[{"author": "Roman Danyliw", "text": "

On site tool login = https://meetecho-sin.ietf.org/lite/?group=oauth

", "time": "2024-03-19T23:34:19Z"}, {"author": "Roman Danyliw", "text": "

Is there a volunteer to take meeting minutes?

", "time": "2024-03-19T23:38:38Z"}, {"author": "Justin Richer", "text": "

i'll take notes

", "time": "2024-03-19T23:39:34Z"}, {"author": "Pieter Kasselman", "text": "

Love that description of SD0-WT

", "time": "2024-03-19T23:39:34Z"}, {"author": "Roman Danyliw", "text": "

Thanks Justin!

", "time": "2024-03-19T23:40:22Z"}, {"author": "Justin Richer", "text": "

would love some help if anyone can

", "time": "2024-03-19T23:41:06Z"}, {"author": "Justin Richer", "text": "

i'm using the notes.ietf tool

", "time": "2024-03-19T23:41:13Z"}, {"author": "Pieter Kasselman", "text": "

@justin - dropping in the occasional observation

", "time": "2024-03-19T23:44:42Z"}, {"author": "Richard Barnes", "text": "
\n
", "time": "2024-03-19T23:46:24Z"}, {"author": "Richard Barnes", "text": "
\n
", "time": "2024-03-19T23:46:34Z"}, {"author": "Richard Barnes", "text": "

ETOOMANYTILDES

", "time": "2024-03-19T23:46:41Z"}, {"author": "Chunchi Liu", "text": "

correct me if im wrong, there is no algrebraic comparison capability of the claims right, like comparing age?>=18

", "time": "2024-03-19T23:47:30Z"}, {"author": "Richard Barnes", "text": "

@Chunchi Liu - Correct

", "time": "2024-03-19T23:48:20Z"}, {"author": "Richard Barnes", "text": "

The holder can present either the whole claim or nothing. Not a predicate on the claim.

", "time": "2024-03-19T23:48:41Z"}, {"author": "Nick Doty", "text": "

but the claim could be a predicate, if the signer pre-considered that possibility, right? age_over_18 could be a claim?

", "time": "2024-03-19T23:49:55Z"}, {"author": "Richard Barnes", "text": "

yeah, that's right.

", "time": "2024-03-19T23:50:05Z"}, {"author": "Richard Barnes", "text": "

but the JWT issuer would have to do the combinations, once it's signed you can only reveal / not

", "time": "2024-03-19T23:50:26Z"}, {"author": "Richard Barnes", "text": "

if you wanted to be able to prove age > 18 or age > 21, you would need age_over_18 and age_over_20 claims. you couldn't just have an age claim and prove things without revealing it

", "time": "2024-03-19T23:51:25Z"}, {"author": "Atul Tulshibagwale", "text": "

If you had \"age_over_21\", you wouldn't need \"age_over_18\" within the same SD-JWT

", "time": "2024-03-19T23:52:59Z"}, {"author": "Justin Richer", "text": "

that seems to have broken chat
\nimage.png

\n
", "time": "2024-03-19T23:53:58Z"}, {"author": "Richard Barnes", "text": "

or we could just remove recursive redaction, which was my original suggestion

", "time": "2024-03-19T23:55:13Z"}, {"author": "Richard Barnes", "text": "

whole bunch of unnecessary complexity

", "time": "2024-03-19T23:55:31Z"}, {"author": "Richard Barnes", "text": "

i really like SD-JWT~KB, but Brian thinks it's too cute

", "time": "2024-03-19T23:56:20Z"}, {"author": "Justin Richer", "text": "

I'm not enough of a cryptonerd for this but I wonder if there's a confusion attack of getting the KB confused with a disclosure or vice versa, if the values can be forced in either way.

", "time": "2024-03-19T23:57:05Z"}, {"author": "Kristina Yasuda", "text": "

disclosure is a base64url encoded string and KB JWT is a JWS, tho..?

", "time": "2024-03-19T23:57:40Z"}, {"author": "Daniel Fett", "text": "

The places to put the disclosure and the KB-JWT are different (there's always a tilda at the end if there is no KB-JWT).

