IETF Logo Mail Archive

Re: [SPICE] BoF: Problem Statements

Orie Steele <orie@transmute.industries> Wed, 13 September 2023 15:59 UTC

Return-Path: <orie@transmute.industries>
X-Original-To: spice@ietfa.amsl.com
Delivered-To: spice@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 7EC94C151997 for <spice@ietfa.amsl.com>; Wed, 13 Sep 2023 08:59:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 9Iz79esgotsO for <spice@ietfa.amsl.com>; Wed, 13 Sep 2023 08:59:53 -0700 (PDT)
Received: from mail-ej1-x631.google.com (mail-ej1-x631.google.com [IPv6:2a00:1450:4864:20::631]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6FD9FC1519A6 for <spice@ietf.org>; Wed, 13 Sep 2023 08:59:53 -0700 (PDT)
Received: by mail-ej1-x631.google.com with SMTP id a640c23a62f3a-9ad8bba8125so1174766b.3 for <spice@ietf.org>; Wed, 13 Sep 2023 08:59:53 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1694620792; x=1695225592; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=HxNXdyB6a0T2q2CjIJi49qW2IQfunQ8MvNiTJv7t1d0=; b=CoItPwcZjckrVpPF1Fa4x3PRfPKLMnkJPzr7WdxurlZbZTIxxIGe2jcS+mPfjKCWob Dz6B4T1aE7VfyEcEc37k9H5MXm31HziLvjgtcHCPezDPxcbSpSwn+XmPUpA6b5psEII+ EyTGxHlYLu7sNabzFfvuCgzEFhhABKvTr1tN56Rd9XIFv92nhe3Q6JztTthbjqYk44vI aM17XBDUG/yiVaA/q4flD4seBOoKrfqSDfMuQos8aZgqSAGC8nuSIhDmwxbYIpY4p+Iz aqY0PTmhIRnXlD+pZDcxyUf0YqY0hvverIn2LukLwmxcUvwJlTsf+sNJvSkWDuBPXhBb ZISA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1694620792; x=1695225592; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=HxNXdyB6a0T2q2CjIJi49qW2IQfunQ8MvNiTJv7t1d0=; b=mEjcnc0d6p8uAehdTWtwRUkPy3vydlehXipSBzvRH9TzuWhM01so/d+xiXp7VFnim0 GsxYyUWZVykH0fSihqwc9sqLP2vQ1F9lkPIv6TwpNzYvAfg0tjzOGTnlIa2pV6Hg830N yJO8/6Zy3rBTREC/1WMr5hE4C0O869aW91oNFovDkKp20dIt0MjlyBirH3EOn4bYdHz1 6m+WEp4/dZ+1Wq+qjrkm2SYjen9Ld11h/a+JVR5sTmczNu9FeHG3w31fQKSaAOw7qXdK 9kI2LKNCsga6DFZqPDlG5n60uVh3XzMqFqQ1ktghl0aaZaGLdWd8yGkXNMo9KC+8aexG F/+Q==
X-Gm-Message-State: AOJu0YyI63Qje0AS7IMfh8X0ZQUeow6hdZukbkLvk8dTYPSOFxCMrjO3 +YEdQhjlR7aWltFManXLua9ixupfT7mtQhGzydeZ8A==
X-Google-Smtp-Source: AGHT+IEwCOsYzcE75GqV/EMakuGg8yFpVzyc4wYeZLrrJEps6vbKsit/Zhp9asmBe+m4po0oLwUPFIEoNaxad6RUeGA=
X-Received: by 2002:a17:906:5181:b0:9ad:7f8b:21b with SMTP id y1-20020a170906518100b009ad7f8b021bmr2514068ejk.13.1694620791517; Wed, 13 Sep 2023 08:59:51 -0700 (PDT)
MIME-Version: 1.0
References: <CAN8C-_+uTsNRFrBZXnPx_6CYk7SOg7cyr5DYBDrK=1A+DRVc9w@mail.gmail.com> <e8d5d62a-ff68-3786-b651-e50e65a064e5@sit.fraunhofer.de>
In-Reply-To: <e8d5d62a-ff68-3786-b651-e50e65a064e5@sit.fraunhofer.de>
From: Orie Steele <orie@transmute.industries>
Date: Wed, 13 Sep 2023 10:59:40 -0500
Message-ID: <CAN8C-_+h4oCywXamjnAaXYhz4Zt+DCrevbSHr14RjUr3e0spYQ@mail.gmail.com>
To: Henk Birkholz <henk.birkholz@sit.fraunhofer.de>
Cc: spice@ietf.org, Hannes Tschofenig <Hannes.Tschofenig@gmx.net>, Justin Richer <justin@bspk.io>
Content-Type: multipart/alternative; boundary="0000000000004ec99206053fa6aa"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spice/OBYmx7-H0S1HJnt6I0R35bf6qL0>
Subject: Re: [SPICE] BoF: Problem Statements
X-BeenThere: spice@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Patterns for Internet CrEdentials <spice.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spice>, <mailto:spice-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spice/>
List-Post: <mailto:spice@ietf.org>
List-Help: <mailto:spice-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spice>, <mailto:spice-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 13 Sep 2023 15:59:57 -0000

Thanks Henk, I agree with your improvements.

To me they boil down to the need for IETF to address the concept of "data
model" and "exchange mechanisms" for digital credentials, particularly ones
that rely on other IETF documents.

Tackling these problems will help achieve compliance and
certification goals, especially in complex domains like physical and
software supply chains, where we see a mix of technologies providing
overlapping and non overlapping functionality.

It would be nice to understand how WIMSE fits into this picture.

Regards,

OS


On Wed, Sep 13, 2023 at 9:51 AM Henk Birkholz <
henk.birkholz@sit.fraunhofer.de> wrote:

> Hi Orie,
> hi list!
>
> I tried to map your problem statements (which I like in a ton, in
> principle! but they could be more problem'esque) to my individual
> understanding of spice.
>
> As a result, I went kinda off-trail and wrote my version of the problem
> statements. Not sure, if that is of help, but what I felt was a bit
> absent were the different dimension of the spice work - of which I think
> the most important ones are probably: credential-type data
> models/encodings, activities performed with respect to credentials, and
> the bigger picture how to re-combine data model specific activities
> across data models.
>
> Here's the result. Please bash. It's a very early pass.
>
>
> 0. Businesses lack a consistent way to create and present credentials.
> For example, there is no coherent interoperability between credential
> solutions based on X.509, CWT, and JWT with respect to the typical
> activities related to them, such as certification, transparency, or
> presentation. Each of these activities deviate slightly from each other
> depending on the credential format/data model used.
>
> 1. Other credentials that exist or are emerging today, such as Digital
> Drivers Licenses, Vaxination QR codes, or Verifable Credentials as a
> whole do not come with all the acitvities illustrated in (0.) and also
> lack uniform handling, correspondingly. For example, credential
> formats/data model often don't come with consistent credential delivery
> or presentation protocols.
>
> 2. There is no guided procedure enabling the transformation of
> credentials from one format/data model to another. For example,
> presenting a digital drivers license using one format & data model to
> obtain the classes of vehicles that operation of is permitted in another
> format & data model
>
> 3. There is no architectural documentation about which types of
> activities apply to all or some of the credential format/data models
> that exist or are emerging. Similarly, there is no rules set defined
> that businesses can use to nest methods related to different credential
> data models, e.g., protecting arbitrary content along with registered
> claim names in CWT or JWT. Or presenting an ISO mDoc with OAuth or via
> mTLS.
>
> How does this work? It is far from perfect, but does it get the scope
> across? Maybe I went beyond intended scope.
>
>
> Viele Grüße,
>
> Henk
>
> On 08.09.23 01:04, Orie Steele wrote:
> > Hello Fremen (dune reference... sorry).
> >
> > As we continue to try to find the relationships between SPICE, OAUTH,
> > COSE, JOSE, WIMSE etc...
> >
> > I am sharing some problem statements and solutions to help us refine our
> > BoF request... Please help bash them.
> >
> > 0. Businesses need a consistent set of building blocks for securing
> > artifacts and enabling certification, transparency and presentation of
> > credentials to preserve privacy and confidentiality, and reduce friction
> > and improve automation and compliance.
> >
> > 1. Digital wallets need a consistent vocabulary and terminology that can
> > be leveraged to build 3 party model protocols, where the trust can
> > travel with the data, instead of just in the channels that move the data.
> >
> > 2. Credential exchange protocols need to support high volume business to
> > business communications, in addition to user consent oriented OAuth /
> > OpenID Connect based flows.
> >
> > These boil down to fresh looks at some topics that have been previously
> > explored with IETF.
> >
> > OAuth helped define how to identify issuers (iss), subjects (sub), and
> > verifiers (aud)... JOSE and JWT have a set of data model building blocks
> > that work well for JSON based information models, and many of the same
> > conventions have been ported to COSE for use with CWT / CBOR.
> >
> > OAuth also addressed some details around delivering tokens from
> > "issuers" to "clients".... In the latest OAuth documents, we see
> > "wallets" show up as clients, and the audience binding gives way to the
> > 3 party model, where a credential with key binding can be presented or
> > partially disclosed to verifiers that the original credential issuer may
> > never have imagined.
> >
> > There have been various recent IETF drafts that focused on "shapes" of
> > credentials, for example
> > https://datatracker.ietf.org/doc/draft-ietf-rats-eat/
> > <https://datatracker.ietf.org/doc/draft-ietf-rats-eat/> and
> > https://openid.net/specs/openid-connect-userinfo-vc-1_0-00.html
> > <https://openid.net/specs/openid-connect-userinfo-vc-1_0-00.html> and
> > https://datatracker.ietf.org/doc/draft-looker-oauth-jwt-cwt-status-list/
> > <
> https://datatracker.ietf.org/doc/draft-looker-oauth-jwt-cwt-status-list/> and
> https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/ <
> https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/>
> >
> > The JSON based information models are built on JWT / SD-JWT
> > The CBOR based information models are built on CWT. (maybe SD-CWT in the
> > future).
> >
> > There are other expressions of digital credentials, particularly ISO
> > mDOC and W3C Verifiable Credentials, but they don't build on IETF
> standards.
> >
> > It was before my time at IETF, but I have heard stories about attribute
> > certificates and urn's that seem to be earlier ancestors of these
> > current technology standards.
> >
> > The challenges are not new.
> >
> > How to express claims in ways that verifiers can understand?
> >
> > How to exchange credentials, how to discover verification or encryption
> > keys, what transports and protocols to use?
> >
> > How can we leverage the expertise of IETF to address these challenges,
> > without reinventing wheels unless there is an opportunity to make a
> > worthy improvement?
> >
> > Can SPICE be a home to credential data modeling concerns for both the
> > JOSE and COSE communities?
> >
> > What parts of OAuth and OIDC are working well for credential exchange,
> > and what is the best way to handle the scenarios that require more
> > automation and higher volume?
> >
> > How can we improve our problem statement and solution description and
> > refine what we have in
> >
> https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/
> <
> https://datatracker.ietf.org/doc/bofreq-prorock-secure-patterns-for-internet-credentials-spice/>
> today?
> >
> > Regards,
> >
> > OS
> >
> >
> > --
> >
> >
> > ORIE STEELE
> > Chief Technology Officer
> > www.transmute.industries
> >
> > <https://transmute.industries>
> >
> >
>


-- 


ORIE STEELE
Chief Technology Officer
www.transmute.industries

<https://transmute.industries>

v2.23.0 | Report a Bug | By Email