IETF Logo Mail Archive

Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)

Giuseppe De Marco <demarcog83@gmail.com> Thu, 18 January 2024 16:58 UTC

Return-Path: <demarcog83@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF57C14F616; Thu, 18 Jan 2024 08:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23oE4qM98W24; Thu, 18 Jan 2024 08:58:48 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B50B9C14F5FD; Thu, 18 Jan 2024 08:58:48 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-559de6145c3so2153127a12.1; Thu, 18 Jan 2024 08:58:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705597127; x=1706201927; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=myGMC4vJf3lvO4DXbPNVx8wDqc2XV0olHMwXqTSAGOA=; b=hVKlPcCYs7zXE+EFXYpVorwhXk7Yokkhhh2iMk278DAC6nws4dK7sXJhQFp8emX5tu 9T2Kfiz6lkuEkfg7NGHGrB0zeBCckqXVeypBOol5is/1qO95F3TBuPF6QgpcX6TlztSp dAKkhWn2T5b6M1B8Gnz8n0GzLZuN9fwJVjvI6oWisjIauwETHXcRNCxZS+8tL0Vh7ggS SRNvPWAxONDT5zjrvgIoXnYB1qVJa6bdCPz2mkznHlkgq9OF8SxQkUAGMPGyZBtCwAHB PX5jEospRKzbQXboiBC3KjHe038Q+OGd406+9CCwJ5ZwUoIXBhMAzhMioY4XpBRplTJA GXIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705597127; x=1706201927; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=myGMC4vJf3lvO4DXbPNVx8wDqc2XV0olHMwXqTSAGOA=; b=l1dHX9HYNSn8nY2mRkd7sG0ib0zELINrXMumIRejcHi5VMpz7ffd51Zz1InXRAovKZ viQrHbQZzADsaJ+jUrr517/nk1KWYl8/surrx+iuPh5SZTEEUaZd5dlfrIgYFPhY5xAf TTrTIlnUo2jemPKEgAk9d2koOhJX5AUwnsFmZOHVck111Uaj5MbU1rTiFaGj7hQtdJp4 2bll2lrXlp63Pu3/WoJTrCsuDBQHTZzOw1DHxlyGJms1ssuqjdSFIlqpdbnNeK0q13LT NFyE62EFNPunccrvOWsWOoene+MTkXQxjoWE2LFsgReMDqMgC10g1RWFeAhdaUxYfNnq njJg==
X-Gm-Message-State: AOJu0Yy5vp+/SEwi5rTzsRyWAUzhx8ADF6EagR5QGER/3r/hDISr/8Pg z5Li/OzNk4LMyxKGESgm3fkgUjX34YRee32vsGsewfEsaKHSDk+S/1Mc3mWO1P5t/siirOjhIYB efwAzSFDbXIegDwk+WUDnOPd9OAI=
X-Google-Smtp-Source: AGHT+IHX97pXlV44h6yc6ii5/4zzdgzMy7gs7nDlmmu+G9jIOqhMfm21a8fyoqCi/HQiwS63m8+QyK44Qx4HFNue7Pg=
X-Received: by 2002:a05:6402:644:b0:559:bd86:c946 with SMTP id u4-20020a056402064400b00559bd86c946mr708755edx.30.1705597126911; Thu, 18 Jan 2024 08:58:46 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com> <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr> <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr>
In-Reply-To: <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr>
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Thu, 18 Jan 2024 17:58:35 +0100
Message-ID: <CAP_qYymC=dWbVjQjQmJC7fFkQki5nN3D646TNCO8=JWXC-TOOQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: hannes.tschofenig=40gmx.net@dmarc.ietf.org, spice@ietf.org, fa.marino@ipzs.it, gi.demarco@innovazione.gov.it, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e12a99060f3b4663"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nIZ82TOYZW37B0WxInAniP9uTBY>
Subject: Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 16:58:52 -0000

Ciao Denis,

thank you for the quick reply and for your contribution.
The scope of the current draft is to provide a verifiable artifact that
give the proof that a specific credential is active, then not revoked.

>From your sequence diagram I read a digital credential issuance, while this
is not in the scope of the draft.
best


Il giorno gio 18 gen 2024 alle ore 10:26 Denis <denis.ietf@free.fr> ha
scritto:

> Typo: Change: "proof *or* origin of wallet instance"
> into               : "proof *of* origin of wallet instance".
>
> The figure has been corrected below.
>
> Denis
>
> Hi Giuseppe,
>
> The current figure in the Introduction from
> draft-demarco-status-attestations-latest is:
>
> +-----------------+                             +-------------------+
> |                 | Requests Status Attestation |                   |
> |                 |---------------------------->|                   |
> | Wallet Instance |                             | Credential Issuer |
> |                 | Status Attestation          |                   |
> |                 |<----------------------------|                   |
> +-----------------+                             +-------------------+
>
>
> +-- ----------------+                             +----------+
> |                   | Presents credential and     |          |
> |  Wallet Instance  | Status Attestation          | Verifier |
> |                   |---------------------------->|          |
> +-------------------+                             +----------+
>
> IMO, using the vocabulary agreed during the last BoF video conference,
> this figure should be modified as follows:
>
>
> +------------+
> +-------------------+
> |            | Requests *Digital Credential*            |
> |
> |            | and presents proof of knowledge of     |
> |
> |            | either a private key or a link secret  |
> |
> |            | and proof *of* origin of wallet instance | Credential
> Issuer |
> |   Holder   |--------------------------------------->|
> |
> |            |                                        |
> |
> |            |    *Digital Credential*                  |
> |
> |            |<---------------------------------------|
> |
> +------------+
> +-------------------+
>
>
> +-- ---------+
> +-------------------+
> |            | Presents *Credential proof*              |
>        |
> |   Holder   |                                        |      Verifier
> |
> |            |--------------------------------------->|
> |
> +------------+
> +-------------------+
>
> Denis
>
>
> Hi Hannes,
>
> Thank you for your quick reaction and also to Orie for sharing.
> I've submitted the draft, here:
> https://datatracker.ietf.org/doc/draft-demarco-status-attestations/
>
> Regarding the term Attestation: good point. We have decided to use this
> term since in several IETF and OpenID drafts this term seems pretty
> established, the term Attestation is found at least in the following
> specifications:
>   - Attestation based client-authentication (it's in the title)
>   - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC
> (wallet attestation)
>   - OpenID for Verifiable Presentations - draft 20 (verifier attestation)
>   - OpenID for Verifiable Credential Issuance (section "Trust between
> Wallet and Issuer": Device Attestation)
>
> Meantime in the eIDAS Expert group this term is going to be changed to
> "Wallet Trust Evidence".
>
> <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/>
> I don't have a strong opinion on what would be the best semantic for this,
> I just have realized the functional difference between a Digital Credential
> and an Attestation:
> the first requires the user to be authenticated and give consent for using
> the secure storage. The second is obtained with a machine2machine flow
> where no user interaction is required, the secure storage is not required,
> no user information is contained in it since the subject is the wallet
> instance and not the user, it cannot be (re)used without the cryptographic
> proof of possession. Probably a discussion could start about this term
> aiming to align several specifications on the same terminology. I could say
> that Status Attestation is a specific artifact defined for a specific
> context, other attestations can be defined outside the functional perimeter
> of this specification. Let's talk about it, it doesn't matters changing
> terms (eventually mindsets on perceivable meanings).
>
> Here I share some notes I picked along the last two months about this
> brand new individual draft:
>
> - it is related to digital credential only, I don't expect to use it in
