Speaking as an individual, of course, I do not believe there is consensus that the so-called “lazy verifier” problem is an actual problem at all, let alone one that should be "solved" with some new detached AAD mechanism.

On Sun, Apr 20, 2025 at 8:31 AM Joseph Heenan <[email protected]> wrote:

> Hi Tiru
>
> As a member of the DCP WG (and a co-chair of it, but writing as a member)
> it would have been great if we’d been made aware of this draft.
> (Unfortunately many of us just don’t have the time to keep on top of all
> the relevant working groups. And apologies if we had been made aware and I
> missed it.)
>
> The “lazy verifier” problem (that a detached aad could help solve)[1] is a
> problem that a number of DCP WG members are very concerned about. Whilst
> there isn’t a consensus in the working group on how to solve the problem
> (in my opinion mostly because there is no clean way to solve this in JWE as
> specified today), my feeling is that there is at least a consensus that we
> should look for solutions.
>
> I think the primary hope is that the jose-hpke draft progresses quickly
> and supports a way to solve the problem, which I’m hoping is still likely
> to happen?
>
> Thanks
>
> Joseph
>
> [1]: https://github.com/openid/OpenID4VP/issues/347
>
> On 18 Apr 2025, at 02:46, tirumal reddy <[email protected]> wrote:
>
> Hi Oliver,
>
> I presented the draft at the IETF 122 meeting. I received feedback that
> there was no consensus on the problem in OpenID4VC.
> You can refer to the meeting minutes at:
> https://notes.ietf.org/notes-ietf-122-jose.
>
> Cheers,
> -Tiru
>
> On Wed, 16 Apr 2025 at 01:25, Oliver Terbu <[email protected]>
> wrote:
>
>> Hi,
>>
>> I reviewed the specification and overall, it makes sense to me and I find
>> it very useful in the situations that were outlined in the spec.
>>
>> A few things I found when reading the spec:
>>
>>    - inconsistent use of protected header names in some places:
>>    detached_aad vs aad_detached
>>    - the example for JWE compact serialization could probably be
>>    simplified by using base64 for the canonicalization algorithm of the
>>    external context JSON structure.
>>
>> Otherwise, it looks great.
>>
>> What is the status of this document? Was it presented to the JOSE WG and
>> where can I find the feedback?
>>
>> Thanks,
>> Oliver
>>
>> ------------------------------
>> *From:* tirumal reddy <[email protected]>
>> *Sent:* Tuesday, February 11, 2025 7:52 AM
>> *To:* JOSE WG <[email protected]>
>> *Subject:* [jose] Fwd: New Version Notification for
>> draft-reddy-jose-detached-aad-00.txt
>>
>> Hi all,
>>
>> We have published a new draft
>> https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/ that
>> introduces a mechanism to support detached AAD in JWE. This allows the AAD
>> to be derived from context-specific information instead of being
>> transmitted in-band. The mechanism is particularly useful in scenarios such
>> as OpenID for Verifiable Credentials (OID4VC), where a verifier must
>> validate context information without relying on in-band AAD.
>>
>> Comments and suggestions are welcome.
>>
>> Cheers,
>> -Tiru & Hannes
>>
>> ---------- Forwarded message ---------
>> From: <[email protected]>
>> Date: Mon, 3 Feb 2025 at 12:23
>> Subject: New Version Notification for draft-reddy-jose-detached-aad-00.txt
>> To: Tirumaleswar Reddy.K <[email protected]>, Hannes Tschofenig <
>> [email protected]>
>>
>> A new version of Internet-Draft draft-reddy-jose-detached-aad-00.txt has
>> been
>> successfully submitted by Tirumaleswar Reddy and posted to the
>> IETF repository.
>>
>> Name:     draft-reddy-jose-detached-aad
>> Revision: 00
>> Title:    Enhanced JWE Security with Detached Additional Authenticated
>> Data (AAD)
>> Date:     2025-02-03
>> Group:    Individual Submission
>> Pages:    9
>> URL:
>> https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.txt
>> Status:   https://datatracker.ietf.org/doc/draft-reddy-jose-detached-aad/
>> HTML:
>> https://www.ietf.org/archive/id/draft-reddy-jose-detached-aad-00.html
>> HTMLized:
>> https://datatracker.ietf.org/doc/html/draft-reddy-jose-detached-aad
>>
>> Abstract:
>>
>>    This draft introduces a mechanism to support detached Additional
>>    Authenticated Data (AAD) in JWE (JSON Web Encryption), allowing the
>>    AAD to be derived from context-specific information, such as session
>>    identifiers, algorithm identifiers, and identifiers of communication
>>    endpoints, rather than being transmitted in-band. This mechanism
>>    strengthens security by mitigating risk against unknown-key-share
>>    attacks and/or other exploitation techniques that depend on some type
>>    of confusion over the role played by each party.
>>
>>    The document explains how to integrate this functionality into JWE,
>>    covering both JWE JSON Serialization and JWE Compact Serialization.
>>
>> The IETF Secretariat

_______________________________________________ jose mailing list -- [email protected] To unsubscribe send an email to [email protected]
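
The binding described in the quoted draft abstract, as an added Go example (not code from this thread or from the draft): sender and recipient each rebuild the AAD from their own view of the context, so a recipient whose context differs fails AEAD authentication instead of decrypting. The `client_id`/`nonce` context fields, the sorted-key JSON encoding, the all-zero direct key and the function names are assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

var b64 = base64.RawURLEncoding

// detachedAAD rebuilds the associated data locally, shaped as in RFC 7516 (Encoded
// Protected Header || "." || BASE64URL(AAD)). Sorted-key JSON is this example's assumption.
func detachedAAD(protectedB64 string, ctx map[string]string) []byte {
	c, _ := json.Marshal(ctx) // encoding/json emits map keys in sorted order
	return []byte(protectedB64 + "." + b64.EncodeToString(c))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// Seal encrypts pt and binds ctx into the tag; ctx itself is never transmitted.
func Seal(g cipher.AEAD, hdr string, ctx map[string]string, pt []byte) (iv, ct []byte, err error) {
	iv = make([]byte, g.NonceSize())
	if _, err = rand.Read(iv); err != nil {
		return nil, nil, err
	}
	return iv, g.Seal(nil, iv, pt, detachedAAD(hdr, ctx)), nil
}

// Open succeeds only when the recipient's own context matches the sender's.
func Open(g cipher.AEAD, hdr string, ctx map[string]string, iv, ct []byte) ([]byte, error) {
	return g.Open(nil, iv, ct, detachedAAD(hdr, ctx))
}

func main() {
	g, _ := newGCM(make([]byte, 32)) // constructed all-zero demo key ("dir" style)
	hdr := b64.EncodeToString([]byte(`{"alg":"dir","enc":"A256GCM"}`))
	iv, ct, _ := Seal(g, hdr, map[string]string{"client_id": "https://verifier.example", "nonce": "n-123"}, []byte("vp_token"))
	_, err := Open(g, hdr, map[string]string{"client_id": "https://other.example", "nonce": "n-123"}, iv, ct)
	fmt.Println("mismatched context rejected:", err != nil)
}
```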
