-
Notifications
You must be signed in to change notification settings - Fork 27
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Separate token and presentation formats #374
Comments
To be clear, I don't think we need actual technical changes here (aside from maybe moving a (This is an exact parallel to So my proposal here would basically be to change some terminology and rearrange some text:
I admit that I have not done the work to see how the current text would map to this structure. If people are on board in principle, I could work up a PR that would make a more concrete proposal. |
There are indeed similarities to to There's a lot of text about the verifier policy decisions with respect to requiring key binding at https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-06.html#name-key-binding and also some push to loosing (or contextualize) it #368 We actually worked to consolidate the validation rules for Holder and Verifier here because there's so much commonality. With the key binding check here being the one part that's verifier specific (and yes, whether or not Key Binding is required is a policy decision of the verifier). Consolidation of the format and calling that SD-JWT was also part of that. Not saying that was necessarily the right or best thing to do but it was intentional with some thought behind it. |
On the general principle at a high level I think we have quite similar end goals of avoiding "cross-contamination" type confusion. I might quibble with some of the details and names and stuff. And I suspect the current text doesn't map easily at all. I'm not necessarily opposed to trying something here. But need to be conscientiousness of lots of (sometimes competing) factors including the current content of the whole draft and especially not breaking things. I realize that's not a very concrete statement - sorry! - but it's the best I could articulate. |
I think this is not very comparable to the alg none "flaw" at all. The problem with alg none is that it seemingly is a signature, its just a "bad" algorithm. When the KB-JWT is missing, a major part of the verification would not work. |
I think that the current encoding design, which had a lot of thought put into it, does a good job balancing many real engineering tradeoffs. It would be unnecessarily disruptive to change it at this point. With respect to
It's the JWS library's job to determine if a JWS is syntactically correct. It's the application's job to determine if it's semantically correct. Applications that don't do this are abdicating their security responsibilities. |
@danielfett The specific text that is freaking me out here is:
This invites people to write code that is insecure unless the operator writes a policy that corrects for the deficiencies of the code. As @selfissued points out, when things are structured that way, people will fail to write those policies in a safe way, and you get security defects. To frame it in terms of API design:
The point being that the Net of all that ranting, though, all I'm saying here is that we should split the current verification algorithm in two, where one algorithm covers validation of the base SD-JWT properties (issuer JWT valid, all disclosures accounted for), and the other first validates the key binding, then calls the first algorithm. |
I think that makes sense. as it sounds like we agree that "verifier can have both |
Yeah, I think I can live with that. It still makes me a little queasy to have the Verifier accepting documents with two different sets of security properties, but I'll take an antacid :) We might want to split the Holder->Verifier arrow in Figure 1 into two arrows, one for each type of object. I would also still prefer we had separate terms for "SD-JWT without KB-JWT" and "SD-JWT with KB-JWT", since these have distinct formats and algorithms. |
Thinking on this more, in light of #356, I'm feeling increasingly confident that Token and Presentation are good terms for "SD-JWT-without-KB" and "SD-JWT-with-KB", respectively. Or perhaps to be more streamlined, "SD-JWT" for "without KB" and "[SD-JWT] Presentation" for "with KB". Token / SD-JWT makes sense for "without-KB" because it has basically the same dynamics as a JWT. It's something the Issuer hands to the Holder, and the Holder passes on to other people. And importantly, it shares with JWT the property of replayability. The only difference here is that the Holder can drop some disclosures. Presentation makes sense for "with-KB" because the Holder needs to take an additional operation, making a new thing using the Token and the You can still call the Holder--Verifier interaction "presentation", you just say that the Holder presents either a Presentation or a bare Token. The slightly awkwardness of the latter construction is productive, because it tacitly implies that you really ought to be using a Presentation to get the full security properties.
|
In the common/typical/expected case the key needed to verify the key binding JWT is in the |
Strongly disagree with Token and Presentation being good terms in this context.
Maybe. If we decide to have separate terms. Which we have not. |
Sorry for the ambiguity, I was including "check that the bound public key matches |
The small point I was trying make there is that typically the "validation of the base SD-JWT properties" needs to happen first because the bound public key needed for the "validate the key binding" comes out of the former process. So the order of "first validates the key binding, then calls the first algorithm" probably needs to be reversed. The meta-point is that such a suggestion to "split the current verification algorithm" may not resonate well with those who already question its necessity. |
This document actually defines two object formats, with distinct formats and validation processes:
IssuerJWT~disclosure~...~disclosure~
Type1Object+KBJWT = IssuerJWT~disclosure~...~disclosure~KBJWT
cnf
, then validate the type-(1) objectRight now, the document refers to only one format, SD-JWT, which may or may not have a KB-JWT. The document should name these two things differently and make the different processes clear. In my notes, I have called these a "token" and a "presentation", respectively, but I don't have strong feelings about terminology.
The text was updated successfully, but these errors were encountered: