IETF Logo Mail Archive

Re: [OAUTH-WG] Call for adoption - SD-JWT

Torsten Lodderstedt <torsten@lodderstedt.net> Wed, 03 August 2022 13:57 UTC

Return-Path: <torsten@lodderstedt.net>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 21B39C14CF03 for <oauth@ietfa.amsl.com>; Wed, 3 Aug 2022 06:57:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.004
X-Spam-Level:
X-Spam-Status: No, score=-2.004 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, MIME_QP_LONG_LINE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=lodderstedt.net
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id AHk9BtiNYMfs for <oauth@ietfa.amsl.com>; Wed, 3 Aug 2022 06:57:08 -0700 (PDT)
Received: from mail-ej1-x635.google.com (mail-ej1-x635.google.com [IPv6:2a00:1450:4864:20::635]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id ACE96C14CF01 for <oauth@ietf.org>; Wed, 3 Aug 2022 06:57:07 -0700 (PDT)
Received: by mail-ej1-x635.google.com with SMTP id a7so18672637ejp.2 for <oauth@ietf.org>; Wed, 03 Aug 2022 06:57:07 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=lodderstedt.net; s=google; h=content-transfer-encoding:from:mime-version:subject:date:message-id :references:cc:in-reply-to:to; bh=8PXCjpB+QJ6A9cYCAQ/a17l3oqKYEptc0oq93JZZZ9w=; b=PYIUGpFhc5MPpChANwqlrAvgs2aE+obUVFSLBIRdsXec5M1DE23CbgWImdYSQZ/XeG kSFiBgRRYn+g1hXveLh1Z0q1YnPHbjwV0GhGnT2bVT+0S9LAUZJiROmXPsXqvXFIp4AD f+1xbKRXiZGTNOOxtIEmBz4IGmLUWPRukazsHgp/GKv4g/HN6rq4MFDpm9POq+7IEh1s 82pHvrOWgZlLqQd9aUN4m3Oq2OQS9pH3fbdY7l+lJO4PwIZrnMk53Yfo9tAJq2jzQjM/ 5ZDriju+Lnt7tZkw9Ll0l45bhrIj0FvSRafiJiPD8gWeD/+79dhbj6S8Q2x/Di8n8MhE ey0Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=x-gm-message-state:content-transfer-encoding:from:mime-version :subject:date:message-id:references:cc:in-reply-to:to; bh=8PXCjpB+QJ6A9cYCAQ/a17l3oqKYEptc0oq93JZZZ9w=; b=uJWWL8WpMgOWLm2pmPkMJd0rKxUpX7IxrNyhvgVHOZPjJNObrmOPUYKqp6/IlhYLiv 5tOBzVAxdNREgdQeZh11mtKhQ0nUnSmw4Q+WDl2iIxWQ/rC1C4+rsJmhA9rNw+oZJGyc yoziXcpO76rsu7c/aa+uWsW/NaB0oUezfNcYW06Wse+JzM+j59QNouQ7hWmKv1IMonA7 JK26oH0sQZUz0LYJHqV1KAL+IfbNFuSzw2P7SlZon3x0Rc+irY6FZfX+ATcXgS5tuORQ L4HrLRZ0hIrS7PToSC+7NskYFRGguxbzScMtj8hqXyhC2h5QtSeBHW1MPLcsfPfcqghz UVXQ==
X-Gm-Message-State: AJIora+4K1S6Zh04KQP3jmBO42ECUh7dHrYEG4HcMLwEiAfhuQ82U4O8 R098cH6cO/sIvSC/KPD3vJ5Ztw==
X-Google-Smtp-Source: AGRyM1sm78e0Bh+cScF12eDGln7rjsl/9i6yu6S1O0qAyLxKKP9nucU1NmKN0vqcvpuW9GWYIZFFgA==
X-Received: by 2002:a17:907:1b1f:b0:72f:56db:cce9 with SMTP id mp31-20020a1709071b1f00b0072f56dbcce9mr20034181ejc.605.1659535025086; Wed, 03 Aug 2022 06:57:05 -0700 (PDT)
Received: from smtpclient.apple ([31.45.206.175]) by smtp.gmail.com with ESMTPSA id g26-20020a170906539a00b0073080c22898sm3584449ejo.15.2022.08.03.06.57.03 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 03 Aug 2022 06:57:04 -0700 (PDT)
Content-Type: multipart/alternative; boundary="Apple-Mail-0B52BE59-4F35-4C88-943A-B0873DAF6ADD"
Content-Transfer-Encoding: 7bit
From: Torsten Lodderstedt <torsten@lodderstedt.net>
Mime-Version: 1.0 (1.0)
Date: Wed, 03 Aug 2022 15:57:01 +0200
Message-Id: <1D2C56C5-8155-40A3-BC00-2EF7D12C9122@lodderstedt.net>
References: <7f46f3f1-d384-37ef-9e76-8cb80995fb4c@verifiablecredentials.info>
Cc: oauth@ietf.org
In-Reply-To: <7f46f3f1-d384-37ef-9e76-8cb80995fb4c@verifiablecredentials.info>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
X-Mailer: iPad Mail (19F77)
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/szYnuAThbjdydrnJ5ffym5CNcas>
Subject: Re: [OAUTH-WG] Call for adoption - SD-JWT
X-BeenThere: oauth@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: OAUTH WG <oauth.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/oauth>, <mailto:oauth-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth/>
List-Post: <mailto:oauth@ietf.org>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/oauth>, <mailto:oauth-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 03 Aug 2022 13:57:12 -0000

