IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption - SD-JWT

Warren Parad <wparad@rhosys.ch> Fri, 29 July 2022 09:35 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E992CC13C505 for <oauth@ietfa.amsl.com>; Fri, 29 Jul 2022 02:35:50 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.105
X-Spam-Level:
X-Spam-Status: No, score=-2.105 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id g5e5iyydO6TG for <oauth@ietfa.amsl.com>; Fri, 29 Jul 2022 02:35:46 -0700 (PDT)
Received: from mail-yw1-x112f.google.com (mail-yw1-x112f.google.com [IPv6:2607:f8b0:4864:20::112f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id DED97C13CCCA for <oauth@ietf.org>; Fri, 29 Jul 2022 02:35:46 -0700 (PDT)
Received: by mail-yw1-x112f.google.com with SMTP id 00721157ae682-31f443e276fso45546397b3.1 for <oauth@ietf.org>; Fri, 29 Jul 2022 02:35:46 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=cury7Xq6YkPAeZ0o847t/LdmWkRKNOZU3UQBKLgnKAQ=; b=Znm+a1eWje3NnAq5+45zSg/vmSN7bYBdYY9WOR0+YP+Snn8TCl5hBXs2dT6xX8AYyo 7iuKDlwyIpu8ixM8eKsd7DfKQB3WkVzhkjNQVAccxsz4hatsOniqRC4OsKWTXxskZi99 8hEZhuq9MlPHp/9vs+OmYjcnqtFCbMPneMFH5wb+NHbuMFqNp/BMiQz4l7oasyJ9XNea Vk1g8YKiOBI/X1ORYZ9FRx8mX0cFOUfnyFcpyCMgAXE5Neq6je4N+RuUfZaOzRsMNt9J zfF71RX7dkrqeiHHYOkDlToRvvnyGx52/2CkGfeFUmn73+nDuwf97w6Uz9cnBUu7qdtC 72qA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=cury7Xq6YkPAeZ0o847t/LdmWkRKNOZU3UQBKLgnKAQ=; b=gb7JSmJL4tESmg4EBLDk0EngWFldGiHiJlqKi/z63CUs5DjBQkAqlfq8nn+xM1F/Mh GYqoNtd9gPUB6eV2Q8mH3JRETYLJnbuW5uk2eQBqj36OQWg+oGjGrlzFWsdV8QSiFHY0 gKlNJGW1NNcG7Pg8Nfwk6JYGHKjnzoloapr13EmND4Anxe5UGQ5AC6Q6IVJIJnHndTra 1WETtYTRThfNd2tutrX0cUVxYpW4FygMw4uhFjseHkZ60f9AjznLBAPNRAZ6mjsBPlZB 7wBVCQcXVzJQVNpgSxAvCECjXQ9B2pTL2ILsW+ADfqnDPk2Xx1SiqtZoMH9EWBe0gTA+ q6iQ==
X-Gm-Message-State: ACgBeo0IBpMrrQmrNvrwqV+hDROSN+fF8RutoD7gJ4iaaqkhJtLVIohm TB99x9xXeQ5y3jNkg0eIqwGGVk4RCoPQILAzLJDW9+cXYhw4ozY=
X-Google-Smtp-Source: AA6agR6rVsZpHnKsm5oqocUpyVXzX7yeAACsBh2Og3JiqkdNnb+3s+0qYgLv52Yf6zPK71wFNDWwmGN7cp0tqybi56s=
X-Received: by 2002:a0d:f503:0:b0:31d:5651:b564 with SMTP id e3-20020a0df503000000b0031d5651b564mr2376647ywf.449.1659087345897; Fri, 29 Jul 2022 02:35:45 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com>
In-Reply-To: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Fri, 29 Jul 2022 11:35:35 +0200
Message-ID: <CAJot-L3KuetkQWXn_LAtMOzOF1Pwv1KGPO=CHiZrnnmKXCO1Qw@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Cc: oauth <oauth@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000e771d505e4ee5f5a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/r7qsyemXfvaYffiZB4fvXt1lsPE>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 29 Jul 2022 09:35:51 -0000

I too do not support adoption.

Something is "off" for me, I don't quite get the expectation on the secure
flow, in this draft, doesn't the issuer have to know the claims that could
be requested up front? If the goal is to not have the issuer contain any of
this data, but let the holder "add in their claims in a verifiable way",
the simple solution is just sharto share the access token with the actual
data. I think I would really want to see a concrete expectation about how
this would be used.

The other part is I want to challenge that it will actually have the
benefit that we want it to have (above and beyond JWEs).

For example, let's take the cornerstone argument from the draft:

> However, when a signed JWT is
>    intended to be multi-use, it needs to contain the superset of all
>    claims the user might want to release to verifiers at some point.
>    The ability to selectively disclose a subset of these claims
>    depending on the verifier becomes crucial to ensure minimum
>    disclosure and prevent verifiers from obtaining claims irrelevant for
>    the transaction at hand.
>
>
We already have a parallel today with *scopes*. Normally, we expect that
there can be progressive scope increases, via new interactions with the
user agent and the AS. However, in practice, Resource Servers ask User
Agents to approve all scopes up front, and worse still AS don't allow the
user agent to select which scopes they want to grant. In practice, theory
and practice are not the same.

Selective disclosure is only a small subset of the problem posed by scopes,
because scopes actually convey permissions. If we are going to improve
anything, it should be restricting any and all data in not just the
id_token but also the access_token. And the solution could be this draft's
implementation, or maybe it is something similar to macaroons
<https://en.wikipedia.org/wiki/Macaroons_(computer_science)>. I don't think
this draft get's us closer to that unfortunately.

Second, I challenge the perspective of multi-use. While I completely agree
tokens are multi-use, they tend to be multi-use inside of an opaque
"platform", the user-agent interacts with RSs in the platform in an
indistinguishable way, so meaningfully, RS will request all the scopes they
know about all the time, even if they don't need them. The platform will
still request everything, and the user-agent will be forced to share the
SD-JWT-R for all the claims.

If there are multiple RS or clients involved, then the process would be to
generate multiple tokens, one for each client interaction, as we do today.
The only way out of this I can see, is like macaroons you can selectively
restrict further information for the next hop. But that's based on
delegation and legal trust, not security.

If we can have a macaroon like solution for any relevant claim in a JWT,
then I would definitely support adoption.

Alternatively, I think a much stronger solution would be to have the
encrypted claims data in the JWT, and be individually decryptable (I
haven't looked at JWEs in a while, but I didn't think that was possible)

- Warren

On Fri, Jul 29, 2022 at 2:17 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
wrote:

> All,
>
> This is a call for adoption for the *SD-JWT* document
> https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
>
> Please, provide your feedback on the mailing list by *August 12th*.
>
> Regards,
>  Rifaat & Hannes
>
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>

v2.23.0 | Report a Bug | By Email