Re: [SPICE] Deliverables, implementability, formats
Orie Steele <orie@transmute.industries> Mon, 22 January 2024 16:23 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: spice@ietfa.amsl.com
Delivered-To: spice@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 9F1D5C14F6E8 for <spice@ietfa.amsl.com>; Mon, 22 Jan 2024 08:23:47 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.084
X-Spam-Level:
X-Spam-Status: No, score=-2.084 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_REMOTE_IMAGE=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id JGOuVy5L7X-b for <spice@ietfa.amsl.com>; Mon, 22 Jan 2024 08:23:43 -0800 (PST)
Received: from mail-yb1-xb36.google.com (mail-yb1-xb36.google.com [IPv6:2607:f8b0:4864:20::b36]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 1BFE5C14F6E1 for <spice@ietf.org>; Mon, 22 Jan 2024 08:23:43 -0800 (PST)
Received: by mail-yb1-xb36.google.com with SMTP id 3f1490d57ef6-da7ea62e76cso2501344276.3 for <spice@ietf.org>; Mon, 22 Jan 2024 08:23:43 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1705940622; x=1706545422; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=paeGeucc5WitRe7gJhI4PtjD/kV8TcOzZ8fbLxttRDg=; b=gdqrFdgdxOY539qCkhYxaMc1wmfALs2s93cCNJJio3venHCFjJRerzopqfNRHr34iI xbQMRBQsC/krN/oFaQtAZZQzdqgYJiIxFocd7NTRhb3kNPiB+1xgFBpYbPMpgtUKWVjM lrVTw4zchZo9oTvMEHXLLtOuJ0/qn4JXfqk00rI/l7aVMvDzLaGPmFBV5uwmpgkO6oJa XkOldOEn4A4KIPND+LU4fRyFWAWhTerrDpSXt0OvHvwQyBjV78saoOJRgA9FkkP9axVK jpDwwpDMuN6O0jv4G4C4+TPv9hwMHm6p9oqj9VQwCAvWNP6Hmbipbl26nBSAgO+zfz9r pOpg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1705940622; x=1706545422; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=paeGeucc5WitRe7gJhI4PtjD/kV8TcOzZ8fbLxttRDg=; b=Dw9x6UqVfQJNs8IoNIi41y+TAagiR6GAekkYzs5gdF0cfkwPfXcIqBlM4rNwHewHj0 RO+2ITn+5hw/c3Z/Ldg1VsZ4UTbJWGeYnlnOalRjWTXJ2Tp6B6eekPAbYDtrnGAo028d 74v81xf7RIK9f3/8n64QPKRYakeSLDTHdeecpGtfnB5iIlgckFN1z2bVZ4IhS2zrfbdg NHsn1DG40QzowImm5eUyen3sQHa+gppyWTezZJoTvxa+cc8iNqubiuMGlovtqOGlFM4A XFu+iM/iFr2ayLogF/TpQXwriZRHEn8WSIsAEVU6Iki41vxzMfXGYUd56M9WiA+GSbhH oGMQ==
X-Gm-Message-State: AOJu0YxHo1dT/2dyHGVCRywu3S/MGu8tdGFzbge1K6nvXpWZVWv8CZZB eZRQl8ulb4BSmfZxqyuJA1hXM0NYxQfpAmFRfEMYheYKRO4GQmTdbf7M8ZO1soArPpZbquRiPQq x7jmu1Luh6+gWKJ6OSN0tuCCklWqusiWqwLdGn+697pHCrF93GHE=
X-Google-Smtp-Source: AGHT+IF3ZvvGdUYMjPKkduzorGu2G/Bl5RX5aVBw5bn23jZZoXaypS3/VA+xkm1me1YrcwaymGp7dQ6E5HFgl4xVFLk=
X-Received: by 2002:a25:4cc8:0:b0:dc2:418d:279b with SMTP id z191-20020a254cc8000000b00dc2418d279bmr1990793yba.13.1705940622104; Mon, 22 Jan 2024 08:23:42 -0800 (PST)
MIME-Version: 1.0
References: <CACsn0c=ZQCSK6f6ZKZoa5ewYd1oyx4u=QURrTofhdtONmULQrg@mail.gmail.com>
In-Reply-To: <CACsn0c=ZQCSK6f6ZKZoa5ewYd1oyx4u=QURrTofhdtONmULQrg@mail.gmail.com>
From: Orie Steele <orie@transmute.industries>
Date: Mon, 22 Jan 2024 10:23:30 -0600
Message-ID: <CAN8C-_LBo5TW_myV+iuRyq4=1y8h78fwkcg6ggc4xaKQqgVQWw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
Cc: spice@ietf.org
Content-Type: multipart/alternative; boundary="000000000000c9f435060f8b4064"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spice/mxMDdgulE7p-bJQek3SRlL4Mn2g>
Subject: Re: [SPICE] Deliverables, implementability, formats
X-BeenThere: spice@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Patterns for Internet CrEdentials <spice.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spice>, <mailto:spice-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spice/>
List-Post: <mailto:spice@ietf.org>
List-Help: <mailto:spice-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spice>, <mailto:spice-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 22 Jan 2024 16:23:47 -0000
Thanks for your comments. Inline: On Fri, Jan 19, 2024 at 6:20 PM Watson Ladd <watsonbladd@gmail.com> wrote: > Dear flavoring enthusiasts, > > I'm writing in response to the charter text, and must confess to not > having read all of the enormous flow of emails over the past few days > as comprehensively as they deserved. I am concerned that the > distinction between SPICE and the other related working groups (only > one of which I know much about!) is based around largely irrelevant > distinctions, that our deliverables are too far from an actual > interoperable specification, and that there's a gap between the > architecture doc and our deliverables that opens the question of where > the work to fill them will be. I'll expound in reverse order, but > these points do overlap somewhat. > > First the architecture doc discusses issuance and presentation, as > well as extensibility points for key discovery and choices of formats. > I am not sure which document you are referring to... none of the drafts I have published to the data tracker were meant to be a "starting point for an architecture that the working group might adopt". The drafts were meant to take the shortest path possible to explaining how complex and evolving this space is. > This strikes me as very ambitious, and we're only promising to deliver > metadata discovery (something i am very dubious about) and selective > disclosure. If we can't do well with small tasks, I fear we should not attempt to charter for larger ones. > Who exactly is going to be responsible for the issuance > protocol, the presentation protocol for other sorts of formats, the > key discovery, and picking between JSON and CBOR (something that I > don't understand why it matters so much: aren't they supposed to be > the same semantically, or did we decide to nest representations inside > for crypto reasons...)