Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)
Denis <denis.ietf@free.fr> Thu, 18 January 2024 09:26 UTC
Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2C2C5C1519BB; Thu, 18 Jan 2024 01:26:44 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.983
X-Spam-Level:
X-Spam-Status: No, score=-1.983 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, NICE_REPLY_A=-0.091, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id OJeyjVwl_J0f; Thu, 18 Jan 2024 01:26:39 -0800 (PST)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6A1FFC1519B0; Thu, 18 Jan 2024 01:26:39 -0800 (PST)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id 793FB780508; Thu, 18 Jan 2024 10:26:32 +0100 (CET)
Content-Type: multipart/alternative; boundary="------------MmdnBO6paUZWAwKU8QqQK0Pb"
Message-ID: <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr>
Date: Thu, 18 Jan 2024 10:26:35 +0100
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:102.0) Gecko/20100101 Thunderbird/102.15.1
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
To: Giuseppe De Marco <demarcog83@gmail.com>, hannes.tschofenig=40gmx.net@dmarc.ietf.org
Cc: spice@ietf.org, fa.marino@ipzs.it, gi.demarco@innovazione.gov.it, oauth <oauth@ietf.org>
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com> <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr>
In-Reply-To: <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/TGbWe-pG0y_s9cTBsUoesKQIFY4>
Subject: Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 09:26:44 -0000
Typo: Change:"proof _*or*_ origin of wallet instance" into : "proof _*of*_ __origin of wallet instance". The figure has been corrected below. Denis > Hi Giuseppe, > > The current figure in the Introduction from > draft-demarco-status-attestations-latest is: > > +-----------------++-------------------+ > || Requests Status Attestation || > ||---------------------------->|| > | Wallet Instance || Credential Issuer | > || Status Attestation|| > ||<----------------------------|| > +-----------------++-------------------+ > > > +-- ----------------++----------+ > || Presents credential and|| > |Wallet Instance| Status Attestation| Verifier | > ||---------------------------->|| > +-------------------++----------+ > > IMO, using the vocabulary agreed during the last BoF video conference, > this figure should be modified as follows: > > > +------------++-------------------+ > || Requests *Digital Credential* || > || and presents proof of knowledge of || > || either a private key or a link secret || > || and proof *of* origin of wallet instance | Credential Issuer | > | Holder |--------------------------------------->|| > ||| | > ||*Digital Credential*|| > ||<---------------------------------------|| > +------------++-------------------+ > > > +-- ---------++-------------------+ > || Presents *Credential proof*|| > | Holder|| Verifier| > ||--------------------------------------->|| > +------------++-------------------+ > > Denis > > >> Hi Hannes, >> >> Thank you for your quick reaction and also to Orie for sharing. >> I've submitted the draft, here: >> https://datatracker.ietf.org/doc/draft-demarco-status-attestations/ >> >> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/> >> Regarding the term Attestation: good point. We have decided to use >> this term since in several IETF and OpenID drafts this term seems >> pretty established, the term Attestation is found at least in the >> following specifications: >> - Attestation based client-authentication (it's in the title) >> - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC >> (wallet attestation) >> - OpenID for Verifiable Presentations - draft 20 (verifier attestation) >> - OpenID for Verifiable Credential Issuance (section "Trust between >> Wallet and Issuer": Device Attestation) >> >> Meantime in the eIDAS Expert group this term is going to be changed >> to "Wallet Trust Evidence". >> >> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/> >> I don't have a strong opinion on what would be the best semantic for >> this, I just have realized the functional difference between a >> Digital Credential and an Attestation: >> the first requires the user to be authenticated and give consent for >> using the secure storage. The second is obtained with a >> machine2machine flow where no user interaction is required, the >> secure storage is not required, no user information is contained in >> it since the subject is the wallet instance and not the user, it >> cannot be (re)used without the cryptographic proof of possession. >> Probably a discussion could start about this term aiming to align >> several specifications on the same terminology. I could say that >> Status Attestation is a specific artifact defined for a specific >> context, other attestations can be defined outside the functional >> perimeter of this specification. Let's talk about it, it doesn't >> matters changing terms (eventually mindsets on perceivable