intarchboard / proposed-program-whodis

Proposed program on Wholistic Human-Oriented Discussions on Identity Systems (WHODIS)

DIDs, VCs, OAuth and Transparency Services #25

Open OR13 opened 1 year ago

OR13 commented 1 year ago

I'm sorry to post so many concepts in 1 issue.

There are a lot of existing IETF WGs that have a part of this picture, and I wanted to paint how I see them being related.

```mermaid
flowchart

    subgraph ietf [IETF]
        subgraph oauth [OAUTH]
            oauth_dpop["DPoP"]
            oauth_jwt["JWT"]
            oauth_sd_jwt["SD-JWT"]
            oauth_vc["SD-JWT Verifiable Credentials"]
            oauth_status_list["JWT / CWT Status Lists"]
            oauth_client_attestation["Client Attestation"]

            oauth_client_attestation -.-> oauth_dpop
            oauth_sd_jwt -.-> oauth_dpop

            oauth_sd_jwt -.-> oauth_vc

            oauth_status_list -.-> oauth_jwt
            oauth_status_list -.-> oauth_sd_jwt
            oauth_status_list -.-> oauth_vc

        end
        subgraph rats [RATs]
            rats_client_attestation["? Client Attestation"]
            rats_device_id["? EUID"]
            rats_device_id -.-> rats_client_attestation
        end
        subgraph scitt [SCITT]
            scitt_ts["Transparency Service"]
        end
        subgraph kt [KEY TRANS]
            kt_ts["Transparency Service"]
        end
        subgraph satp [SATP]
            satp_gateway["SATP Gateway"]
        end
        subgraph cose [COSE]
            cose_sign1["COSE Sign1"]
            cose_cwt["CWT"]
            cose_sd_cwt["? SD-CWT"]
            cose_key["COSE Key"]
        end
        subgraph jose [JOSE]
            jose_jwk["JWK"]
            jose_jwp["JWP"]
        end
        subgraph openpgp [OpenPGP]
            openpgp_keys["PGP Keys"]
            openpgp_signatures["PGP Signatures"]
            openpgp_keys -.-> openpgp_signatures
        end
        subgraph whodis [WHODIS]
            whodis_arch["???"]
        end
    end

    subgraph w3c [W3C]
        w3c_vc["Verifiable Credentials"]
        w3c_vc_di["Data Integrity Verifiable Credentials"]
        w3c_vc_jose_cose["JOSE / COSE Verifiable Credentials"]
        w3c_did["JSON-LD Decentralized Identifiers"]
        w3c_status_list["JSON-LD Status Lists"]

        w3c_status_list <-.-> w3c_vc
        w3c_vc -.-> w3c_vc_di
        w3c_vc -.-> w3c_vc_jose_cose
        w3c_vc -.-> w3c_did
        w3c_vc_jose_cose -.-> oauth_vc
        w3c_vc_jose_cose -.-> cose_sign1
        w3c_vc_jose_cose -.-> oauth_jwt
    end

    subgraph w3c_ccg [W3C CCG]
        w3c_ccg_did_web["DID Web"]
        w3c_ccg_did_key["DID Key"]
    end

    subgraph external [Misc Community]
        did_jwk["DID JWK"]
    end

    subgraph abstract [Generic Concepts]
        identity["Identity"]
        identity_docs["Identity Documents (Signed Public Keys)"]
        identity_claims["Identity Claims (Attributes bound to Identity Documents)"]
        identity --> identity_docs
        identity --> identity_claims
    end

identity_docs -.-> w3c_did
identity_claims -.-> w3c_vc
identity_claims -.-> oauth_jwt
identity_claims -.-> oauth_sd_jwt
identity_claims -.-> oauth_vc
identity_claims -.-> cose_sign1
identity_claims -.-> cose_cwt
identity_claims -.-> cose_sd_cwt
identity_claims -.-> jose_jwp
identity_claims -.-> oauth_status_list
identity_claims -.-> oauth_client_attestation
identity_claims -.-> rats_client_attestation
identity_claims -.-> openpgp_keys
identity_claims -.-> openpgp_signatures

w3c_did -.-> did_jwk
w3c_did -.-> w3c_ccg_did_key
w3c_did -.-> w3c_ccg_did_web
w3c_did -.-> satp_gateway
w3c_did -.-> jose_jwk

jose_jwk -.-> did_jwk

jose_jwk -- ? --> kt_ts
openpgp_keys -- ? --> kt_ts
cose_key -- ? --> kt_ts

jose_jwk -.-> scitt_ts
openpgp_keys -.-> scitt_ts
cose_key -.-> scitt_ts

cose_sign1 -.-> scitt_ts
cose_cwt -.-> scitt_ts
cose_sd_cwt -.-> scitt_ts

w3c_ccg_did_web -.-> scitt_ts
did_jwk -.-> scitt_ts
```

Summarizing some of the key takeaways from the picture.

`iss` and `kid` are critical in the context of identity at IETF.

Key and signature formats are also critical.

Transparency services are interested in key material and claims.

W3C "DIDs" and "VCs" are very interested in JSON-LD / RDF.

The IETF concept of "identifiers and claims" tends to follow an existing format, like JOSE / COSE / x509 or OpenPGP.

Some of the W3C work relies on IETF work for security foundation.

Some IETF work relies on W3C for data modeling (DIDs are supported in SATP and SCITT, possibly also relevant to other work).

mirjak commented 1 year ago

Thanks a lot for this summary. It's really interesting. I think we should concentrate on the protocols that are directly developed for identity management (like oauth) and not necessarily consider all work that uses a notion of identity.

OR13 commented 1 year ago

@mirjak I'd caution believing that OAuth is "identity / identifier" management... It is authorization management, and that has been used to build federated identity systems, like OpenID Connect... The important parts of this work have been done outside of IETF for the most part.

I do think focusing on "identifiers" is one possible lens to look at this through, since identifiers show up everywhere, as names for things.

Some identifiers have strong connections to IETF protocols, and others have weaker ones.

URLs show up a lot of places, URNs show up a few places... Thumbprints show up wherever cryptographic keys are found.

Throwing a concrete proposal on the table for something I would like to see exist:

I want self-sovereign / user-controlled identifiers built on key transparency, with portability across multiple identity providers... this would either replace DID, or be another instance of it... and would build on IETF expertise in OAUTH, KEYTRANS and JOSE / COSE.
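An added example (not from this issue or the WHODIS program) tying together the takeaway that `iss` and `kid` are critical and the remark that thumbprints show up wherever keys are found: a verifier-side check, in standard-library Python, that computes the RFC 7638 JWK thumbprint, derives and resolves a `did:jwk` identifier, and confirms that a token's `iss` and `kid` name the same public key while rejecting identifiers that leak private key material. The sample key and claims are constructed, and encoding the JWK inside the `did:jwk` as compact, key-sorted JSON is this example's own choice.

```python
import base64
import hashlib
import json

# RFC 7638: only these members (in lexicographic order) feed the thumbprint; private members never do.
THUMBPRINT_MEMBERS = {"EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x"), "RSA": ("e", "kty", "n")}
PRIVATE_MEMBERS = {"d", "p", "q", "dp", "dq", "qi"}
# Constructed sample: a P-256 public JWK (coordinates are sample data, not a real key pair).
SAMPLE_JWK = {"kty": "EC", "crv": "P-256", "x": "f83OJ3D2xF1Bg8vub9tLe1gHMzV76e8Tus9uPHvRVEU",
              "y": "x_FEzRu9m36HLN_tue659LNpXW6pCyStikYjKIWI5a0"}

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def jwk_thumbprint(jwk: dict) -> str:
    members = THUMBPRINT_MEMBERS[jwk["kty"]]   # KeyError on unsupported kty or a missing member
    canonical = json.dumps({m: jwk[m] for m in members}, separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())

def did_jwk_from_jwk(jwk: dict) -> str:
    """did:jwk: the identifier is the base64url public JWK itself (private members dropped)."""
    public = {k: v for k, v in jwk.items() if k not in PRIVATE_MEMBERS}
    return "did:jwk:" + b64url(json.dumps(public, separators=(",", ":"), sort_keys=True).encode())

def resolve_did_jwk(did: str) -> dict:
    if not did.startswith("did:jwk:"):
        raise ValueError("not a did:jwk identifier")
    jwk = json.loads(b64url_decode(did[len("did:jwk:"):]))   # ValueError on bad base64 or JSON
    if not isinstance(jwk, dict) or "kty" not in jwk:
        raise ValueError("identifier does not carry a JWK")
    return jwk

def check_issuer_binding(header: dict, payload: dict) -> tuple:
    """Verifier-side check that iss and kid name the same public key; kid may be <did>#0 or the thumbprint."""
    iss, kid = payload.get("iss", ""), header.get("kid", "")
    try:
        jwk = resolve_did_jwk(iss)
        if PRIVATE_MEMBERS & jwk.keys():
            return False, "iss embeds private key material"
        thumb = jwk_thumbprint(jwk)
    except (ValueError, KeyError) as exc:
        return False, f"iss is not a usable key identifier: {exc!r}"
    if kid not in (iss + "#0", thumb):
        return False, "kid does not reference the issuer's key"
    return True, thumb
SAMPLE_PAYLOAD = {"iss": did_jwk_from_jwk(SAMPLE_JWK), "sub": "urn:example:alice"}
SAMPLE_HEADER = {"alg": "ES256", "kid": SAMPLE_PAYLOAD["iss"] + "#0"}
```

Signature verification against the resolved key is a separate step; this check only establishes that the identifier in `iss` and the key reference in `kid` agree before any signature is trusted.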