Mike presented the motivations for standardizing an additional JSON-based cryptographic format capable of selective disclosure, zero-knowledge proofs, and unlinkability.
Mike made the case that re-forming the JOSE working group is the best venue for doing the work. JOSE brings existing expertise creating simple JSON-based cryptographic formats. Whereas COSE primarily focuses on compact binary representations.
JSON is actually harder than CBOR, and so it makes to start with the JSON-based representation. CBOR can follow.
Mike reviewed the proposed JOSE charter https://github.com/json-web-proofs/json-web-proofs/blob/main/charter-ietf-jose-03.md
Yaron Sheffer: Scope and specifically not a JWP working group, but JOSE restart. If you come up with a new algorithm, would that be in scope?
Roman Danyliw: This BOF is called JWP rather than JOSE because of a datatracker issue.
John Bradley (Chair): Restating the question: Would the new working group include the old JOSE charter scope for bringing in new algorithms?; possibly, but that hasn't been discussed.
[liberal editorial freedom capturing this bit of the conversation]
Richard Barnes: A design goal should be to minimize redesigning new things and use the existing JWS, etc.
Mike Jones: We need new formats to support the new cryptographic structures. The JWS and JWE formats cannot represent the inputs and outputs needed for the newer cryptographic techniques, hence the need for the new JWP format. That said, these new formats will reuse elements of the existing formats, where appropriate.
Barnes: Some the representations of the functionalities, even though its a new cryptographic primitive, can be represented in existing JOSE formats, but not all of them; we should reuse where possible.
Mike Jones: In some cases; come participate in the working group to develop the specific representations.
Henk Birkholz: There might be a natural progression from JWP to CBOR, because CBOR is easier; will that be in the charter?
Mike Jones: It is.
Henk Birkholz: Great.
Described the three-party issuer, holder, verifier model being used by Verifiable Credentials and its improved privacy properties over the two-party issuer/receipient model used by JWTs.
Described the desire of the W3C Verifiable Credentials V2 working group to use JSON Web Proofs as standardized by the IETF.
Described industry privacy-driven demand for selective disclosure, such as for mobile driver licenses where only the claims needed for the interaction are released.
John Bradley (Chair): Is the Selective-Disclosure JWT (SD-JWT) work in OAuth comptetive with or collaborative to the JSON Web Proof (JWP) work?
Kristina: Somewhat both; certain parts are out of scope of the SD-JWT work. View them as more complementary efforts. Differences in use cases, timeline, capabilities, and complexity.
Richard Barnes: Can you put a finer point on what isn't possible to put into a JWT / SD-JWT?
Kristina: Great question, but rather defer to Jeremie and Tobias, who are going to describe the new format and new algorithms.
JWP enables new capabilities that aren't possible with JWS, JWE. That's why we need to define the new JWP format.
Showed examples of the JWP representation.
Gave links to the IETF drafts for the three specifications.
Richard Barnes: Unlinkability: you want the holder to be able to make new presentations that are unlinkable by the verifiers.
Described BBS work happening in CFRG and elsewhere and how it needs a JSON-based representation, such as JWP.
Ben Kaduk: With BBS signature, when you go to present, does the issuer need to have all the information you're trying to present?
Tobias: In some cases, the issuer would have all the information (selective disclosure, e.g. drivers license) but also supports pre-commit values, so it wouldn't be necessary in all cases.
Brian Campbell: Selective disclosure with normal JWT using conventional cryptography is very doable (draft-fett-oauth-selective-disclosure-jwt describes one relatively straightforward approach). I read the JWP drafts and it looked like the multiple JWS values construct supports selective but not unlinkability. Which would mean that different "kinds" of JWPs have different security/privacy properties. This seems similar to one of the current criticisms of JWT/JOSE on type confusion/ambiguity that should be avoided in JWP to the extent possible. For that reason and others, I'd suggest that JWP focus only on newer cypto and the things JWS really cannot currently achieve and have JWP in general provide a consistent set of security/privacy properties.
Richard Barnes: Disagree that selective disclosure and unlinkability are highly related; they're not. Unlinkability brings new scary abilities that the holder can now reissue new derivates and on down the line with these; separately from the issuing authority; still need to understand the crypto a little better.
Tobias: The new cryptographic techniques enable both selective disclosure and unlinkability at the same time.
Brent Zundel: My company's roadmap looks like JWP is the stuff we want to do for the next 6-months and then we want to adopt JWP. We can't represent what we need to do with JWTs.
Nick Sullivan: Have you talked to the privacy pass WG?; because it seems like there is overlap.
Ben Schwartz: Chair of Privacy Pass: haven't really seen this in Privacy Pass, that he's aware of. These both have parallel efforts in the W3C. Are we coordinating with W3C?
Brent (W3C VCWG co-chair): Not as much as we'd like (W3C) but there will be more.
Kristina (W3C VCWG co-chair): Agreed on increasing coordination. The W3C Verifiable Credentials WG wants JWP from the IETF and then it will build on top of it.
We ran out of time to ask the BoF questions; and we need more time to discuss. Roman Danyliw (sponsoring Area Director) suggested that we schedule a virtual interm BoF to continue the discussions.
Roman: Please use the JOSE mailing list for discussions.
Collin Jennings: Should more clearly define the W3C collaboration.
Ben Schwartz: Please cross announce to Privacy Pass
Is the work appropriate for the IETF?
Is there sufficient interest in doing the work?
What are the assumptions coming in?
What are the security properties?
(Foundational charter questions)
Progress after that if warranted.