Re: [OAUTH-WG] Call for adoption - SD-JWT
Jaromir Talir <jaromir.talir@nic.cz> Tue, 02 August 2022 11:02 UTC
Return-Path: <jaromir.talir@nic.cz>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id B3D3CC14F75F for <oauth@ietfa.amsl.com>; Tue, 2 Aug 2022 04:02:19 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -7.11
X-Spam-Level:
X-Spam-Status: No, score=-7.11 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, RCVD_IN_DNSWL_HI=-5, RCVD_IN_MSPIKE_H2=-0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=nic.cz
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Oh1VM9cY9Ju2 for <oauth@ietfa.amsl.com>; Tue, 2 Aug 2022 04:02:15 -0700 (PDT)
Received: from mail.nic.cz (mail.nic.cz [217.31.204.67]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 003C4C14CF14 for <oauth@ietf.org>; Tue, 2 Aug 2022 04:02:14 -0700 (PDT)
Received: from [IPv6:2001:1488:fffe:2:35c0:7ad9:aac7:611] (unknown [IPv6:2001:1488:fffe:2:35c0:7ad9:aac7:611]) by mail.nic.cz (Postfix) with ESMTPSA id 53901148315 for <oauth@ietf.org>; Tue, 2 Aug 2022 13:02:11 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=nic.cz; s=default; t=1659438131; bh=ELeZLqZi1aGkpy9JzpvOYiv9zCTUF9meuOJu3apm9g8=; h=Subject:From:To:Date:From; b=U2sBdTvz20DWoBnj/65N9XG2L4y2PBE2CSvsf/A/Fvl05A/4w2ka23uZI6DYMThM/ 4MAu+/XYj0ZyW1WmY0+vSLxgCwaSeTEEUAXT765e5cGHrWG3xFcpFliB/xTgsX1a5a HMA//BDNug1KM9IFdwEJrgTEEnAn7bzHb+EAXmTo=
Message-ID: <6295a6a5aa8b40dda13c480766f3a29baef536c5.camel@nic.cz>
From: Jaromir Talir <jaromir.talir@nic.cz>
To: oauth@ietf.org
Date: Tue, 02 Aug 2022 13:02:11 +0200
In-Reply-To: <C1C33532-850E-44CF-AFB8-5AF1438F96F1@lodderstedt.net>
References: <CAGBSGjoAFr7E=m6i8qv8XWjkraApPxMsDxqWwyNRU5K51Gbq9Q@mail.gmail.com> <6F68CD19-E97D-4584-A12B-F5710A06C4C1@forgerock.com> <CAJot-L1dpuTGsm=yGy03LsUOhmr3GgZvaqGMyzgUB=mt=fBuVA@mail.gmail.com> <7a4eaa5d-ec59-e13d-2d36-f8bcac48c0f2@verifiablecredentials.info> <C1C33532-850E-44CF-AFB8-5AF1438F96F1@lodderstedt.net>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
User-Agent: Evolution 3.44.3 (3.44.3-1.fc36)
MIME-Version: 1.0
X-Virus-Scanned: clamav-milter 0.103.6 at mail
X-Virus-Status: Clean
X-Spamd-Bar: /
X-Rspamd-Server: mail
X-Rspamd-Queue-Id: 53901148315
X-Spamd-Result: default: False [0.00 / 99.00]; WHITELISTED_IP(0.00)[2001:1488:fffe:2:35c0:7ad9:aac7:611]; ASN(0.00)[asn:25192, ipnet:2001:1488::/32, country:CZ]
Authentication-Results: mail.nic.cz; auth=pass smtp.auth=jaromir.talir@nic.cz smtp.mailfrom=jaromir.talir@nic.cz
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/cd92PxEbIHlQMtR00S6O0sT-SzQ>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 02 Aug 2022 11:02:19 -0000
On Tue, 2022-08-02 at 12:02 +0200, Torsten Lodderstedt wrote: > > > > Am 02.08.2022 um 11:44 schrieb David Chadwick > > <d.w.chadwick@verifiablecredentials.info>: > > > > > > > > On 01/08/2022 18:39, Warren Parad wrote: > > > > > So the question is how many offline interactions are there, and > > > what do those look like? > > > > This to me is the key question. If the vast majority of > > transactions between the user/wallet and the RP are online (which I > > believe that most will be), then the client/wallet/user can request > > a short lived credential on demand from the RS containing just the > > claims that the RP is requesting. The same access token should be > > usable for this. This also solves the pair-wise ID issue between > > the wallet/user and the RP, as the user's key inserted into the > > credential will be ephemeral. > > > > That is certainly feasible and it would solve selective disclosure > and unlinkability on the RP side. > > However, it comes at a price. It will tell the issuer a lot about the > frequency, the time, and the claims a user uses for accessing > service, degrading privacy towards issuers. > > That’s the reason I would not expect a lot of deployments to embrace > this pattern. e.g. I would doubt eIDAS 2 goes that way. Agree. It definitely doesn't go this way. Here is citation from regulation proposal: "Wallet shall ensure that trust service providers of qualified attestations of attributes cannot receive any information about the use of these attributes" http://timspeelman.nl/eidas/#A6a(4)(b) I could also use another citation: "Wallet shall enable user to securely request and obtain, store, SELECT, combine and share, in a manner that is transparent to and traceable by the user, the necessary legal person identification data and electronic attestation of attributes to authenticate online and offline in order to use online public and private services" http://timspeelman.nl/eidas/#A6a(3)(a) To emphasize this, regarding discussion whether there are use cases for SD-JWT or not - there are 27 member states of EU that are working on regulation where it looks like SD-JWT fits it's requirements. > > For those (possible few) transactions in which the wallet is > > offline, then the wallet has to obtain the (possibly selectively > > disclosed) credential before it is needed. But this is already the > > case today with boarding passes. I load it onto my phone whilst I > > am online at home, and then I present it offline at the airport > > e.g. via a QR code. So using this model the user can go to the RS > > when online, obtain a short lived selectively disclosed credential > > that they know will be needed later (e.g. age over 18 for entering > > a nightclub) and then present it offline when they arrive at the > > nightclub. > > For those (possibly even fewer) transactions in which the user is > > suddenly caught offline e.g. on the top of a mountain by a police > > officer, then I can see that the SD-JWT with blinded property names > > and values is a suitable solution. The user might have a few of > > these in their wallet, each being one-time use with a different > > key, that once selectively disclosed are discarded. The user/wallet > > can refresh the store periodically (or the wallet could do this > > automatically ensuring that a small number are always present). > > These would also need to be relatively short lived otherwise a > > revocation mechanism would need to be introduced (horror of > > horrors, especially on the top of a mountain with no access to the > > revocation list). > > Kind regards > > David > > _______________________________________________ > > OAuth mailing list > > OAuth@ietf.org > > https://www.ietf.org/mailman/listinfo/oauth > > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth
- [OAUTH-WG] Call for adoption - SD-JWT Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - SD-JWT Dick Hardt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Brian Campbell
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Steinar Noem
- Re: [OAUTH-WG] Call for adoption - SD-JWT Leif Johansson
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaromir Talir
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Waite
- Re: [OAUTH-WG] Call for adoption - SD-JWT Mike Jones
- Re: [OAUTH-WG] Call for adoption - SD-JWT Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - SD-JWT Wayne Chang
- Re: [OAUTH-WG] Call for adoption - SD-JWT Joseph Heenan
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Aaron Parecki
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Vittorio Bertocci
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT Pieter Kasselman
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaromir Talir
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Mike Jones
- Re: [OAUTH-WG] Call for adoption - SD-JWT Neil Madden
- Re: [OAUTH-WG] Call for adoption - SD-JWT Giuseppe De Marco
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Torsten Lodderstedt
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Chadwick
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Daniel Fett
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT David Waite
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Warren Parad
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kushal Das
- Re: [OAUTH-WG] Call for adoption - SD-JWT Nat Sakimura
- Re: [OAUTH-WG] Call for adoption - SD-JWT Christian Paquin
- Re: [OAUTH-WG] Call for adoption - SD-JWT Brian Campbell
- Re: [OAUTH-WG] Call for adoption - SD-JWT Rifaat Shekh-Yusef
- Re: [OAUTH-WG] Call for adoption - SD-JWT Jaimandeep Singh
- Re: [OAUTH-WG] Call for adoption - SD-JWT Kristina Yasuda