IETF Logo Mail Archive

[OAUTH-WG] How to get the benefits of BBS+, without its drawbacks while using conventional cryptography ? (Was SD-JWT and Unlinkability)

Denis <denis.ietf@free.fr> Mon, 23 September 2024 07:00 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7398CC19ECBE for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2024 00:00:36 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.905
X-Spam-Level:
X-Spam-Status: No, score=-6.905 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id QYGsY5CRbGuJ for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2024 00:00:35 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [212.27.42.6]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E8B36C15199D for <oauth@ietf.org>; Mon, 23 Sep 2024 00:00:34 -0700 (PDT)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id D4F9278050F; Mon, 23 Sep 2024 09:00:29 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------hxz9ubmYiUGo5qnWwGtYJkta"
Message-ID: <7d2d4abe-6767-4996-938c-34b07f53fd5e@free.fr>
Date: Mon, 23 Sep 2024 09:00:29 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Daniel Fett <mail@danielfett.de>
References: <CAD9ie-s_gFmkCC8uKXQXC0W1u_zcaktvvNV6wEC4RtJQMarnng@mail.gmail.com> <51d9e2b2-e766-4eea-8b31-a0ae5b2cfae4@danielfett.de> <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com>
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com>
Message-ID-Hash: BLYOPWYOGU5DKKPPITHKY777D45NN7TQ
X-Message-ID-Hash: BLYOPWYOGU5DKKPPITHKY777D45NN7TQ
X-MailFrom: denis.ietf@free.fr
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org, kristina@sfc.keio.ac.jp, Dick.Hardt@gmail.com
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] How to get the benefits of BBS+, without its drawbacks while using conventional cryptography ? (Was SD-JWT and Unlinkability)
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/X4fZ-RMAfcC_5vAxl_qAnSBu8T0>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Batches of digital credentials prevent collaborating Verifiers to link 
accesses from the same End-User.

However, there is another advantage which would be worthwhile to 
mention: getting the benefits of BBS+ ... without its drawbacks
(poor performances, large key sizes, large memory sizes, high 
computational power required, not "green" and not resistant to quantum 
attacks).

There exist use cases where claims contained in digital credentials 
issued by different Issuers need to be presented to one Verifier.

Using BBS +, when a Holder requests a digital credential to several 
digital credential issuers, for each request, it uses a different 
blinded link secret
and hence each issued digital credential will contain a different 
blinded link secret. This value does not allow anybody to correlate 
digital credentials
issued by different digital credential issuers for the same Holder.

An important benefit of the use of link secrets is the ability for a 
Holder to demonstrate to a Verifier that credentials issued by different 
digital credential issuers
were indeed issued to the same Holder.

When using the "traditional SD-JWT" model, the Holder generates one key 
pair for each Issuer. In this way, a digital credential issued by the 
Issuer A
cannot be linked between collaborative Verifiers to a digital credential 
issued by the Issuer B. So far, so good.

Now, let us suppose that Issuer A is a government, while Issuer B is a 
University. An End-User would like to demonstrate to a Verifier
that that he lives in California and that he got one diploma (among 
several) from the University.

For that specific use case, the Holder will generate one new key pair 
and use the same private key to request a digital credential from each 
Issuer.
The two issued digital credentials will contain the same public key and, 
using the corresponding private key, the Holder will be able to demonstrate
to one Verifier that the two presentations of the digital credentials 
originate from the same Holder.

Since that key pair will only be used once towards a single Verifier, a 
linkage between different collaborative Verifiers using the framing of 
the claims is not possible.

This means that you can have your cake and it eat !

Obviously, this means that the key pair SHALL be generated by a TA 
running in a TEE that is part of the Holder (application).
Both Issuers and Verifiers MUST be able to know these characteristics. 
See one of my earlier comments:

    The key pair SHALL be generated by a secure cryptographic
    application that is part of the Holder and the characteristics
    of that application SHALL be included in SD-JWT using the claim
    "scac" (secure cryptographic application characteristics).

Section 5.1.2 (Key Binding) currently states:

    It is out of the scope of this document to describe how the Holder 
key pair is established.

This section should be reconsidered and rewritten.

Denis

> I understand it has become the accepted approach. It still comes 
> across as a hack, and there is no guidance on how many to issue, nor 
> how a holder chooses when to reissue the same ones.
>
> I'm amused by the decision to use implicit typing in a disclosure to 
> save a few bytes, but we will send dozens of credentials to minimize 
> the chance of linking :)
>
> On Sat, Sep 21, 2024 at 4:29 PM Daniel Fett <mail@danielfett.de> wrote:
>
>     Hi Dick,
>
>     Batch credential (not claims) issuing has become the default
>     approach to circumvent the inherent limitations of
>     salted-hash-based credentials formats. This was neither invented
>     by us, nor is it unreasonable to ask implementers to do it.
>     Protocols such as OpenID4VCI support it.
>
>     -Daniel
>
>     Am 21.09.24 um 06:42 schrieb Dick Hardt:
>>     Is it really going to be practical to batch issue claims, and
>>     have the holder randomly choose between them on presentation?
>>
>>     As an implementer, what is the right number of claims to be in a
>>     batch?
>>
>>     This section of the draft reads as a hack to add a new capability
>>     (unlinkability) to a mechanism that did not have that as a design
>>     objective.
>>
>>     This is going to be like the "alg":"null" for SD-JWT. :-)
>>
>>
>
> _______________________________________________
> OAuth mailing list --oauth@ietf.org
> To unsubscribe send an email tooauth-leave@ietf.org

v2.46.0 | Report a Bug | By Email | System Status