Tuesday 2024-11-05 13:00Z
https://datatracker.ietf.org/doc/slides-121-spice-chair-slides/
The SPICE Working Group session at IETF 121 centered on refining
Selective Disclosure for CBOR Web Tokens (SD-CWT), introducing the
concept of Global Unique Enterprise Identifiers (GLUE), and improving
CBOR data structures for enhanced security and interoperability.
Discussions included selective disclosure mechanics, the complexities of
nested redactions, and risks associated with issuer-verifier collusion
in corporate identity verification.
Introduction to SPICE and Scope
SPICE’s mission is to fill gaps in digital credentials, particularly
by ensuring both human and non-human identities are securely and
privately represented. The chairs explained that while digital
credentials are widely discussed, many specifications fail to
address specific use cases. SPICE aims to bridge these gaps by
developing profiles tailored to varied needs. The scope covers
security and privacy, including in non-human contexts (e.g., IoT
devices), but explicitly excludes key discovery and the creation of
new cryptographic primitives. New attendees were encouraged to
explore related groups (e.g., RATS, OAUTH, COSE) to see how SPICE
integrates with these efforts.
Selective Disclosure for CBOR Web Tokens (SD-CWT)
Rohan Mahy introduced SD-CWT, a method allowing selective disclosure
of claims in a CBOR Web Token. He described SD-CWT as a solution for
enabling users to selectively reveal information based on the
verifier's needs. This structure involves a 'redaction' process,
where claims are either fully disclosed or hidden (blinded) using a
16-byte salt for consistency and security.
CBOR and Syntax Optimization
This segment examined ways to handle redactions in CBOR data
structures without disrupting interoperability with CWTs. Orie
Steele presented various methods for redacting keys within CBOR maps
using unique integer identifiers. He cautioned about balancing data
size and complexity with the risk of hidden data channels.
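To make the redaction mechanics from the SD-CWT and CBOR segments concrete, the following Python sketch (added here; it is not code from the draft, the presenters or any SPICE implementation) blinds individual claims of a CWT-style claim map. Each hidden claim becomes a disclosure array [16-byte salt, key, value]; the token payload keeps only the SHA-256 digest of that array's CBOR encoding, and the verifier accepts a revealed claim only when its digest is present in the token. The label "redacted_claims", the digest placement, the use of SHA-256 and the tiny CBOR encoder are assumptions made for the example, not the draft's wire format; COSE signing of the payload is omitted.

```python
import hashlib
import os

# Minimal CBOR encoder (RFC 8949) for the types this example needs: ints,
# byte strings, text strings, arrays, maps and booleans. Included so the
# example runs without a third-party CBOR library.
def _head(major, n):
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + n.to_bytes(2, "big")
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + n.to_bytes(4, "big")
    return bytes([(major << 5) | 27]) + n.to_bytes(8, "big")

def cbor_encode(v):
    if isinstance(v, bool):
        return b"\xf5" if v else b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _head(3, len(b)) + b
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _head(5, len(v)) + b"".join(
            cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type: {type(v).__name__}")

REDACTED_LABEL = "redacted_claims"  # hypothetical label, not the draft's

def blind_claim(key, value, salt=None):
    """Return (disclosure, digest) for one claim.
    disclosure = [salt, key, value]; digest = SHA-256 of its CBOR encoding.
    A fresh 16-byte salt per claim keeps equal values from hashing alike."""
    salt = os.urandom(16) if salt is None else salt
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    disclosure = [salt, key, value]
    return disclosure, hashlib.sha256(cbor_encode(disclosure)).digest()

def issue(claims, hidden_keys, salts=None):
    """Issuer side: split claims into the token payload and the disclosures
    the holder keeps. Hidden claims appear in the payload only as digests."""
    salts = salts or {}
    payload, disclosures, digests = {}, [], []
    for k, v in claims.items():
        if k in hidden_keys:
            d, h = blind_claim(k, v, salts.get(k))
            disclosures.append(d)
            digests.append(h)
        else:
            payload[k] = v
    payload[REDACTED_LABEL] = digests
    return payload, disclosures

def verify(payload, presented):
    """Verifier side: rebuild the claim map from the payload plus the
    disclosures the holder chose to present. Any disclosure whose digest
    is not in the token, or that collides with a visible claim, is rejected."""
    allowed = set(payload[REDACTED_LABEL])
    claims = {k: v for k, v in payload.items() if k != REDACTED_LABEL}
    for disc in presented:
        salt, key, value = disc
        if len(salt) != 16 or key in claims:
            raise ValueError(f"malformed or duplicate disclosure for {key!r}")
        if hashlib.sha256(cbor_encode(disc)).digest() not in allowed:
            raise ValueError(f"disclosure for {key!r} does not match token")
        claims[key] = value
    return claims

def demo():
    # Constructed sample claims; the holder reveals only "email".
    claims = {"iss": "https://issuer.example", "given_name": "Alice",
              "birthdate": "1990-01-01", "email": "alice@example.com"}
    payload, disclosures = issue(claims, hidden_keys={"birthdate", "email"})
    shown = [d for d in disclosures if d[1] == "email"]
    return verify(payload, shown)

if __name__ == "__main__":
    print(demo())
```

Because the salt is part of the hashed disclosure, a verifier cannot guess a hidden value (such as a birthdate from a small value space) by hashing candidates, and a holder cannot substitute a different value for the same key without the digest check failing.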
Global Unique Enterprise Identifiers (GLUE)
https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/
Brent Zundel presented GLUE as a solution to address corporate
identities by associating identifiers with specific organizations.
He proposed a structure for consistent, globally unique identifiers
that can distinguish between corporate entities, supporting
scenarios where multiple identifiers need to coexist within a single
domain.
OpenID Connect Standard Claims Registration for CBOR Web Tokens
https://datatracker.ietf.org/doc/draft-maldant-spice-oidc-cwt/
Beltram Maldant presented his work on aligning OpenID Connect (OIDC)
standard claims for CBOR Web Tokens (CWT), emphasizing the need for
a streamlined approach to personal data claims within CWT. He
highlighted the gap in the current IANA CWT registries, where standard
claims related to personal information (as defined by OIDC) are
missing, which impacts use cases involving Personally Identifiable
Information (PII).
Draft Proposal: Maldant proposed registering 19 of the 20
OIDC-defined claims in the CWT registry (subject claim already
exists), aiming for two-byte range identifiers due to CBOR’s
payload size constraints. This registration is intended to make
frequently used claims more efficient in CWT.
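The size argument behind the "two-byte range" request can be checked directly from the CBOR integer encoding. The helper below (added here as an illustration, not from the draft) computes how many bytes a CWT claim label costs as a map key: text labels cost their UTF-8 length plus a one-byte head, integer labels from -24 to 23 cost one byte, labels from -256 to 255 cost two, and larger values cost three or more. The candidate labels and claim names fed to it are constructed for the example; the draft's actual label assignments are not on the page.

```python
def key_size(label):
    """Bytes needed to encode a CBOR map key (RFC 8949 head + payload)."""
    if isinstance(label, str):
        n = len(label.encode("utf-8"))
        return n + (1 if n < 24 else 2 if n < 0x100 else 3)
    if isinstance(label, int):
        n = label if label >= 0 else -1 - label  # major type 1 encodes -1-n
        if n < 24:
            return 1
        if n < 0x100:
            return 2
        if n < 0x10000:
            return 3
        return 5 if n < 0x100000000 else 9
    raise TypeError("labels must be str or int")

def label_savings(claim_names, start_label):
    """Compare the cost of string labels for the given claim names against
    consecutive integer labels starting at start_label (hypothetical values).
    Returns (string_bytes, integer_bytes)."""
    string_bytes = sum(key_size(name) for name in claim_names)
    integer_bytes = sum(key_size(start_label + i) for i in range(len(claim_names)))
    return string_bytes, integer_bytes

if __name__ == "__main__":
    # Constructed sample: a few OIDC-style claim names with hypothetical labels.
    names = ["given_name", "family_name", "birthdate", "email"]
    print(label_savings(names, 170))
```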
Feedback and Suggestions: Mike Jones expressed support,
noting that standardizing these claims in CBOR would enhance
utility across multiple use cases. Philip raised the question of
whether address claims were intentionally excluded, to which
Maldant confirmed they were retained in the draft. Orie Steele
clarified the history of these claims in JWT and suggested that
although they traditionally focused on human users, they might
be adapted for other entities (e.g., devices or organizations).
Further Considerations: Discussion touched on expanding
claims to support corporate or device identities while
maintaining the intended semantics. Participants suggested that
prefixing these claims (e.g., “OIDC”) could help clarify their
usage in CBOR. Roy Williams raised the need for clear
differentiation between user and corporate identifiers, as some
claims like “name” may apply differently to individuals versus
organizations.
Audience Q&A and Discussions
Throughout the session, audience members engaged with various edge
cases in selective disclosure. Points raised included: