Re: [SPICE] Call for consensus on SPICE charter
Orie Steele <orie@transmute.industries> Fri, 09 February 2024 23:03 UTC
Return-Path: <orie@transmute.industries>
X-Original-To: spice@ietfa.amsl.com
Delivered-To: spice@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 24D85C15152B for <spice@ietfa.amsl.com>; Fri, 9 Feb 2024 15:03:01 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.095
X-Spam-Level:
X-Spam-Status: No, score=-2.095 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_KAM_HTML_FONT_INVALID=0.01, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=transmute.industries
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id jDF8KsGP3_Hc for <spice@ietfa.amsl.com>; Fri, 9 Feb 2024 15:02:56 -0800 (PST)
Received: from mail-pj1-x102f.google.com (mail-pj1-x102f.google.com [IPv6:2607:f8b0:4864:20::102f]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id B8AECC151084 for <spice@ietf.org>; Fri, 9 Feb 2024 15:02:56 -0800 (PST)
Received: by mail-pj1-x102f.google.com with SMTP id 98e67ed59e1d1-2906773c7e9so1053363a91.1 for <spice@ietf.org>; Fri, 09 Feb 2024 15:02:56 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=transmute.industries; s=google; t=1707519776; x=1708124576; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=uijnpzL0E4941r8ra2DF4shRDg/rrk848uYztSlwxpg=; b=PYyPLI8X7AV+5HScRgAvTy0NbND100eDQB03R0s0wZOvC6p2Q44pl8hVXotW/WSF8u ioMGcjWTKm5HkwwvgsQnMSxk5VnP4n7M4VXIKiaaOu3oHxzk5F0K0WTLhXFx7Pt93oYH G5Hdz77RStts7My+tuRov90htsk1REa7nT+OEz+8C+tKUoTkgp0BihV5jyeWRyL01yfV YTNsPxHZNEE0wMwDoQfxAhG2E9fMKh26+cQf3itI8Q+8vDvrWKTcMu5CCDyCEKxPS6yN SDnlq7MNFlIAEaxVDIcugaGCyDIM9ktD5eLsYc+s50t8QPMVkH9gbbvrICl/LbUn5o/4 A2vg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1707519776; x=1708124576; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=uijnpzL0E4941r8ra2DF4shRDg/rrk848uYztSlwxpg=; b=blWxTP6sQ0JMdDZ+SFku9r9p9bQISlAMAi67hYyCIU/gcis+tu0xDV1hkgoE//m/Xm 9pbk05uuQhWQ2/jWmbqKIFnSNSdop6wSZcUPiBPZQfuZA+1ceM4qEeQPEU9cST0BWvgR NOINXHrytkrE1uLBCYSOi30QtxAEtT50884FkPmsMruxBfXNWjApo9WIg4/hQrR/tNM6 aTr/8fH1yyc2jnPOcfIdL1uDNd5DLBUJj9Jly+s1CAe275qHj+oTo/n9hkYdQrjXSZOd c/n2d8QJ/D0QpvEqdbANpEQMOqDoCW3VRXEqyxDjFXBfiXxZNZh0yt0e0e6hHN1FPkWO /4Hw==
X-Gm-Message-State: AOJu0Yzd1jB9QD/Q6r39Qjr8RXwIYkTFCObfPEnk/WsaCoVhJE6fy00E vpG1OUgCjaEieYo20vYnG6akxey282M4VZOoaq+HIN0qKKPNW0th0LKzkjpY4VJlnCBZuVyJdqv HUtFd0c6dWl9cJVnMpfMjjZ8VYRrNrJtyjttfjopzaGBmxFD343c=
X-Google-Smtp-Source: AGHT+IGQktf0mZd/BOoZ5sksGa06m64Z+qz6gBzxHu9mYTXm7Oc/9MrjkSlANAdSt7kaI656jFp8HnDJ6zVQsDmgKVE=
X-Received: by 2002:a17:90b:3617:b0:296:58bd:1eea with SMTP id ml23-20020a17090b361700b0029658bd1eeamr429875pjb.15.1707519775866; Fri, 09 Feb 2024 15:02:55 -0800 (PST)
MIME-Version: 1.0
References: <MN2PR00MB08634013D5E87AEEAB12A187E54B2@MN2PR00MB0863.namprd00.prod.outlook.com> <CAN8C-_JRJ4wcF+dzGCLHuc8p-wWauXxgpwVQV19ddgwG8_ZVAA@mail.gmail.com> <DM6PR00MB0859F486BEF195F04CDD4994E54B2@DM6PR00MB0859.namprd00.prod.outlook.com>
In-Reply-To: <DM6PR00MB0859F486BEF195F04CDD4994E54B2@DM6PR00MB0859.namprd00.prod.outlook.com>
From: Orie Steele <orie@transmute.industries>
Date: Fri, 09 Feb 2024 17:02:44 -0600
Message-ID: <CAN8C-_KqA2sOKK3kTFr9MdjXTQqJrySROGXgJ1H32oXGRuoNCw@mail.gmail.com>
To: Kristina Yasuda <Kristina.Yasuda@microsoft.com>
Cc: "spice@ietf.org" <spice@ietf.org>
Content-Type: multipart/alternative; boundary="000000000000b013600610faed7e"
Archived-At: <https://mailarchive.ietf.org/arch/msg/spice/qFzHtxPRvdEifFv-xRwvesIT9tw>
Subject: Re: [SPICE] Call for consensus on SPICE charter
X-BeenThere: spice@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Secure Patterns for Internet CrEdentials <spice.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/spice>, <mailto:spice-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/spice/>
List-Post: <mailto:spice@ietf.org>
List-Help: <mailto:spice-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/spice>, <mailto:spice-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 09 Feb 2024 23:03:01 -0000
Inline: On Fri, Feb 9, 2024 at 4:09 PM Kristina Yasuda < Kristina.Yasuda@microsoft.com> wrote: > Hi Orie, > Thank you. Guess my question was why can’t mdocs be used for the use-cases > that SD-CWT is being designed for? And the answer seems to be “because one > needs to purchase an ISO standard where mdoc is being defined”? > That's my answer at this point in time, but that doesn't mean it needs to be a working group's answer. > mdocs are not exactly CWTs, rather CBOR structure signed using COSE, but > they already have a salt-hash based selective disclosure mechanism. > COSE Sign1 as defined in 9052 can be verified with certificates or public keys, and there are different protected header hints to make this easy. A CWT is a COSE Sign1 that has a payload that is a CBOR map, where the labels in that map are defined in a registry. My guess would be that ISO did not create such a requirement for mDoc, and the payload is something other than a CBOR map, or, if it is a CBOR map, that some of the cbor map keys might already have collisions with https://www.iana.org/assignments/cwt/cwt.xhtml The collisions would be a problem, however we have a possible escape hatch. https://datatracker.ietf.org/doc/draft-ietf-cose-cwt-claims-in-headers/ ^ using this draft, you could have "SD-*" style disclosures to a protected header (assuming mDoc allows you to set protected headers), and you could leave the mDoc payload as is. The current SD-CWT approach also uses the unprotected header of the cose-sign1... not sure if ISO mDoc allows that. This is just guessing about how we might attempt to address this challenge. As an aside, it's very nice that an unprotected header exists in COSE since we don't need to do the disclosure encodings with `~` like we do in SD-JWT. As "SD-CWT" is a "CWT", whereas an SD-JWT, is a "JWT" with a "~". If the WG formed and SD-CWT was adopted, ISO could be normatively referenced, and although it would make implementing from the IETF document alone impossible, we do occasionally see normative references to specifications that are behind paywalls, not just from ISO, but from IEEE, and ASTM, etc... That said, I am generally not in favor of relying on paywalled specifications for security, I agree with what John wrote here: https://mailarchive.ietf.org/arch/msg/cfrg/aHDFKTVRAKYsjdkW7yK6fmSh_2U/ > mdocs also define issuer PKI to be x509 and holder key binding to be raw > COSE key, which helps with interop but could be turned into an > extensibility point. > Addressing details like these, is exactly why we feel the metadata document is essential. Another draft which might be helpful for doing key binding with cose key is https://datatracker.ietf.org/doc/draft-ietf-cose-key-thumbprint/ Thinking a bit more about your comment... a new COSE key claim could be defined, and you could possibly use the cose-key format to pass along additional data, but I would be cautious blending media types like application/cose-key with custom extensions, that could lead to unpredictable polyglot formats. For those not familiar, W3C has struggled with a similar challenge in Verifiable Credentials: https://tess.oconnor.cx/2023/09/polyglots-and-interoperability I would be concerned that blending SD-CWT and mDoc together could end up destroying their unique value. But it is an intriguing idea! I don't have enough visibility into mDoc to see exactly how it could work. At a minimum I think it would be excellent to clearly define the edge between SD-CWT and mDoc, based on my limited understanding of mDoc, I think that boils down to a paywalled algorithm for disclosing commitments that an issuer has made to claims, in other words, the disclosure algorithm and its verification process are the only parts of mDoc, that are security oriented, that are not built on top of RFC9052... but again, I am guessing about a document I have not read. > > Best, > Kristina > > > ------------------------------ > *From:* Orie Steele <orie@transmute.industries> > *Sent:* Friday, February 9, 2024 12:31:38 PM > *To:* Kristina Yasuda <Kristina.Yasuda@microsoft.com> > *Cc:* spice@ietf.org <spice@ietf.org> > *Subject:* Re: [SPICE] Call for consensus on SPICE charter > > Hey Kristina, > > I'm not an mDoc expert so I expect you will be able to answer that > question better than I can. > > To save you the trouble of reading the "SD-CWT/SD-CWT-VC" draft (and there > is an experimental implementation I developed based on OAuth's SD-JWT > reference implementation". > > "SD-CWT/SD-CWT-VC" basically just takes the OAuth SD-JWT approach and > makes it work with CWT claimsets instead of JWT claimsets. > > So where OAuth registers: > > - > https://datatracker.ietf.org/doc/html/draft-ietf-oauth-selective-disclosure-jwt-07#name-json-web-token-claims-regis > > Spice would register similar properties in: > > - https://www.iana.org/assignments/cwt/cwt.xhtml > > You said: "Personally, I would like to see SD-CWT/SD-CWT-VC to be > backwards compatible with mdocs, but that can be discussed once in the > draft. > > I don't know the content type of the ISO mDoc cose-sign1 payload, is it a > CBOR map? Could it be a CWT claimset? If the answer to both of those is > yes, I see a possibility to align, but there could be lots of other > challenges. > > Having not read the ISO spec in question, I can't answer more than that. > > Thanks for your comment about the W3C VC Data Model v2, I filed an issue > to track it here: > > https://github.com/transmute-industries/ietf-spice-charter/issues/29 > > Feel free to pile on any additional changes you would like to see there. > > OS > > > > On Fri, Feb 9, 2024 at 2:22 PM Kristina Yasuda <Kristina.Yasuda= > 40microsoft.com@dmarc.ietf.org> wrote: > > Hi, > > What is the relationship between SD-CWT/SD-CWT-VC and mdocs defined in > ISO/IEC 18013-5? > At least, mdocs should be mentioned in the charter. > Personally, I would like to see SD-CWT/SD-CWT-VC to be backwards > compatible with mdocs, but that can be discussed once in the draft. > > small nits in the charter text: > VCDM 2.0 has not yet been published, so the last paragraph in the > Introduction should be rephrased. > Best, > Kristina > -- > SPICE mailing list > SPICE@ietf.org > https://www.ietf.org/mailman/listinfo/spice > > > > -- > > > ORIE STEELE > Chief Technology Officer > www.transmute.industries > > <https://transmute.industries/> > -- ORIE STEELE Chief Technology Officer www.transmute.industries <https://transmute.industries>
- [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Jones
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Jones
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] [OAUTH-WG] FW: Call for consensus on … Mahmoud Alkhraishi
- Re: [SPICE] Call for consensus on SPICE charter Kristina Yasuda
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] [OAUTH-WG] FW: Call for consensus on … Brent Zundel
- Re: [SPICE] Call for consensus on SPICE charter Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Giuseppe De Marco
- Re: [SPICE] Call for consensus on SPICE charter Jon Geater
- Re: [SPICE] Call for consensus on SPICE charter Justin Richer
- Re: [SPICE] Call for consensus on SPICE charter Michael Jones
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Christopher Allen
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] [OAUTH-WG] FW: Call for consensus on … Denis
- Re: [SPICE] Call for consensus on SPICE charter Margaret Cullen
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Ira McDonald
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Ira McDonald
- Re: [SPICE] Call for consensus on SPICE charter Nick Doty
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Alexander Stein
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Nick Doty
- Re: [SPICE] [saag] FW: Call for consensus on SPIC… Denis
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- [SPICE] Fwd: [OAUTH-WG] FW: Call for consensus on… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Denis
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Leif Johansson
- Re: [SPICE] Call for consensus on SPICE charter Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Christopher Allen
- Re: [SPICE] [saag] Call for consensus on SPICE ch… Ira McDonald
- Re: [SPICE] [COSE] FW: Call for consensus on SPIC… Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Heather Flanagan
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Denis
- [SPICE] 00-01 charter comments (was Re: Call for … Michael Richardson
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Tschofenig, Hannes
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Tschofenig, Hannes
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Brent Zundel
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Manu Fontaine
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Orie Steele
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Kaliya Identity Woman
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Henk Birkholz
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock
- Re: [SPICE] Call for consensus on SPICE charter Christopher Allen
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Watson Ladd
- Re: [SPICE] Call for consensus on SPICE charter Alexander Stein
- Re: [SPICE] Call for consensus on SPICE charter Roman Danyliw
- Re: [SPICE] Call for consensus on SPICE charter Denis
- Re: [SPICE] Call for consensus on SPICE charter Michael Prorock