Hi Giuseppe, Francesco, Orie,

@Orie: Thanks for sharing the draft.

As a quick reaction: It would be good to invent a new term for “attestation” in 
draft-demarco-status-attestations.html because this term is already widely used 
in a different context (see RFC 9334).

@Giuseppe and Francesco: It would be great if you could submit your draft to 
OAuth or SPICE for discussion.

Ciao

Hannes

From: OAuth <oauth-boun...@ietf.org> On Behalf Of Orie Steele
Sent: Wednesday, 17 January 2024 19:07
To: sp...@ietf.org
Cc: oauth <oauth@ietf.org>
Subject: [OAUTH-WG] OAuth Digital Credential Status Attestations

Hello Digital Credential Enthusiasts,

See: 
https://peppelinux.github.io/draft-demarco-status-attestations/draft-demarco-status-attestations.html

Note the use of the term digital credential, and the alignment to CWT-based 
credentials and CWT-based credential status lists.

As a quick summary of the editors' draft above:

It is basically a refresh-token-like approach to dynamic state, where the 
holder retrieves updated state from the issuer at regular intervals, and can 
then present that dynamic state directly to the verifier.

This eliminates the herd privacy and phone home issues associated with W3C 
Bitstring Status Lists.

And it informs the holder of dynamic state, so the digital wallet can provide a 
better user experience.

However, an issuer (government or NGO) could use the interval of requesting 
dynamic state to track the holder... so the guidance from 
https://datatracker.ietf.org/doc/draft-steele-spice-oblivious-credential-state/
is also relevant to this draft.

I also learned that https://datatracker.ietf.org/doc/draft-ietf-oauth-sd-jwt-vc/
has defined a new property for expressing "Verifiable Credential" "type", `vct`, 
which is different from how W3C defines credential types.

W3C uses the expanded IRI for the graph node type, based on the JSON-LD 
context. 

For example with:

{
  "@context": [
    "https://www.w3.org/ns/credentials/v2",
    "https://www.w3.org/ns/credentials/examples/v2"
  ],
  "id": "http://university.example/credentials/1872",
  "type": ["VerifiableCredential", "ExampleAlumniCredential"],
  ...
}

The credential type in RDF becomes 
"https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential"

Which is different from "ExampleAlumniCredential" in JSON... More evidence that 
RDF leads to developer confusion regarding safe typing.

The OAuth solution does not have this confusing issue; they set the type 
explicitly:

{
  "vct": "https://credentials.example.com/identity_credential",
  "given_name": "John",
  "family_name": "Doe",
  "email": "john...@example.com",
  "phone_number": "+1-202-555-0101",
  "address": {
    "street_address": "123 Main St",
    "locality": "Anytown",
    "region": "Anystate",
    "country": "US"
  },
  "birthdate": "1940-01-01",
  "is_over_18": true,
  "is_over_21": true,
  "is_over_65": true,
  "status": {
    "status_attestation": {
      "credential_hash_alg": "S256"
    }
  }
}

Regards,

OS

-- 

ORIE STEELE
Chief Technology Officer
www.transmute.industries

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
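The refresh-token-like flow Orie summarises (holder fetches fresh status from the issuer at intervals, then presents it to the verifier, which never calls home) as an added, runnable toy model. This is not code from draft-demarco-status-attestations or from any wallet; it assumes HMAC-SHA256 over canonical JSON as a stand-in for the draft's JWT/CWT signature, and the claim names `credential_hash`, `iat` and `exp` are chosen here for illustration. Only `"credential_hash_alg": "S256"` comes from the example in the mail, and it is read PKCE-style as base64url(SHA-256(credential)).

```python
"""Toy model of the status attestation flow: issuer, holder and verifier roles.

Added example, not code from draft-demarco-status-attestations or any wallet.
Assumptions not on this page: HMAC-SHA256 over canonical JSON stands in for
the draft's JWT/CWT signature; claim names credential_hash, iat, exp are
chosen for illustration. Only credential_hash_alg "S256" is from the mail.
"""
import base64
import hashlib
import hmac
import json

ISSUER_KEY = b"constructed-issuer-key-for-demo-only"  # constructed sample key (assumption)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def credential_hash_s256(credential: bytes) -> str:
    """S256 read PKCE-style: base64url(SHA-256(credential bytes))."""
    return b64url(hashlib.sha256(credential).digest())


def _canonical(payload: dict) -> bytes:
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def issue_status_attestation(credential: bytes, now: int, ttl: int, key: bytes = ISSUER_KEY) -> dict:
    """Issuer side: a short-lived signed statement bound to the credential hash.
    The holder fetches one of these at regular intervals; the verifier never
    has to consult a status list or contact the issuer."""
    payload = {
        "credential_hash": credential_hash_s256(credential),
        "credential_hash_alg": "S256",
        "iat": now,
        "exp": now + ttl,
    }
    tag = hmac.new(key, _canonical(payload), hashlib.sha256).digest()
    return {"payload": payload, "sig": b64url(tag)}


def holder_needs_refresh(attestation: dict, now: int, margin: int) -> bool:
    """Holder side: refresh before expiry so a presentation never carries stale state."""
    return now + margin >= attestation["payload"]["exp"]


def verify_presentation(credential: bytes, attestation: dict, now: int, key: bytes = ISSUER_KEY) -> bool:
    """Verifier side: signature, freshness window, and binding to the presented
    credential. Signature is checked before any field is trusted."""
    payload = attestation["payload"]
    expected = b64url(hmac.new(key, _canonical(payload), hashlib.sha256).digest())
    if not hmac.compare_digest(expected, attestation["sig"]):
        return False
    if payload.get("credential_hash_alg") != "S256":
        return False
    if not (payload["iat"] <= now < payload["exp"]):
        return False
    return hmac.compare_digest(payload["credential_hash"], credential_hash_s256(credential))


if __name__ == "__main__":
    # Constructed credential bytes; in practice this is the issued SD-JWT/CWT.
    cred = b'{"vct":"https://credentials.example.com/identity_credential","given_name":"John"}'
    att = issue_status_attestation(cred, now=1000, ttl=600)
    print(verify_presentation(cred, att, now=1100))          # fresh and bound
    print(holder_needs_refresh(att, now=1500, margin=120))   # wallet should fetch a new one
    print(verify_presentation(cred, att, now=1700))          # expired: holder must have refreshed
```

The symmetric key is only a convenience for running offline; a real deployment signs with the issuer's private key so the verifier needs nothing but the public key. The refresh interval chosen by the wallet is exactly the signal the oblivious-credential-state draft warns an issuer could use to track holders, so `margin` and the polling cadence are privacy parameters, not just performance ones.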
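The typing point Orie makes, as an added example that is not from the W3C VC or SD-JWT VC specifications: the JSON string "ExampleAlumniCredential" only becomes a type after JSON-LD expansion through the `@context`, so a verifier that matches the bare string is not checking the RDF type at all. The `LOCAL_CONTEXTS` table below is a constructed, offline stand-in for what the two context URLs resolve to (real JSON-LD processing fetches and fully processes those documents), and the mini expander handles only term definitions, `prefix:suffix` compact IRIs and `@vocab`.

```python
"""Why "ExampleAlumniCredential" in the JSON is not the credential's RDF type.

Added example, not from the W3C VC or SD-JWT VC specs. LOCAL_CONTEXTS is a
constructed, pinned stand-in for the remote @context documents (assumption);
the expander below covers term definitions, compact IRIs and @vocab only.
"""

# Constructed stand-in for the remote context documents (assumption, see above).
LOCAL_CONTEXTS = {
    "https://www.w3.org/ns/credentials/v2": {
        "VerifiableCredential": "https://www.w3.org/2018/credentials#VerifiableCredential",
    },
    "https://www.w3.org/ns/credentials/examples/v2": {
        "@vocab": "https://www.w3.org/ns/credentials/examples#",
    },
}


def build_term_map(context_list):
    """Merge contexts in order; later definitions override earlier ones."""
    terms, vocab = {}, None
    for ctx in context_list:
        if isinstance(ctx, str):
            if ctx not in LOCAL_CONTEXTS:
                # Never fetch silently: an unknown context could redefine every term.
                raise ValueError(f"unknown context {ctx!r}; not in the pinned local set")
            ctx = LOCAL_CONTEXTS[ctx]
        for key, value in ctx.items():
            if key == "@vocab":
                vocab = value
            else:
                terms[key] = value
    return terms, vocab


def expand_term(term, terms, vocab):
    """Expand one JSON type string to its IRI, or None if JSON-LD would drop it."""
    if term in terms:
        return terms[term]
    if ":" in term:
        prefix, _, suffix = term.partition(":")
        return terms[prefix] + suffix if prefix in terms else term  # compact or absolute IRI
    return vocab + term if vocab else None


def rdf_types(credential):
    """The set of IRIs that end up as graph node types after expansion."""
    terms, vocab = build_term_map(credential["@context"])
    raw = credential["type"]
    raw = raw if isinstance(raw, list) else [raw]
    return {iri for iri in (expand_term(t, terms, vocab) for t in raw) if iri}


def naive_has_type(credential, name):
    """What a developer reading the JSON literally tends to write."""
    return name in credential["type"]


def has_rdf_type(credential, iri):
    """What the RDF graph actually says: compare expanded IRIs."""
    return iri in rdf_types(credential)


def sd_jwt_vc_type(payload):
    """SD-JWT VC: the type is the literal vct string; no expansion step exists."""
    return payload["vct"]


# Constructed sample inputs.
ALUMNI_IRI = "https://www.w3.org/ns/credentials/examples#ExampleAlumniCredential"
W3C_CRED = {
    "@context": ["https://www.w3.org/ns/credentials/v2",
                 "https://www.w3.org/ns/credentials/examples/v2"],
    "id": "http://university.example/credentials/1872",
    "type": ["VerifiableCredential", "ExampleAlumniCredential"],
}
# Same JSON type strings, but an inline context maps the bare term to another vocabulary.
OTHER_VOCAB_CRED = {
    "@context": ["https://www.w3.org/ns/credentials/v2", {"@vocab": "https://other.example/ns#"}],
    "type": ["VerifiableCredential", "ExampleAlumniCredential"],
}

if __name__ == "__main__":
    print(sorted(rdf_types(W3C_CRED)))
    print(naive_has_type(OTHER_VOCAB_CRED, "ExampleAlumniCredential"),
          has_rdf_type(OTHER_VOCAB_CRED, ALUMNI_IRI))  # True False: the strings agree, the types do not
```

The practical rule for a verifier of JSON-LD credentials is to pin the set of accepted contexts and compare expanded IRIs, never the bare `type` strings; with `vct` the string is the type, so plain equality is the whole check.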
