Hi Tiru As a member of the DCP WG (and a co-chair of it, but writing as a member) it would have been great if we’d been made aware of this draft. (Unfortunately many of us just don’t have the time to keep on top of all the relevant working groups. And apologies if we had been made aware and I missed it.)
The “lazy verifier” problem (that a detached aad could help solve)[1] is a problem that a number of DCP WG members are very concerned about. Whilst there isn’t a consensus in the working group on how to solve the problem (in my opinion mostly because there is no clean way to solve this in JWE as specified today), my feeling is that there is at least a consensus that we should look for solutions. I think the primary hope is that the jose-hpke draft progresses quickly and supports a way to solve the problem, which I’m hoping is still likely to happen? Thanks Joseph [1]: https://github.com/openid/OpenID4VP/issues/347 > On 18 Apr 2025, at 02:46, tirumal reddy <[email protected]> wrote: > > Hi Oliver, > > I presented the draft at the IETF 122 meeting. I received feedback that there > was no consensus on the problem in OpenID4VC. > You can refer to the meeting minutes at: > https://notes.ietf.org/notes-ietf-122-jose. > > Cheers, > -Tiru > > On Wed, 16 Apr 2025 at 01:25, Oliver Terbu <[email protected]> wrote: >> Hi, >> >> I reviewed the specification and overall, it makes sense to me and find it >> very useful in the situations that were outlined in the spec. >> >> A few things I found when reading the spec: >> >> inconsistent use of protected header names in some places: detached_aad vs >> aad_detached >> the example for JWE compact serialization could probably be simplified by >> using base64 for the canonicalization algorithm of the external context JSON >> structure. >> >> Otherwise, it looks great. >> >> What is the status of this document? Was it presented to the JOSE WG and >> where can I find the feedback? >> >> Thanks, >> Oliver >> >> >> >> >> From: tirumal reddy <[email protected] <mailto:[email protected]>> >> Sent: Tuesday, February 11, 2025 7:52 AM >> To: JOSE WG <[email protected] <mailto:[email protected]>> >> Subject: [jose] Fwd: New Version Notification for >> draft-reddy-jose-detached-aad-00.txt >> >> EXTERNAL EMAIL: This email originated outside of our organisation. Do not >> click links or open attachments unless you recognise the sender and know the >> content is safe. >> >> Hi all, >> >> We have published a new draft >> https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ that >> introduces a mechanism to support detached AAD in JWE. This allows the AAD >> to be derived from context-specific information instead of being transmitted >> in-band. The mechanism is particularly useful in scenarios such as OpenID >> for Verifiable Credentials (OID4VC), where a verifier must validate context >> information without relying on in-band AAD. >> >> Comments and suggestions are welcome. >> >> Cheers, >> -Tiru & Hannes >> >> >> ---------- Forwarded message --------- >> From: <[email protected] <mailto:[email protected]>> >> Date: Mon, 3 Feb 2025 at 12:23 >> Subject: New Version Notification for draft-reddy-jose-detached-aad-00.txt >> To: Tirumaleswar Reddy.K <[email protected] <mailto:[email protected]>>, >> Hannes Tschofenig <[email protected] >> <mailto:[email protected]>> >> >> >> A new version of Internet-Draft draft-reddy-jose-detached-aad-00.txt has been >> successfully submitted by Tirumaleswar Reddy and posted to the >> IETF repository. >> >> Name: draft-reddy-jose-detached-aad >> Revision: 00 >> Title: Enhanced JWE Security with Detached Additional Authenticated Data >> (AAD) >> Date: 2025-02-03 >> Group: Individual Submission >> Pages: 9 >> URL: >> https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.txt >> Status: https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ >> HTML: >> https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.html >> HTMLized: https://datatracker.ietf.org/doc/html/draft-reddy-jose-detached-aad >> >> >> Abstract: >> >> This draft introduces a mechanism to support detached Additional >> Authenticated Data (AAD) in JWE (JSON Web Encryption), allowing the >> AAD to be derived from context-specific information, such as session >> identifiers, algorithm identifiers, and identifiers of communication >> endpoints, rather than being transmitted in-band. This mechanism >> strengthens security by mitigating risk against unknown-key-share >> attacks and/or other exploitation techniques that depend on some type >> of confusion over the role played by each party. >> >> The document explains how to integrate this functionality into JWE, >> covering both JWE JSON Serialization and JWE Compact Serialization. >> >> >> >> The IETF Secretariat >> >> > _______________________________________________ > jose mailing list -- [email protected] > To unsubscribe send an email to [email protected]
_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
