Re: [OAUTH-WG] OAuth Digital Credential Status Attestations
Giuseppe De Marco <demarcog83@gmail.com> Wed, 17 January 2024 22:34 UTC
Return-Path: <demarcog83@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0D1EFC14F6B4; Wed, 17 Jan 2024 14:34:57 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.844
X-Spam-Level:
X-Spam-Status: No, score=-6.844 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YrTTGWpFO--l; Wed, 17 Jan 2024 14:34:52 -0800 (PST)
Received: from mail-ed1-x530.google.com (mail-ed1-x530.google.com [IPv6:2a00:1450:4864:20::530]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id CF4B9C14F69B; Wed, 17 Jan 2024 14:34:52 -0800 (PST)
Received: by mail-ed1-x530.google.com with SMTP id 4fb4d7f45d1cf-55a064b4871so456a12.0; Wed, 17 Jan 2024 14:34:52 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705530891; x=1706135691; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=zZzFUQ75fZz/dlbQN9JU351OFOUfR89elrPCWsRrYmg=; b=fjL4vs5dYq2h6NCsGOwOvFFTZCad/opOeIercPE1srwLCRIYs7eoQe2fjrYOdReG7g 6I5j+o1OAo+e1kWjC95MFWPPtlp09IUeMB+q5TB9HxDA3yw9eqDMSGmxTNydQhpHwGc/ R8USOe4m8Zb1IrLbLZQA7Cr4w2iPeHuxPgCDXrBtAwhQNH6hwpWtRDMH6ejj2LYC+HN1 yWzZAAvSmBQOsU37xnrKTgZ6wGbcWadIAyQx+rxOoc5LB4GMKwTnhJcw5QauV+WlMY7M RPscxKCkp1Dywc+Ve0vTQm+nZ7lgXQkcmJV8UzmvU2a4Jfj0PKonyNlrIe2Vuwh7tn+A SQPg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705530891; x=1706135691; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=zZzFUQ75fZz/dlbQN9JU351OFOUfR89elrPCWsRrYmg=; b=R8afW/wIoR3L8pkg85X6Mpe/rpuDI5w80yN8FmAgDtf18VC3QVVWCiypT8QgKUiPwt mIks6rSZ61DUQhMKSPnbzKJY8bPzdgjse3otcQ3Ih25WUB6tb/Ohf3wynf4fW6/TCTG7 KaIc7sXPbCryPHm1Zf0oVBKvtDYKF9XQ61CImfpaKnYGORNens0qOvRRcs4DLLvaVELx 7fO+GWN8zIbjDnkQwxD9kOKq7Onrr71tXS0RJXZCm35Z3mw/yM7O9qxNL/L0zcwOwu2a iqA57BTaxodpEb5NyGpP80kQrGqHo/uUMleIvx438EDgSbbgzLa84YA31H4Qb1GFhE2y /veA==
X-Gm-Message-State: AOJu0YwDLdg6pAFMvAErJvy9aymX/mgQFH9CDa2BDm78N+XwpWH5BgH1 cZLzGoJKNY8Cee2CE/g52SisFCwMs4559Ck/GgEanLkf21GWhmXf8knwSQ6fOn+wSBhvgM5BP7U TyVHQphcVePAfNwc0AXXrhP9HsGg=
X-Google-Smtp-Source: AGHT+IEGi4ADv+QKArcQ+U8jMWmPYOZi/6XBoaJo0sgPWzNaZE9ywHNhc46q9yY40h1yKpw91ghV7swDoofWsO0Q6U0=
X-Received: by 2002:aa7:c596:0:b0:558:ef6d:fd3d with SMTP id g22-20020aa7c596000000b00558ef6dfd3dmr4293edq.3.1705530890571; Wed, 17 Jan 2024 14:34:50 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net>
In-Reply-To: <05d901da4980$8c8021e0$a58065a0$@gmx.net>
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Wed, 17 Jan 2024 23:34:39 +0100
Message-ID: <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com>
To: hannes.tschofenig=40gmx.net@dmarc.ietf.org
Cc: Orie Steele <orie@transmute.industries>, spice@ietf.org, oauth <oauth@ietf.org>, gi.demarco@innovazione.gov.it, fa.marino@ipzs.it
Content-Type: multipart/alternative; boundary="000000000000e2d48c060f2bdadc"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fYiNfiTTeJWEKGma755TJajSYMs>
Subject: Re: [OAUTH-WG] OAuth Digital Credential Status Attestations
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 17 Jan 2024 22:34:57 -0000
Hi Hannes, Thank you for your quick reaction and also to Orie for sharing. I've submitted the draft, here: https://datatracker.ietf.org/doc/draft-demarco-status-attestations/ Regarding the term Attestation: good point. We have decided to use this term since in several IETF and OpenID drafts this term seems pretty established, the term Attestation is found at least in the following specifications: - Attestation based client-authentication (it's in the title) - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC (wallet attestation) - OpenID for Verifiable Presentations - draft 20 (verifier attestation) - OpenID for Verifiable Credential Issuance (section "Trust between Wallet and Issuer": Device Attestation) Meantime in the eIDAS Expert group this term is going to be changed to "Wallet Trust Evidence". <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/> I don't have a strong opinion on what would be the best semantic for this, I just have realized the functional difference between a Digital Credential and an Attestation: the first requires the user to be authenticated and give consent for using the secure storage. The second is obtained with a machine2machine flow where no user interaction is required, the secure storage is not required, no user information is contained in it since the subject is the wallet instance and not the user, it cannot be (re)used without the cryptographic proof of possession. Probably a discussion could start about this term aiming to align several specifications on the same terminology. I could say that Status Attestation is a specific artifact defined for a specific context, other attestations can be defined outside the functional perimeter of this specification. Let's talk about it, it doesn't matters