[OAUTH-WG] Re: SD-JWT disclosure ordering
Brian Campbell <bcampbell@pingidentity.com> Wed, 25 September 2024 12:04 UTC
As it's the input to a hash, I think it should be well enough understood that the order is important in that context.

On Tue, Sep 24, 2024 at 10:51 AM David Waite <david=40alkaline-solutions.com@dmarc.ietf.org> wrote:

> I didn’t see anything in SD-JWT about a canonical disclosure ordering.
>
> Disclosures from the issuer (and after selective disclosure) are to the best of my understanding an unordered set - they are expressed in an order, but that order is not meaningful for processing. The disclosures may be sorted or randomized as part of the presentation process at the holder’s leisure.
>
> However, once you do key binding JWTs, that order is meaningful because shuffling the disclosures will break that signature.
>
> Can I suggest 5.3.1 be tweaked to represent this, perhaps to:
>
> The sd_hash value MUST be taken over the US-ASCII bytes of the encoded SD-JWT, i.e., the Issuer-signed JWT, a tilde character, *and any Disclosures selected for presentation to the Verifier in presented order*, each followed by a tilde character:
>
> -DW
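The point under discussion, as an added example that is not part of this thread: sd_hash is computed over the US-ASCII bytes of `<Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure n>~` exactly as presented, so a Verifier that recomputes it from the received presentation will reject a reordered set of Disclosures. The JWT and Disclosure strings below are constructed placeholders, and the hash algorithm is assumed to be the SD-JWT default, sha-256.

```python
import base64
import hashlib
import secrets

# Constructed placeholder values standing in for real base64url-encoded parts.
ISSUER_JWT = "eyJhbGciOiJFUzI1NiJ9.eyJfc2QiOlsiLi4uIl19.c2lnbmF0dXJl"
DISCLOSURES = [
    "WyJzYWx0MSIsICJnaXZlbl9uYW1lIiwgIkpvaG4iXQ",
    "WyJzYWx0MiIsICJmYW1pbHlfbmFtZSIsICJEb2UiXQ",
]


def b64url_nopad(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sd_hash_input(issuer_jwt: str, disclosures: list[str]) -> bytes:
    """US-ASCII bytes of '<jwt>~<d1>~...~<dn>~', i.e. the presentation minus the KB-JWT."""
    return ("~".join([issuer_jwt, *disclosures]) + "~").encode("ascii")


def compute_sd_hash(issuer_jwt: str, disclosures: list[str], alg: str = "sha-256") -> str:
    # Holder side: the value that goes into the KB-JWT's sd_hash claim.
    # Assumption: only sha-256 is handled here (hashlib name is the _sd_alg name minus the dash).
    digest = hashlib.new(alg.replace("-", ""), sd_hash_input(issuer_jwt, disclosures)).digest()
    return b64url_nopad(digest)


def split_presentation(presentation: str) -> tuple[str, list[str], str]:
    """Split '<jwt>~<d1>~...~<dn>~<kb-jwt>'; the KB-JWT is whatever follows the final tilde."""
    *sd_parts, kb_jwt = presentation.split("~")
    if not kb_jwt:
        raise ValueError("presentation carries no Key Binding JWT")
    issuer_jwt, *disclosures = sd_parts
    return issuer_jwt, disclosures, kb_jwt


def verifier_check(presentation: str, claimed_sd_hash: str) -> bool:
    """Verifier side: recompute sd_hash from the Disclosures in the order received
    and compare it (constant-time) with the sd_hash claim taken from the KB-JWT."""
    issuer_jwt, disclosures, _kb_jwt = split_presentation(presentation)
    expected = compute_sd_hash(issuer_jwt, disclosures)
    return secrets.compare_digest(expected, claimed_sd_hash)
```

The KB-JWT signature itself is out of scope here; the check shown is the sd_hash binding that fails as soon as the Disclosure order differs from the one the Holder hashed.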