[secdir] Re: Secdir ietf last call review of draft-ietf-oauth-selective-disclosure-jwt-17

Shawn Emery <shawn.emery@gmail.com> Mon, 21 April 2025 23:20 UTC

To: Brian Campbell <bcampbell@pingidentity.com>
CC: secdir@ietf.org, draft-ietf-oauth-selective-disclosure-jwt.all@ietf.org, last-call@ietf.org, oauth@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/secdir/pLuHC3_ZKCNdw1t-e_DiFB3rG1A>

Looks good.  Thank you for the update.

On 4/18/25 2:42 PM, Brian Campbell wrote:
> Thanks Shawn, I appreciate the review and the acknowledgement of the 
> little touch of humor :)
>
> This PR addresses the editorial comments 
> https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/565
>
> On Mon, Apr 14, 2025 at 12:00 AM Shawn Emery via Datatracker 
> <noreply@ietf.org> wrote:
>
>     Document: draft-ietf-oauth-selective-disclosure-jwt
>     Title: Selective Disclosure for JWTs (SD-JWT)
>     Reviewer: Shawn Emery
>     Review result: Has Nits
>
>     I have reviewed this document as part of the security directorate's
>     ongoing effort to review all IETF documents being processed by the
>     IESG. These comments were written primarily for the benefit of the
>     security area directors. Document editors and WG chairs should treat
>     these comments just like any other last call comments.
>
>     This standards track draft specifies a mechanism for disclosing
>     targeted claims in a JSON Web Token (JWT).
>
>     This security considerations section does exist and provides
>     examples of the consequences of a naive Verifier in relation to the
>     security and correctness of the protocol. The section continues with
>     a discussion on salt generation and hash algorithm selection. Despite
>     specifying SHA-256 as the default hash algorithm, the protocol does
>     not appear to be susceptible to length extension attacks because the
>     Issuer signs the SD-JWT, which includes each of the Disclosure
>     hashes. The security implications of the optional key binding feature
>     (Holder proves authenticity of SDs to Verifier) are also discussed.
>     Lastly, the section covers disclosing claim names, validity claims,
>     verification key life-cycle, credential forwarding, SD-JWT*
>     integrity, and type attacks. I believe that this section provides
>     sufficient coverage for the various types of attacks and procedures
>     to mitigate against such attacks.
>
>     The authors have also included a privacy section, which includes
>     subsections on unlinkability, SD-JWT confidentiality in transit and
>     at rest, usage of digest decoys, and considerations of identifying
>     Issuers. The privacy section appears to be comprehensive and the
>     outlined procedures to protect privacy seem to be adequate.
>
>     General Comments:
>
>     Thank you for including examples in each of the pertinent sections
>     of the draft.
>
>     Editorial Comments:
>
>     s/ecosystem/operating environment/
>
>     for those who celebrate ;)
>
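The review above notes that SD-JWT is not exposed to hash length extension because the Issuer signs the SD-JWT payload containing each Disclosure digest, and a Verifier only accepts Disclosures whose digest appears there. The following Python illustration of that Issuer/Verifier digest check is added here and is not code from the draft or the working group; it uses the draft's Disclosure layout (base64url of a JSON array of salt, claim name and claim value) with SHA-256, leaves JWS signing out, and the function names `issue` and `verify` are the example's own.

```python
"""Added illustration of SD-JWT Disclosure digests and the Verifier-side
membership check. Signing/signature verification of the payload is
assumed to happen elsewhere; the payload dict here stands for the
already-verified, Issuer-signed JWT claims."""
import base64
import hashlib
import json
import secrets
from typing import Optional


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_disclosure(name: str, value, salt: Optional[bytes] = None) -> str:
    # Salt must be unpredictable; 128 random bits is the draft's minimum.
    salt = salt if salt is not None else secrets.token_bytes(16)
    return b64url(json.dumps([b64url(salt), name, value]).encode())


def digest(disclosure: str) -> str:
    # Digest covers the ASCII bytes of the base64url Disclosure string.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict) -> tuple:
    """Issuer: build the (to-be-signed) payload and the Disclosures.
    The _sd array is sorted so its order leaks nothing about claim order."""
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    payload = {"_sd_alg": "sha-256", "_sd": sorted(map(digest, disclosures))}
    return payload, disclosures


def verify(payload: dict, presented: list) -> dict:
    """Verifier: accept only Disclosures whose digest is in the signed _sd
    array; reject anything not covered by the signature and any duplicate."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    allowed, seen, claims = set(payload["_sd"]), set(), {}
    for d in presented:
        h = digest(d)
        if h not in allowed:
            raise ValueError("Disclosure digest not covered by Issuer signature")
        if h in seen:
            raise ValueError("duplicate Disclosure")
        seen.add(h)
        padded = d + "=" * (-len(d) % 4)
        _salt, name, value = json.loads(base64.urlsafe_b64decode(padded))
        claims[name] = value
    return claims
```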