Review of verification algorithms

[jyasskin]

While reviewing https://github.com/w3c/vc-jose-cose/pull/190, I had to understand some of the SD-JWT verification algorithms. I noticed some issues, which I've listed here. I haven't filed individual issues yet because I'm not sure how you'll want to group them. Thanks to @OR13 for doing a first pass; any remaining mistakes are probably because I didn't take his advice.

5.1. Issuer-signed JWT Payload

• [x] This should follow https://www.rfc-editor.org/rfc/rfc7515.html#section-7 by specifying "what serialization and serialization features are used". I see that 1.1. Feature Summary mentions the compact serialization, but that doesn't clearly say that this embedded JWT uses it.

5.2.1. Disclosures for Object Properties

• [x] "The claim name, or key, as it would be used in a regular JWT payload. The value MUST be a string." <- I assume the "value" is the key, and not the key's value in the JSON object?
• [x] Why is 128 bits only recommended and not required for the salt?

5.3. Key Binding JWT

• [x] This should follow https://www.rfc-editor.org/rfc/rfc7515.html#section-7 by specifying "what serialization and serialization features are used". I see that 1.1. Feature Summary mentions the compact serialization, but that doesn't clearly say that this embedded JWT uses it.

5.3.1. Integrity Protection of the Presentation

• [x] This mentions "bytes preceding the KB-JWT in the Presentation", but several other places mention "Key Binding is provided by means not defined in this specification", in which case the relevant bytes don't precede the KB-JWT. These should be consistent.

8.1. Verification of the SD-JWT

• [x] Are "Upon receiving an SD-JWT, a Holder or a Verifier MUST ensure that" and "The Holder or the Verifier MUST perform the following (or equivalent) steps when receiving an SD-JWT" accomplishing the same thing?
• [x] "Separate the SD-JWT" should cite an algorithm for doing that. I think it's "5. SD-JWT Data Formats" which implies it's just "split on '~'"?
• [x] "Ensure that a signing algorithm was used that was deemed secure" <- This should probably be an input to the algorithm … although I think there are algorithm confusion attacks that imply that the algorithm should actually be picked based on the key the verifier has cached for the issuer rather than the claim in the JWT. I know this hasn't changed compared to JWS, but we know more about how JWS and other cryptography fails, so it'd be good to incorporate modern best practices in the interfaces here.
• [x] "Validate the signature over the Issuer-signed JWT" should cite an algorithm for doing that. Is that https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2?
• [x] How should the application "Validate the Issuer and that the signing key belongs to this Issuer"? I see that the details of distribution are out of scope (Section 11.9), but this should say something about the application having a map from (issuer ID, key ID) pairs to public keys, and which fields of the Issuer-signed JWT are used to look up keys in this map.
• [x] How should the application "Check that the _sd_alg claim value is understood"? Where should it find the _sd_alg, in the JWT's header or payload? 5.1.1. Hash Function Claim answers this, so you could just reference that, but it would be even better to accept a set of acceptable algorithms as an argument, look up the particular field in the payload object, and save that in a variable if it's in the input set.
• [x] What's a "claim"? https://www.rfc-editor.org/rfc/rfc7519#section-4 says the claims are the members of the JWT's payload, but the algorithm here also uses "claim" to describe nested object members and array elements.
• [x] I would probably have written the algorithm to build a map of hash->disclosure and then call a recursive element-processing-and-replacing function, but this isn't too bad.
• [x] "Remove all array elements for which the digest was not found" probably won't confuse anyone for long, but my first reading said that an array in the payload like [1, 2, 3] would wind up empty since no digests were found for the elements.
• [x] "Check that the SD-JWT is valid using claims such as nbf, iat, and exp" should say where those claims are defined and what part of which object they appear on. (https://www.iana.org/assignments/jwt/jwt.xhtml#claims, and the top level of the payload, not the header, right?)
• [x] The "required validity-controlling claim"s should probably be an input parameter to this algorithm. Possibly all the IANA-registered JWT claim handling should be passed in, or this algorithm should return all the claims for the caller to deal with.

8.2. Processing by the Holder

• [x] "create a Key Binding JWT" <- refer to the section that says how to do this.
• [x] "Assemble the SD-JWT for Presentation" <- This should at least refer to "5. SD-JWT Data Formats" and possibly just write out the algorithm of "make an array of the Issuer-signed JWT, the selected Disclosures and, if applicable, the Key Binding JWT, and join the array with '~'."

8.3. Verification by the Verifier

• [x] This is clearer that "Verifiers MUST ensure that" is accomplished by the steps in the following algorithm, but I don't like the redundant MUST. You can just say "Verifiers need to ensure that" and then leave the normative requirements to the algorithm.
• [x] "according to the Verifier's policy" should be an input parameter to this algorithm, that the verifier provides along with the bytes of the presentation.
• [x] "verify the Key Binding according to the method used" <- how? This might be https://www.rfc-editor.org/rfc/rfc9449.html#section-6, but you should cite the details.
• [x] "Determine the public key for the Holder" <- how? This might be the 'cnf' claim, but you should say so.
• [x] "Ensure that a signing algorithm was used that was deemed secure" <- as above, this should be an input parameter to this algorithm or computed from the public key.
• [x] "Validate the signature" <- again, cite how to do this.
• [x] "the typ of the Key Binding JWT" <- is that in the header or payload? (cite 5.3. Key Binding JWT and possibly https://www.rfc-editor.org/rfc/rfc8725.html#name-use-explicit-typing)
• [x] "within an acceptable window." <- should be an input parameter
• [x] "validating nonce and aud claims" <- The instructions for doing this should be an input parameter to this algorithm.
• [x] "Check that the Key Binding JWT is valid in all other respects" should call a particular algorithm from the other specs that it cites.

16. Informative References

• [x] Many of these should be normative. For example, base64url is used all over the normative parts of this specification, and it comes from [RFC7515] in this section.

[bc-pi]

Thanks for the review Jeffrey! I'm acknowledging it with this comment but also noting that there's a lot here so response/action will take some time.

[bc-pi]

Many of these should be normative. For example,...

1c1f165ab821dea5350f62225f103bdceff31532 one was an oversight and one was a tooling issue and oversight. I think that covers them tho.

[bc-pi]

"Check that the Key Binding JWT is valid in all other respects" should call a particular algorithm from the other specs that it cites.

Those other specs don't have algorithms that can be called nor do they have suitable sections to reference directly.

[bc-pi]

Why is 128 bits only recommended and not required for the salt?

Some contributors want to leave open the option of a more computationally expensive hash with smaller salt values.

[bc-pi]

"The claim name, or key, as it would be used in a regular JWT payload. The value MUST be a string." <- I assume the "value" is the key, and not the key's value in the JSON object?

Yes and I've tried to remove any ambiguity there by just not using the word "value" with d015a3de2ae50623b4a294590fb2d0249e7d33b5

[bc-pi]

5.1. Issuer-signed JWT / 5.3. Key Binding JWT ... should follow https://www.rfc-editor.org/rfc/rfc7515.html#section-7 by specifying "what serialization and serialization features are used" ...

Per RFC7519, "JWTs are always represented using the JWS Compact Serialization" the compact serialization is already specified.

[bc-pi]

5.3.1. Integrity Protection of the Presentation

This mentions "bytes preceding the KB-JWT in the Presentation", but several other places mention "Key Binding is provided by means not defined in this specification", in which case the relevant bytes don't precede the KB-JWT. These should be consistent.

That is for the sd_hash claim in Key Binding JWT so isn't relevant elsewhere.

[bc-pi]

Are "Upon receiving an SD-JWT, a Holder or a Verifier MUST ensure that" and "The Holder or the Verifier MUST perform the following (or equivalent) steps when receiving an SD-JWT" accomplishing the same thing?

&

This is clearer that "Verifiers MUST ensure that" is accomplished by the steps in the following algorithm, but I don't like the redundant MUST. You can just say "Verifiers need to ensure that" and then leave the normative requirements to the algorithm.

Yeah, with 2a0e270f2e1dbfa9664bb5ce4989a2f6a1765217 I basically applied your suggestion to both places.

[bc-pi]

"Validate the signature over the Issuer-signed JWT" should cite an algorithm for doing that. Is that https://www.rfc-editor.org/rfc/rfc7515.html#section-5.2?

Yup 7d68d4ed9b91e49a0aa00254475bf7c116669dd6

[bc-pi]

"Separate the SD-JWT" should cite an algorithm for doing that. I think it's "5. SD-JWT Data Formats" which implies it's just "split on '~'"?

Yes but I believe it's sufficiently clear in the context of the draft.

[bc-pi]

This draft is not structured such that it has input parameters to algorithms so suggestions to make something an input parameter to an algorithm are not actionable or practical.

[bc-pi]

"Validate the signature" <- again, cite how to do this.

e9acd5ed665b107776b6b41355680470cde89f2c

[bc-pi]

"the typ of the Key Binding JWT" <- is that in the header or payload? (cite 5.3. Key Binding JWT ...

typ is a JOSE header. Will cite sec 5.3. where that's more explicit 64a4c4519668c7a63f1a0be215176657895fa0c8

[bc-pi]

"verify the Key Binding according to the method used" <- how? This might be https://www.rfc-editor.org/rfc/rfc9449.html#section-6, but you should cite the details.

That sentence starts with "If Key Binding is provided by means not defined in this specification," so there are not specific details to cite. Alternatives to a Key Binding JWT mentions that other ways of proving Key Binding are possible.

DPoP/rfc9449 is one possibility but not the only one. Nor a particularly likely one. At least not likely enough to warrant mention here.

[bc-pi]

"Check that the SD-JWT is valid using claims such as nbf, iat, and exp" should say where those claims are defined and what part of which object they appear on. (https://www.iana.org/assignments/jwt/jwt.xhtml#claims, and the top level of the payload, not the header, right?)

The very next part of that sentence says "in the processed payload" and that's a non-exhaustive list of JWT claims for which a citation/reference isn't really needed.

[bc-pi]

"Remove all array elements for which the digest was not found" probably won't confuse anyone for long, but my first reading said that an array in the payload like [1, 2, 3] would wind up empty since no digests were found for the elements.

I feel like it's sufficiently clear from context and shouldn't confuse anyone for too long.

[bc-pi]

I would probably have written the algorithm to build a map of hash->disclosure and then call a recursive element-processing-and-replacing function, but this isn't too bad.

Noted.

[bc-pi]

How should the application "Validate the Issuer and that the signing key belongs to this Issuer"? I see that the details of distribution are out of scope (Section 11.9), but this should say something about the application having a map from (issuer ID, key ID) pairs to public keys, and which fields of the Issuer-signed JWT are used to look up keys in this map.

This draft intentionally doesn't prescribe how keys are distributed, identified, selected, trusted, etc. any more than JWT/JWS do (e.g. https://datatracker.ietf.org/doc/html/rfc7515#section-6, https://datatracker.ietf.org/doc/html/rfc7515#appendix-D, etc). A map from (issuer ID, key ID) pairs to public keys is one application but certainly not the only one.

[bc-pi]

How should the application "Check that the _sd_alg claim value is understood"? Where should it find the _sd_alg, in the JWT's header or payload? 5.1.1. Hash Function Claim answers this, so you could just reference that ...

referencing that 072a0605bcb62937e343aaa7812aa8ef86d8379f

[bc-pi]

What's a "claim"? https://www.rfc-editor.org/rfc/rfc7519#section-4 says the claims are the members of the JWT's payload, but the algorithm here also uses "claim" to describe nested object members and array elements.

That's a somewhat existential and loaded question but common usage of the word doesn't preclude it describing nested items and array elements. And this draft is not alone in that. In the intro it also says, '"Claims" here refers to both object properties (name-value pairs) as well as array elements.'

[bc-pi]

8.2. Processing by the Holder "create a Key Binding JWT" <- refer to the section that says how to do this. "Assemble the SD-JWT for Presentation" <- This should at least refer to "5. SD-JWT Data Formats"

cbee5f8457f447574400377dc6f7c9fe7f1c3c18

[bc-pi]

"Determine the public key for the Holder" <- how? This might be the 'cnf' claim, but you should say so.

a474e2b0b0ff7635af38c2ac95e70b40b2f82798 makes things a little more a bit more prescriptive about suggesting RFC7800 cnf/jwk be used to convey the Key Binding key and references that section from the "Verification by the Verifier" section.

[Sakurann]

Thank you so much, Brian! overall, agree with all the responses. I made few comments on the PR, but one thing to note here too: I think recommending cnf claim per comment here is inconsistent with a comment here that says that "this draft intentionally doesn't prescribe how keys are distributed, identified, selected, trusted, etc. any more than JWT/JWS do. so I think recommending is redundant and using cnf in examples is sufficient.

[bc-pi]

That latter comment was about (and in reply to a suggestion about) validating the signature on the Issuer-signed JWT and checking that the signing key belongs to this Issuer. While the former comment is about the holder's public key inside the Issuer-signed JWT itself. Different things so I don't believe there's really an inconsistency in my statements. Nor do I think that being a little more a bit more prescriptive and more clear about using RFC7800 cnf/jwk to convey the Key Binding key is redundant. Rather this review of a review seemed like a good opportunity to provide a little more clarity and guidance in an area the draft that could benefit from such.