Minutes IETF121: spice: Tue 13:00
minutes-121-spice-202411051300-00

| Meeting Minutes | Secure Patterns for Internet CrEdentials (spice) WG |
|---|---|
| Date and time | 2024-11-05 13:00 |
| Title | Minutes IETF121: spice: Tue 13:00 |
| State | Active |
| Other versions | markdown |
| Last updated | 2024-11-06 |
SPICE @ IETF 121
Tuesday 2024-11-05 13:00Z
Welcome & What is SPICE - chairs
https://datatracker.ietf.org/doc/slides-121-spice-chair-slides/
The SPICE Working Group session at IETF 121 centered on refining
Selective Disclosure for CBOR Web Tokens (SD-CWT), introducing the
concept of Global Unique Enterprise Identifiers (GLUE), and improving
CBOR data structures for enhanced security and interoperability.
Discussions included selective disclosure mechanics, the complexities of
nested redactions, and risks associated with issuer-verifier collusion
in corporate identity verification.
Topics Discussed

- Introduction to SPICE and Scope

  SPICE’s mission is to fill gaps in digital credentials, particularly
  by ensuring both human and non-human identities are securely and
  privately represented. The chairs explained that while digital
  credentials are widely discussed, many specifications fail to
  address specific use cases. SPICE aims to bridge these gaps by
  developing profiles tailored to varied needs. The scope covers
  security and privacy, including in non-human contexts (e.g., IoT
  devices), but explicitly excludes key discovery and the creation of
  new cryptographic primitives. New attendees were encouraged to
  explore related groups (e.g., RATS, OAUTH, COSE) to see how SPICE
  integrates with these efforts.

- Selective Disclosure for CBOR Web Tokens (SD-CWT)

  Rohan Mahy introduced SD-CWT, a method allowing selective disclosure
  of claims in a CBOR Web Token. He described SD-CWT as a solution for
  enabling users to selectively reveal information based on the
  verifier's needs. This structure involves a 'redaction' process,
  where claims are either fully disclosed or hidden (blinded) using a
  16-byte salt for consistency and security.

  - Technical Details: For disclosure, the issuer generates a
    random salt and combines it with the claim, creating a
    three-element array: the salt, claim key, and claim value. This
    ensures that while claims are present, the verifier only sees
    what’s intentionally revealed.
  - Syntax Options: Rohan outlined syntax considerations,
    especially for nested structures, and Orie Steele added insights
    on structuring arrays for hierarchical claims. Discussion
    highlighted syntax compatibility with both JSON and CBOR, aiming
    to prevent data leakage and unwanted covert channels (data
    encoded without user consent).
  - Key Binding: Orie discussed the importance of ‘key binding’
    to counter replay attacks, ensuring that only the intended
    verifier can access specific disclosures. This approach aims to
    bind disclosures directly to the holder's private key, making
    them difficult to duplicate or to share for unauthorized access.

- CBOR and Syntax Optimization

  This segment examined ways to handle redactions in CBOR data
  structures without disrupting interoperability with CWTs. Orie
  Steele presented various methods for redacting keys within CBOR maps
  using unique integer identifiers. He cautioned about balancing data
  size and complexity with the risk of hidden data channels.

  - Challenges: Orie and Carsten Bormann discussed concerns
    about potential covert channels, especially when nested data is
    redacted. The group debated if using unique integers for
    redactions could prevent hidden communication between issuer and
    verifier, ultimately leaning towards maintaining transparency by
    limiting data redactions to standardized integer or string
    values.
  - Redaction Techniques: Carsten noted that while JSON often
    uses strings for keys, CBOR’s unique syntax requires different
    considerations. He proposed using pre-set values (e.g.,
    ‘undefined’ in CBOR major type 7) as placeholders to signal
    redactions, which could be easier to parse and less prone to
    unintended use.

- Global Unique Enterprise Identifiers (GLUE)

  https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/

  Brent Zundel presented GLUE as a solution to address corporate
  identities by associating identifiers with specific organizations.
  He proposed a structure for consistent, globally unique identifiers
  that can distinguish between corporate entities, supporting
  scenarios where multiple identifiers need to coexist within a single
  domain.

  - Audience Feedback: Attendees raised questions about how GLUE
    differs from existing Uniform Resource Names (URNs). Brent
    explained that GLUE aims to provide more context by combining an
    identifier with a registry, allowing entities to verify details
    about the identity (e.g., what organization it represents).
    Concerns were raised about potential "land grabs" of short
    identifiers and how multiple schemas might conflict within one
    domain. Brent noted that this remains an open question.
  - Next Steps: Attendees suggested further investigation into
    GLUE’s overlap with URN registries, particularly for
    multi-domain usage. The group agreed to explore adopting GLUE as
    a formal working item and refine it to meet broader needs.

- OpenID Connect Standard Claims Registration for CBOR Web Tokens

  https://datatracker.ietf.org/doc/draft-maldant-spice-oidc-cwt/

  Beltram Maldant presented his work on aligning OpenID Connect (OIDC)
  standard claims for CBOR Web Tokens (CWT), emphasizing the need for
  a streamlined approach to personal data claims within CWT. He
  highlighted the gap in current CWT and ANI registries where standard
  claims related to personal information (as defined by OIDC) are
  missing, which impacts use cases involving Personally Identifiable
  Information (PII).

  - Draft Proposal: Maldant proposed registering 19 of the 20
    OIDC-defined claims in the CWT registry (subject claim already
    exists), aiming for two-byte range identifiers due to CBOR’s
    payload size constraints. This registration is intended to make
    frequently used claims more efficient in CWT.
  - Feedback and Suggestions: Mike Jones expressed support,
    noting that standardizing these claims in CBOR would enhance
    utility across multiple use cases. Philip raised the question of
    whether address claims were intentionally excluded, to which
    Maldant confirmed they were retained in the draft. Orie Steele
    clarified the history of these claims in JWT and suggested that
    although they traditionally focused on human users, they might
    be adapted for other entities (e.g., devices or organizations).
  - Further Considerations: Discussion touched on expanding
    claims to support corporate or device identities while
    maintaining the intended semantics. Participants suggested that
    prefixing these claims (e.g., “OIDC”) could help clarify their
    usage in CBOR. Roy Williams raised the need for clear
    differentiation between user and corporate identifiers, as some
    claims like “name” may apply differently to individuals versus
    organizations.
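As an added illustration of two points above, the salted three-element disclosure array described under SD-CWT and the digest-based redaction of CBOR map entries discussed under CBOR and Syntax Optimization, the following editor-added Python is not text from the minutes and not code from the SD-CWT draft. It assumes that a disclosure is the CBOR array [salt, claim key, claim value], that the issuer replaces each redacted claim with the SHA-256 digest of its disclosure under an assumed claim name `redacted_claim_keys`, and that a verifier accepts only disclosures whose digest the token commits to. The small CBOR encoder covers only the types the example needs, and key binding to the holder's key is not shown.

```python
"""Salted selective disclosure for a CBOR claim set.

Editor-added example, not taken from the SPICE minutes or the SD-CWT
draft. Assumptions (not confirmed by the minutes): a disclosure is the
CBOR array [salt, claim_key, claim_value]; the token carries the SHA-256
digest of each redacted disclosure in a list under the assumed claim
name "redacted_claim_keys"; the encoder below covers only the types used.
"""
import hashlib
import os

SALT_LEN = 16                     # 16-byte salt, as stated in the minutes
CBOR_UNDEFINED = b"\xf7"          # major type 7, simple value 23 ("undefined")
REDACTED = "redacted_claim_keys"  # assumed claim name for the digest list


def _head(major, n):
    """CBOR initial byte(s) for major type `major` with argument `n`."""
    mt = major << 5
    if n < 24:
        return bytes([mt | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([mt | ai]) + n.to_bytes(size, "big")
    raise ValueError("argument too large")


def cbor_encode(v):
    """Minimal CBOR encoder (RFC 8949) for None/bool/int/bytes/str/list/dict."""
    if v is None:
        return b"\xf6"
    if isinstance(v, bool):       # bool before int: True is an int in Python
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        data = v.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        # Insertion order is kept; a real issuer would use deterministic encoding.
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def make_disclosure(key, value, salt=None):
    """Three-element disclosure array with a fresh random salt unless one is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be 16 bytes")
    return [salt, key, value]


def disclosure_digest(disclosure):
    """Digest that stands in for the claim inside the token."""
    return hashlib.sha256(cbor_encode(disclosure)).digest()


def issue(claims, redact):
    """Issuer side: redact the named claims, returning (payload, disclosures)."""
    payload, disclosures, digests = {}, [], []
    for key, value in claims.items():
        if key in redact:
            d = make_disclosure(key, value)
            disclosures.append(d)
            digests.append(disclosure_digest(d))
        else:
            payload[key] = value
    payload[REDACTED] = digests
    return payload, disclosures


def verify(payload, presented):
    """Verifier side: accept only disclosures whose digest the token commits to.

    Returns the visible claims (plain claims plus the revealed ones). Claims
    the holder chose not to present stay hidden behind their digests, so the
    verifier learns nothing about them beyond their count.
    """
    committed = set(payload.get(REDACTED, []))
    visible = {k: v for k, v in payload.items() if k != REDACTED}
    for d in presented:
        if not (isinstance(d, list) and len(d) == 3
                and isinstance(d[0], bytes) and len(d[0]) == SALT_LEN):
            raise ValueError("malformed disclosure")
        if disclosure_digest(d) not in committed:
            raise ValueError("disclosure is not bound to this token")
        visible[d[1]] = d[2]
    return visible


if __name__ == "__main__":
    # Constructed sample claims; the nested map shows a redacted value may be a map.
    claims = {"given_name": "Alice", "age": 42,
              "address": {"locality": "Oslo", "country": "NO"}}
    payload, disclosures = issue(claims, {"age", "address"})
    print("token payload:", payload)
    print("verifier sees:", verify(payload, disclosures[:1]))  # reveals age only
```

The verifier's check is purely digest membership: a presented disclosure is accepted only if it hashes to a value the issuer put in the token, and a disclosure with a modified value (or one copied from another token) fails. Because each digest covers a random salt, two tokens carrying the same claim value do not produce the same digest, which is what prevents a verifier from linking hidden claims across presentations.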
Audience Q&A and Discussions

Throughout the session, audience members engaged with various edge
cases in selective disclosure. Points raised included:

- Nested Disclosure Complexity: One attendee highlighted the
  challenges of nested claims, asking if claims could be disclosed
  selectively at different hierarchy levels. Orie confirmed that
  this would require careful structuring to ensure clarity across
  levels without compromising data integrity.
- Differences from SD-JWT: Some participants questioned if
  SD-CWT’s syntax would diverge from Selective Disclosure JWT
  (SD-JWT) standards, which use similar selective disclosure
  mechanisms. Orie explained that SD-CWT aims for more versatility
  in CBOR environments, potentially using unique CBOR tags to mark
  redactions without impacting compatibility.
- Preventing Collusion: Mike Prorock raised concerns about
  issuer-verifier collusion, especially where hidden data or
  patterns might lead to covert exchanges. He recommended clear
  syntax standards that limit discretionary control over data
  elements to mitigate this risk.
- Registry and Adoption: Attendees requested a clearer
  understanding of registry structures and whether GLUE would rely
  on a URN-based system or require new conventions. Some suggested
  that SPICE adopt GLUE to enable more feedback-driven
  improvements.

Speaker Contributions

- Rohan Mahy: Introduced SD-CWT concepts, discussed selective
  disclosure mechanics, and outlined syntax for salt-based arrays,
  emphasizing the role of selective redactions in user-controlled data
  sharing.
- Orie Steele: Provided insights into CBOR syntax challenges,
  introduced GLUE concepts, and addressed security considerations for
  structuring nested disclosures.
- Brent Zundel: Presented GLUE, discussed its relevance for
  corporate identity schemas, and addressed audience questions on
  registry overlap and multi-domain management.
- Mike Prorock: Voiced concerns about issuer-verifier collusion,
  and offered insights on maintaining consistent standards for SD-JWT
  syntax comparisons.

Open Questions and Action Items

- CBOR Redactions: Continue discussions on effective methods for
  CBOR data redactions without compromising compatibility with CWT and
  preventing covert data channels.
- GLUE Registry Exploration: Further explore possible registry
  structures for GLUE identifiers, considering potential overlaps with
  existing URN conventions and avoiding “land grab” issues.
- Syntax Feedback: Gather community feedback on specific syntax
  options, particularly for handling redactions and nested disclosures
  within CBOR environments.
- Collusion Prevention: Address security concerns regarding
  issuer-verifier collusion by developing syntax standards that limit
  discretionary data control.