[secdir] Secdir ietf last call review of draft-ietf-oauth-selective-disclosure-jwt-17
Shawn Emery via Datatracker <noreply@ietf.org> Mon, 14 April 2025 06:00 UTC
CC: draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Reply-To: Shawn Emery <shawn.emery@gmail.com>
List-Id: Security Area Directorate <secdir.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/RhG0FsYkrM8sdOWxgEW0UbGywDM>
Document: draft-ietf-oauth-selective-disclosure-jwt
Title: Selective Disclosure for JWTs (SD-JWT)
Reviewer: Shawn Emery
Review result: Has Nits

I have reviewed this document as part of the security directorate's ongoing effort to review all IETF documents being processed by the IESG. These comments were written primarily for the benefit of the security area directors. Document editors and WG chairs should treat these comments just like any other last call comments.

This standards track draft specifies a mechanism for disclosing targeted claims in a JSON Web Token (JWT).

The security considerations section does exist and provides examples of the consequences of a naive Verifier in relation to the security and correctness of the protocol. The section continues with a discussion on salt generation and hash algorithm selection. Despite specifying SHA-256 as the default hash algorithm, the protocol does not appear to be susceptible to length extension attacks because the Issuer signs the SD-JWT, which includes each of the Disclosure hashes. The security implications of the optional key binding feature (Holder proves authenticity of SDs to Verifier) are also discussed. Lastly, the section covers disclosing claim names, validity claims, verification key life-cycle, credential forwarding, SD-JWT* integrity, and type attacks. I believe that this section provides sufficient coverage for the various types of attacks and procedures to mitigate against such attacks.

The authors have also included a privacy section, which includes subsections on unlinkability, SD-JWT confidentiality in transit and at rest, usage of digest decoys, and considerations of identifying Issuers. The privacy section appears to be comprehensive and the outlined procedures to protect privacy seem to be adequate.

General Comments:

Thank you for including examples in each of the pertinent sections of the draft.

Editorial Comments:

s/ecosystem/operating environment/ for those who celebrate ;)
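Added illustration, not part of the review above nor code from the draft: the Disclosure and digest construction the review summarizes (salted claim, base64url, SHA-256 digest placed in the Issuer-signed `_sd` array, plus decoy digests), together with the Verifier check that accepts only Disclosures whose digest the Issuer actually signed, which is the check a naive Verifier gets wrong. Function names are my own; JWS signature verification of the payload and Key Binding are assumed to be handled elsewhere and are not shown.

```python
import base64, hashlib, json, secrets

def b64url(data: bytes) -> str:
    """base64url without padding, as SD-JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def make_disclosure(name: str, value, salt: str = "") -> str:
    """Disclosure = base64url(JSON array [salt, claim_name, claim_value]).
    A fresh 128-bit salt per claim keeps equal values from hashing alike."""
    salt = salt or b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode("utf-8"))

def digest(disclosure: str) -> str:
    """Digest the Issuer signs: base64url(SHA-256(ASCII(disclosure)))."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())

def issue(public_claims: dict, selective: dict, decoys: int = 2):
    """Issuer side: the payload to be signed plus the Disclosures for the Holder.
    Random values of digest length stand in as decoys, hiding how many claims
    are selectively disclosable (constructed example, not the draft's exact recipe)."""
    disclosures = [make_disclosure(n, v) for n, v in selective.items()]
    sd = [digest(d) for d in disclosures]
    sd += [b64url(secrets.token_bytes(32)) for _ in range(decoys)]
    payload = dict(public_claims, _sd=sorted(sd), _sd_alg="sha-256")
    return payload, disclosures

def verify(signed_payload: dict, presented: list) -> dict:
    """Verifier side, run only after the JWS signature over signed_payload has
    been checked (assumed done here, not shown). A Disclosure is accepted only
    if its digest is in the signed _sd array; otherwise the presentation is
    rejected outright rather than the claim being silently dropped."""
    if signed_payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    signed = set(signed_payload.get("_sd", []))
    claims = {k: v for k, v in signed_payload.items() if k not in ("_sd", "_sd_alg")}
    seen = set()
    for d in presented:
        h = digest(d)
        if h not in signed:
            raise ValueError("Disclosure digest not covered by the Issuer signature")
        if h in seen:
            raise ValueError("duplicate Disclosure")
        seen.add(h)
        salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        if name in claims or name in ("_sd", "..."):
            raise ValueError(f"claim name {name!r} collides with the signed payload")
        claims[name] = value
    return claims
```

Undisclosed digests left in `_sd` (including the decoys) are simply never resolved, which is what gives the Holder selective disclosure without the Verifier learning the withheld claims.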