SPICE @ IETF 121

Tuesday 2024-11-05 13:00Z

Welcome & What is SPICE - chairs

https://datatracker.ietf.org/doc/slides-121-spice-chair-slides/

The SPICE Working Group session at IETF 121 centered on refining
Selective Disclosure for CBOR Web Tokens (SD-CWT), introducing the
concept of Global Unique Enterprise Identifiers (GLUE), and improving
CBOR data structures for enhanced security and interoperability.
Discussions included selective disclosure mechanics, the complexities of
nested redactions, and risks associated with issuer-verifier collusion
in corporate identity verification.

Topics Discussed

  1. Introduction to SPICE and Scope
    SPICE’s mission is to fill gaps in digital credentials, particularly
    by ensuring both human and non-human identities are securely and
    privately represented. The chairs explained that while digital
    credentials are widely discussed, many specifications fail to
    address specific use cases. SPICE aims to bridge these gaps by
    developing profiles tailored to varied needs. The scope covers
    security and privacy, including in non-human contexts (e.g., IoT
    devices), but explicitly excludes key discovery and the creation of
    new cryptographic primitives. New attendees were encouraged to
    explore related groups (e.g., RATS, OAUTH, COSE) to see how SPICE
    integrates with these efforts.

  2. Selective Disclosure for CBOR Web Tokens (SD-CWT)
    Rohan Mahy introduced SD-CWT, a method allowing selective disclosure
    of claims in a CBOR Web Token. He described SD-CWT as a solution for
    enabling users to selectively reveal information based on the
    verifier's needs. This structure involves a 'redaction' process,
    where claims are either fully disclosed or hidden (blinded) using a
    16-byte salt for consistency and security.
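Added example (not from the minutes or the SD-CWT draft) of the redaction step described above: each hidden claim is committed to by a digest over a disclosure carrying a random 16-byte salt, and a verifier accepts only disclosures whose digest the issuer committed to. The disclosure layout [salt, value, name], the label "redacted_claim_keys" and the use of SHA-256 are assumptions; the CBOR encoder is a minimal one (ints, byte strings, text strings, arrays) so the example runs offline.

```python
import hashlib, os
def _head(major, n):
    # CBOR initial byte plus argument (RFC 8949, section 3)
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, size in ((24, 1), (25, 2), (26, 4), (27, 8)):
        if n < 1 << (8 * size):
            return bytes([(major << 5) | ai]) + n.to_bytes(size, "big")
    raise ValueError("CBOR argument too large")

def cbor_encode(v):
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        return _head(3, len(v.encode())) + v.encode()
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(map(cbor_encode, v))
    raise TypeError(f"unsupported type {type(v).__name__}")

def disclosure_digest(salt, value, name):
    # Disclosure = CBOR array [salt, value, name]. The 16-byte random salt
    # blinds low-entropy values (birth year, country) against guessing.
    if len(salt) != 16:
        raise ValueError("salt must be 16 bytes")
    return hashlib.sha256(cbor_encode([salt, value, name])).digest()

def issue(claims, redact):
    # Issuer: a redacted claim leaves only its digest in the payload (under
    # the assumed label "redacted_claim_keys"); the holder keeps the disclosure.
    payload, disclosures = {}, {}
    for name, value in claims.items():
        if name in redact:
            salt = os.urandom(16)
            payload.setdefault("redacted_claim_keys", []).append(disclosure_digest(salt, value, name))
            disclosures[name] = (salt, value, name)
        else:
            payload[name] = value
    return payload, disclosures

def verify(payload, presented):
    # Verifier: recompute each digest; accept only what the issuer committed to.
    committed = set(payload.get("redacted_claim_keys", []))
    claims = {k: v for k, v in payload.items() if k != "redacted_claim_keys"}
    for salt, value, name in presented:
        if disclosure_digest(salt, value, name) not in committed:
            raise ValueError(f"disclosure for {name!r} was not issued")
        claims[name] = value
    return claims
```

In a real SD-CWT the payload is the COSE-signed token body, so the committed digests inherit the issuer's signature while the holder decides which disclosures to present.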

  3. CBOR and Syntax Optimization
    This segment examined ways to handle redactions in CBOR data
    structures without disrupting interoperability with CWTs. Orie
    Steele presented various methods for redacting keys within CBOR maps
    using unique integer identifiers. He cautioned about balancing data
    size and complexity with the risk of hidden data channels.

  4. Global Unique Enterprise Identifiers (GLUE)
    https://datatracker.ietf.org/doc/draft-zundel-spice-glue-id/

    Brent Zundel presented GLUE as a solution to address corporate
    identities by associating identifiers with specific organizations.
    He proposed a structure for consistent, globally unique identifiers
    that can distinguish between corporate entities, supporting
    scenarios where multiple identifiers need to coexist within a single
    domain.

  5. OpenID Connect Standard Claims Registration for CBOR Web Tokens
    https://datatracker.ietf.org/doc/draft-maldant-spice-oidc-cwt/

    Beltram Maldant presented his work on aligning OpenID Connect (OIDC)
    standard claims for CBOR Web Tokens (CWT), emphasizing the need for
    a streamlined approach to personal data claims within CWT. He
    highlighted the gap in the current IANA CWT registries where standard
    claims related to personal information (as defined by OIDC) are
    missing, which impacts use cases involving Personally Identifiable
    Information (PII).

  6. Audience Q&A and Discussions
    Throughout the session, audience members engaged with various edge
    cases in selective disclosure. Points raised included:

Speaker Contributions

Open Questions and Action Items

  1. CBOR Redactions: Continue discussions on effective methods for
    CBOR data redactions without compromising compatibility with CWT and
    preventing covert data channels.
  2. GLUE Registry Exploration: Further explore possible registry
    structures for GLUE identifiers, considering potential overlaps with
    existing URN conventions and avoiding “land grab” issues.
  3. Syntax Feedback: Gather community feedback on specific syntax
    options, particularly for handling redactions and nested disclosures
    within CBOR environments.
  4. Collusion Prevention: Address security concerns regarding
    issuer-verifier collusion by developing syntax standards that limit
    discretionary data control.