? These strike me as things any real world > deployment needs to answer and we need to really nail down to have > interoperability. > > Indeed, the current text is attempting to reflect that the real world is making progress on these topics. Consider this recent PR: - https://github.com/WICG/identity-credential/pull/54/files#diff-5b2d57c713fadded2b8c7cbe949eb3d61b937b059a483ac29e6c85966cf03cf0R68 Interfaces we see developing in the wild are accounting for the format indecision, so if we want to be compatible, we need to align with what they are doing. Just to be extra clear, browser and web apis (like OIDC) are not choosing to only support CBOR or JSON, they are being built assuming both are required to support use cases, perhaps CBOR will be more popular for some use cases, and JSON will be more popular for others. Secondly privacy preserving disclosure has to be paired with issuance > to be useful, and there has to be a way to integrate it with other > protocols securely. Agreed, I expect this would end up being addressed in the details of a given cryptographic system and serialization format. PrivacyPass covers this well in their architecture document. > I think we should say something about this, or > that we're going to do something about it. There aren't terribly > generic solutions, and something about what we're doing here (is it > for the web? assuming a secure channel? what sort of binding and > anti-replay do we need?) should be said. Said in the charter? Can you propose some text? I feel that this would need to be said in deliverables, if the deliverable claims to address the design goals. > Metadata discovery scares me: > it implies that we don't have agreement on formats, protocols, etc. > I think we can say conclusively at this point that we (the people of the internet) don't have agreement on this. Note that x509, JOSE, COSE and PrivacyPass all exist. and we're just going to have a bunch of separated islands with their > own product ecosystem in each. Yes, this is true today. > I'm also skeptical given the temporal > aspects that this works: i think you are stuck with a bunch of > credentials you handed out earlier, or devices or software that was > rolled out. Interesting, typically credentials "expire" or are "revoked", and renewal does offer an opportunity for new cryptography or new serializations. You might imagine being handed back a COSE credential where you had previously had a JOSE one. > I'd prefer to see actual interoperability and some > thinking about what parts should be avoided because they involve > policy. You said "Policy", and I interpret this as "Issuer and Verifier" policies, which apply to both "proof formats" and "claim formats". We did create a draft starting to provide some guidance on this topic: https://datatracker.ietf.org/doc/draft-steele-spice-profiles-bcp/ > It's also the case I think that issuers and verifiers have a > much tighter connection than might be anticipated because the verifier > needs to accept that the issuer can talk about the facts and is doing > its job in issuance. I'm not sure how useful the generality is here. > > I don't understand your last comment here. > Thirdly I'm not sure about the relation to ongoing OAUTH work (which > I've got concerns about): is it just they do JSON and we do CBOR? that > seems pretty odd: can we just pick one? I think I have addressed this above. > Are we going to have parity, > or if we're focusing on a different set of usecases can we discuss > that explicitly in the charter? Can you say what you wish to see? We have discussed this in some depth, and it's usually boiled down to 2 world views: 1. digital credentials are for natural persons, and there are no use cases for "legal entity credentials"... this seems pretty conclusively disputed by GS1 ... https://ref.gs1.org/gs1/vc/ ... and GLEIF ... https://www.gleif.org/en/vlei/introducing-the-verifiable-lei-vlei 2. digital credentials can have claims that are tuned to an industry use case, and industries might prefer JSON to CBOR today, and might change in the future... for example places where JWT was used in the past, might use CWT in the future... again this approach seems validated by EAT: https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-25#name-eat-as-a-framework > I feel like there's a bunch of common > understanding among the group that isn't reflected here, which would > be helpful to record so that we understand and people bringing new > work understand what we are and aren't going to do. > Can you propose some text that you would like to see in the charter? or deliverables you think that are needed to address this? > > Sincerely, > Watson Ladd > > -- > Astra mortemque praestare gradatim > > -- > SPICE mailing list > SPICE@ietf.org > https://www.ietf.org/mailman/listinfo/spice > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [SPICE] Deliverables, implementability, formats Watson Ladd
- Re: [SPICE] Deliverables, implementability, forma… Orie Steele
- Re: [SPICE] Deliverables, implementability, forma… Watson Ladd