Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Kristina Yasuda
I support adoption. To add some color: one of the use-cases is a flow where issuance of a user credential (collection of user claims) is decoupled from presentation (where both issuance and presentation of a user credential are done using extensions of OAuth flows). The goal of this

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Vittorio Bertocci
I support adoption of this draft as a WG document. On Thu, Jul 28, 2022 at 5:17 PM Rifaat Shekh-Yusef wrote: > > -- > > All, > > This is a call for adoption for the *SD-JWT* document >

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Warren Parad
And in the situation they did, we would just use the existing scopes and let the user approve the selected list. RS requests, AS redirects the user, the user approves. (RS => AS => User) The draft isn't trying to prevent needing to do that, it's trying to change the order of the flow, first the

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Neil Madden
> On 1 Aug 2022, at 17:34, Aaron Parecki > wrote: > David, > > Creating "A conventional JWT with a subset of claims" is exactly the thing > this draft sets out to prevent needing to do. The problem with that approach > is the AS would have to create a new JWT with only the claims needed for

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Warren Parad
Hey David, would you be able to go back and reread what you wrote? I'm trying to parse it and it seems what you are calling different things don't align to the common understanding of what AS/RS/client mean. For instance: - the user, not the AS, authorizes a client to attain credentials -

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread David Chadwick
Hi Aaron I think we have different mental models for this. In my opinion, if the AS authorises the client to obtain a complete credential with all the properties, then the client should be able to ask the RS for a set of subsets of the credential, since the client

[OAUTH-WG] (no subject)

2022-08-01 Thread Ryan Acosta
Sent from my Verizon, Samsung Galaxy smartphone Get Outlook for Android

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Aaron Parecki
David, Creating "A conventional JWT with a subset of claims" is exactly the thing this draft sets out to prevent needing to do. The problem with that approach is the AS would have to create a new JWT with only the claims needed for the particular presentation, so the AS would need to be both

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread David Chadwick
thanks Giuseppe. Glad to hear that blinding claim names is now on the cards. This does not answer the question about why conventional JWTs with a subset of the claims cannot also be used Kind regards David On 01/08/2022 17:04, Giuseppe De Marco

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Giuseppe De Marco
Hi David, This issue was already raised. Below is the proposal for both draft and python code https://github.com/oauthstuff/draft-selective-disclosure-jwt/pull/124 Regarding the privacy I'd like to have a combined presentation format that makes the PID/QEAA (VC) untraceable (jwe, with variable iat

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread David Chadwick
I would like to add a few further points. The age-over property is more complex than your example, because a driving license only contains the date of birth. The issuing authority decides which age-over properties to statically provide in the mDL and the ISO

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Warren Parad
> > This is done because network availability and privacy concerns may > separate the act of acquiring the SD-JWT of a license from the issuing > authority, and presenting it (such as days later during a traffic stop on a > mountain road). I think we keep pointing to "offline drivers license" as

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread David Chadwick
On 01/08/2022 11:55, Neil Madden wrote: I agree with many of these points that Jaimandeep Singh raises.  It would be good to know exactly what the intended use-cases within OAuth are. In particular, in OAuth it’s

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Neil Madden
I agree with many of these points that Jaimandeep Singh raises. It would be good to know exactly what the intended use-cases within OAuth are. In particular, in OAuth it’s normally the case that the client is relatively untrusted and a privacy goal is to avoid revealing information/PII to the

Re: [OAUTH-WG] Call for adoption - SD-JWT

2022-08-01 Thread Joseph Heenan
I support adoption. Joseph Heenan > On 29 Jul 2022, at 01:16, Rifaat Shekh-Yusef wrote: > > All, > > This is a call for adoption for the SD-JWT document > https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/ >