[secdir] Re: Secdir ietf last call review of draft-ietf-oauth-selective-disclosure-jwt-17
Brian Campbell <bcampbell@pingidentity.com> Fri, 18 April 2025 20:49 UTC
To: Shawn Emery <shawn.emery@gmail.com>
CC: secdir@ietf.org, draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/BaWrtf6Tf7PqJpIcdaRi6m6J_d8>
Thanks Shawn, I appreciate the review and the acknowledgement of the little touch of humor :)

This PR addresses the editorial comments: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/565

On Mon, Apr 14, 2025 at 12:00 AM Shawn Emery via Datatracker <noreply@ietf.org> wrote:

> Document: draft-ietf-oauth-selective-disclosure-jwt
> Title: Selective Disclosure for JWTs (SD-JWT)
> Reviewer: Shawn Emery
> Review result: Has Nits
>
> I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.
>
> This standards track draft specifies a mechanism for disclosing targeted claims in a JSON Web Token (JWT).
>
> This security considerations section does exist and provides examples of the consequences of a naive Verifier in relation to the security and correctness of the protocol. The section continues with a discussion on salt generation and hash algorithm selection. Despite specifying SHA-256 as the default hash algorithm, the protocol does not appear to be susceptible to length extension attacks because the Issuer signs the SD-JWT, which includes each of the Disclosure hashes. The security implications of the optional key binding feature (Holder proves authenticity of SDs to Verifier) are also discussed. Lastly, the section covers disclosing claim names, validity claims, verification key life-cycle, credential forwarding, SD-JWT* integrity, and type attacks. I believe that this section provides sufficient coverage for the various types of attacks and procedures to mitigate against such attacks.
>
> The authors have also included a privacy section, which includes subsections on unlinkability, SD-JWT confidentiality in transit and at rest, usage of digest decoys, and considerations of identifying Issuers. The privacy section appears to be comprehensive and the outlined procedures to protect privacy seem to be adequate.
>
> General Comments:
>
> Thank you for including examples in each of the pertinent sections of the draft.
>
> Editorial Comments:
>
> s/ecosystem/operating environment/
>
> for those who celebrate ;)
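The review above refers to the Disclosure digests that the Issuer signs, the per-Disclosure salts, the digest decoys, and the checks a non-naive Verifier must perform. The following is an added illustration written for this archive page, not code from the draft or from the OAuth working group: it builds Disclosures as base64url(JSON([salt, name, value])), digests them with SHA-256 into the `_sd` array alongside decoys, and then has the Verifier reconstruct the disclosed claims while rejecting any Disclosure whose digest is not covered by the Issuer's signature. The Issuer name, claim values and the `issue`/`verify` helper names are constructed for the example; JWS signing and signature verification are assumed to happen outside these functions.

```python
import base64
import hashlib
import json
import secrets
from typing import Any, Dict, List, Optional, Tuple

# Added example (not the draft's own code). Follows the SD-JWT structure the
# review describes: Disclosure = base64url(JSON([salt, claim name, value])),
# digest = base64url(SHA-256(ascii(Disclosure))), digests live in "_sd".


def b64url(data: bytes) -> str:
    """base64url without padding, as used throughout JOSE."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(claim_name: str, claim_value: Any, salt: Optional[str] = None) -> str:
    # Salt: 128 bits from a CSPRNG, fresh for every Disclosure, so that a
    # Verifier cannot brute-force low-entropy claim values from the digest.
    if salt is None:
        salt = b64url(secrets.token_bytes(16))
    array = json.dumps([salt, claim_name, claim_value], separators=(",", ":"))
    return b64url(array.encode("utf-8"))


def digest_of(disclosure: str) -> str:
    """SHA-256 over the ASCII bytes of the Disclosure string (the _sd_alg default)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def make_decoy_digest() -> str:
    # A decoy is the digest of random bytes: it hides how many claims exist
    # and is indistinguishable from a real digest to the Verifier.
    return digest_of(b64url(secrets.token_bytes(16)))


def issue(claims: Dict[str, Any], decoys: int = 2) -> Tuple[Dict[str, Any], List[str]]:
    """Issuer side. Returns the payload the Issuer would sign and the Disclosures
    handed to the Holder. The signature itself is out of scope for this example."""
    disclosures = [make_disclosure(name, value) for name, value in claims.items()]
    sd = [digest_of(d) for d in disclosures] + [make_decoy_digest() for _ in range(decoys)]
    secrets.SystemRandom().shuffle(sd)  # position in _sd must not leak which claim is which
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256", "_sd": sd}
    return payload, disclosures


def verify(signed_payload: Dict[str, Any], presented: List[str]) -> Dict[str, Any]:
    """Verifier side, run after the JWS signature over signed_payload has been
    checked. Only Disclosures whose digest appears in the signed _sd array are
    accepted, which is what binds every disclosed claim to the Issuer's signature;
    duplicate digests and duplicate claim names are rejected rather than merged."""
    if signed_payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    sd = signed_payload.get("_sd", [])
    if len(set(sd)) != len(sd):
        raise ValueError("duplicate digest in _sd")
    seen = set()
    claims: Dict[str, Any] = {}
    for disclosure in presented:
        digest = digest_of(disclosure)
        if digest not in sd:
            raise ValueError("Disclosure is not covered by the Issuer signature")
        if digest in seen:
            raise ValueError("Disclosure presented more than once")
        seen.add(digest)
        salt, name, value = json.loads(b64url_decode(disclosure))
        if name in claims:
            raise ValueError("claim name disclosed twice")
        claims[name] = value
    return claims


if __name__ == "__main__":
    payload, disclosures = issue({"given_name": "Alice", "family_name": "Example", "age": 30})
    # Holder chooses to disclose only given_name; decoys stay in _sd unnoticed.
    print(verify(payload, disclosures[:1]))
```

Because the digests are inside the signed payload, a Holder or intermediary cannot append a Disclosure the Issuer never hashed, and a Verifier that accepts any well-formed Disclosure without checking it against `_sd` would be the "naive Verifier" the review refers to.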