Re: [OAUTH-WG] Call for adoption - SD-JWT

Neil Madden <neil.madden@forgerock.com> Mon, 01 August 2022 10:56 UTC

From: Neil Madden <neil.madden@forgerock.com>
Message-Id: <75CB47D6-EB35-40EB-A3AE-0487C0405DC7@forgerock.com>
Date: Mon, 01 Aug 2022 11:55:58 +0100
In-Reply-To: <CAODMz5F7wBwkemtRK71RBHG8-=D_ezjxSkECtYmMU0OSX5n4nw@mail.gmail.com>
Cc: oauth <oauth@ietf.org>
To: Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org>
References: <CADNypP9xSXWKV=0nj803fW9xdqgguLWLOpMMQd0Uw3P16LQpfQ@mail.gmail.com> <CA+k3eCSCaSUUhbNe9G74a_g=ZnGFcz7iQHBGNMzWYFNmvskYPQ@mail.gmail.com> <CAODMz5F7wBwkemtRK71RBHG8-=D_ezjxSkECtYmMU0OSX5n4nw@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/yYeIfZhxJNrAU_gUnOd3I66urb0>

I agree with many of these points that Jaimandeep Singh raises. 

It would be good to know exactly what the intended use-cases within OAuth are. In particular, in OAuth it’s normally the case that the client is relatively untrusted and a privacy goal is to avoid revealing information/PII to the client unnecessarily. In SD-JWT it seems that this is turned on its head somewhat and we trust the client (holder) with everything and instead want to keep some information private from the resource servers?

I think there are also some questions about exactly which claims can be selectively disclosed - e.g., it would be a very bad idea to allow security constraints like “exp”, “aud” or “cnf” to be selectively (not) disclosed. But the problem is that the set of security constraints is not fixed in any way, and new ones may be added by future specs or application-specific ones. So the issuer will need to be careful not to allow such constraints to be selectively disclosed.

Ultimately, I just don’t find this idea of fine-grained pick ’n’ mix selective disclosure of individual claims to be very compelling compared to the much simpler solution of just issuing multiple JWTs in the first place (with appropriate subsets of claims in them). 

— Neil

> On 29 Jul 2022, at 03:15, Jaimandeep Singh <jaimandeep.phdcs21=40nfsu.ac.in@dmarc.ietf.org> wrote:
> 
> Dear All,
> 1. At the outset I must compliment Daniel Fett and Kristina Yasuda and all the contributors for the wonderful work done on SD-JWT.
> 2. However, in my opinion there is no clear motivation for using SD-JWT in the present OAuth 2.0/2.1 ecosystem. We already have JWS and JWE which more or less satisfy the requirements.
> 3. The focus and time of the WG-OAUTH should be more aligned to the work directly impacting the improvements or BCP in the OAuth 2.0/2.1 specs.
> 4. WG-JWP (JSON Web Proofs) may be a more suitable place for the adoption of SD-JWT as they are working on a similar set of problems. They are actively seeking participation in the area of SD-JWT.
> 5. In view of above I am presently not in favour of its adoption in WG-OAUTH. 
> 
> Regards
> Jaimandeep Singh
> 
> On Fri, Jul 29, 2022 at 6:43 AM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
> I support adoption.
> 
> On Thu, Jul 28, 2022, 8:17 PM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
> All,
> 
> This is a call for adoption for the SD-JWT document
> https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
> 
> Please, provide your feedback on the mailing list by August 12th.
> 
> Regards,
>  Rifaat & Hannes
> 
> _______________________________________________
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
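Added example (not from the draft, the thread or any participant): a simplified SD-JWT-style issuer and verifier in Python that puts Neil's point about `exp`, `aud` and `cnf` into code. The issuer refuses to make any claim on a protected list selectively disclosable, and the verifier accepts security constraints only from the signed payload, so a holder who withholds or presents a disclosable `exp` is rejected either way. Assumptions: `PROTECTED_CLAIMS`, the `_sd`/`_sd_alg` payload layout and the `[salt, name, value]` disclosure encoding are stand-ins that follow the general shape of SD-JWT rather than the draft's exact wire format; JWS signing is omitted and `verify` assumes the caller has already checked the signature over `payload`; `SAMPLE_CLAIMS` and the timestamps are constructed.

```python
import base64
import hashlib
import json
import secrets

# Claims a verifier relies on as security constraints. Illustrative list: as the
# mail notes, the real set is open-ended, so an issuer should extend it.
PROTECTED_CLAIMS = frozenset({"iss", "exp", "nbf", "iat", "aud", "cnf"})


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(salt: bytes, name: str, value) -> str:
    # Disclosure = base64url(JSON [salt, claim name, claim value]); only its
    # SHA-256 digest goes into the signed payload (simplified SD-JWT shape).
    doc = json.dumps([b64url(salt), name, value], separators=(",", ":"))
    return b64url(doc.encode("utf-8"))


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


class ProtectedClaimError(ValueError):
    pass


def issue(claims: dict, disclosable: set, enforce: bool = True):
    """Return (payload, disclosures); enforce=False models a careless issuer."""
    if enforce and disclosable & PROTECTED_CLAIMS:
        raise ProtectedClaimError(f"refusing to make {sorted(disclosable & PROTECTED_CLAIMS)} selectively disclosable")
    if disclosable - set(claims):
        raise KeyError(f"disclosable claims not present: {sorted(disclosable - set(claims))}")
    payload, disclosures = {"_sd_alg": "sha-256", "_sd": []}, []
    for name, value in claims.items():
        if name in disclosable:
            d = make_disclosure(secrets.token_bytes(16), name, value)
            disclosures.append(d)
            payload["_sd"].append(digest(d))
        else:
            payload[name] = value
    payload["_sd"].sort()  # do not leak the issuer's claim ordering
    return payload, disclosures


def verify(payload: dict, presented: list, now: int, audience: str) -> dict:
    """Rebuild claims from a signature-checked payload (assumed) plus the disclosures the holder presented."""
    expected = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in presented:
        if digest(d) not in expected:
            raise ValueError("disclosure is not bound to the signed payload")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in PROTECTED_CLAIMS:  # constraints come from the signed payload only
            raise ValueError(f"security claim {name!r} arrived via a disclosure")
        if name in claims:
            raise ValueError(f"claim {name!r} presented twice")
        claims[name] = value
    for required in ("exp", "aud"):
        if required not in claims:
            raise ValueError(f"signed payload lacks required claim {required!r}")
    if claims["exp"] <= now:
        raise ValueError("token expired")
    if claims["aud"] != audience:
        raise ValueError("audience mismatch")
    return claims


# Constructed sample claims and clock; not taken from the draft or the mail.
SAMPLE_CLAIMS = {"iss": "https://issuer.example", "aud": "https://rs.example", "exp": 1_700_000_000,
                 "email": "alice@example.com", "phone": "+1-555-0100"}
NOW, AUD = 1_600_000_000, "https://rs.example"


def _outcome(*args) -> str:
    try:
        verify(*args)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    out = {}
    payload, discl = issue(SAMPLE_CLAIMS, {"email", "phone"})
    email_only = [d for d in discl if json.loads(b64url_decode(d))[1] == "email"]
    out["disclosed_all"] = verify(payload, discl, NOW, AUD)
    out["disclosed_email_only"] = verify(payload, email_only, NOW, AUD)
    forged = make_disclosure(bytes(16), "email", "mallory@example.com")
    out["forged"] = _outcome(payload, [forged], NOW, AUD)
    try:
        issue(SAMPLE_CLAIMS, {"exp"})
        out["issuer_guard"] = "missed"
    except ProtectedClaimError:
        out["issuer_guard"] = "refused"
    # Careless issuer made "exp" disclosable: the holder may now withhold it or
    # present it, and the verifier must reject both presentations.
    payload, discl = issue(SAMPLE_CLAIMS, {"exp"}, enforce=False)
    out["withheld_exp"] = _outcome(payload, [], NOW, AUD)
    out["disclosed_exp"] = _outcome(payload, discl, NOW, AUD)
    return out
```

`demo()` walks the cases: full and partial disclosure of `email`/`phone` succeed, a forged disclosure whose digest is not in `_sd` is rejected, the issuer guard refuses to make `exp` disclosable, and when that guard is bypassed the verifier still rejects both the withheld and the presented `exp`. The verifier-side check is the part worth keeping even if you trust your issuer: because the protected set is open-ended, a relying party should extend `PROTECTED_CLAIMS` with any application-specific constraint it enforces rather than rely on the issuer alone.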