Hi Oliver,

I presented the draft at the IETF 122 meeting. I received feedback that there was no consensus on the problem in OpenID4VC. You can refer to the meeting minutes at: https://notes.ietf.org/notes-ietf-122-jose.

Cheers,
-Tiru

On Wed, 16 Apr 2025 at 01:25, Oliver Terbu <[email protected]> wrote:

> Hi,
>
> I reviewed the specification and overall, it makes sense to me and I find it
> very useful in the situations that were outlined in the spec.
>
> A few things I found when reading the spec:
>
>    - inconsistent use of protected header names in some places:
>    detached_aad vs aad_detached
>    - the example for JWE compact serialization could probably be
>    simplified by using base64 for the canonicalization algorithm of the
>    external context JSON structure.
>
> Otherwise, it looks great.
>
> What is the status of this document? Was it presented to the JOSE WG and
> where can I find the feedback?
>
> Thanks,
> Oliver
>
> ------------------------------
> *From:* tirumal reddy <[email protected]>
> *Sent:* Tuesday, February 11, 2025 7:52 AM
> *To:* JOSE WG <[email protected]>
> *Subject:* [jose] Fwd: New Version Notification for
> draft-reddy-jose-detached-aad-00.txt
>
> Hi all,
>
> We have published a new draft
> https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ that
> introduces a mechanism to support detached AAD in JWE. This allows the AAD
> to be derived from context-specific information instead of being
> transmitted in-band. The mechanism is particularly useful in scenarios such
> as OpenID for Verifiable Credentials (OID4VC), where a verifier must
> validate context information without relying on in-band AAD.
>
> Comments and suggestions are welcome.
>
> Cheers,
> -Tiru & Hannes
>
> ---------- Forwarded message ---------
> From: <[email protected]>
> Date: Mon, 3 Feb 2025 at 12:23
> Subject: New Version Notification for draft-reddy-jose-detached-aad-00.txt
> To: Tirumaleswar Reddy.K <[email protected]>, Hannes Tschofenig <[email protected]>
>
> A new version of Internet-Draft draft-reddy-jose-detached-aad-00.txt has been
> successfully submitted by Tirumaleswar Reddy and posted to the
> IETF repository.
>
> Name:     draft-reddy-jose-detached-aad
> Revision: 00
> Title:    Enhanced JWE Security with Detached Additional Authenticated Data (AAD)
> Date:     2025-02-03
> Group:    Individual Submission
> Pages:    9
> URL:      https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.txt
> Status:   https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/
> HTML:     https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.html
> HTMLized: https://datatracker.ietf.org/doc/html/draft-reddy-jose-detached-aad
>
> Abstract:
>
>    This draft introduces a mechanism to support detached Additional
>    Authenticated Data (AAD) in JWE (JSON Web Encryption), allowing the
>    AAD to be derived from context-specific information, such as session
>    identifiers, algorithm identifiers, and identifiers of communication
>    endpoints, rather than being transmitted in-band. This mechanism
>    strengthens security by mitigating risk against unknown-key-share
>    attacks and/or other exploitation techniques that depend on some type
>    of confusion over the role played by each party.
>
>    The document explains how to integrate this functionality into JWE,
>    covering both JWE JSON Serialization and JWE Compact Serialization.
>
> The IETF Secretariat
_______________________________________________
jose mailing list -- [email protected]
To unsubscribe send an email to [email protected]
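
The idea in the abstract quoted above, as an added sketch that is not taken from the draft or from anyone in this thread: both sides rebuild the AAD from context they already hold, so a recipient with a different view of the session or endpoints fails AEAD authentication. It uses AES-GCM from the Go standard library directly rather than a JWE library; the `Context` fields, function names, the way the context is serialized and the sample values are assumptions, not the draft's wire format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

type Context struct{ Session, Sender, Verifier string } // hypothetical out-of-band values, never sent

// aadFor applies the RFC 7516 rule (protected header || "." || aad) with the aad rebuilt from ctx.
func aadFor(hdrB64 string, ctx Context) []byte {
	j, _ := json.Marshal(ctx) // fixed struct field order: both sides get identical bytes
	return []byte(hdrB64 + "." + base64.RawURLEncoding.EncodeToString(j))
}

func NewGCM(key []byte) (cipher.AEAD, error) {
	b, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(b)
}

// Seal returns nonce || ciphertext || tag; nothing derived from ctx travels with it.
func Seal(g cipher.AEAD, hdrB64 string, ctx Context, pt []byte) ([]byte, error) {
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, pt, aadFor(hdrB64, ctx)), nil
}

// Open fails authentication if the recipient's ctx (or header) differs from the sender's.
func Open(g cipher.AEAD, hdrB64 string, ctx Context, msg []byte) ([]byte, error) {
	if len(msg) < g.NonceSize() {
		return nil, fmt.Errorf("message shorter than nonce")
	}
	return g.Open(nil, msg[:g.NonceSize()], msg[g.NonceSize():], aadFor(hdrB64, ctx))
}

func main() {
	g, _ := NewGCM(make([]byte, 32)) // constructed all-zero demo key, not for real use
	msg, _ := Seal(g, "e30", Context{"s1", "wallet.example", "verifier.example"}, []byte("vp"))
	_, err := Open(g, "e30", Context{"s1", "wallet.example", "other.example"}, msg)
	fmt.Println("wrong verifier rejected:", err != nil)
}
```

Here `"e30"` is the base64url encoding of an empty JSON object, standing in for a real protected header.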
