Re: [SPICE] Revised Charter

I have pulled those suggestions into a PR here:
https://github.com/transmute-industries/ietf-spice-charter/pull/23

Mike Prorock
CTO, Founder
https://mesur.io/

On Tue, Feb 6, 2024 at 12:20 PM Michael Prorock <mprorock@mesur.io> wrote:

> Thanks Roman,
> That google doc is extremely helpful.
>
> Orie (and list) I will take a stab at a PR that reflects this feedback.
>
> Mike Prorock
> CTO, Founder
> https://mesur.io/
>
>
>
> On Tue, Feb 6, 2024 at 11:52 AM Roman Danyliw <rdd@cert.org> wrote:
>
>> Hi!
>>
>>
>>
>> Thanks so much for this PR and the related discussion.  I have a bit more
>> feedback:
>>
>>
>>
>> (1) Editorially, this overall charter text is too long and includes
>> things that I don’t believe help constrain the scope.  I wanted to be
>> constructive with a proposal but I didn’t know how to best convey proposed
>> editorial changes on a PR with an explanation.  I made a GDoc with track
>> changes/suggestions,
>> https://docs.google.com/document/d/1mmaB4Ll8jEpgmuoGNLwks51Set5yxLX7Cc3btq4q_9k/edit?usp=sharing.
>> If this is not usable, I can find a different way to pass along the changes.
>>
>>
>>
>> A few motivating ideas include reducing the background and reducing the
>> number of times parts of the architecture defined.  I also proposed the
>> removal of all individual documents as I wasn’t sure how “related
>> documents” helped narrow the scope.
>>
>>
>>
>> (2) The “Goals” section includes a long list of “topics will be
>> considered in the milestones”.  While I can see how these would be
>> important properties of digital credentials, it wasn’t clear to me who they
>> constrain the future solution.  For example:
>>
>>
>>
>> -- What does "consider" mean? Using a dictionary definition, "consider"
>> means the solution wouldn't have to deliver any of these properties.
>>
>>
>>
>> -- Are these properties going to be provided by unique specifications
>> produced by the WG?
>>
>>
>>
>> -- These topics are described in a level of detail that would make it
>> challenging to assess whether the property was realized.  For example,
>> "Confidentiality (ensuring information is protected from unauthorized
>> access" is the textbook definition of confidentiality.  What is
>> "unauthorized" in the context of the architecture framed above?
>> "Availability (efficiently information processing, minimizing data in
>> flight ...", what's "efficient enough", how many bits "in flight" is too
>> many or few?
>>
>>
>>
>> I wonder if this list could be much shorter?  Perhaps some reduced set of
>> properties can be woven in the text to describe the desired framework.
>>
>>
>>
>> (3) Per the “Meta Discovery”:
>>
>>
>>
>> -- As design guidance or constraining the solution space, the current
>> text would benefit from refinement.  It doesn't commit to HTTP; or define
>> or commit to supporting constrained device
>>
>>
>>
>> --  Per the link draft-ietf-oauth-sd-jwt-vc, my superficial read of the
>> abstract suggests that it is a “data format”.  Is that work that will be
>> done here too?  I’m confused primarily because the current charter text
>> talks about HTTP and device types but the OAuth document seems more
>> concrete on the support token type, omits the protocol and device types
>>
>>
>>
>> -- Per the “not limited to JSON”, what ecosystem does this text intend to
>> support? Is it only the artifact described in the “selective disclosure of
>> claims” program of work?
>>
>>
>>
>> (4) Per the “Selective Disclosure of Claims”, I had trouble understanding
>> what kind of solution is being described. Specifically, I wasn’t sure what
>> underlying technologies were being built on.
>>
>>
>>
>> -- JOSE/COSE was mentioned in the “Goals/In Scope” section.  Is that a
>> dependency?
>>
>>
>>
>> -- Is this deliverable defining new token format?  Augmenting the CWT
>> claim registry?  Adding claims into the COSE registries?  CBOR tags?
>>
>>
>>
>> -- The existing JOSE charter (https://datatracker.ietf.org/wg/jose/about/)
>> already has in scope:
>>
>>
>>
>> -- "Standards Track document(s) specifying representation(s) of
>> JSON-based claims and/or proofs enabling selective disclosure of these
>> claims and/or proofs, and that also aims to prevent the ability to
>> correlate by different verifiers."
>>
>> -- Standards Track document(s) defining CBOR-based representations
>> corresponding to all the above, building upon the COSE and CWT
>> specifications in the same way that the above build on JOSE and JWT.
