https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>
> ___
> media-types mailing list -- media-ty...@ietf.org
> To unsubscribe send an email to media-types-le...@ietf.org
>
In SPICE and SCITT, we have discussed similar proposals for "identity
documents", which are essentially a signed collection of keys and
attributes.
I think a generic building block that works for JOSE and COSE would be
great.
I don't think OAuth is the right place to develop general purpose
scovering key material
> (references go here),
>
>
>
> *From:* Orie Steele
> *Sent:* Tuesday, February 20, 2024 10:18 AM
> *To:* nada...@prodigy.net
> *Cc:* Roman Danyliw ; oauth
> *Subject:* Re: [OAUTH-WG] FW: Call for consensus on SPICE charter
>
>
>
document to the IESG
>for publication
>- 10-2025 - Submit a proposed standard document covering a JWP/CWP
>profile for digital credentials to the IESG for publication
>- 10-2025 - Submit a proposed standard document defining SD-CWT to the
>IESG for publication
>
igitalbazaar.com/
___
media-types mailing list
media-ty...@ietf.org
https://www.ietf.org/mailman/listinfo/media-types
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
--
ORIE STEELE
Chief Technology Officer
www.transm
>
>
>
> I still think this charter needs more clarity as I point out
>
Can you suggest text?
>
>
>
>
> *From:* Orie Steele
> *Sent:* Friday, February 16, 2024 10:11 AM
> *To:* nada...@prodigy.net
> *Cc:* Roman Danyliw ; oauth
> *Subject:* Re: [OAUT
igitalbazaar.com/
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
ementing the WG drafts?
>
> I'm willing to see how we can use these outputs with the other industry
> technologies.
>
>
Thank you for your comments.
>
>
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
___
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
>
> Disclosures for nationalities
> Contents: ["lklxF5jMYlGTPUovMNIvCA", $['nationalities'][0],"US"]
> Contents: ["nPuoQnkRFq3BIeAm7AnXFA", $['nationalities'][1],"DE"]
>
> Each attribute of the street address can be easily represented as a
> different disclosure
> Co
eil Madden
wrote:
> RFC8693 didn't register anything for CWT at all. Some other document has
> registered scope for CWT and pointed at that RFC as the reference for some
> reason.
>
> -- Neil
>
> On 24 Jan 2024, at 18:37, Orie Steele wrote:
>
> I'm working on a document
ignments/jwt/jwt.xhtml
- https://www.iana.org/assignments/cwt/cwt.xhtml
How can I use "client_id" in CWT ?
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
>> >>>
>> >>> +-+ +---+
>> >>> | | Requests Status Attestation | |
>> >>> | |>| |
>
ntations - draft 20 (verifier attestation)
>> - OpenID for Verifiable Credential Issuance (section "Trust between
>> Wallet and Issuer": Device Attestation)
>>
>> Meantime in the eIDAS Expert group this term is going to be changed to
>> "Wallet
ohn",
"family_name": "Doe",
"email": "john...@example.com",
"phone_number": "+1-202-555-0101",
"address": {
"street_address": "123 Main St",
"locality": "Anytown",
"r
ate.
-
https://datatracker.ietf.org/doc/html/draft-ietf-oauth-sd-jwt-vc-01#section-3.5
It seems that based on the OAUTH guidance, the SCITT guidance should match
the OAUTH guidance.
Regards,
OS
On Tue, Jan 16, 2024 at 7:46 PM Orie Steele
wrote:
> There are 3 things that make up the SCITT eco
ence I would like to query about the correct approach to follow when
>> calculating the "x5t#S256" parameter. Or can we accept both these forms as
>> correct methods to calculate the mentioned field?
>>
>> Thanks in advance.
>>
>> [1] https://datatrack
status-list ?
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
transmute-industries/audacious-presentations
Feel free to file issues or open PRs to make corrections.
I will provide a full implementation PoC, in the same repo shortly.
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https
claims work out of scope.
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
>
> For W3C Verifiable Credentials that could be:
>
> application/ld+json; profile="https://www.w3.org/ns/credentials;
>
> Noting that W3C already supports https://www.w3.org/ns/credentials/v2
>
> Regards,
>
> OS
>
> On Mon, Nov 27, 2023 at 8:55 AM Orie Steele
could be:
application/ld+json; profile="https://www.w3.org/ns/credentials;
Noting that W3C already supports https://www.w3.org/ns/credentials/v2
Regards,
OS
On Mon, Nov 27, 2023 at 8:55 AM Orie Steele
wrote:
> Hello,
>
> There was a request to add media type parameters to application/s
not
apply.
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
--
Alexey, please correct anything I miscommunicated.
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
I agree, I don't think one should block the other.
In our implementation of SD-CWT, we take advantage of the unprotected
header for disclosures, this means we don't need new media types, we are
also considering enabling selective disclosure of the header parameters,
which would allow the payload
kings, presidents, and voting. We believe in: rough consensus and running
>> code".
>> _______
>> OAuth mailing list
>> OAuth@ietf.org
>> https://www.ietf.org/mailman/listinfo/oauth
>>
>
> *CONFIDENTIALITY NOTIC
>
>
>
>
> On Tue, Oct 3, 2023 at 8:51 PM John Bradley wrote:
>
> +1 for adoption
>
>
>
> On Sat, Sep 30, 2023, 9:53 AM Rifaat Shekh-Yusef
> wrote:
>
> All,
>
> This is an official call for adoption for the *JWT and CWT Status List*
> draft:
> https://datatracker.
y approach would be better than allowing
free form responses from the holder.
OS
On Fri, Oct 20, 2023 at 9:30 AM Daniel Fett wrote:
> The Holder can put such information into the KB-JWT, if required.
>
> -Daniel
> Am 20.10.23 um 16:28 schrieb Orie Steele:
>
> In some ways thi
he verifier.
> -Daniel
> Am 18.10.23 um 05:03 schrieb Tom Jones:
>
> That's leaking the existence of PII. That requires permission of the
> subject. I think it's way more complicated than you think.
>
> thx ..Tom (mobile)
>
> On Tue, Oct 17, 2023, 6:20 AM Orie Steele
ll never be
found in the payload, as we know they will hash differently than array
encoded disclosures, which will be found in the payload.
I'll be giving a presentation on this topic to the W3C Credentials
community group later today, happy to shuttle their reactions back to this
:
>
> On Fri, Oct 13, 2023 at 3:53 PM Orie Steele
> wrote:
>
>> Inline (and sorry for repeating points / rambling) :
>>
>
> No need to apologize.
>
> It is, however, difficult (for me anyway) to engage with all this in a way
> that feels productive. Honestly,
Thanks David, responses inline:
On Fri, Oct 13, 2023 at 6:35 PM David Waite
wrote:
>
>
> On Oct 13, 2023, at 3:52 PM, Orie Steele
> wrote:
>
> Inline (and sorry for repeating points / rambling) :
>
> On Fri, Oct 13, 2023 at 1:25 PM Brian Campbell
> wrote:
>
>
attack... even with
our guidance they may not be successful.
It's not a silver bullet, nothing in security is, but it is an attack that
can be mitigated because it's known to be a weak point that's been
repeatedly broken:
"Deserialization of Untrusted Data" -
https://cwe.mitre.org/dat
case that the parsing library is vulnerable, the attacker can craft
a protected header that exploits the verifier prior to signature
verification.
Apologies if this has already been discussed.
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
I support adoption.
We have implementations of a similar spec and we don't think it would be
good for vendors to have to support both, but that's not under control of
OAuth... we hope there will be significant improvements made, after
adoption to justify a separate spec, aside from CWT being
able-credentials
Regards,
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
s but no actual
> content as such, which could be removed to focus the scope of the draft.
>
>
+1
>
>
> On Tue, Sep 19, 2023 at 1:56 PM Orie Steele
> wrote:
>
>> Excellent.
>>
>> Inline:
>>
>> On Tue, Sep 19, 2023 at 2:12 PM wrote:
>>
>>
Excellent.
Inline:
On Tue, Sep 19, 2023 at 2:12 PM wrote:
> Hi Orie,
>
> best regards,
> Torsten.
> Am 18. Sept. 2023, 16:01 +0200 schrieb Orie Steele
> :
>
> Torsten,
>
> Thanks for sharing this excellent framing.
>
> I agree with everything you said.
>
t model
> (issuer, holder, verifier) used in
> draft-ietf-oauth-selective-disclosure-jwt?
>
> Thanks,
> Roman, Hannes, and Rifaat
> ___
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
I agree with Brian's comments. It's clear to me that SD-JWT has benefited a
lot from the expertise of the OAuth WG.
OS
On Fri, Sep 15, 2023, 4:12 PM Brian Campbell wrote:
> Hi Roman,
>
> I'm going to dodge some of the bigger picture questions but wanted to give
> a bit of historical
es emerging that might be good to do that work, and I
wonder if folks here agree or have comments on how this is progressing...
and I am also still very interested in what the next charter for OAuth
might focus on.
Regards,
OS
--
ORIE STEELE
Chief Technology Off
g, kristina probably has a better take):
>> https://openid.net/wg/digital-credentials-protocols/
>>
>> Are there things DCP might need from OAuth WG, how might the charter
>> align to that work?
>>
>>
>>> ** Is there work to be done around bridging
> Thanks,
> Roman, Hannes, and Rifaat
> _______
> OAuth mailing list
> OAuth@ietf.org
> https://www.ietf.org/mailman/listinfo/oauth
>
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmute.industries>
Inline:
On Thu, Aug 24, 2023, 6:50 PM Watson Ladd wrote:
> On Thu, Aug 24, 2023, 1:32 PM Kristina Yasuda
> wrote:
> >
> > First of all, BBS and SD-JWT are not comparable apple to apple. BBS is a
> signature scheme and it needs to be combined with few other things like JWP
> or BBS data
Hey Watson,
There are 2 properties that credential subjects are looking for in new
credential formats:
1. Selective Disclosure
2. Unlinkability
Ideally we would get both of these for JWT and CWT, with new algorithms,
and both compact and flat encodings.
Ideally, we would have more than 1
I support adoption.
On Wed, Aug 23, 2023, 5:06 PM Michael Jones
wrote:
> I support adoption.
>
> -- Mike
>
>
> --
> *From:* OAuth on behalf of Dick Hardt <
> dick.ha...@gmail.com>
> *Sent:* Wednesday, August 23, 2023 8:09:46 PM
> *To:* Rifaat Shekh-Yusef
> *Cc:*
the media type
application/sd-jwt or the structured suffix +sd-jwt.
Is there a need to signal the content type of the "verified payload"?
What is the recommended way to do this?
OS
--
ORIE STEELE
Chief Technology Officer
www.transmute.industries
<https://transmu
I support adoption
On Sun, Jul 30, 2023, 9:14 AM Pieter Kasselman wrote:
> I support adoption.
>
>
>
> *From:* OAuth *On Behalf Of *Rifaat Shekh-Yusef
> *Sent:* Saturday, July 29, 2023 8:27 PM
> *To:* oauth
> *Subject:* [OAUTH-WG] Call for adoption - Attestation-Based Client
> Authentication
I support adoption.
On Sun, Jul 30, 2023, 9:15 AM Pieter Kasselman wrote:
> I support adoption of this draft.
>
>
>
> *From:* OAuth *On Behalf Of *Rifaat Shekh-Yusef
> *Sent:* Saturday, July 29, 2023 8:25 PM
> *To:* oauth
> *Subject:* [OAUTH-WG] Call for adoption - SD-JWT-based Verifiable
>