This thread is related to the three roles model, i.e, Holder, Issuer and
Verifier.
However, I also copy this email to the OAuth WG, since it is currently
developing draft-ietf-oauth-status-list.
Thanks to Orie for providing the second link:
https://gitlab.opencode.de/bmi/eudi-wallet/eidas-2.0-architekturkonzept/-/blob/main/architecture-proposal.md?ref_type=heads#ocsp-stapling.
What first follows a copy/paste of some parts of the "Architecture
Proposal for the German eIDAS Implementation". Then after, my
observations follow.
Various use cases and scenarios may require revocation:
* the PID/(Q)EAA Provider wants to revoke its issued credential
because the contained data is no longer valid
* the Wallet Provider wants to revoke a Wallet Instance because
Wallet Security Cryptographic Device (WSCD)
or the Wallet Instance application is compromised or vulnerable
* the user wants to revoke their Wallet Instance because they lost
their smartphone
* the user wants to revoke their PID
* the PID Provider wants to revoke a PID because the person has died
To enable revocation within the EUDI Wallet ecosystem, the following
mechanisms for revocation are considered:
(a) Certificate Revocation Lists
(b) Status Lists
(c) Online Certificate Status Protocol (OCSP)
(d) OCSP stapling
*My observations:*
For case (a): "CRLs have seen some scalability limitations in the
Browser TLS context, and
it remains open to evaluate if CRL sizes
remain manageable within the eIDAS ecosystem".
For case (b): "it remains open to evaluate if this is sufficient for
the eIDAS ecosystem".
For case (c): "Therefore, usage of OSCP is /not/ recommended".
For case (d): "a proposal applying the concepts to the PID
credential formats is under development
<https://datatracker.ietf.org/doc/draft-demarco-oauth-status-attestations/>.
[i.e., draft-demarco-oauth-status-attestations-00]
the concept has the privacy potential as the Relying Party does not
fetch the revocation information itself".
draft-demarco-oauth-status-attestations-00 looks interesting.
Presently, this draft does not include a privacy considerations section.
It is thus questionable whether it is able to support the unlinkability
property
[it cannot be distinguished whether two transactions are related to the
same user or not].
Some nice characteristics are :
* "the Relying Party does not fetch the revocation information itself".
* "both the wallet and the verifier work without internet connectivity
during the presentation phase".
But what about a mechanism where, in addition, the holder does not fetch
the revocation information itself ?
Yes, neither the holder, nor the verifier, fetch itself any revocation
information.
Is it "mission impossible"? No, it isn't.
A Wallet Provider is in a position to suspend (i.e., which is equivalent
to a temporary revocation) any digital credential placed in a Wallet
Instance.
It is also in a position to invalidate the use of a Wallet Instance or
to remove any digital credential placed in a Wallet Instance (which is
equivalent
to a definitive revocation).
A Wallet instance is THE Holder, i.e., an application that needs to be a
Trusted Application (TA) running in a TEE. Every time the holder
(application)
is online, it can transparently connect to the Wallet Provider. If
instructed by a Credential Issuer, aWallet Provider can suspend any
digital credential
issued by that Credential Issuer.
The digital credentials placed in a Wallet Instance will only be usable
if the Wallet Instance has been online during, e.g., the last 24 or 36
hours.
From a holder point of view (or a Wallet Instance point of view), each
time it is online, it will connect to its Wallet Provider.
If no digital credential needs to be suspended, then all the digital
credentials will be usable during the next 24 or 36 hours, but no longer.
The query made by the Wallet Instance to its Wallet Provider can be
transparently repeated, e.g., every hour. If a suspension is requested
by a Credential Issuer while the Wallet Instance is online, the
suspension will occur at latest within, e.g., the next hour.
The same mechanism can also be used to revoke the Wallet Instance when
the individual lost his smart phone.
All the other approaches would require the revocation (or the
suspension) of each digital credential, one by one.
This approach avoids to define new data structures that would need to be
exchanged between a Holder and a Verifier or fetched by a Verifier.
This approach would be fully privacy preserving. In particular, the
unlinkability property will be supported.
Note also that a suspension is much better than a revocation; for
example, if a lost smart phone is found again by the legitimate individual.
With this flexibility, the individual will no more necessarily ask for
an immediate revocation which has sad consequences in terms of availability.
The suspension state allows to recover the use of the wallet, e.g.,
within the same day. Whereas an individual was afraid of the consequences
of the revocation, he will not be afraid of the consequences of a
(temporary) suspension. This allows to reduce the risks and hence to
improve
the security level.
eIDAS 2.0 does not currently allow the suspension state. Once, that
approach will be known, maybe the eIDAS.2.0 draft will be modified.
It is only a draft at this moment.
Denis
Orie - this is great work. I definitely think that scoping out how
this approach could be used with SD-CWT could be an important part of
documenting the architecture.
Mike Prorock
Founder
https://mesur.io/
On Thu, Mar 28, 2024 at 12:53 PM Orie Steele
<orie@transmute.industries> wrote:
Hello,
At IETF 119 OAUTH session, I shared some alternative solutions to
the "dynamic credential state" or "suspension and revocation
problem", in digital credentials.
https://datatracker.ietf.org/doc/draft-demarco-oauth-status-attestations
This approach offers some advantages and disadvantages over status
lists / CRL type dynamic state mechanisms that need to be fetched
over a network by relying parties, or fetched by holders and
presented alongside the credentials they monitor.
The primary improvements are:
1. Reduce implementer burden for relying parties, many of which
might be forbidden from calling out to networks.
2. Eliminate the bitstring status list, which can include decoy /
dummy values that can be used to track relying parties, or that
communicate or update state for credentials which are not
relevant to the transaction.
There is some interesting commentary on this approach here:
https://gitlab.opencode.de/bmi/eudi-wallet/eidas-2.0-architekturkonzept/-/blob/main/architecture-proposal.md?ref_type=heads#ocsp-stapling
Which you might all find interesting.
As a general comment, CRLs and OCSP can both address revocation
use cases and approaches in JOSE and COSE, and applications of
this approach to SD-CWT or SCITT Receipts are particularly
interesting to consider.
Regards,
OS
--
ORIE STEELEChief Technology Officerwww.transmute.industries
<https://streaklinks.com/B6DNq7fQ0K3-fblaFg95UjF6/https%3A%2F%2Ftransmute.industries>
ᐧ
--
SPICE mailing list
sp...@ietf.org
https://www.ietf.org/mailman/listinfo/spice
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
