main St",
>>        "locality": "Anytown",
>>        "region": "Anystate",
>>        "country": "US"
>>      },
>>      "birthdate": "1940-01-01",
>>      "is_over_18": true,
>>      "is_over_21": true,
>>      "is_over_65": true,
>>      "status": {
>>         "status_attestation": {
>>             "credential_hash_alg": "S256",
>>         }
>>      }
>>     }
>>
>>     Regards,
>>
>>     OS
>>
>>     -- 
>>
>>     *ORIE STEELE
>>     *Chief Technology Officer
>>     www.transmute.industries <http://www.transmute.industries>
>>
>>     <https://transmute.industries/>
>>
>>     _______________________________________________
>>     OAuth mailing list
>>     OAuth@ietf.org
>>     https://www.ietf.org/mailman/listinfo/oauth
>>
>>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>
>
>

v2.23.0 | Report a Bug | By Email