meanings). >> >> Here I share some notes I picked along the last two months about this >> brand new individual draft: >> >> - it is related to digital credential only, I don't expect to use it >> in legacy infrastructure different from wallet. I really don't need >> this kind of mechanism in OIDC or any other traditional >> infrastructure since these doesn't show the privacy issues the wallet >> ecosystem has; >> - it would interesting mentioning in the introduction that's >> pratically an ocsp stapling like mechanism, just to give some context >> (credit: Paul Bastien); >> - The Rationale section needs to clarify better problems and >> solutions, where it seems that the problem does not exist or that it >> is weak. A review is necessary to clearly bring the benefits; >> - Editorials mistake are still along the reading. >> >> thank you for your time and interest, >> best >> >> >> >> >> >> >> Il giorno mer 17 gen 2024 alle ore 21:06 >> <hannes.tschofenig=40gmx.net@dmarc.ietf.org> ha scritto: >> >> Hi Guiseppe, Francesco, Orie, >> >> @Orie: Thanks for sharing the draft. >> >> As a quick reaction: It would be good to invent a new term for >> “attestation” in draft-demarco-status-attestations.html because >> this term is already widely used in a different context (see RFC >> 9334). >> >> @Guiseppe and Francesco: It would be great if you could submit >> your draft to OAuth or SPICE for discussion. >> >> Ciao >> >> Hannes >> >> *From:*OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele >> *Sent:* Mittwoch, 17. Jänner 2024 19:07 >> *To:* spice@ietf.org >> *Cc:* oauth <oauth@ietf.org> >> *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations >> >> Hello Digital Credential Enthusiasts, >> >> See: >> https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html >> >> Note the use of the term digital credential, and the alignment to >> CWT based credentials and CWT based credential status lists. >> >> As a quick summary of the editors draft above: >> >> It is basically a refresh-token-like approach to dynamic state, >> where the holder retrieves updated state from the issuer at >> regular intervals, and can then present that dynamic state >> directly to the verifier. >> >> This eliminates the herd privacy and phone home issues >> associated with W3C Bitstring Status Lists. >> >> And it informs the holder of dynamic state, so the digital wallet >> can provide a better user experience. >> >> However, an issuer (government or ngo) could use the interval of >> requesting dynamic state, to track the holder... so the guidance >> from >> https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/ >> >> Is also relevant to this draft. >> >> I also learned that >> https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ >> >> Has defined a new property for expressing "Verifiable Credential" >> "type" `vct`, which is different from how W3C defines credential >> types. >> >> W3C uses the expanded IRI for the graph node type, based on the >> JSON-LD context. >> >> For example with: >> >> { >> "@context": [ >> "https://www.w3.org/ns/credentials/v2", >> "https://www.w3.org/ns/credentials/examples/v2" >> ], >> "id": "http://university.example/credentials/1872", >> "type": ["VerifiableCredential", "ExampleAlumniCredential"], >> ... >> } >> >> The credential type in RDF becomes >> "https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential" >> >> Which is different from "ExampleAlumniCredential" in JSON... More >> evidence that RDF leads to developer confusion regarding safe typing. >> >> The OAuth solution does not have this confusing issue, they set >> the type explicitly: >> >> { >> "vct": "https://credentials.example.com/identity_credential", >> "given_name": "John", >> "family_name": "Doe", >> "email": "johndoe@example.com", >> "phone_number": "+1-202-555-0101", >> "address": { >> "street_address": "123 Main St", >> "locality": "Anytown", >> "region": "Anystate", >> "country": "US" >> }, >> "birthdate": "1940-01-01", >> "is_over_18": true, >> "is_over_21": true, >> "is_over_65": true, >> "status": { >> "status_attestation": { >> "credential_hash_alg": "S256", >> } >> } >> } >> >> Regards, >> >> OS >> >> -- >> >> *ORIE STEELE >> *Chief Technology Officer >> www.transmute.industries <http://www.transmute.industries> >> >> <https://transmute.industries/> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> >> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth > > >
- [OAUTH-WG] OAuth Digital Credential Status Attest… Orie Steele
- Re: [OAUTH-WG] OAuth Digital Credential Status At… hannes.tschofenig
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Leif Johansson
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Paul Bastian
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Watson Ladd
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] [SPICE] R: OAuth Digital Credentia… Oliver Terbu
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones