Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-30 Thread Rifaat Shekh-Yusef
>>> not and if so whether we can start the call for adoption. >>> Best, >>> Kristina >>> *From:* Orie Steele >>> *Sent:* Friday, September 29, 2023 10:35

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-29 Thread Giuseppe De Marco
>> Best, >> Kristina >> *From:* Orie Steele >> *Sent:* Friday, September 29, 2023 10:35 AM >> *To:* Brian Campbell >> *Cc:* Torsten Lodderstedt; torsten=40lodderstedt@dmarc.ietf.org; Kristi

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-29 Thread Giuseppe De Marco
Hi, I'm fascinated by these interpretation processes. It sounds reasonable having mapped the OAuth roles in three types: Issuer or AS, Holder or Client, Verifier or RP. Even if we try to keep things simple the real world continuously breaks the plans (as in the society the genders ...). We often for

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-29 Thread Rifaat Shekh-Yusef
; 40lodderstedt@dmarc.ietf.org; Kristina Yasuda <kristina.yas...@microsoft.com>; oauth; Paul Bastian <paul.bast...@bdr.de>; Christian Bormann <christiancarl.borm...@de.bosch.com> > *Subject:* Re: [OAUTH-WG] OAuth and JWT/VC documents

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-29 Thread Kristina Yasuda
@dmarc.ietf.org; Kristina Yasuda; oauth; Paul Bastian; Christian Bormann Subject: Re: [OAUTH-WG] OAuth and JWT/VC documents Inline: On Fri, Sep 29, 2023 at 12:05 PM Brian Campbell wrote: If I might offer an observation... The draft-looker-oauth-jwt-cwt-statu

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-29 Thread Orie Steele
Inline: On Fri, Sep 29, 2023 at 12:05 PM Brian Campbell wrote: > > If I might offer an observation... > > The draft-looker-oauth-jwt-cwt-status-list draft is (or can easily be[*]) > really just a generic status/revocation checking mechanism for JWTs in > general. Given the history/lineage of JWT

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-29 Thread Brian Campbell
If I might offer an observation... The draft-looker-oauth-jwt-cwt-status-list draft is (or can easily be[*]) really just a generic status/revocation checking mechanism for JWTs in general. Given the history/lineage of JWT development within the OAuth WG, it seems like a general JWT status/revocati

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-19 Thread Orie Steele
Excellent. Inline: On Tue, Sep 19, 2023 at 2:12 PM wrote: > Hi Orie, > > best regards, > Torsten. > On 18 Sept. 2023, 16:01 +0200, Orie Steele wrote: > > Torsten, > > Thanks for sharing this excellent framing. > > I agree with everything you said. > > Please correct me if I'm wrong about a

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-19 Thread torsten=40lodderstedt . net
Hi Orie, best regards, Torsten. On 18 Sept. 2023, 16:01 +0200, Orie Steele wrote: > Torsten, > > Thanks for sharing this excellent framing. > > I agree with everything you said. > > Please correct me if I'm wrong about anything in this summary: > > 1. Keep working on JWT based credential format

[OAUTH-WG] OAuth and JWT/VC documents: a societal choice

2023-09-18 Thread Denis
Hi Roman and Torsten, This is a reply to the mail sent today by Torsten on the OAuth mailing list where I modified the name of the thread to add ": a societal choice". I also send a blind copy to the SPICE BoF. Let us go away from nails and screws and take a higher view, e.g., using an air

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-18 Thread Orie Steele
Torsten, Thanks for sharing this excellent framing. I agree with everything you said. Please correct me if I'm wrong about anything in this summary: 1. Keep working on JWT based credential formats at OAuth (implicit, don't expand OAuth charter to work on CWT credential formats ?) 2. If a new wo

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-18 Thread Orie Steele
I agree with Brian's comments. It's clear to me that SD-JWT has benefited a lot from the expertise of the OAuth WG. OS On Fri, Sep 15, 2023, 4:12 PM Brian Campbell wrote: > Hi Roman, > > I'm going to dodge some of the bigger picture questions but wanted to give > a bit of historical context/

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-18 Thread torsten=40lodderstedt . net
Hi Roman, I’m writing this post on behalf of the group of co-authors who proposed the following drafts for adoption by the OAuth WG: draft-ietf-oauth-attestation-based-client-auth draft-ietf-oauth-sd-jwt-vc draft-looker-oauth-jwt-cwt-status-list We have brought these drafts to the IETF because

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-18 Thread Denis
Hi Brian, The main questions raised by Roman were: What's the body of work around SD/JWT/VC that should be done and how much work will that be? What needs to be done first? The topic is about SD-JWT-VC (draft-ietf-oauth-sd-jwt-vc). It is not about SD-JWT (draft-ietf-oauth-selective-di

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-18 Thread Denis
re, but reveals more information about the prover than the disclosed claims. It discloses information that allows different verifiers to link the proofs they receive. By design, draft-ietf-oauth-sd-jwt-vc-00 is unable to support the Unlinkability property between verifiers. ZKP cannot be supported.

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-15 Thread Brian Campbell
Hi Roman, I'm going to dodge some of the bigger picture questions but wanted to give a bit of historical context/justification for the draft-ietf-oauth-selective-disclosure-jwt work in the OAuth WG. JWT itself was a product of OAuth WG yet was intention

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-12 Thread Tschofenig, Hannes
essarily. That's what the whole SD-JWT is about. Ciao Hannes From: OAuth On Behalf Of Denis Sent: Saturday, 9 September 2023 15:44 To: Roman Danyliw Cc: oauth Subject: Re: [OAUTH-WG] OAuth and JWT/VC documents Historically, the OAuth WG has been using a model including five compone

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-11 Thread Tom Jones
The problem is that we need a 2 party, off-line model for the world of mobile devices. that should not depend on OAuth. ..tom On Mon, Sep 11, 2023 at 8:22 AM Orie Steele wrote: > As far as I know, OpenID and DIF both use OAuth for these cases (the 3 > party model). > > W3C focuses only on the

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-11 Thread Orie Steele
As far as I know, OpenID and DIF both use OAuth for these cases (the 3 party model). W3C focuses only on the data model (in JSON-LD and RDF) and lacks the expertise to focus on the other parts (including security, and transport considerations IMO.) GlobalPlatform and others are related to the

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-09 Thread Tom Jones
+1 Denis. I cannot understand why OAuth is used in this user (or many others in development) as there is no authorization involved! The verifier asks the user (wallet) for data (perhaps with some back and forth) the user (wallet) supplies the data or not with consent to the conditions supplied by

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-09 Thread Denis
Historically, the OAuth WG has been using a model including five components: the user, the Client, the AS, the RO and the RS. The model applicable in the context of the "three part model (issuer, holder, verifier)" is rather different since there is no AS, nor RO. An AS should not be confused w

Re: [OAUTH-WG] OAuth and JWT/VC documents

2023-09-08 Thread Orie Steele
Thanks for kicking off the conversation! Inline: On Fri, Sep 8, 2023 at 2:08 PM Roman Danyliw wrote: > Hi! > > We've observed growing energy around JWT, selective disclosure and VC > related topics in the WG in recent meetings. We spent almost all of the > third OAuth meeting at IETF 117 on re

[OAUTH-WG] OAuth and JWT/VC documents

2023-09-08 Thread Roman Danyliw
Hi! We've observed growing energy around JWT, selective disclosure and VC related topics in the WG in recent meetings. We spent almost all of the third OAuth meeting at IETF 117 on related topics. The initial SD-JWT (draft-ietf-oauth-selective-disclosure-jwt) has been followed up with SD-JWT-