Thank you for the feedback! I can definitely get some text motivating the claims. You're exactly right that my particular use case is carrying policy inside a bearer token. An issuer may provide a bearer token that provides access to multiple resources. In my case, the logical claims allow the issuer to describe those resources in a way that a relying party can determine access permission without separate communication with an issuer.
It's potentially useful for JWTs, yes, although CWTs handle the enveloped claim considerably more cleanly, with no requirement for additional escaping and encoding. The logical claims would be easy and useful for JWTs, though.

And yes, the enveloped claim (name up for conversation :) ) requires that a relying party acquire the decryption key in some other way. My intent is that the list of available encryption algorithms, key distribution, and so on be outside this document. Protocols that use CWTs that bear encrypted claims would need to specify how those keys are handled. The details will vary considerably from protocol to protocol. Perhaps this approach isn't as useful as I think it is, though. At a minimum, I can make sure I have adequate text calling this approach out. In the use case I have in front of me at the moment, the enveloped claim allows the issuer to communicate information to the relying party without intermediaries (and the bearer) that do not have the decryption key being able to read the values of the claims.

The work on this bearer token is being done in a different standards org, but we identified these specific claims as generic and not specific to the work we were doing, so I wanted to bring the generic portion of the work here to see what people's thoughts were on defining a few generically useful claims.

And I can fix the name for the next time I update the draft.

On Wed, Nov 1, 2023 at 12:40 PM Hannes Tschofenig <[email protected]> wrote:
>
> Hi Chris,
>
> thanks for sending a mail to the list. Since you have not submitted the draft
> as draft-lemmons-cose-composite-claims it slipped through my radar.
>
> Here is a bit of high-level feedback.
>
> The draft lacks a motivation about why this functionality (particularly the
> "logical claim") is useful. From a high-level point of view one might wonder
> why it is a good idea to carry "policy" in the token itself or whether we are
> better off using policy in the AS (or push it down to the RS). There has been
> a lot of progress in policy languages recently with OPA, for example. This
> raises also the question about what the expressiveness of the policy language
> should be. Is "and"/"or"/"not" enough?
>
> Would this functionality also be useful for JWTs or only for CWTs?
>
> I would also appreciate examples.
>
> Finally, the encrypted claim, or enveloped claim as you call it, is
> interesting but just referencing COSE_Encrypt0 and COSE_Encrypt will give you
> zero interoperability because of the large number of key distribution
> mechanisms specified in the COSE RFC. On top of that these key distribution
> mechanisms need to be "profiled" in order to be used. You provide none of
> that information in the draft.
>
> Ciao
> Hannes
>
> On 01.11.2023 at 10:10, Chris Lemmons wrote:
>
> If time permits, could I have ten minutes for draft-lemmons-composite-claims?
>
> On Tue, Oct 31, 2023, 19:04 Ivaylo Petrov <[email protected]> wrote:
>>
>> Dear all,
>>
>> Our agenda has been uploaded at
>> https://datatracker.ietf.org/doc/agenda-118-cose/01/. It contains:
>>
>> Agenda COSE IETF 118
>>
>> 13:00-13:10 Opening remarks - the chairs (10 minutes)
>> 13:10-13:15 draft-ietf-cose-typ-header-parameter-00 (5 minutes)
>> 13:15-13:20 draft-ietf-cose-key-thumbprint-04 (5 minutes)
>> 13:20-13:30 draft-ietf-cose-cbor-encoded-cert-07 (10 minutes)
>> 13:30-13:40 draft-ra-cose-hybrid-encrypt-02 (10 minutes)
>> 13:40-13:50 draft-tschofenig-jose-cose-guidance-00 (10 minutes)
>> 13:50-14:20 draft-ietf-cose-hpke-07 (30 minutes)
>>
>> 14:20-15:00 AOB (40 minutes)
>>
>> Presenters, please upload your slides at
>> https://datatracker.ietf.org/meeting/118/session/cose by Friday.
>>
>> Best regards,
>>
>> -- Ivo
>>
>> _______________________________________________
>> COSE mailing list
>> [email protected]
>> https://www.ietf.org/mailman/listinfo/cose
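As an added illustration of the point discussed in this thread (a relying party evaluating a "logical claim" carried in the token locally, with no round trip to the issuer, and Hannes's question of whether and/or/not is expressive enough), here is a small Python evaluator. It is not code from the draft or from anyone on the list; the array-shaped encoding, the `access` claim name, the request attributes and the sample token payload are all assumptions made for this example, and signature and expiry checks are assumed to have already happened.

```python
"""Relying-party evaluation of a 'logical claim' carried inside a bearer token.

Hypothetical encoding (an assumption for this example, NOT the draft's):
  ["claim", <name>, <expected>]   leaf: true iff request attribute <name> == <expected>
  ["and", p1, p2, ...]            every operand true
  ["or",  p1, p2, ...]            at least one operand true
  ["not", p]                      operand false
"""
from collections.abc import Mapping, Sequence
from typing import Any


class PolicyError(ValueError):
    """Malformed or unrecognized policy; callers treat this as deny."""


MAX_DEPTH = 32  # bound nesting so a hostile token cannot exhaust the stack


def validate(node: Any, depth: int = 0) -> None:
    """Walk the whole tree up front: evaluation short-circuits, validation must not."""
    if depth > MAX_DEPTH:
        raise PolicyError("policy nesting exceeds MAX_DEPTH")
    if not isinstance(node, Sequence) or isinstance(node, (str, bytes)) or not node:
        raise PolicyError("policy node must be a non-empty array")
    op, *args = node
    if op == "claim":
        if len(args) != 2 or not isinstance(args[0], str):
            raise PolicyError("'claim' takes an attribute name and an expected value")
        return
    if op in ("and", "or"):
        if not args:
            raise PolicyError(f"'{op}' needs at least one operand")
    elif op == "not":
        if len(args) != 1:
            raise PolicyError("'not' takes exactly one operand")
    else:
        raise PolicyError(f"unknown operator {op!r}")
    for arg in args:
        validate(arg, depth + 1)


def evaluate(node: Sequence, request: Mapping[str, Any]) -> bool:
    """Evaluate an already-validated policy against the request attributes."""
    op, *args = node
    if op == "claim":
        name, expected = args
        return name in request and request[name] == expected
    if op == "and":
        return all(evaluate(a, request) for a in args)
    if op == "or":
        return any(evaluate(a, request) for a in args)
    return not evaluate(args[0], request)  # "not"


def authorize(token: Mapping[str, Any], request: Mapping[str, Any]) -> bool:
    """Deny unless the token carries a well-formed policy that permits the request."""
    try:
        policy = token["access"]  # hypothetical claim name for this example
        validate(policy)
        return evaluate(policy, request)
    except (KeyError, PolicyError):
        return False  # fail closed on a missing or malformed policy


# Constructed sample token payload (no real issuer; signature checks are out of scope here).
SAMPLE_TOKEN = {
    "iss": "https://issuer.example",
    "access": [
        "or",
        ["and", ["claim", "resource", "/reports"], ["claim", "action", "read"]],
        ["and", ["claim", "resource", "/uploads"], ["not", ["claim", "action", "delete"]]],
    ],
}

if __name__ == "__main__":
    for req in ({"resource": "/reports", "action": "read"},
                {"resource": "/uploads", "action": "delete"},
                {"resource": "/uploads", "action": "write"},
                {"resource": "/other", "action": "read"}):
        print(req, "->", "allow" if authorize(SAMPLE_TOKEN, req) else "deny")
```

Two design choices matter for a relying party consuming policy it did not author: the tree is validated in full before any evaluation, because `all()`/`any()` short-circuit and would otherwise let a malformed operand in an unevaluated branch slip through, and nesting depth is bounded so a token cannot drive the evaluator into a stack overflow. Anything unrecognized, including an operator the token's issuer might add later, results in deny rather than allow.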
