IETF Logo Mail Archive

[OAUTH-WG] Re: SD-JWT architecture feedback

Warren Parad <wparad@rhosys.ch> Sat, 21 September 2024 08:43 UTC

Return-Path: <wparad@rhosys.ch>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67934C15109E for <oauth@ietfa.amsl.com>; Sat, 21 Sep 2024 01:43:41 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=rhosys.ch
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id MdMe6qeXjECd for <oauth@ietfa.amsl.com>; Sat, 21 Sep 2024 01:43:37 -0700 (PDT)
Received: from mail-ed1-x52e.google.com (mail-ed1-x52e.google.com [IPv6:2a00:1450:4864:20::52e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 8F2A7C14F6AD for <oauth@ietf.org>; Sat, 21 Sep 2024 01:43:37 -0700 (PDT)
Received: by mail-ed1-x52e.google.com with SMTP id 4fb4d7f45d1cf-5c5b6161022so1087815a12.3 for <oauth@ietf.org>; Sat, 21 Sep 2024 01:43:37 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=rhosys.ch; s=google2024; t=1726908216; x=1727513016; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=C+y7JYy2C0Oo/0NPWeZFc957YG9p2ZxtgCGgAtks83U=; b=XJJvjh4rDaPD0VMnug/SIY4qPVc1SElIPVwOQskxEj6rq4167ocDdccnvQs8u1/7pA dzg7oP8ihDk8T8B7whGGXtGQneQRdBbVeloU8i6Y0DxjGE9p7rFPidqIIPX77Pw8NLJn jxPc4XDHve7R3nqkgxSePTomWgLTMfZTVJ8EpcyRNl/0eRuKq/iuvOgfVpJUmWe11dhs MSPcLu8p7Fv10S/2+Q4pCTqnL0fEIcAcSpNVZZ5bOhvcifm+lCgVlQOeB3GYzc3IZECK HAcoxZX1eyoxN3wgMrdmjyf/d98RHyvb9CuLtF59vsagovEB6ToKDTWlHtcuxjXWufTd 7SNA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726908216; x=1727513016; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=C+y7JYy2C0Oo/0NPWeZFc957YG9p2ZxtgCGgAtks83U=; b=ZY6G8kmP5FeUlzuD5qtTIbkpEXsYWlA6R+rqnG9TYn5/ixl61IlvT2EOB56+/kPMTw qS9wlijWrcpzWMr/pPEDLIMtvJwAD9+ODGUu+wdROxlgy0N7fOeuyipm0HY+2D73b6sL YgjP4iw+fZnAtfsGrFp1EnsxqqNRkyHHMPsSuRPdww/m9gipM9y/t2o70eU3FB7p9o4y JfVu/NKlueNE+/NEEsgOyebWG3X5+r2x+ApCjjRNSJyGQA4RNJbHxNYxUdOtiYORAfH3 mNAH2zfbg8vWwOZMRDSJQVkYKmuT1CKbkw2Hz6VhKHl3DxUGR3oy5Uyxt0khZZcS0nfK +GLQ==
X-Gm-Message-State: AOJu0Yyi+biq0wK7bVqme9yviGfEVeXpr+QFU+iVp8orIGdZ3g+sjfw/ 4p+pxD2Crzp3erRc9MnwZHhhT9Y03bwAUYqwRchPzt5FVg5B1pyK65epqO2vdgzqCUIqOk2cUu9 g/gV7iKNAFpgZJVBGdcJz720GyU41IKV+0M4P
X-Google-Smtp-Source: AGHT+IFKkFwh+WZLcqeDG7PKm34MIUxKscOpDYpy1B7/cQnOBsZbJ5Tl+R9xtZtcvnmlgqOxkoPSXmm0susxsSBcneA=
X-Received: by 2002:a05:6402:51ca:b0:5c5:b85b:26b9 with SMTP id 4fb4d7f45d1cf-5c5b85ba41cmr1123104a12.19.1726908215958; Sat, 21 Sep 2024 01:43:35 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s9kricU8_VBBucQMob-n1jWN5xHd5Ymck=biUWqpH9yQ@mail.gmail.com>
In-Reply-To: <CAD9ie-s9kricU8_VBBucQMob-n1jWN5xHd5Ymck=biUWqpH9yQ@mail.gmail.com>
From: Warren Parad <wparad@rhosys.ch>
Date: Sat, 21 Sep 2024 10:43:24 +0200
Message-ID: <CAJot-L3QQLbTfz5LK94oK3ZikqJk--QiGzNRv5mdO4+oPm0wXQ@mail.gmail.com>
To: Dick.Hardt@gmail.com
Content-Type: multipart/alternative; boundary="000000000000c5d7f706229d268b"
Message-ID-Hash: JLQYIZKFKT3UZFLPUK3QXAJLCIQPLJ6C
X-Message-ID-Hash: JLQYIZKFKT3UZFLPUK3QXAJLCIQPLJ6C
X-MailFrom: wparad@rhosys.ch
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth@ietf.org, kristina@sfc.keio.ac.jp
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: SD-JWT architecture feedback
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/t8N9UBQVFsFXfOzmrsnw2NCjdww>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

+1

On Sat, Sep 21, 2024 at 6:44 AM Dick Hardt <dick.hardt@gmail.com> wrote:

> Hey Brian, Kristina, Daniel
>
> I appreciate you have been working on this for a while, and this feedback
> is last minute, and people have already working code that works with it --
> so this is unlikely to be welcome feedback -- but in the spirit of wanting
> what is best long term, here it is.
>
> *Token Separators*
> It is not clear to me why the disclosures are an arbitrary array of '~'
> separated items. It seems very odd to me as a developer. Why not have a 4th
> '.' separated string that is base64 URL encoded JSON array of the
> disclosures? The header includes the 'typ' so that a parser knows what all
> the following components are and how many there are.
>
> *Disclosure Format*
> On the format of the disclosures, the implicit semantics of the order of
> items in an array is a throwback to data formats of the last century. We
> are using JSON, let's have it be an object where we name each item.
>
> *Array Disclosure*
> Is this really needed? The only example I saw was for multiple
> citizenships. Would the issuer of an SD-JWT that contains a subject's
> citizenship not be the country who they are a citizen of? Why would another
> country be authoritative that the subject is a citizen of another country?
> In the example, it is hard to imagine a verifier trusting the US to say
> someone is a DE citizen, or vice versa. The array of age claims in example
> A.3 does not need the non intuitive '...' array mechanism. Taking this out
> would simplify implementations.
>
> *Claim Names*
> Why do the claims start with '_'? Why not just 'sd' and 'sda'? Why is
> '_sd_alg' in the payload and not in the header?
>
> *Explicit Typing*
> Why leave the typing in the header to be determined by the application
> (10.11), and not just be 'sd-jwt' and be REQUIRED?
>
>
>
>
>
>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

v2.37.1 | Report a Bug | By Email | System Status