Re: [OAUTH-WG] SD-JWT, use of JSON path in disclosure claim name

[Daniel Fett]

Hi Nikos,

this question comes up from time to time, so I'll quote myself 
<https://github.com/oauth-wg/oauth-selective-disclosure-jwt/issues/357>:

"We thought a lot about pointer-based approaches like the one you 
propose in the beginning, but there are some drawbacks:

 1. The Verifier can re-assemble the document without checking the 
hashes. This is dangerous (see the second paragraph of 
https://drafts.oauth.net/oauth-selective-disclosure-jwt/draft-ietf-oauth-selective-disclosure-jwt.html#name-manipulation-of-disclosures).
 2. The current design in the draft allows to send smaller 
presentations if only a few claims are disclosed and recursive 
disclosures are used.
 3. There is no need to discuss corner cases, for example, where a 
child element is disclosed, but not the parent element. From my 
experience, the design the we currently have is slightly easier to 
implement (fewer special cases)."

I think the first point is particularly important for the security of 
SD-JWT.

That said, JSONPath is a query syntax and its misuse as pointers must 
stop :-) (Also, it is somewhat dangerous.) JSONPointers would be 
appropriate here.

-Daniel


Am 07.02.24 um 15:52 schrieb Nikos Fotiou:
I was wondering if ever occured to use a JSON path-like approach as 
disclosure name. This will result in a single top level _sd key and 
will remove the need for sperating discolsures that conern objects vs 
those that concern arrays. If this has been disussed in the past, what 
are its disadvantages? A version of example in 6.1 using this 
hypothetical approach follows.

SD-JWT payload (the difference is in the "nationalities" key, the hash 
values have been moved to the _sd claim . Note that the hash values 
are not correct )
{
     "_sd": [
       "CrQe7S5kqBAHt-nMYXgc6bdt2SH5aTY1sU_M-PgkjPI",
       "JzYjH4svliH0R3PyEMfeZu6Jt69u5qehZo7F7EPYlSE",
       "PorFbpKuVu6xymJagvkFsFXAbRoc2JGlAUA2BA4o7cI",
       "TGf4oLbgwd5JQaHyKVQZU9UdGE0w5rtDsrZzfUaomLo",
       "XQ_3kPKt1XyX7KANkqVR6yZ2Va5NrPIvPYbyMvRKBMM",
       "XzFrzwscM6Gn6CJDc6vVK8BkMnfG8vOSKfpPIZdAfdE",
       "gbOsI4Edq2x2Kw-w5wPEzakob9hV1cRD0ATN3oQL9JM",
       "jsu9yVulwQQlhFlM_3JlzMaSFzglhQG0DpfayQwLUK4",
       "pFndjkZ_VCzmyTa6UjlZo3dh-ko8aIKQc9DlGzhaVYo",
       "7Cf6JkPudry3lcbwHgeZ8khAv1U1OSlerP0VkBJrWZ0"
     ],
     "iss": "https://issuer.example.com";,
     "iat": 1683000000,
     "exp": 1883000000,
     "sub": "user_42",
     "nationalities": [],
     "_sd_alg": "sha-256",
     "cnf": {
       "jwk": {
         "kty": "EC",
         "crv": "P-256",
         "x": "TCAER19Zvu3OHF4j4W4vfSVoHIP1ILilDls7vCeGemc",
         "y": "ZxjiWWbZMQGHVWKVQ4hbSIirsVfuecCE6t4jT9F2HZQ"
       }
     }
   }


Disclosures for nationalities
Contents: ["lklxF5jMYlGTPUovMNIvCA", $['nationalities'][0],"US"]
Contents: ["nPuoQnkRFq3BIeAm7AnXFA", $['nationalities'][1],"DE"]

Each attribute of the streat address can be easily represented as a 
different disclosure
Contents: ["6Ij7tM-a5iVPGboS5tmvVA", $['address']['region'], 
"Sachsen-Anhalt"]
Contents: ["6Ij7tM-a5iVPGboS5tmvVA", $['address']['country'], "DE"]

Best,
Nikos



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth