Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier
Daniel Fett <fett@danielfett.de> Tue, 31 October 2023 14:01 UTC
From: Daniel Fett <fett@danielfett.de>
Reply-To: mail@danielfett.de
To: oauth@ietf.org
Date: Tue, 31 Oct 2023 15:00:48 +0100
Message-ID: <4185c8f3-e8d4-48a0-9afc-b753e386a0d8@danielfett.de>
In-Reply-To: <ced0a8c1-a4b8-e790-f5ae-9e2ae3c631e2@free.fr>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/e04Zg-jBvgMiDvJRK56ACdQqQwA>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
Hi Denis,

a discussion on claims-based/biometric binding, probably what you're hinting at, is out of the scope of this document, since we define neither mechanisms nor rules for that. This should be part of a discussion with a larger scope, like the Security & Trust document in OIDF's DCP group.

-Daniel

On 26.10.23 at 11:01, Denis wrote:
> Hi All,
>
> Section 11.6. is about "Key Binding" which is indeed an important
> security feature.
> However, in the context of "selective disclosure" while this feature
> is essential, it is insufficient.
>
> Let us take an example: If a Token indicates that an individual has
> the nationality X, in case of a collusion between two individuals
> and when using two pieces of software specifically developed for that
> purpose, an individual would be able to compute and transmit
> a Token to another individual for the benefit of that other individual
> in order to cheat a Verifier. This is a collusion between two individuals.
>
> The first individual may not have the knowledge of the private key but
> since he has the use of the private key, he is in a position to sign
> anything he wants. Since the Token does not include claims allowing to
> uniquely identify the individual, "if he is not seen, he will not be
> caught".
>
> "Collaborative attacks against a Verifier" should be added to the
> Security Considerations section.
>
> There exist ways to counter collaborative attacks against a Verifier.
> These ways should be mentioned in the core of the document.
>
> Denis
>
>> Hi all,
>>
>> this release of SD-JWT includes one important normative change, which
>> is a hash in the key binding JWT to ensure the integrity of
>> presentations. The second biggest change is that we restructured some
>> sections of the document to make it more readable.
>>
>> As always, we're looking forward to discussing SD-JWT here on the
>> mailing list and in Prague.
>>
>> -Daniel
>>
>> This is the full changelog:
>>
>> -06
>>
>> * Added hash of Issuer-signed part and Disclosures in KB-JWT
>> * Fix minor issues in some examples
>> * Added IANA media type registration request for the JSON Serialization
>> * More precise wording around storing artifacts with sensitive data
>> * The claim name _sd or ... must not be used in a disclosure.
>> * Added JWT claims registration requests to IANA
>> * Ensure claims that control validity are checked after decoding payload
>> * Restructure sections around data formats and Example 1
>> * Update JSON Serialization to remove the kb_jwt member and allow for the disclosures to be conveyed elsewhere
>> * Expand the Enveloping SD-JWTs section to also discuss enveloping JSON serialized SD-JWTs
>>
>> On 23.10.23 at 18:17, internet-drafts@ietf.org wrote:
>>> Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-06.txt is now
>>> available. It is a work item of the Web Authorization Protocol (OAUTH) WG of
>>> the IETF.
>>>
>>> Title: Selective Disclosure for JWTs (SD-JWT)
>>> Authors: Daniel Fett
>>> Kristina Yasuda
>>> Brian Campbell
>>> Name: draft-ietf-oauth-selective-disclosure-jwt-06.txt
>>> Pages: 90
>>> Dates: 2023-10-23
>>>
>>> Abstract:
>>>
>>> This specification defines a mechanism for selective disclosure of
>>> individual elements of a JSON object used as the payload of a JSON
>>> Web Signature (JWS) structure. It encompasses various applications,
>>> including but not limited to the selective disclosure of JSON Web
>>> Token (JWT) claims.
>>>
>>> The IETF datatracker status page for this Internet-Draft is:
>>> https://datatracker.ietf.org/doc/draft-ietf-oauth-selective-disclosure-jwt/
>>>
>>> There is also an HTML version available at:
>>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-06.html
>>>
>>> A diff from the previous version is available at:
>>> https://author-tools.ietf.org/iddiff?url2=draft-ietf-oauth-selective-disclosure-jwt-06
>>>
>>> Internet-Drafts are also available by rsync at:
>>> rsync.ietf.org::internet-drafts
>>>
>>> _______________________________________________
>>> OAuth mailing list
>>> OAuth@ietf.org
>>> https://www.ietf.org/mailman/listinfo/oauth
>> --
>> Please use my new email address: mail@danielfett.de

--
Please use my new email address: mail@danielfett.de
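The -06 change Daniel announces in the quoted message, the hash over the Issuer-signed part and the Disclosures carried in the Key Binding JWT (the `sd_hash` claim), as an added example in Python that is not part of this thread or of the draft's own code: a minimal Verifier that checks `sd_hash` and matches Disclosures against the `_sd` digests, plus a constructed fixture showing what the hash prevents. Assumptions: `_sd_alg` is sha-256; the JWS tokens are placeholders with a dummy signature segment (signature verification is out of scope here and must happen first in a real Verifier); salts, claim values, `aud`, `nonce` and timestamps are made up.

```python
# Verifier-side integrity checks for an SD-JWT presentation with Key Binding.
# Added example, not code from the draft or its authors. It implements the -06
# behaviour described above: Disclosure digests are matched against `_sd`, and
# the KB-JWT carries `sd_hash`, a digest over the Issuer-signed JWT plus the
# Disclosures actually presented. Assumptions: `_sd_alg` is sha-256, and the JWS
# tokens are placeholders whose signatures are NOT verified here (a real Verifier
# checks the Issuer's and the Holder's signatures before any of these checks).
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_disclosure(salt: str, name: str, value) -> str:
    # Disclosure = base64url(JSON array [salt, claim name, claim value])
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))

def disclosure_digest(disclosure: str) -> str:
    # Value listed in the Issuer-signed payload's `_sd` array:
    # base64url(SHA-256(ASCII bytes of the Disclosure string)).
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def sd_hash(issuer_jwt: str, disclosures: list) -> str:
    # -06: digest over "<Issuer-signed JWT>~<Disclosure 1>~...~<Disclosure N>~",
    # i.e. the presentation without the KB-JWT, trailing tilde included.
    data = "~".join([issuer_jwt, *disclosures]) + "~"
    return b64url(hashlib.sha256(data.encode("ascii")).digest())

def unsigned_jwt(header: dict, payload: dict) -> str:
    # Fixture only: compact JWS layout with a dummy signature segment.
    return ".".join([b64url(json.dumps(header).encode()), b64url(json.dumps(payload).encode()), "sig"])

def jwt_payload(token: str) -> dict:
    # Decodes the payload segment only; signature verification precedes this in production.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_presentation(presentation: str) -> dict:
    parts = presentation.split("~")
    issuer_jwt, disclosures, kb_jwt = parts[0], parts[1:-1], parts[-1]
    if not kb_jwt:
        raise ValueError("Key Binding JWT required")
    payload = jwt_payload(issuer_jwt)
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    # Check 1 (new in -06): sd_hash in the KB-JWT must cover exactly the Issuer-signed
    # JWT and the Disclosures received, so nobody between Holder and Verifier can
    # add, drop or swap Disclosures.
    if jwt_payload(kb_jwt).get("sd_hash") != sd_hash(issuer_jwt, disclosures):
        raise ValueError("sd_hash mismatch: presentation was modified")
    # Check 2: each Disclosure must match one `_sd` digest exactly once and must not
    # reuse a cleartext claim name or the reserved names `_sd` and `...`.
    digests, seen = set(payload.get("_sd", [])), set()
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in disclosures:
        dg = disclosure_digest(d)
        if dg not in digests or dg in seen:
            raise ValueError("Disclosure matches no digest, or is repeated")
        seen.add(dg)
        _salt, name, value = json.loads(b64url_decode(d))
        if name in claims or name in ("_sd", "..."):
            raise ValueError("illegal or duplicate claim name: %r" % name)
        claims[name] = value
    return claims

def rejection_reason(presentation: str) -> str:
    # "" if the presentation is accepted, otherwise the Verifier's error message.
    try:
        verify_presentation(presentation)
        return ""
    except ValueError as e:
        return str(e)

def build_fixture():
    # Constructed data: fixed salts for reproducibility (real ones are fresh random
    # values of at least 128 bits); Holder key coordinates omitted from cnf.
    disc_nat = make_disclosure("salt-nationality-01", "nationality", "DE")
    disc_dob = make_disclosure("salt-birthdate-02", "birthdate", "1990-01-01")
    payload = {"iss": "https://issuer.example", "iat": 1698760849, "_sd_alg": "sha-256",
               "_sd": sorted([disclosure_digest(disc_nat), disclosure_digest(disc_dob)]),
               "cnf": {"jwk": {"kty": "EC", "crv": "P-256"}}}
    return unsigned_jwt({"alg": "ES256"}, payload), disc_nat, disc_dob

def present(issuer_jwt: str, selected: list, aud: str, nonce: str) -> str:
    # Holder side: choose Disclosures, then bind exactly that presentation into the KB-JWT.
    kb = {"aud": aud, "nonce": nonce, "iat": 1698760900, "sd_hash": sd_hash(issuer_jwt, selected)}
    return "~".join([issuer_jwt, *selected, unsigned_jwt({"typ": "kb+jwt"}, kb)])

def demo() -> dict:
    issuer_jwt, disc_nat, disc_dob = build_fixture()
    good = present(issuer_jwt, [disc_nat], "https://verifier.example", "n-0S6_WzA2Mj")
    # A relay appends the birthdate Disclosure the Holder did not release; its digest
    # is in `_sd`, so only the sd_hash check catches it.
    tampered = good.replace("~" + disc_nat + "~", "~" + disc_nat + "~" + disc_dob + "~")
    return {"claims": verify_presentation(good), "tamper_rejected": rejection_reason(tampered)}
```

`demo()` returns the accepted claims for the honest presentation and the rejection reason for the tampered one. The tampered case is the point of the -06 change: both Disclosures are genuine (their digests are in `_sd`), so a Verifier that only matched digests would accept a presentation the Holder never made; binding `sd_hash` into the Holder-signed KB-JWT ties the signature to the exact set presented. This covers integrity of the presentation, not the collusion scenario Denis raises, where a Holder willingly produces the KB-JWT on someone else's behalf.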