>>
>>
>>
>> In what way will this selective disclosure document be different from a
>> JWP?
>>
>>
>>
>> -- Is this work going to profile other/existing token formats to describe
>> how to extend/augment them into being digital credentials?  Put into
>> another way, is this working going to specify a new “envelope” for
>> selective disclosure of claims (e.g., alternative to JWP), or is it going
>> to profile/reuse an “envelope” (e.g., JWP) described elsewhere and provide
>> guidance on how specific industries can add their own claims into it to
>> construct digital credential?
>>
>>
>>
>> (5) Editorial. In whatever way this program of work text is refined, that
>> needs to be summarized back in the “Goals” section.
>>
>>
>>
>> Regards,
>>
>> Roman
>>
>>
>>
>> *From:* Orie Steele <orie@transmute.industries>
>> *Sent:* Friday, January 19, 2024 2:05 PM
>> *To:* Roman Danyliw <rdd@cert.org>
>> *Cc:* spice@ietf.org
>> *Subject:* Re: [SPICE] Revised Charter
>>
>>
>>
>> Roman,
>>
>> Thank you for your detailed comments.
>>
>> I have raised this PR which I believe addresses all of them:
>>
>> https://github.com/transmute-industries/ietf-spice-charter/pull/22
>>
>> However, some of your comments are questions, which I feel it is better
>> to answer on the list, in case no text change is needed to address them.
>>
>> Inline for the rest:
>>
>>
>>
>> On Thu, Jan 18, 2024 at 4:44 PM Roman Danyliw <rdd@cert.org> wrote:
>>
>> Hi!
>>
>>
>>
>> Thanks for all of the iteration to get to this text.  I have a few
>> questions and comments.
>>
>>
>>
>> ** Per the “Background” Section:
>>
>>
>>
>> -- “Some sets of claim names are registered with IANA and originate from
>> the IETF, OIDF and other standards organizations.”
>>
>>
>>
>> o Editorially, at no point in the text so far has there been any link
>> made between “sets of claims” and a “digital credential”.  The introductory
>> paragraph talks about “values” and “attributes” of claims.  I recommend
>> some bridging text.
>>
>>
>>
>> I have added some text to the introduction to address this.
>>
>>
>>
>>
>> o As a reader, I’m not sure why I am being told this detail.  No
>> subsequent text in the deliverables mentions that claims from other SDOs
>> need to be used or that they are being built upon.
>>
>>
>> I added references to the existing registries, and highlighted that JWT
>> claims focus on people, whereas many of the CWT claims focus on devices.
>>
>> The background context for this is that we think that organizations other
>> than the IETF, will likely need to describe claims, because a single global
>> registry won't fit all of them... and would likely overwhelm the designated
>> experts who might not be able to evaluate if a new claim in needed for
>> every element in the periodic table, or for every organic chemistry
>> molecule, or for claims specific to a regional government.
>>
>>
>>
>>
>> -- “IETF and IRTF working groups have developed foundational building
>> blocks with BBS Signatures, RSA Blind Signatures, Verifiable Random
>> Functions, or other Selective-Disclosure and collection limitation
>> techniques.”
>>
>>
>>
>> o Editorial nit.  IRTF doesn’t have WGs, it has research groups. The IESG
>> will flag this.
>>
>>
>> Thanks, I have clarified that IRTF has research groups.
>>
>>
>>
>>
>> o There are assertions of foundational building blocks but the text
>> doesn’t narrative how this work would build on them.  One can infer that
>> BBS/VRF/etc are the crypto that will be used.  The IETF WG references of
>> “Selective-Disclosure” and “collection limitation techniques” is what?
>> Recommend either citing WGs or RFC/drafts if this link is important.
>>
>>
>> I have added citations.
>>
>>
>>
>>
>> o I’m trying to keep the IETF/IRTF lanes clear.  Coordination with CFRG
>> is noted later.  Is there coordination, or reuse?  What planned activities
>> in this WG would alter the course of CFRG?
>>
>>
>> I clarified how we think SPICE will consume work from CRFG, and how we
>> might provide comments on use cases, for example:
>>
>> A use case for BBS Blind Signatures is privacy preserving credentials,
>> such as proving that a human passed a captcha previously and should not be
>> challenged again, like is done with privacy pass.
>>
>>
>>
>>
>> ** Per the “Key Design Properties of Digital Credentials” section
>>
>>
>>
>> -- What is the intended use of this section?  In what way does this text
>> scope the planned work?  For example, will the WG deliver some version of
>> those as part of the “A document specifying the selective disclosure of
>> claims in a secure and privacy-friendly manner”? Are those related to the
>> planned architecture deliverable?)