", "time": "2024-03-19T23:58:03Z"}, {"author": "Nick Doty", "text": "

did the presenter say that the Key Binding privacy considerations are included in the -08 draft? I don't see that described

", "time": "2024-03-19T23:58:14Z"}, {"author": "Richard Barnes", "text": "

@Kristina - you mean that there's no risk of confusion because the last segment is different?

", "time": "2024-03-19T23:58:16Z"}, {"author": "Kristina Yasuda", "text": "

tl;dr for this most important PR: https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/394

\n

terminology is changing: now issuer-signed JWT + Disclosures are called SD-JWT and adding KB JWT to that will be called \"SD-JWT and KB JWT\" (SD-JWT~KB for short)

", "time": "2024-03-19T23:59:24Z"}, {"author": "Richard Barnes", "text": "

to clarify the alg:none thing, i'm worried about like verify(sd_jwt, require_kb=False)

", "time": "2024-03-19T23:59:27Z"}, {"author": "Richard Barnes", "text": "

someone calls verify(sd_jwt), thinks they're getting KB, and they're not

", "time": "2024-03-19T23:59:55Z"}, {"author": "Kristina Yasuda", "text": "

@Nick Doty this PR added that text https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/354

", "time": "2024-03-20T00:00:09Z"}, {"author": "Nick Doty", "text": "

thanks @Kristina Yasuda .. is the protection always batch issuance with a different key binding key for each item in the batch?

", "time": "2024-03-20T00:01:32Z"}, {"author": "Nat Sakimura", "text": "

As always, great presso, thanks @brian

", "time": "2024-03-20T00:02:06Z"}, {"author": "Kristina Yasuda", "text": "

@Nick Doty yes, that's the simplest mitigation. there are also ZKP crypto emerging that can be added on top of SD-JWT to add unlinkability to it, too, but that is mentioned only briefly in the draft, I think.

", "time": "2024-03-20T00:03:00Z"}, {"author": "Hannes Tschofenig", "text": "

For comments we were not able to discuss, please post them to them to the list.

", "time": "2024-03-20T00:03:15Z"}, {"author": "David Waite", "text": "

While something like hash wires could be used for range proofs on top of SD-JWT without adding new cryptographic primitives, I'm not sure whether it would be better to approach such concepts in JSON Web Proofs rather than as an extension on top of JWT.

", "time": "2024-03-20T00:08:11Z"}, {"author": "Kristina Yasuda", "text": "

when i said emerging crypto, one of the things I had in mind was: https://github.com/microsoft/Nova

\n

If one can add unlinkability to sd-jwt without issuer resigning the credential, that is pretty useful and should be pursued IMO

", "time": "2024-03-20T00:11:42Z"}, {"author": "Brian Campbell", "text": "

Apologies for running over on time. I honestly thought I was going to be under time. Misjudgment on my part.

", "time": "2024-03-20T00:13:24Z"}, {"author": "Tim Cappalli", "text": "

I can commit some time

", "time": "2024-03-20T00:15:36Z"}, {"author": "Pieter Kasselman", "text": "

Noted Tim

", "time": "2024-03-20T00:16:08Z"}, {"author": "Brian Campbell", "text": "

https://www.ietf.org/archive/id/draft-ietf-oauth-transaction-tokens-01.html#section-8.1

", "time": "2024-03-20T00:25:08Z"}, {"author": "Brian Campbell", "text": "

\"A workload that invokes another workload using HTTP and needs to present a Txn-Token to the invoked workload MUST use the HTTP Header Txn-Token to communicate the Txn-Token. The value of this header MUST be the JWT that represents the Txn-Token.\"

", "time": "2024-03-20T00:25:36Z"}, {"author": "Atul Tulshibagwale", "text": "

@Dean Saxe I take blame for that line, it was supposed to be a placeholder

", "time": "2024-03-20T00:31:21Z"}, {"author": "Dean Saxe", "text": "

No worries, Atul! We'll clean it up.

