Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)
Giuseppe De Marco <demarcog83@gmail.com> Thu, 18 January 2024 16:58 UTC
Return-Path: <demarcog83@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEF57C14F616; Thu, 18 Jan 2024 08:58:52 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.845
X-Spam-Level:
X-Spam-Status: No, score=-1.845 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=unavailable autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 23oE4qM98W24; Thu, 18 Jan 2024 08:58:48 -0800 (PST)
Received: from mail-ed1-x52c.google.com (mail-ed1-x52c.google.com [IPv6:2a00:1450:4864:20::52c]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B50B9C14F5FD; Thu, 18 Jan 2024 08:58:48 -0800 (PST)
Received: by mail-ed1-x52c.google.com with SMTP id 4fb4d7f45d1cf-559de6145c3so2153127a12.1; Thu, 18 Jan 2024 08:58:48 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1705597127; x=1706201927; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=myGMC4vJf3lvO4DXbPNVx8wDqc2XV0olHMwXqTSAGOA=; b=hVKlPcCYs7zXE+EFXYpVorwhXk7Yokkhhh2iMk278DAC6nws4dK7sXJhQFp8emX5tu 9T2Kfiz6lkuEkfg7NGHGrB0zeBCckqXVeypBOol5is/1qO95F3TBuPF6QgpcX6TlztSp dAKkhWn2T5b6M1B8Gnz8n0GzLZuN9fwJVjvI6oWisjIauwETHXcRNCxZS+8tL0Vh7ggS SRNvPWAxONDT5zjrvgIoXnYB1qVJa6bdCPz2mkznHlkgq9OF8SxQkUAGMPGyZBtCwAHB PX5jEospRKzbQXboiBC3KjHe038Q+OGd406+9CCwJ5ZwUoIXBhMAzhMioY4XpBRplTJA GXIg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705597127; x=1706201927; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=myGMC4vJf3lvO4DXbPNVx8wDqc2XV0olHMwXqTSAGOA=; b=l1dHX9HYNSn8nY2mRkd7sG0ib0zELINrXMumIRejcHi5VMpz7ffd51Zz1InXRAovKZ viQrHbQZzADsaJ+jUrr517/nk1KWYl8/surrx+iuPh5SZTEEUaZd5dlfrIgYFPhY5xAf TTrTIlnUo2jemPKEgAk9d2koOhJX5AUwnsFmZOHVck111Uaj5MbU1rTiFaGj7hQtdJp4 2bll2lrXlp63Pu3/WoJTrCsuDBQHTZzOw1DHxlyGJms1ssuqjdSFIlqpdbnNeK0q13LT NFyE62EFNPunccrvOWsWOoene+MTkXQxjoWE2LFsgReMDqMgC10g1RWFeAhdaUxYfNnq njJg==
X-Gm-Message-State: AOJu0Yy5vp+/SEwi5rTzsRyWAUzhx8ADF6EagR5QGER/3r/hDISr/8Pg z5Li/OzNk4LMyxKGESgm3fkgUjX34YRee32vsGsewfEsaKHSDk+S/1Mc3mWO1P5t/siirOjhIYB efwAzSFDbXIegDwk+WUDnOPd9OAI=
X-Google-Smtp-Source: AGHT+IHX97pXlV44h6yc6ii5/4zzdgzMy7gs7nDlmmu+G9jIOqhMfm21a8fyoqCi/HQiwS63m8+QyK44Qx4HFNue7Pg=
X-Received: by 2002:a05:6402:644:b0:559:bd86:c946 with SMTP id u4-20020a056402064400b00559bd86c946mr708755edx.30.1705597126911; Thu, 18 Jan 2024 08:58:46 -0800 (PST)
MIME-Version: 1.0
References: <CAN8C-_+5mSFAion-e4Ta6AZLVGadr7cdSWjw-UpnBvH9Z98ohw@mail.gmail.com> <05d901da4980$8c8021e0$a58065a0$@gmx.net> <CAP_qYy=Dh0wDJ1JwOkvLiRR==7ZJTH+oLtzSU=egho1L0===hQ@mail.gmail.com> <3a80e0ce-682e-e3c5-8f39-7f3731aa9c1f@free.fr> <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr>
In-Reply-To: <a5a530c8-bf2d-1edb-8ba7-cb05b18ac151@free.fr>
From: Giuseppe De Marco <demarcog83@gmail.com>
Date: Thu, 18 Jan 2024 17:58:35 +0100
Message-ID: <CAP_qYymC=dWbVjQjQmJC7fFkQki5nN3D646TNCO8=JWXC-TOOQ@mail.gmail.com>
To: Denis <denis.ietf@free.fr>
Cc: hannes.tschofenig=40gmx.net@dmarc.ietf.org, spice@ietf.org, fa.marino@ipzs.it, gi.demarco@innovazione.gov.it, oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e12a99060f3b4663"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/nIZ82TOYZW37B0WxInAniP9uTBY>
Subject: Re: [OAUTH-WG] [SPICE] OAuth Digital Credential Status Attestations (typo)
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 18 Jan 2024 16:58:52 -0000
Ciao Denis, thank you for the quick reply and for your contribution. The scope of the current draft is to provide a verifiable artifact that give the proof that a specific credential is active, then not revoked. >From your sequence diagram I read a digital credential issuance, while this is not in the scope of the draft. best Il giorno gio 18 gen 2024 alle ore 10:26 Denis <denis.ietf@free.fr> ha scritto: > Typo: Change: "proof *or* origin of wallet instance" > into : "proof *of* origin of wallet instance". > > The figure has been corrected below. > > Denis > > Hi Giuseppe, > > The current figure in the Introduction from > draft-demarco-status-attestations-latest is: > > +-----------------+ +-------------------+ > | | Requests Status Attestation | | > | |---------------------------->| | > | Wallet Instance | | Credential Issuer | > | | Status Attestation | | > | |<----------------------------| | > +-----------------+ +-------------------+ > > > +-- ----------------+ +----------+ > | | Presents credential and | | > | Wallet Instance | Status Attestation | Verifier | > | |---------------------------->| | > +-------------------+ +----------+ > > IMO, using the vocabulary agreed during the last BoF video conference, > this figure should be modified as follows: > > > +------------+ > +-------------------+ > | | Requests *Digital Credential* | > | > | | and presents proof of knowledge of | > | > | | either a private key or a link secret | > | > | | and proof *of* origin of wallet instance | Credential > Issuer | > | Holder |--------------------------------------->| > | > | | | > | > | | *Digital Credential* | > | > | |<---------------------------------------| > | > +------------+ > +-------------------+ > > > +-- ---------+ > +-------------------+ > | | Presents *Credential proof* | > | > | Holder | | Verifier > | > | |--------------------------------------->| > | > +------------+ > +-------------------+ > > Denis > > > Hi Hannes, > > Thank you for your quick reaction and also to Orie for sharing. > I've submitted the draft, here: > https://datatracker.ietf.org/doc/draft-demarco-status-attestations/ > > Regarding the term Attestation: good point. We have decided to use this > term since in several IETF and OpenID drafts this term seems pretty > established, the term Attestation is found at least in the following > specifications: > - Attestation based client-authentication (it's in the title) > - OpenID4VC High Assurance Interoperability Profile with SD-JWT VC > (wallet attestation) > - OpenID for Verifiable Presentations - draft 20 (verifier attestation) > - OpenID for Verifiable Credential Issuance (section "Trust between > Wallet and Issuer": Device Attestation) > > Meantime in the eIDAS Expert group this term is going to be changed to > "Wallet Trust Evidence". > > <https://datatracker.ietf.org/doc/draft-demarco-status-attestations/> > I don't have a strong opinion on what would be the best semantic for this, > I just have realized the functional difference between a Digital Credential > and an Attestation: > the first requires the user to be authenticated and give consent for using > the secure storage. The second is obtained with a machine2machine flow > where no user interaction is required, the secure storage is not required, > no user information is contained in it since the subject is the wallet > instance and not the user, it cannot be (re)used without the cryptographic > proof of possession. Probably a discussion could start about this term > aiming to align several specifications on the same terminology. I could say > that Status Attestation is a specific artifact defined for a specific > context, other attestations can be defined outside the functional perimeter > of this specification. Let's talk about it, it doesn't matters changing > terms (eventually mindsets on perceivable meanings). > > Here I share some notes I picked along the last two months about this > brand new individual draft: > > - it is related to digital credential only, I don't expect to use it in > legacy infrastructure different from wallet. I really don't need this kind > of mechanism in OIDC or any other traditional infrastructure since these > doesn't show the privacy issues the wallet ecosystem has; > - it would interesting mentioning in the introduction that's pratically an > ocsp stapling like mechanism, just to give some context (credit: Paul > Bastien); > - The Rationale section needs to clarify better problems and solutions, where > it seems that the problem does not exist or that it is weak. A review is > necessary to clearly bring the benefits; > - Editorials mistake are still along the reading. > > thank you for your time and interest, > best > > > > > > > Il giorno mer 17 gen 2024 alle ore 21:06 <hannes.tschofenig= > 40gmx.net@dmarc.ietf.org> ha scritto: > >> Hi Guiseppe, Francesco, Orie, >> >> >> >> @Orie: Thanks for sharing the draft. >> >> >> >> As a quick reaction: It would be good to invent a new term for >> “attestation” in draft-demarco-status-attestations.html because this term >> is already