Re: [SPICE] BoF: Problem Statements
Hesham ElBakoury <helbakoury@gmail.com> Fri, 15 September 2023 01:52 UTC
Return-Path: <helbakoury@gmail.com>
X-Original-To: spice@ietfa.amsl.com
Delivered-To: spice@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8E29C15152B for <spice@ietfa.amsl.com>; Thu, 14 Sep 2023 18:52:13 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ays5auN-AYxM for <spice@ietfa.amsl.com>; Thu, 14 Sep 2023 18:52:09 -0700 (PDT)
Received: from mail-pf1-x42e.google.com (mail-pf1-x42e.google.com [IPv6:2607:f8b0:4864:20::42e]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9EDD5C15108D for <spice@ietf.org>; Thu, 14 Sep 2023 18:52:09 -0700 (PDT)
Received: by mail-pf1-x42e.google.com with SMTP id d2e1a72fcca58-68fb898ab3bso1340942b3a.3 for <spice@ietf.org>; Thu, 14 Sep 2023 18:52:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1694742729; x=1695347529; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=SMh8AWP3uk4rDyUBg0+I8dIv6E51yB0C40KAIQXOrj4=; b=FlFvHeEHMR86a35VoO0WkffaK+LdOYTdTSRDRbuS+PgGBW8hOlpLPISUpg/ZNz48V8 UxkuXBd0owPqgw+KnzTFwYZh55y4E5dNpXIzYNmsLLy1RzcnXpTC8Uc/3ueY19MpYv3y vPhRj2h/3kU4yq6Q/AHidsQIckKsBR6azK+x0a388knOwKXvHGsBoE60MSyjpBFWmClK selA1duDbSEQmv5m1UsXQQh7JIF+C1LZOQqYN6xiqkS/mm9kntsHujbDr2g3iiGtgXjt yqrsOWd73dSnkqH+LDqsCysxqYli6xow0O4HKzOyFlOlLPvunZRi/VgiUCNDGWKgCF9T b7ig==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694742729; x=1695347529; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=SMh8AWP3uk4rDyUBg0+I8dIv6E51yB0C40KAIQXOrj4=; b=Oo7aYBD7pEmntX38ja+Ljj1A8fxS8y3DJGHIGbga4AswkDjIc2bRji3Df2gCjIc8Xs slECRQop78Hk6ToSuAuOdLRBYoN24I5etnox23IUsCQgnzmmwOaRYVRFCar1IqhHRLB1 ud2y8RjSAyGg9EhoWXkFpiHJHI9tqmPuzXOK9EA5e6+HZNksQrKIF/zGzj9XpRaGhqOQ si0wxbZHjcgZDQ8eAF1vescGV/J9uHU9IGm7+Rlyje+K8Psu1XGlN+qHCQet3N3THW+G YWHtIAyVGA8zyAbLS2HTB9OIXlJ9ox7E6rFk+FPEmhOhWBMZj4EkKsl+Mp1d8olB6EUG xEbg==
X-Gm-Message-State: AOJu0Yx/F2dQ1Ui25EWruB1l9vqcwMBkF8I7S5OSvwSfkQpJF/d81pEr tuc+O11pknbKydOAEya6SP0EyGAUiMo2Wo8g66Q=
X-Google-Smtp-Source: AGHT+IE6yAC9I9FqerE3DYDlew42J78kj/HWx+UUbNl1YSb4S2siQS81Zq+K+MuWCqvGrwIezsfjkGVKlaZg3u9db08=
X-Received: by 2002:a05:6a21:272f:b0:151:991c:84b6 with SMTP id rm47-20020a056a21272f00b00151991c84b6mr356876pzb.59.1694742728532; Thu, 14 Sep 2023 18:52:08 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_+uTsNRFrBZXnPx_6CYk7SOg7cyr5DYBDrK=1A+DRVc9w@mail.gmail.com> <e8d5d62a-ff68-3786-b651-e50e65a064e5@sit.fraunhofer.de>
In-Reply-To: <e8d5d62a-ff68-3786-b651-e50e65a064e5@sit.fraunhofer.de>
From: Hesham ElBakoury <helbakoury@gmail.com>
Date: Thu, 14 Sep 2023 18:51:57 -0700
Message-ID: <CAFvDQ9rEAraFU+q2Sif_mE9yNp6MbDAFTWUrpzGVZnw4oYQ2VA@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: Orie Steele <orie@transmute.industries>, spice@ietf.org
Content-Type: multipart/alternative; boundary="00000000000051e8c906055c0a0a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spice/O71EFTUDzSkEPn85w7e8_8m7lBY>
Subject: Re: [SPICE] BoF: Problem Statements
X-BeenThere: spice@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Patterns for Internet CrEdentials <spice.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spice>, <mailto:spice-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spice/>
List-Post: <mailto:spice@ietf.org>
List-Help: <mailto:spice-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spice>, <mailto:spice-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 15 Sep 2023 01:52:13 -0000
Hi Henk, I sent an email about using digital driver license to the identity-discuss group which spurs good discussion that you may want to follow. Thanks Hesham On Wed, Sep 13, 2023, 7:52 AM Henk Birkholz <henk.birkholz@sit.fraunhofer.de> wrote: > Hi Orie, > hi list! > > I tried to map your problem statements (which I like in a ton, in > principle! but they could be more problem'esque) to my individual > understanding of spice. > > As a result, I went kinda off-trail and wrote my version of the problem > statements. Not sure, if that is of help, but what I felt was a bit > absent were the different dimension of the spice work - of which I think > the most important ones are probably: credential-type data > models/encodings, activities performed with respect to credentials, and > the bigger picture how to re-combine data model specific activities > across data models. > > Here's the result. Please bash. It's a very early pass. > > > 0. Businesses lack a consistent way to create and present credentials. > For example, there is no coherent interoperability between credential > solutions based on X.509, CWT, and JWT with respect to the typical > activities related to them, such as certification, transparency, or > presentation. Each of these activities deviate slightly from each other > depending on the credential format/data model used. > > 1. Other credentials that exist or are emerging today, such as Digital > Drivers Licenses, Vaxination QR codes, or Verifable Credentials as a > whole do not come with all the acitvities illustrated in (0.) and also > lack uniform handling, correspondingly. For example, credential > formats/data model often don't come with consistent credential delivery > or presentation protocols. > > 2. There is no guided procedure enabling the transformation of > credentials from one format/data model to another. For example, > presenting a digital drivers license using one format & data model to > obtain the classes of vehicles that operation of is permitted in another > format & data model > > 3. There is no architectural documentation about which types of > activities apply to all or some of the credential format/data models > that exist or are emerging. Similarly, there is no rules set defined > that businesses can use to nest methods related to different credential > data models, e.g., protecting arbitrary content along with registered > claim names in CWT or JWT. Or presenting an ISO mDoc with OAuth or via > mTLS. > > How does this work? It is far from perfect, but does it get the scope > across? Maybe I went beyond intended scope. > > > Viele Grüße, > > Henk > > On 08.09.23 01:04, Orie Steele wrote: > > Hello Fremen (dune reference... sorry). > > > > As we continue to try to find the relationships between SPICE, OAUTH, > > COSE, JOSE, WIMSE etc... > > > > I am sharing some problem statements and solutions to help us refine our > > BoF request... Please help bash them. > > > > 0. Businesses need a consistent set of building blocks for securing > > artifacts and enabling certification, transparency and presentation of > > credentials to preserve privacy and confidentiality, and reduce friction > > and improve automation and compliance. > > > > 1. Digital wallets need a consistent vocabulary and terminology that can > > be leveraged to build 3 party model protocols, where the trust can > > travel with the data, instead of just in the channels that move the data. > > > > 2. Credential exchange protocols need to support high volume business to > > business communications, in addition to user consent oriented OAuth / > > OpenID Connect based flows. > > > > These boil down to fresh looks at some topics that have been previously > > explored with IETF. > > > > OAuth helped define how to identify issuers (iss), subjects (sub), and > > verifiers (aud)... JOSE and JWT have a set of data model building blocks > > that work well for JSON based information models, and many of the same > > conventions have been ported to COSE for use with CWT / CBOR. > > > > OAuth also addressed some details around delivering tokens from > > "issuers" to "clients".... In the latest OAuth documents, we see > > "wallets" show up as clients, and the audience binding gives way to the > > 3 party model, where a credential with key binding can be presented or > > partially disclosed to verifiers that the original credential issuer may > > never have imagined. > > > > There have been various recent IETF drafts that focused on "shapes" of > > credentials, for example > > https://datatracker.ietf.org/doc/draft-ietf-rats-eat/ > > <https://datatracker.ietf.org/doc/draft-ietf-rats-eat/> and > > https://openid.net/specs/openid-connect-userinfo-vc-1_0-00.html > > <https://openid.net/specs/openid-connect-userinfo-vc-1_0-00.html> and > > https://datatracker.ietf.org/doc/draft-looker-oauth-jwt-cwt-status-list/ > > < > https://datatracker.ietf.org/doc/draft-looker-oauth-jwt-cwt-status-list/> and > https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ < > https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/> > > > > The JSON based information models are built on JWT / SD-JWT > > The CBOR based information models are built on CWT. (maybe SD-CWT in the > > future). > > > > There are other expressions of digital credentials, particularly ISO > > mDOC and W3C Verifiable Credentials, but they don't build on IETF > standards. > > > > It was before my time at IETF, but I have heard stories about attribute > > certificates and urn's that seem to be earlier ancestors of these > > current technology standards. > > > > The challenges are not new. > > > > How to express claims in ways that verifiers can understand? > > > > How to exchange credentials, how to discover verification or encryption > > keys, what transports and protocols to use? > > > > How can we leverage the expertise of IETF to address these challenges, > > without reinventing wheels unless there is an opportunity to make a > > worthy improvement? > > > > Can SPICE be a home to credential data modeling concerns for both the > > JOSE and COSE communities? > > > > What parts of OAuth and OIDC are working well for credential exchange, > > and what is the best way to handle the scenarios that require more > > automation and higher volume? > > > > How can we improve our problem statement and solution description and > > refine what we have in > > > https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/ > < > https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/> > today? > > > > Regards, > > > > OS > > > > > > -- > > > > > > ORIE STEELE > > Chief Technology Officer > > www.transmute.industries > > > > <https://transmute.industries> > > > > > > -- > SPICE mailing list > SPICE@ietf.org > https://www.ietf.org/mailman/listinfo/spice >
- [SPICE] BoF: Problem Statements Orie Steele
- Re: [SPICE] BoF: Problem Statements Henk Birkholz
- Re: [SPICE] BoF: Problem Statements Orie Steele
- Re: [SPICE] BoF: Problem Statements Michael Richardson
- Re: [SPICE] About DIDComm. Was "Clarifying the sc… Denis
- Re: [SPICE] BoF: Problem Statements Denis
- Re: [SPICE] BoF: Problem Statements Hesham ElBakoury