> Am 02.08.2022 um 19:30 schrieb David Chadwick <d.w.chadwick@verifiablecredentials.info>:
> 
> 
> Hi Torsten
> 
> your use case sounds like an online use case, not an offline one. So its a question of balancing a long lived SD-JWT along with a revocation mechanism vs a short lived minimal JWT containing just the claims that are needed.
> 
That’s correct. 
> I thought that SAML, OAuth2 and OIDC had opted for short lived non-revocable claims rather than long lived revocable ones due to the experiences of using revocation with X.509 PKCs.
> 
SAML and OIDC are considerably simple, flexible, and secure solutions to the challenges of selective disclosure, direct identifiers, and current claim values. They are an excellent solution for Web SSO. However, they require the IDP to be always on, an online connection to the RP, and share a lot of metadata with the IDP. 

X.509 certificate never had those problems, but are inflexible and require revocation. Verifiable Credentials to me are more like X.509 certs but with more flexibility, simpler to use data formats, and the option to selectively disclose claims.

So the question merely is what parameters to optimize for.

The current thinking I perceive is to give users long lived credentials, which means the issuer doesn’t need to be always on, there is no need for online connection, and the issuer does not get any metadata on when, what kind of claims is being used. This also makes offline use of such credentials an obvious option.

However, the lifecycle of such credentials needs to be managed. I think revocation lists are an ok solution to that problem. I don’t see how the issuer could learn where a credential is being used with revocation lists as the verifier will just download the whole list for evaluation and revocation lists typically do not authenticate the verifier. Which leaves the IP address of the verifier as metadata without any further context.

I think the issuer part of it is more complex than people currently believe since issuers need to maintain a list of the credentials they issued (not needed in OIDC). Updates to credential data need to be published and last but not least, there needs to be away to let credentials be revoked. E.g. an user or a wallet provider might need to ask an issuer to revoke a certain credential because of abuse. That’s gone be though.

That might be the reason why ISO mDL uses expiration (I guess weeks to month) instead of revocation. And the wheel starts to turn again …
> Kind regards
> 
> David
> 
> On 02/08/2022 10:47, Torsten Lodderstedt wrote:
>> 
>>>> Am 02.08.2022 um 11:06 schrieb Warren Parad <wparad@rhosys.ch>:
>>>> 
>>>> I was following your train of thought, let me paste that here for transparency, you specifically said:
>>>>> In an OAuth scenario, the user‘s wallet would act as AS and issue access tokens (those could be short lived) that effectively are verifiable presentations (based on a verifiable credential) audience restricted for a certain RS. The client wouldn’t even know it’s a verifiable presentation since the access token is opaque to the client.
>>>> 
>>>> Which I replied:
>>>>> If the user's wallet acts as the AS issuing tokens, then there is zero need for this draft because we could pass the scopes that relate to the claims directly to the AS, and have the AS return a limited JWT, and we would actually do that every time because:
>>>>> we can
>>>>> because the tokens have short lifetime
>>>>> So that isn't a valid argument, unless there's a reason why the AS wouldn't be able to do this.
>>>> 
>>>> In this conversation, I'm still not able to parse what you are saying. Yes, of course the user having a physical device (as the AS) to issue tokens is privacy enhancing, but then we don't need this draft as I just proved. Or are you talking about a different point?
>>> 
>>> In the model I envision, OAuth clients are able to obtain access tokens for the user’s services through the user’s wallet. Since the wallet is not the AS the RS trusts, I would like to utilize verifiable credentials as basis for issuing access tokens from the wallet. That means the credential is issued by the AS and the wallet can mint access tokens containing a presentation of such a credential. From a RSs standpoint this retains the standard trust model since the RS only accepts access tokens containing a credential from an AS it trusts. 
>>> 
>>> I also assume that a single AS is managing access to several RSs as that was the case in almost all deployments I was involved with. 
>>> 
>>> I think the most efficient and flexible way to implement this scenario is to issue a single SD-JWT based credential and to mint RS-specific access token as needed by using SD-JWT’s selective disclosure capabilities. So an access token for the user’s contacts API would only include the claims needed for this service (e.g. the privilege to use the service) whereas an access token for the streaming API would include the data needed there (e.g. authorised channel lists and so on). 
>>> 
>>> 
>>> On Tue, Aug 2, 2022 at 10:54 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>>> 
>>>> 
>>>>> Am 02.08.2022 um 10:48 schrieb Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>:
>>>>> 
>>>>> 
>>>>> Can you please reread what you wrote and rephrase it differently? Telling us to look at the OAuth JWT RFC isn't helpful here.
>>>> 
>>>> You say the AS can issue an access token every time and I say the wallet can issue access tokens on its own without the need to go back to the AS every time again. That’s privacy enhancing and helps scalability.
>>>> 
>>>>> Also it isn't clear which part of your statement you are trying to clarify. What does "original AS" mean? Are you suggesting a "multi AS" configuration? What does that look like?
>>>>> 
>>>>> On Tue, Aug 2, 2022 at 10:44 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>>>>> 
>>>>>> 
>>>>>>> Am 02.08.2022 um 10:35 schrieb Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>:
>>>>>>> 
>>>>>>> 
>>>>>>> Why would we not include those seemingly critical details in the draft then?
>>>>>>> Let's define what a verifiable presentation is (is that already defined somewhere? I didn't see it in the draft)
>>>>>>> Require the JWTs to be signed with a private key from a certificate chain, and include the whole certificate chain in the body. (I don't think there is already a RFC for this, but I could be wrong)
>>>>>>> Let's also talk about this comment:
>>>>>>>> In an OAuth scenario, the user‘s wallet would act as AS and issue access tokens (those could be short lived) that effectively are verifiable presentations (based on a verifiable credential) audience restricted for a certain RS. The client wouldn’t even know it’s a verifiable presentation since the access token is opaque to the client.
>>>>>>> 
>>>>>>> If the user's wallet acts as the AS issuing tokens, then there is zero need for this draft because we could pass the scopes that relate to the claims directly to the AS, and have the AS return a limited JWT, and we would actually do that every time because:
>>>>>>> we can
>>>>>>> because the tokens have short lifetime
>>>>>>> So that isn't a valid argument, unless there's a reason why the AS wouldn't be able to do this.
>>>>>> 
>>>>>> Well, how many access tokens have you seen in the wild that only contain an access token? I haven’t, any of the carriers some for of user claims, e.g. a sub, in most cases some privileges/roles. Please take a look at https://www.rfc-editor.org/rfc/rfc9068.html for best current practice.
>>>>>> 
>>>>>> Using a VC in the way I described means the original AS doesn’t need to be involved in the
>>>>>> 
>>>>>>> 
>>>>>>> On Tue, Aug 2, 2022 at 10:14 AM Torsten Lodderstedt <torsten=40lodderstedt.net@dmarc.ietf.org> wrote:
>>>>>>>> 
>>>>>>>> 
>>>>>>>>> Am 02.08.2022 um 09:53 schrieb Warren Parad <wparad=40rhosys.ch@dmarc.ietf.org>:
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> If we are in a offline scenario how does the verifier got ahold of the public key associated with the id token?
>>>>>>>> 
>>>>>>>> Why id token? I would assume we are talking about verifiable presentations, right?
>>>>>>>> 
>>>>>>>> There are a couple of ways to provide the verifier with the public key needed to verify. The (raw) key could be contained in the credential or the presentation. If a trust chain is required, a x.509 certificate could serve the same purpose.
>>>>>>>> 
>>>>>>>> Beside that offline has different facets. In a Point of Sales scenario, even though the wallet would be offline the checkout counter would most likely have connectivity. That would also allow to resolve the public key on demand.
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> They would need to be online, that defeats any benefit this could provide.
>>>>>>>>> 
>>>>>>>>> Or what if the token you have expires. Many providers issue tokens only good for 1 hour. If that expires, the user has to go through the online flow again.
>>>>>>>>> 
>>>>>>>>> Unless we can add some provisions to ensure long lived token validity, I think in practice we're cripling the usefulness.
>>>>>>>> 
>>>>>>>> Absolutely. That’s the reason a verifiable credential has a much longer lifetime simply because the user should be able to use it in a sensible way. As this makes replay more likely, all verifiable credentials formats utilize holder binding for reply detection. The public key mentioned above is part of the cryptographic holder binding that only the legitimate user is able to execute.
>>>>>>>> 
>>>>>>>> In an OAuth scenario, the user‘s wallet would act as AS and issue access tokens (those could be short lived) that effectively are verifiable presentations (based on a verifiable credential) audience restricted for a certain RS. The client wouldn’t even know it’s a verifiable presentation since the access token is opaque to the client.
>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> 
>>>>>>>>> On Tue, Aug 2, 2022, 04:21 Kristina Yasuda <Kristina.Yasuda=40microsoft.com@dmarc.ietf.org> wrote:
>>>>>>>>>> I support adoption.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> To add some color.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> One of the use-cases is a flow where issuance of a user credential (collection of user claims) is decoupled from presentation (where both issuance and presentation of a user credential are done using extensions of OAuth flows). The goal of this decoupling is to avoid “issuer call home”, where the user can send a user credential directly to the RP, without RP needing to contact the Issuer directly. So the motivations are not limited to offline scenarios, but are applicable to the scenarios that want to recreate in the online environment, the user experience of presenting credentials in-person.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Driver’s Licence just happens to be an example familiar to many, and there is no reason it cannot be a diploma, or an employee card, or a training certificate, etc. But it is worth highlighting that SD-JWT work becomes critical if we are to enable ISO-compliant mobile Driver Licences expressed in JSON to enable online scenarios and make life of the Web developers easier (as opposed processing data encoded as CBOR and signed as a COSE message). Selective disclosure is a requirement in many government issued credentials, while the usage of advanced cryptography is not always encouraged by the national cybersecurity agencies.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Regarding an approach where issuer issues multiple JWTs of a same type but with different subset of claims, it is not an ideal way to do selective disclosure with JWTs (type as a way to differentiate credential with one data structure/syntax from another). It complicates implementations that try to provide RP-U unlinkability (RPs cannot collude to track the user). The simplest way to achieve unlinkability with JWTs without using advanced cryptography is to issue multiple credentials of the same type but with varying use identifiers and enable pairwise identifiers per RP. Now there are multiple copies of each JWT with subset of claims of the same type. This greatly complicates presentation of these credentials too – since credentials are of the same type, now wallet needs to manage the combination of a subset of claims + pairwise identifier…
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> What if the implementation also wants predicates property, where age_over_XX boolean is sent instead of a birthdate string? The simplest way to do predicates with JWTs without using advanced cryptography is to have issuers to issue multiple age_over_xx booleans so that an appropriate one can be selectively disclosed to the RP. How many “JWTs with subset of claims” does the issuer needs to issue to account for all possible age requirements? Note that it’s not just age_over_21 to start gambling, it’s also age_over_65 to get pension benefits.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Managing the combinatorial explosion of sets of claims in speculatively issued JWTs, many of which will never be used, seems unwieldy, to say the least. "A conventional JWT with a subset of claims" approach could be taken in some implementations, but it should not prevent a simpler, extensible alternative of SD-JWT.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Finally, as Giuseppe pointed out, an option to blind claim names is on the table. As discussed on this list previously, we should analyze privacy properties of the mechanism and decide if we want to mandate it – which can be discussed after the adoption.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Best,
>>>>>>>>>> 
>>>>>>>>>> Kristina
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> From: OAuth <oauth-bounces@ietf.org> On Behalf Of Rifaat Shekh-Yusef
>>>>>>>>>> Sent: Thursday, July 28, 2022 8:17 PM
>>>>>>>>>> To: oauth <oauth@ietf.org>
>>>>>>>>>> Subject: [OAUTH-WG] Call for adoption - SD-JWT
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> All,
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> This is a call for adoption for the SD-JWT document
>>>>>>>>>> 
>>>>>>>>>> https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Please, provide your feedback on the mailing list by August 12th.
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> Regards,
>>>>>>>>>> 
>>>>>>>>>>  Rifaat & Hannes
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> 
>>>>>>>>>> _______________________________________________
>>>>>>>>>> OAuth mailing list
>>>>>>>>>> OAuth@ietf.org
>>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>>>>>> _______________________________________________
>>>>>>>>> OAuth mailing list
>>>>>>>>> OAuth@ietf.org
>>>>>>>>> https://www.ietf.org/mailman/listinfo/oauth
>>>>> _______________________________________________
>>>>> OAuth mailing list
>>>>> OAuth@ietf.org
>>>>> https://www.ietf.org/mailman/listinfo/oauth
>> 
>> 
>> 
>> _______________________________________________
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth

v2.23.0 | Report a Bug | By Email