>>
>>
>> Yes, these are essentially topics we think the architecture will address,
>> and that SOME credential formats can support.
>>
>> There has been a lot of discussion about limiting credential formats to
>> just the ones that can do all of these (SPICE will only work on BBS
>> verifier-verifier unlinkable hardware isolated TEE credentials), but that
>> position does not have consensus in my opinion.
>>
>>
>>
>>
>> -- I’m a little confused by the framing of this section as being able
>> design properties of “digital credentials” but the
>> “In-Scope”/”Goal”/”Deliverable” sections aren’t linked to digital
>> credentials.  Some editorial bridging is needed.
>>
>>
>> I hope I have addressed this.
>>
>>
>>
>>
>> ** Strongly recommend merging “In-Scope” and “Goals” sections.  Move the
>> text currently in Goals to the end of the current “In Scope” text (i.e.,
>> reverse the order).  Editorially, charters typically first say what they
>> will do and then describe who they will work with.
>>
>>
>> Done.
>>
>>
>>
>>
>> ** Per the “Goals”
>>
>>
>>
>> -- Per the text “Additionally, the SPICE WG will coordinate with other
>> SDOs, such as ISO or W3C, on data model elements or protocols needed to
>> support existing credential use cases”
>>
>>
>>
>> o what is the thinking behind “support existing credential use cases”?
>> Are these new design goals?
>>
>>
>> An example of an existing digital credential could be the identity
>> credential based on SD-JWT or ISO mDoc described here:
>>
>> - https://github.com/WICG/identity-credential
>>
>> If SPICE develops SD-CWT, we would hope that it was influenced by the
>> work that it is attempting to improve on.
>>
>> However, unlike WIMSE, we are not trying to make a credential that is
>> "only for workloads" or "only for people".
>>
>> As an analogy, WIMSE credentials being "only for workloads" are inspired
>> by attempts to use "JWT and DPoP" which are similarly an
>> "existing credential use case".
>>
>>
>>
>>
>> o I observe that ISO is a very BIG organization.  IETF even has multiple
>> liaisons for subsets of ISO.  Can this text be more specific about the
>> relevant links?
>>
>>
>> I removed direct references to other organizations, which I imagine might
>> raise new objections however I will counter with this argument:
>>
>> Unless you are an active member of those organizations, and those
>> organizations are building digital credentials, and you are contributing to
>> both groups, I don't see a lot of value in calling out that the
>> organizations exist.
>>
>> I think Manu Fontaine has been most vocal on the desire to reference TCG
>> and CCC, but I don't understand how he plans to coordinate SPICE related
>> deliverables (as described in the charter) with those groups, so I will let
>> him argue to add this back : )
>>
>> Similarly Denis has mentioned ISO, I am not aware of anyone who is
>> actively contributing to the ISO work on mDoc / mobile drivers licenses /
>> covid vaccinations that is also planning to contribute to SPICE, but I
>> think they are welcome to contribute regardless of if ISO is mentioned
>> directly by name.
>>
>>
>>
>>
>> ** Per the “In-Scope”
>>
>>
>>
>> -- Per the text “The SPICE WG will consider the use of TEEs (Trusted
>> Execution Environments) for managing key material and digital credentials.”
>>  Can that design be made now?  Can this be deferred for future charter
>> scope?  I’m practically asking what “consider” means here.  It seems like a
>> conditional scope (i.e., “we don’t know if we want to deliver this but we
>> want it in scope”).
>>
>>
>> I removed this, it's been a recurring point of contention. Some folks
>> feel that TEE is essential, others don't. I don't see the sentence adding
>> any value to the charter, and I do see it continuing to cause confusion.
>>
>> I did move some references to it to the "design considerations" of the
>> digital credentials section.
>>
>>
>>
>> -- Per the text “Focusing on crisp technical specifications and producing
>> separate informative guidance documents helps to keep technical interested
>> parties involved”, I observe that the planned deliverables only include a
>> single informative architecture.  Is that sufficient?
>>
>>
>> I think so.
>>
>>
>>
>> Perhaps that is the lesson learned?
>>
>>
>> Much of the charter debate has reinforced this point.
>>
>> It is easy to talk about the "philosophical value" of digital
>> credentials, or even "desirable privacy properties", without discussing how
>> to build anything that can be implemented.
>>
>> I would say that this will remain the primary risk of the architecture
>> deliverable.
>>
>>
>>
>>
>> ** Per the Deliverables?