> legacy infrastructure different from wallet. I really don't need this kind
> of mechanism in OIDC or any other traditional infrastructure since these
> doesn't show the privacy issues the wallet ecosystem has;
> - it would interesting mentioning in the introduction that's pratically an
> ocsp stapling like mechanism, just to give some context (credit: Paul
> Bastien);
> - The Rationale section needs to clarify better problems and solutions, where
> it seems that the problem does not exist or that it is weak. A review is
> necessary to clearly bring the benefits;
> - Editorials mistake are still along the reading.
>
> thank you for your time and interest,
> best
>
>
>
>
>
>
> Il giorno mer 17 gen 2024 alle ore 21:06 <hannes.tschofenig=
> 40gmx.net@dmarc.ietf.org> ha scritto:
>
>> Hi Guiseppe, Francesco, Orie,
>>
>>
>>
>> @Orie: Thanks for sharing the draft.
>>
>>
>>
>> As a quick reaction: It would be good to invent a new term for
>> “attestation” in draft-demarco-status-attestations.html because this term
>> is already widely used in a different context (see RFC 9334).
>>
>>
>>
>> @Guiseppe and Francesco: It would be great if you could submit your draft
>> to OAuth or SPICE for discussion.
>>
>>
>>
>> Ciao
>>
>> Hannes
>>
>>
>>
>>
>>
>> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele
>> *Sent:* Mittwoch, 17. Jänner 2024 19:07
>> *To:* spice@ietf.org
>> *Cc:* oauth <oauth@ietf.org>
>> *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations
>>
>>
>>
>> Hello Digital Credential Enthusiasts,
>>
>> See:
>> https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html
>>
>> Note the use of the term digital credential, and the alignment to CWT
>> based credentials and CWT based credential status lists.
>>
>> As a quick summary of the editors draft above:
>>
>> It is basically a refresh-token-like approach to dynamic state, where the
>> holder retrieves updated state from the issuer at regular intervals, and
>> can then present that dynamic state directly to the verifier.
>>
>> This eliminates the herd privacy and phone home issues associated with
>> W3C Bitstring Status Lists.
>>
>> And it informs the holder of dynamic state, so the digital wallet can
>> provide a better user experience.
>>
>> However, an issuer (government or ngo) could use the interval of
>> requesting dynamic state, to track the holder... so the guidance from
>> https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/
>>
>> Is also relevant to this draft.
>>
>> I also learned that
>> https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
>>
>> Has defined a new property for expressing "Verifiable Credential" "type"
>> `vct`, which is different from how W3C defines credential types.
>>
>> W3C uses the expanded IRI for the graph node type, based on the JSON-LD
>> context.
>>
>> For example with:
>>
>> {
>>   "@context": [
>>     "https://www.w3.org/ns/credentials/v2",
>>     "https://www.w3.org/ns/credentials/examples/v2"
>>   ],
>>   "id": "http://university.example/credentials/1872",
>>   "type": ["VerifiableCredential", "ExampleAlumniCredential"],
>>   ...
>> }
>>
>> The credential type in RDF becomes "
>> https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential"
>>
>> Which is different from "ExampleAlumniCredential" in JSON... More
>> evidence that RDF leads to developer confusion regarding safe typing.
>>
>> The OAuth solution does not have this confusing issue, they set the type
>> explicitly:
>>
>> {
>>  "vct": "https://credentials.example.com/identity_credential",
>>  "given_name": "John",
>>  "family_name": "Doe",
>>  "email": "johndoe@example.com",
>>  "phone_number": "+1-202-555-0101",
>>  "address": {
>>    "street_address": "123 Main St",
>>    "locality": "Anytown",
>>    "region": "Anystate",
>>    "country": "US"
>>  },
>>  "birthdate": "1940-01-01",
>>  "is_over_18": true,
>>  "is_over_21": true,
>>  "is_over_65": true,
>>  "status": {
>>     "status_attestation": {
>>         "credential_hash_alg": "S256",
>>     }
>>  }
>> }
>>
>> Regards,
>>
>> OS
>>
>> --
>>
>>
>>
>>
>> *ORIE STEELE *Chief Technology Officer
>> www.transmute.industries
>>
>> <https://transmute.industries/>
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> _______________________________________________
> OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth
>
>
>
>
>

v2.23.0 | Report a Bug | By Email