changing terms (eventually mindsets on perceivable meanings). Here I share some notes I picked along the last two months about this brand new individual draft: - it is related to digital credential only, I don't expect to use it in legacy infrastructure different from wallet. I really don't need this kind of mechanism in OIDC or any other traditional infrastructure since these doesn't show the privacy issues the wallet ecosystem has; - it would interesting mentioning in the introduction that's pratically an ocsp stapling like mechanism, just to give some context (credit: Paul Bastien); - The Rationale section needs to clarify better problems and solutions, where it seems that the problem does not exist or that it is weak. A review is necessary to clearly bring the benefits; - Editorials mistake are still along the reading. thank you for your time and interest, best Il giorno mer 17 gen 2024 alle ore 21:06 <hannes.tschofenig= 40gmx.net@dmarc.ietf.org> ha scritto: > Hi Guiseppe, Francesco, Orie, > > > > @Orie: Thanks for sharing the draft. > > > > As a quick reaction: It would be good to invent a new term for > “attestation” in draft-demarco-status-attestations.html because this term > is already widely used in a different context (see RFC 9334). > > > > @Guiseppe and Francesco: It would be great if you could submit your draft > to OAuth or SPICE for discussion. > > > > Ciao > > Hannes > > > > > > *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele > *Sent:* Mittwoch, 17. Jänner 2024 19:07 > *To:* spice@ietf.org > *Cc:* oauth <oauth@ietf.org> > *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations > > > > Hello Digital Credential Enthusiasts, > > See: > https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html > > Note the use of the term digital credential, and the alignment to CWT > based credentials and CWT based credential status lists. > > As a quick summary of the editors draft above: > > It is basically a refresh-token-like approach to dynamic state, where the > holder retrieves updated state from the issuer at regular intervals, and > can then present that dynamic state directly to the verifier. > > This eliminates the herd privacy and phone home issues associated with W3C > Bitstring Status Lists. > > And it informs the holder of dynamic state, so the digital wallet can > provide a better user experience. > > However, an issuer (government or ngo) could use the interval of > requesting dynamic state, to track the holder... so the guidance from > https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/ > > Is also relevant to this draft. > > I also learned that > https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ > > Has defined a new property for expressing "Verifiable Credential" "type" > `vct`, which is different from how W3C defines credential types. > > W3C uses the expanded IRI for the graph node type, based on the JSON-LD > context. > > For example with: > > { > "@context": [ > "https://www.w3.org/ns/credentials/v2", > "https://www.w3.org/ns/credentials/examples/v2" > ], > "id": "http://university.example/credentials/1872", > "type": ["VerifiableCredential", "ExampleAlumniCredential"], > ... > } > > The credential type in RDF becomes " > https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential" > > Which is different from "ExampleAlumniCredential" in JSON... More evidence > that RDF leads to developer confusion regarding safe typing. > > The OAuth solution does not have this confusing issue, they set the type > explicitly: > > { > "vct": "https://credentials.example.com/identity_credential", > "given_name": "John", > "family_name": "Doe", > "email": "johndoe@example.com", > "phone_number": "+1-202-555-0101", > "address": { > "street_address": "123 Main St", > "locality": "Anytown", > "region": "Anystate", > "country": "US" > }, > "birthdate": "1940-01-01", > "is_over_18": true, > "is_over_21": true, > "is_over_65": true, > "status": { > "status_attestation": { > "credential_hash_alg": "S256", > } > } > } > > Regards, > > OS > > -- > > > > > *ORIE STEELE*Chief Technology Officer > www.transmute.industries > > <https://transmute.industries/> > _______________________________________________ > OAuth mailing list > OAuth@ietf.org > https://www.ietf.org/mailman/listinfo/oauth >
- [OAUTH-WG] OAuth Digital Credential Status Attest… Orie Steele
- Re: [OAUTH-WG] OAuth Digital Credential Status At… hannes.tschofenig
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Leif Johansson
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Paul Bastian
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Watson Ladd
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] [SPICE] R: OAuth Digital Credentia… Oliver Terbu
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones