Minutes IETF121: spice: Tue 13:00
minutes-121-spice-202411051300-00

Meeting: Secure Patterns for Internet CrEdentials (spice) WG
Date and time: 2024-11-05 13:00
Title: Minutes IETF121: spice: Tue 13:00
State: Active
Last updated: 2024-11-06

SPICE @ IETF 121

Tuesday 2024-11-05 13:00Z

Welcome & What is SPICE - chairs

https://datatracker.ietf.org/doc/slides-121-spice-chair-slides/

The SPICE Working Group session at IETF 121 centered on refining
Selective Disclosure for CBOR Web Tokens (SD-CWT), introducing the
concept of Global Unique Enterprise Identifiers (GLUE), and improving
CBOR data structures for enhanced security and interoperability.
Discussions included selective disclosure mechanics, the complexities of
nested redactions, and risks associated with issuer-verifier collusion
in corporate identity verification.

Topics Discussed

  1. Introduction to SPICE and Scope
    SPICE’s mission is to fill gaps in digital credentials, particularly
    by ensuring both human and non-human identities are securely and
    privately represented. The chairs explained that while digital
    credentials are widely discussed, many specifications fail to
    address specific use cases. SPICE aims to bridge these gaps by
    developing profiles tailored to varied needs. The scope covers
    security and privacy, including in non-human contexts (e.g., IoT
    devices), but explicitly excludes key discovery and the creation of
    new cryptographic primitives. New attendees were encouraged to
    explore related groups (e.g., RATS, OAUTH, COSE) to see how SPICE
    integrates with these efforts.

  2. Selective Disclosure for CBOR Web Tokens (SD-CWT)
    Rohan Mahy introduced SD-CWT, a method allowing selective disclosure
    of claims in a CBOR Web Token. He described SD-CWT as a solution for
    enabling users to selectively reveal information based on the
    verifier's needs. This structure involves a 'redaction' process,
    where claims are either fully disclosed or hidden (blinded) using a
    16-byte salt for consistency and security.

    • Technical Details: For disclosure, the issuer generates a
      random salt and combines it with the claim, creating a
      three-element array: the salt, claim key, and claim value. This
      ensures that while claims are present, the verifier only sees
      what’s intentionally revealed.
    • Syntax Options: Rohan outlined syntax considerations,
      especially for nested structures, and Orie Steele added insights
      on structuring arrays for hierarchical claims. Discussion
      highlighted syntax compatibility with both JSON and CBOR, aiming
      to prevent data leakage and unwanted covert channels (data
      encoded without user consent).
    • Key Binding: Orie discussed the importance of ‘key binding’
      to counter replay attacks, ensuring that only the intended
      verifier can access specific disclosures. This approach aims to
      bind disclosures directly to the holder's private key, making it
      difficult to duplicate or share unauthorized access.
  3. CBOR and Syntax Optimization
    This segment examined ways to handle redactions in CBOR data
    structures without disrupting interoperability with CWTs. Orie
    Steele presented various methods for redacting keys within CBOR maps
    using unique integer identifiers. He cautioned about balancing data
    size and complexity with the risk of hidden data channels.

    • Challenges: Orie and Carsten Bormann discussed concerns
      about potential covert channels, especially when nested data is
      redacted. The group debated if using unique integers for
      redactions could prevent hidden communication between issuer and
      verifier, ultimately leaning towards maintaining transparency by
      limiting data redactions to standardized integer or string
      values.
    • Redaction Techniques: Carsten noted that while JSON often
      uses strings for keys, CBOR’s unique syntax requires different
      considerations. He proposed using pre-set values (e.g.,
      ‘undefined’ in CBOR major type 7) as placeholders to signal
      redactions, which could be easier to parse and less prone to
      unintended use.
  4. Global Unique Enterprise Identifiers (GLUE)
    https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/

    Brent Zundel presented GLUE as a solution to address corporate
    identities by associating identifiers with specific organizations.
    He proposed a structure for consistent, globally unique identifiers
    that can distinguish between corporate entities, supporting
    scenarios where multiple identifiers need to coexist within a single
    domain.

    • Audience Feedback: Attendees raised questions about how GLUE
      differs from existing Uniform Resource Names (URNs). Brent
      explained that GLUE aims to provide more context by combining an
      identifier with a registry, allowing entities to verify details
      about the identity (e.g., what organization it represents).
      Concerns were raised about potential "land grabs" of short
      identifiers and how multiple schemas might conflict within one
      domain. Brent noted that this remains an open question.
    • Next Steps: Attendees suggested further investigation into
      GLUE’s overlap with URN registries, particularly for
      multi-domain usage. The group agreed to explore adopting GLUE as
      a formal working item and refine it to meet broader needs.
  5. OpenID Connect Standard Claims Registration for CBOR Web Tokens
    https://datatracker.ietf.org/doc/draft-maldant-spice-oidc-cwt/

    Beltram Maldant presented his work on aligning OpenID Connect (OIDC)
    standard claims for CBOR Web Tokens (CWT), emphasizing the need for
    a streamlined approach to personal data claims within CWT. He
    highlighted the gap in the current IANA CWT claims registry, where
    the standard claims related to personal information (as defined by
    OIDC) are missing, which impacts use cases involving Personally
    Identifiable Information (PII).

    • Draft Proposal: Maldant proposed registering 19 of the 20
      OIDC-defined claims in the CWT registry (subject claim already
      exists), aiming for two-byte range identifiers due to CBOR’s
      payload size constraints. This registration is intended to make
      frequently used claims more efficient in CWT.

    • Feedback and Suggestions: Mike Jones expressed support,
      noting that standardizing these claims in CBOR would enhance
      utility across multiple use cases. Philip raised the question of
      whether address claims were intentionally excluded, to which
      Maldant confirmed they were retained in the draft. Orie Steele
      clarified the history of these claims in JWT and suggested that
      although they traditionally focused on human users, they might
      be adapted for other entities (e.g., devices or organizations).

    • Further Considerations: Discussion touched on expanding
      claims to support corporate or device identities while
      maintaining the intended semantics. Participants suggested that
      prefixing these claims (e.g., “OIDC”) could help clarify their
      usage in CBOR. Roy Williams raised the need for clear
      differentiation between user and corporate identifiers, as some
      claims like “name” may apply differently to individuals versus
      organizations.

  6. Audience Q&A and Discussions
    Throughout the session, audience members engaged with various edge
    cases in selective disclosure. Points raised included:

    • Nested Disclosure Complexity: One attendee highlighted the
      challenges of nested claims, asking if claims could be disclosed
      selectively at different hierarchy levels. Orie confirmed that
      this would require careful structuring to ensure clarity across
      levels without compromising data integrity.
    • Differences from SD-JWT: Some participants questioned if
      SD-CWT’s syntax would diverge from Selective Disclosure JWT
      (SD-JWT) standards, which use similar selective disclosure
      mechanisms. Orie explained that SD-CWT aims for more versatility
      in CBOR environments, potentially using unique CBOR tags to mark
      redactions without impacting compatibility.
    • Preventing Collusion: Mike Prorock raised concerns about
      issuer-verifier collusion, especially where hidden data or
      patterns might lead to covert exchanges. He recommended clear
      syntax standards that limit discretionary control over data
      elements to mitigate this risk.
    • Registry and Adoption: Attendees requested a clearer
      understanding of registry structures and whether GLUE would rely
      on a URN-based system or require new conventions. Some suggested
      that SPICE adopt GLUE to enable more feedback-driven
      improvements.
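
The salt-based redaction described under item 2 (a random 16-byte salt combined with the claim key and value into a three-element array, with only a digest of that array remaining in the token) and the interoperability concern under item 3 can be seen end to end in the following added example. It is illustration code written for these minutes, not code from the SD-CWT draft or any SPICE deliverable: the minimal CBOR encoder, the choice of SHA-256 as the digest, the map-key sorting rule, the claim name `redacted_claim_digests` used to carry the digests, and the in-memory `(salt, key, value)` tuple form of a disclosure are all assumptions made here rather than the draft's wire format.

```python
"""Salted selective disclosure in the style discussed for SD-CWT.

Each redacted claim becomes a CBOR array [salt, claim key, claim value].
The issuer keeps only a digest of that array in the token; the holder later
hands the verifier whichever arrays it chooses to reveal, and the verifier
accepts a claim only if its recomputed digest was committed to at issuance.
The encoder, digest algorithm and claim names below are assumptions made
for this example, not the draft's actual encoding.
"""
import hashlib
import secrets

# Hypothetical claim key carrying the digests of redacted claims (assumption).
REDACTED_DIGESTS = "redacted_claim_digests"
SALT_LEN = 16  # 16-byte salt, as described in the session


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte(s) for a major type and an unsigned argument."""
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor_encode(v) -> bytes:
    """Deterministic CBOR encoding of bools, ints, bytes, text, lists and maps."""
    if isinstance(v, bool):  # must precede int: bool is a subclass of int
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode("utf-8")
        return _head(3, len(enc)) + enc
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        # Sort entries by encoded key so the same map always yields the same bytes;
        # integer keys (CWT style) and text keys (JSON style) both work.
        items = sorted((cbor_encode(k), cbor_encode(x)) for k, x in v.items())
        return _head(5, len(items)) + b"".join(k + x for k, x in items)
    raise TypeError(f"unsupported type {type(v).__name__}")


def disclosure_digest(salt: bytes, key, value) -> bytes:
    """Digest of the three-element disclosure array [salt, key, value]."""
    if len(salt) < SALT_LEN:
        raise ValueError("salt must be at least 16 bytes")
    return hashlib.sha256(cbor_encode([salt, key, value])).digest()


def issue(claims: dict, redact: set):
    """Issuer side: token payload plus the disclosures handed to the holder."""
    payload = {k: v for k, v in claims.items() if k not in redact}
    disclosures = [(secrets.token_bytes(SALT_LEN), k, claims[k]) for k in redact]
    # Digests are stored sorted so their order reveals nothing about claim order.
    payload[REDACTED_DIGESTS] = sorted(disclosure_digest(*d) for d in disclosures)
    return payload, disclosures


def verify(payload: dict, presented: list) -> dict:
    """Verifier side: restore only disclosures whose digest the issuer committed to."""
    committed = set(payload.get(REDACTED_DIGESTS, []))
    claims = {k: v for k, v in payload.items() if k != REDACTED_DIGESTS}
    for salt, key, value in presented:
        if disclosure_digest(salt, key, value) not in committed:
            raise ValueError(f"disclosure for {key!r} was not issued with this token")
        claims[key] = value
    return claims


if __name__ == "__main__":
    # Constructed sample claims: one numeric CWT-style key, three text keys.
    sample = {1: "https://issuer.example", "sub": "alice",
              "given_name": "Alice", "birthdate": "1990-01-01"}
    payload, held = issue(sample, {"given_name", "birthdate"})
    reveal = [d for d in held if d[1] == "given_name"]
    print(verify(payload, reveal))  # given_name restored, birthdate still hidden
```

Because the verifier sees only a digest, changing the salt, key or value of a disclosure changes the digest and the claim is rejected; and because the salt is random per claim, a verifier cannot brute-force a low-entropy value such as a birthdate from the digest alone, which is the "consistency and security" role of the salt noted in item 2.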

Speaker Contributions

  • Rohan Mahy: Introduced SD-CWT concepts, discussed selective
    disclosure mechanics, and outlined syntax for salt-based arrays,
    emphasizing the role of selective redactions in user-controlled data
    sharing.
  • Orie Steele: Provided insights into CBOR syntax challenges,
    introduced GLUE concepts, and addressed security considerations for
    structuring nested disclosures.
  • Brent Zundel: Presented GLUE, discussed its relevance for
    corporate identity schemas, and addressed audience questions on
    registry overlap and multi-domain management.
  • Mike Prorock: Voiced concerns about issuer-verifier collusion,
    and offered insights on maintaining consistent standards for SD-JWT
    syntax comparisons.

Open Questions and Action Items

  1. CBOR Redactions: Continue discussions on effective methods for
    CBOR data redactions without compromising compatibility with CWT and
    preventing covert data channels.
  2. GLUE Registry Exploration: Further explore possible registry
    structures for GLUE identifiers, considering potential overlaps with
    existing URN conventions and avoiding “land grab” issues.
  3. Syntax Feedback: Gather community feedback on specific syntax
    options, particularly for handling redactions and nested disclosures
    within CBOR environments.
  4. Collusion Prevention: Address security concerns regarding
    issuer-verifier collusion by developing syntax standards that limit
    discretionary data control.