", "time": "2024-03-20T00:34:06Z"}, {"author": "Hannes Tschofenig", "text": "

Yaron & Joe volunteered to review the transaction tokens draft.

", "time": "2024-03-20T00:34:48Z"}, {"author": "Dean Saxe", "text": "

is there a github repo to file issues?

", "time": "2024-03-20T00:34:55Z"}, {"author": "Dean Saxe", "text": "

I'l file my concerns for discussion and tracking.

", "time": "2024-03-20T00:35:11Z"}, {"author": "Adam Bradley", "text": "

I'd love to contribute to a review, this is a topic close to my heart

", "time": "2024-03-20T00:35:13Z"}, {"author": "Dean Saxe", "text": "

I have a few other nits on the text

", "time": "2024-03-20T00:35:23Z"}, {"author": "Hannes Tschofenig", "text": "

Perfect. Thanks, Adam.

", "time": "2024-03-20T00:35:34Z"}, {"author": "Adam Bradley", "text": "

But does his code compile?

", "time": "2024-03-20T00:36:08Z"}, {"author": "Brian Campbell", "text": "

@Dean https://github.com/oauth-wg/oauth-transaction-tokens is the repo

", "time": "2024-03-20T00:36:09Z"}, {"author": "Adam Bradley", "text": "

(jk)

", "time": "2024-03-20T00:36:13Z"}, {"author": "Roman Danyliw", "text": "

https://github.com/oauth-wg/oauth-transaction-tokens

", "time": "2024-03-20T00:36:17Z"}, {"author": "Hannes Tschofenig", "text": "

you can also post your review notes to the mailing list. Of course, filing PRs will be appreciated by the draft editors...

", "time": "2024-03-20T00:36:53Z"}, {"author": "A.J. Stein", "text": "

Heads up to its authors, very minor thing: the transaction tokens I-D in datatrack doesn't have the GitHub metadata on the page to find the repo for this draft, so it could help to save me 1-2 Google searches like the others (I lurk and getting my legs, not a frequent OAUTH contributor yet or would have guessed the GH repo org).

", "time": "2024-03-20T00:38:21Z"}, {"author": "Dean Saxe", "text": "

Thanks Roman.

", "time": "2024-03-20T00:39:08Z"}, {"author": "Hannes Tschofenig", "text": "

We can fix that, A.J.

", "time": "2024-03-20T00:39:50Z"}, {"author": "Atul Tulshibagwale", "text": "

A.J. Stein said:

\n
\n

Heads up to its authors, very minor thing: the transaction tokens I-D in datatrack doesn't have the GitHub metadata on the page to find the repo for this draft, so it could help to save me 1-2 Google searches like the others (I lurk and getting my legs, not a frequent OAUTH contributor yet or would have guessed the GH repo org).

\n
\n

Added this issue to track: https://github.com/oauth-wg/oauth-transaction-tokens/issues/72

", "time": "2024-03-20T00:41:26Z"}, {"author": "Pieter Kasselman", "text": "

added to notes

", "time": "2024-03-20T00:41:57Z"}, {"author": "A.J. Stein", "text": "

Atul Tulshibagwale said:

\n
\n

Added this issue to track: https://github.com/oauth-wg/oauth-transaction-tokens/issues/72

\n
\n

Oh wait I am tired and getting loopy. I forgot this is YAML metadata, I can easily pitch in there. :laughing:

", "time": "2024-03-20T00:43:10Z"}, {"author": "Pieter Kasselman", "text": "

:)

", "time": "2024-03-20T00:43:27Z"}, {"author": "Aaron Parecki", "text": "

sorry AJ I beat you to it ;-)

", "time": "2024-03-20T00:43:57Z"}, {"author": "A.J. Stein", "text": "

Aaron Parecki said:

\n
\n

sorry AJ I beat you to it ;-)

\n
\n

Sigh you people are fast, I forked in vain!

", "time": "2024-03-20T00:44:16Z"}, {"author": "Adam Bradley", "text": "

Is there effort / prior art to formalize naming / develop a schema for \"scopes\", explicit and clear mappings at the boundary between systems around entitlement meaning would be useful

", "time": "2024-03-20T00:46:48Z"}, {"author": "Adam Bradley", "text": "

This question might be better raised in a more \"general\" forum

", "time": "2024-03-20T00:47:07Z"}, {"author": "Adam Bradley", "text": "

Or for me to do more research

", "time": "2024-03-20T00:49:46Z"}, {"author": "George Fletcher", "text": "

Unfortunately, there isn\u2019t much for scopes. RFC 6749 defines scope as effectively a space delimited list of strings.

", "time": "2024-03-20T00:55:57Z"}, {"author": "Dmitry Izumskiy", "text": "

it this presentation available?

", "time": "2024-03-20T00:56:04Z"}, {"author": "A.J. Stein", "text": "

Dmitry Izumskiy said:

\n
\n

it this presentation available?

\n
\n

Isn't it this one in the agenda?

\n

https://datatracker.ietf.org/meeting/119/session/oauth/

\n

https://datatracker.ietf.org/meeting/119/materials/slides-119-oauth-sessb-identity-assertion-authorization-grant

", "time": "2024-03-20T00:57:51Z"}, {"author": "Dmitry Izumskiy", "text": "

Thanks

", "time": "2024-03-20T00:59:42Z"}, {"author": "Brian Campbell", "text": "

\"for reasons\"

", "time": "2024-03-20T01:01:49Z"}, {"author": "Brian Campbell", "text": "

sorry...

", "time": "2024-03-20T01:01:55Z"}, {"author": "George Fletcher", "text": "

:grinning:

", "time": "2024-03-20T01:02:05Z"}, {"author": "George Fletcher", "text": "

Hmm\u2026 that was supposed to be just a smiley face\u2026 I will avoid emojis from now on

", "time": "2024-03-20T01:02:51Z"}, {"author": "Atul Tulshibagwale", "text": "

using the full chat client helps (I learned the hard way)

", "time": "2024-03-20T01:03:18Z"}, {"author": "David Waite", "text": "

:grinning:

", "time": "2024-03-20T01:04:20Z"}, {"author": "Kristina Yasuda", "text": "

the reason why this should be a separate doc that is a profile of a chaining draft was pretty clear to me..

", "time": "2024-03-20T01:06:00Z"}, {"author": "Atul Tulshibagwale", "text": "

I feel the same way

", "time": "2024-03-20T01:06:24Z"}, {"author": "Arndt Schwenkschuster", "text": "

+1

", "time": "2024-03-20T01:06:32Z"}, {"author": "Adam Bradley", "text": "

+1

", "time": "2024-03-20T01:06:49Z"}, {"author": "Kristina Yasuda", "text": "

(but would appreciate if the naming of the drafts would be more aligned - right now it is not intuitive that one is the profile of the other..)

", "time": "2024-03-20T01:06:53Z"}, {"author": "Adam Bradley", "text": "

Looks great, preserve explicit consent without loss of fidelity or intent at the API side

", "time": "2024-03-20T01:07:32Z"}, {"author": "Kristina Yasuda", "text": "

ok, i suck at naming and I need to read Aaron's draft, but \"Identity Assertion to Authorization Grant profile of oauth chaining\" or something..? :sweat_smile:

", "time": "2024-03-20T01:15:13Z"}, {"author": "Pieter Kasselman", "text": "

Ther eis s limit to how much the document can help avoid this issue - there are other mechainsm like conformance testing etc that further helps verifiy correct implementation. I do agree the sepc needs to be clear as possible, but perhaps we need to also think about conformance test ssuites?

", "time": "2024-03-20T01:30:23Z"}, {"author": "Nat Sakimura", "text": "

Thanks!

", "time": "2024-03-20T01:31:30Z"}, {"author": "Atul Tulshibagwale", "text": "

Thanks!

", "time": "2024-03-20T01:31:36Z"}, {"author": "Arndt Schwenkschuster", "text": "

Thank you!

", "time": "2024-03-20T01:31:46Z"}]