>>
>>
>>
>> -- Will the meta-discovery document describe a single protocol? multiple
>> protocols for discovery?  Does it build on any prior work protocol work
>> (e.g., is it an HTTP API? COAP?)
>>
>>
>> Short answer is we don't know.
>>
>> It seems very likely that HTTP will be a component, but we don't want to
>> preclude other transports such as QR Codes, NFC, Bluetooth, etc...
>>
>> The point of this document is not to address all of these, but to provide
>> a concrete way to discover the optionality that exists in the wild today.
>>
>> I added some related drafts that we have worked on trying to characterize
>> this challenge.
>>
>>
>>
>> -- Per a “document specifying the selective disclosure of claims in a
>> secure and privacy-friendly manner”:
>>
>>
>>
>> o What is the relation between this document and digital credential (the
>> substance of the front matter)?  Is this providing a framework/set of
>> claims to let others produce their own digital credentials with particular
>> security properties?
>>
>>
>> Yes, I added some references, and extra text to try to make this clearer.
>>
>>
>>
>>
>> o What is the relationship between the “security” and “privacy-friendly”
>> properties and the more detailed key design properties?
>>
>>
>> I think it's mostly just repeating the design properties, I think the new
>> text addresses this.
>>
>>
>>
>>
>> o What is the encoding of the claims for this document? JSON and CBOR are
>> noted in the lesson learned but not in the explicit scoping.
>>
>>
>> At this point, we don't seem to be able to agree to pick just one, but
>> there does seem to be consensus to pull the useful digital credential parts
>> from each, and harmonize them.
>>
>> As an example, SCITT built "receipts" which SD-JWT does not support,
>> OAuth built SD-JWT which COSE does not support, so SCITT cannot use it.
>>
>> Both rely on the `iss` , `sub` and `cnf` claims, which are supported in
>> JOSE and COSE, and are essential to the "3 roles", issuer (AS), holder
>> (client) (of credentials, maker of presentations) and verifier (RP)...
>>
>> Another example would be how JWT supported claims in headers, but CWT did
>> not until recently, and when that feature was added, we learned that kccs
>> had already ported part of it... for those who want the details:
>>
>> - https://datatracker.ietf.org/doc/draft-ietf-lake-edhoc/22/
>> -
>> https://datatracker.ietf.org/doc/draft-ietf-cose-cwt-claims-in-headers/10/
>>
>> in https://www.iana.org/assignments/cose/cose.xhtml#header-parameters
>>
>> The claims disclosure document, will address this kind of challenge, when
>> deploying credentials based on CWT and JWT, in a similar way to how EAT
>> attempted to address this in:
>>
>>
>> https://datatracker.ietf.org/doc/html/draft-ietf-rats-eat-25#name-the-claims
>>
>> Hopefully these comments are helpful, if you like I can merge the PR or I
>> can leave it open and make adjustments in case you have further comments.
>>
>> Regards,
>>
>> OS
>>
>>
>>
>>
>> Roman
>>
>>
>>
>> *From:* Orie Steele <orie@transmute.industries>
>> *Sent:* Thursday, January 18, 2024 1:19 PM
>> *To:* spice@ietf.org
>> *Subject:* [SPICE] Revised Charter
>>
>>
>>
>> Hello Spice Enthusiasts,
>>
>> Our revised draft charter can be found here:
>>
>> -
>> https://github.com/transmute-industries/ietf-spice-charter/blob/8f140a014ed13a21ff308b4d48d745ead67d8c54/charter.md
>>
>> Thanks to everyone who contributed text on github and through the mailing
>> list.
>>
>> As mentioned on our calls, I will submit a bof request with the draft
>> charter text as of today.
>>
>> If anyone has objections to the current charter text, please provide NEW
>> and OLD suggestions through the mailing list (on a seperate thread), so we
>> can finalize any remaining gaps.
>>
>> If you support the current draft charter text, please reply to this email
>> indicating that you support the current text.
>>
>> I support the current charter text.
>>
>> Regards,
>>
>> OS
>>
>>
>>
>> --
>>
>>
>>
>>
>> *ORIE STEELE *Chief Technology Officer
>> www.transmute.industries
>>
>> [image: Image removed by sender.] <https://transmute.industries/>
>>
>>
>>
>>
>> --
>>
>>
>>
>>
>> *ORIE STEELE *Chief Technology Officer
>> www.transmute.industries
>>
>> [image: Image removed by sender.] <https://transmute.industries/>
>> --
>> SPICE mailing list
>> SPICE@ietf.org
>> https://www.ietf.org/mailman/listinfo/spice
>>
>

Re: [SPICE] Revised Charter

Attachment: image001.jpg