widely used in a different context (see RFC 9334). >> >> >> >> @Guiseppe and Francesco: It would be great if you could submit your draft >> to OAuth or SPICE for discussion. >> >> >> >> Ciao >> >> Hannes >> >> >> >> >> >> *From:* OAuth <oauth-bounces@ietf.org> *On Behalf Of *Orie Steele >> *Sent:* Mittwoch, 17. Jänner 2024 19:07 >> *To:* spice@ietf.org >> *Cc:* oauth <oauth@ietf.org> >> *Subject:* [OAUTH-WG] OAuth Digital Credential Status Attestations >> >> >> >> Hello Digital Credential Enthusiasts, >> >> See: >> https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html >> >> Note the use of the term digital credential, and the alignment to CWT >> based credentials and CWT based credential status lists. >> >> As a quick summary of the editors draft above: >> >> It is basically a refresh-token-like approach to dynamic state, where the >> holder retrieves updated state from the issuer at regular intervals, and >> can then present that dynamic state directly to the verifier. >> >> This eliminates the herd privacy and phone home issues associated with >> W3C Bitstring Status Lists. >> >> And it informs the holder of dynamic state, so the digital wallet can >> provide a better user experience. >> >> However, an issuer (government or ngo) could use the interval of >> requesting dynamic state, to track the holder... so the guidance from >> https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/ >> >> Is also relevant to this draft. >> >> I also learned that >> https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ >> >> Has defined a new property for expressing "Verifiable Credential" "type" >> `vct`, which is different from how W3C defines credential types. >> >> W3C uses the expanded IRI for the graph node type, based on the JSON-LD >> context. >> >> For example with: >> >> { >> "@context": [ >> "https://www.w3.org/ns/credentials/v2", >> "https://www.w3.org/ns/credentials/examples/v2" >> ], >> "id": "http://university.example/credentials/1872", >> "type": ["VerifiableCredential", "ExampleAlumniCredential"], >> ... >> } >> >> The credential type in RDF becomes " >> https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential" >> >> Which is different from "ExampleAlumniCredential" in JSON... More >> evidence that RDF leads to developer confusion regarding safe typing. >> >> The OAuth solution does not have this confusing issue, they set the type >> explicitly: >> >> { >> "vct": "https://credentials.example.com/identity_credential", >> "given_name": "John", >> "family_name": "Doe", >> "email": "johndoe@example.com", >> "phone_number": "+1-202-555-0101", >> "address": { >> "street_address": "123 Main St", >> "locality": "Anytown", >> "region": "Anystate", >> "country": "US" >> }, >> "birthdate": "1940-01-01", >> "is_over_18": true, >> "is_over_21": true, >> "is_over_65": true, >> "status": { >> "status_attestation": { >> "credential_hash_alg": "S256", >> } >> } >> } >> >> Regards, >> >> OS >> >> -- >> >> >> >> >> *ORIE STEELE *Chief Technology Officer >> www.transmute.industries >> >> <https://transmute.industries/> >> _______________________________________________ >> OAuth mailing list >> OAuth@ietf.org >> https://www.ietf.org/mailman/listinfo/oauth >> > > _______________________________________________ > OAuth mailing listOAuth@ietf.orghttps://www.ietf.org/mailman/listinfo/oauth > > > > >
- [OAUTH-WG] OAuth Digital Credential Status Attest… Orie Steele
- Re: [OAUTH-WG] OAuth Digital Credential Status At… hannes.tschofenig
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Leif Johansson
- Re: [OAUTH-WG] OAuth Digital Credential Status At… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Paul Bastian
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Watson Ladd
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Orie Steele
- Re: [OAUTH-WG] [SPICE] R: OAuth Digital Credentia… Oliver Terbu
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Tom Jones
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] R: [SPICE] OAuth Digital Credentia… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Giuseppe De Marco
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Denis
- Re: [OAUTH-WG] [SPICE] OAuth Digital Credential S… Tom Jones