awoie
commented
11 months ago Closed awoie closed 6 months ago
awoie
commented
11 months ago awoie
commented
10 months ago @paulbastian A few options we discussed on the editor's call today (cc @danielfett @bc-pi ):
alg value specification to appear and to be registered in the IANA registry which states that the algorithm is not symmetric. One downside of this approach is that standard JOSE libs won't work today since the alg value is not supported. Note that technically one could implement this using standard HS256 if the key was agreed/derived using an ECDH/ConcatKDF schema.alg values are acceptable and when not.
paulbastian
commented
10 months ago I think #1 is the cleanest approach, but may take more time for implementations, we will try to get some experience there. #3 also doesn't sound bad to me.
bc-pi
commented
10 months ago I think I still lean towards preferring something like # 2 - just remove the explicit prohibition of symmetric algorithms from SD-JWT and not say much, if anything else about it in that spec. Let the layer above SD-JWT/JOSE (probably the presentation protocol) define how an HMAC key is agreed upon and use existing JWS HMAC algs and implementations. I.e., the verifier sends a public key in it's presentation request, which the generator uses in a key agreement with their private key to get a key that is then KDFd to produce an appropriate key for existing/established JWS HS256[384|512] algs. That layer is going to have to define much of that anyway so there's not much gain from pushing an ECDH-based MAC alg into JOSE/JWS (also note that defining and registering a new JOSE alg is far from a trivial exercise). And the prohibition of symmetric algorithms in SD-JWT makes sense from a particular perspective but is arguably just unnecessarily restrictive at the building block layer.
paulbastian
commented
10 months ago I would agree that removing the restriction is okay, as SD-JWT is an improvement of JWT and JWTs don't have this restriction.
Do you think that ECDH-ES is an anti-pattern? It has been in JWA from the beginning and you could have the same arguments there?
bc-pi
commented
10 months ago Do you think that ECDH-ES is an anti-pattern? It has been in JWA from the beginning and you could have the same arguments there?
I wouldn't take it that far. My comments/arguments here are really just in the context of the current state of JWS specs and existing library support.
awoie
commented
10 months ago @bc-pi @paulbastian if option 2 is our favorite options. Should the SD-JWT VC spec then say something about that? IMO, it would be good to say something in the security considerations at least.
awoie
commented
10 months ago I agree in general that since SD-JWT is a building block, being too restrictive there regarding symmetric algorithms is probably not necessary.
paulbastian
commented
10 months ago I don't object removing the restriction, I checked RFC7519 and there is no similar statement.
bc-pi
commented
10 months ago [...] if option 2 is our favorite options. Should the SD-JWT VC spec then say something about that? IMO, it would be good to say something in the security considerations at least.
Definitely not opposed to saying something. But it might be challenging to say something that's actually meaningful/helpful.
bc-pi
commented
9 months ago https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/400 removes the explicit prohibition on MAC from SD-JWT (which will be in the -08 draft-ietf-oauth-selective-disclosure-jwt)
awoie
commented
8 months ago Then, we need a PR that cleans up the language in this specification, so MAC is not going to be prohibited.
The specification currently uses terms like public key validation and potentially other things when it comes to the verification of the KB-JWT. We should make sure there is no language that would prohibit the use of MAC authentication for KB-JWT and Issuer-signed JWT.