IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption - SD-JWT

Warren Parad <wparad@rhosys.ch> Mon, 01 August 2022 12:24 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id DB2AFC13C506 for <oauth@ietfa.amsl.com>; Mon, 1 Aug 2022 05:24:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_FILL_THIS_FORM_SHORT=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VKsPNd-XVPG7 for <oauth@ietfa.amsl.com>; Mon, 1 Aug 2022 05:24:46 -0700 (PDT)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CE41FC13CCC9 for <oauth@ietf.org>; Mon, 1 Aug 2022 05:24:46 -0700 (PDT)
Received: by mail-yb1-xb36.google.com with SMTP id e127so17880906yba.12 for <oauth@ietf.org>; Mon, 01 Aug 2022 05:24:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :from:to:cc; bh=4aKXv/LRNn7rL9BnY+HKD219SzQCME/juNIVlx9kg3g=; b=HNhMkPeW4npk63M0+6df1HJYa93U/ShHLRVjdcAvw/5ULY1yc4R7l9BirsYQqEuQZk 0nMsGdp142optu8B0/UXh72UWvHamV7SJ/uGsOrYULitZkx2zHR9mhf9LNUVg8UFiuWe c/Mc3lJujw0fSNDaxSov3bRXTIaw9G9va+rQIDL/Opo6O5LToq0JQFJAONbJJ/nDOi8a eOaHGKPKsihOWL7Iyg1whPQSrSHiQCL1fho7zEDukrVZCUXqNracWamFHbMQLkPoKtDb 5yrwQmGNK24v/lK6YVU862JjKDOuMFzaR14vok99r3d1jC9GvwKtXUzLuLSgt8vVFMQX p8GQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=to:subject:message-id:date:from:in-reply-to:references:mime-version :x-gm-message-state:from:to:cc; bh=4aKXv/LRNn7rL9BnY+HKD219SzQCME/juNIVlx9kg3g=; b=WK3AuHYgrcu9HXo0jDF4iXdq0DXy176eQS488p46zuPp1yGA56rvTe+yqX79MaZcu1 9tX1U6wqwMuCaSXHLFfLdV2cLobEj+TdKAdGDJAzbgc3R9ZUqGeCaSrxhi3/192b9YXc 0G7lSH8UlwByzjqjxqNsnQV16CpISUTphB6zT7fJS5zIs+sJRhOrDhyNNm1K8/nkFugH cC+8fJSFAtzerYGVIDGcIIsyomO+zOSXygahOoHIjcAIeInn4yWov335cVFwXtvcVtA+ 8OWNB2I0d950n5vT9MlseL2s+NOgvzWYw6yffmzLmBH4XJz+1z3P/K8NE/IysXqwCciW XeaA==
X-Gm-Message-State: ACgBeo3SDM6L+kTNAyI35kJYS8qUXhdFd2D2JGO6XQG7eDoiOvtzYpBX WaDfN+e280FOSWFrAszfFT8U116Q+3ha81HDidKy2rXRNvRa0Gw=
X-Google-Smtp-Source: AA6agR6gqF7nD7meiWROCt0mH4wjw/jhTWLOu1BjW2sKl+VC51cU6zvqM4jP0lPfcBJnrHjGDfKs/qyCSaRYWWg2yx8=
X-Received: by 2002:a25:7307:0:b0:671:73f0:f772 with SMTP id o7-20020a257307000000b0067173f0f772mr9952174ybc.567.1659356685546; Mon, 01 Aug 2022 05:24:45 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com> <CA+k3eCSCaSUUhbNe9G74a_g=ZnGFcz7iQHBGNMzWYFNmvskYPQ@mail.gmail.com> <CAODMz5F7wBwkemtRK71RBHG8-=D_ezjxSkECtYmMU0OSX5n4nw@mail.gmail.com> <75CB47D6-EB35-40EB-A3AE-0487C0405DC7@forgerock.com> <7acfa69a-f4a2-fbab-2868-6c68c2c970a4@verifiablecredentials.info>
In-Reply-To: <7acfa69a-f4a2-fbab-2868-6c68c2c970a4@verifiablecredentials.info>
From: Warren Parad <wparad@rhosys.ch>
Date: Mon, 01 Aug 2022 14:24:34 +0200
Message-ID: <CAJot-L0fxxo25bK1QK6Bqcg8WQ53P-tZgG2isFst072t1WrWbQ@mail.gmail.com>
To: oauth@ietf.org
Content-Type: multipart/alternative; boundary="000000000000cc51ab05e52d1595"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/W14cROliZrbFxZ-lDHichTuz6uY>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 01 Aug 2022 12:24:51 -0000

>
> This is done because network availability and privacy concerns may
> separate the act of acquiring the SD-JWT of a license from the issuing
> authority, and presenting it (such as days later during a traffic stop on a
> mountain road).


I think we keep pointing to "offline drivers license" as the only reason we
have this draft. But we still haven't made clear why the "offline drivers
license" actually needs this. I spent some real time thinking about and
came up with two hypotheticals that helped me.

*Hypothetical 1:*
You are on a mountain road and a police officer pulls you over, it's late
at night, you have no internet, and your driver license is 100% digital.

The officer wants to know if you live in the area, or if you are from out
of state. You don't want to tell the police officer your name, you click
some magic buttons on your device, and a QR code pops up. This QR code
contains only:

   - "id_token" with salted fields
   - selective disclosure for: *address city + state*


The police officer's magic new special SD-JWT device tells them you have a
valid driver's license and that you live in the area. The officer is either:

   - Okay with that
   - Asks for further disclosure, which you can agree to or risk being
   arrested and brought in for questioning.


*Hypothetical 2:*
You live in the US and going out to a bar. Bars in the US are infamous for
carding people. You want to tell them that you are over 21, but don't want
to tell them anything else. So you take out your digital wallet and show
them a QR code that only contains:

   - "id_token" with salted fields
   - selective disclosure for: *over 21*

The bouncer uses their magic new SD-JWT device to verify that information,
and can either say:

   - That's sufficient, come on in
   - I don't believe that is yours, I need to see your picture (including
   details), your name as well as another form of identification.


*Problem from 2:*
The bouncer says, I need to know you have been vaccinated against covid in
the last 6 months. Here's where things start to get challenging, did the
issuer have this information available to create a claim that could be
selectively disclosed?

Do we need to maintain a registry of all the allowed claims, or are
countries some how going to be on top of this?

What happens when different countries have different "standard claims"?


On Mon, Aug 1, 2022 at 1:29 PM David Chadwick <
d.w.chadwick@verifiablecredentials.info> wrote:

>
> On 01/08/2022 11:55, Neil Madden wrote:
>
> I agree with many of these points that Jaimandeep Singh raises.
>
> It would be good to know exactly what the intended use-cases within OAuth
> are. In particular, in OAuth it’s normally the case that the client is
> relatively untrusted and a privacy goal is to avoid revealing
> information/PII to the client unnecessarily. In SD-JWT it seems that this
> is turned on its head somewhat and we trust the client (holder) with
> everything and instead want to keep some information private from the
> resource servers?
>
> I think there are also some questions about exactly which claims can be
> selectively disclosed - e.g., it would be a very bad idea to allow security
> constraints like “exp”, “aud” or “cnf” to be selectively (not) disclosed.
> But the problem is that the set of security constraints is not fixed in any
> way, and new ones may be added by future specs or application-specific
> ones. So the issuer will need to be careful not to allow such constraints
> to be selectively disclosed.
>
> Ultimately, I just don’t find this idea of fine-grained pick ’n’ mix
> selective disclosure of individual claims to be very compelling compared to
> the much simpler solution of just issuing multiple JWTs in the first place
> (with appropriate subsets of claims in them).
>
> +1. This is exactly what we do
>
> David
>
>
> — Neil
>
> On 29 Jul 2022, at 03:15, Jaimandeep Singh <
> jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org> wrote:
>
> Dear All,
> 1. At the outset I must compliment  Daniel Fett and Kristina Yasudafor and
> all the contributors for the wonderful work done on SD-JWT.
> 2. However, in my opinion there is no clear motivation for using SD-JWT in
> the present oAuth 2.0/2.1 ecosystem. We already have JWS and JWE which more
> or less satisfy the requirements.
> 3. The focus and time of the WG-OAUTH should be more aligned to the work
> directly impacting the improvements or BCP in the oAuth 2.0/2.1 specs.
> 4. WG-JWP (JSON Web Proofs) may be a more suitable place for the adoption
> of SD-JWT as they are working on a similar set of problems. They are
> actively seeking participation in the area of SD-JWT.
> 5. In view of above I am presently not in favour of its adoption in
> WG-OAUTH.
>
> Regards
> Jaimandeep Singh
>
> On Fri, Jul 29, 2022 at 6:43 AM Brian Campbell <bcampbell=
> 40pingidentity.com@dmarc.ietf.org> wrote:
>
>> I support adoption.
>>
>> On Thu, Jul 28, 2022, 8:17 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
>> wrote:
>>
>>> All,
>>>
>>> This is a call for adoption for the *SD-JWT* document
>>>
>>> https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
>>>
>>> Please, provide your feedback on the mailing list by *August 12th*.
>>>
>>> Regards,
>>>  Rifaat & Hannes
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>>>
>>
>> *CONFIDENTIALITY NOTICE: This email may contain confidential and
>> privileged material for the sole use of the intended recipient(s). Any
>> review, use, distribution or disclosure by others is strictly prohibited.
>> If you have received this communication in error, please notify the sender
>> immediately by e-mail and delete the message and any file attachments from
>> your computer. Thank you.*_______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email