Detailed status assertions #61

Merged: 23 commits, Sep 26, 2024

Changes from 7 commits

Commits (23)
- c99c696 Assertions of invalidity (OR13, May 25, 2024)
- 1696d3d Add example (OR13, May 25, 2024)
- 8ed71d4 Updated examples for clarity (OR13, May 25, 2024)
- 9e6e06c Add privacy considerations for reasons (OR13, May 25, 2024)
- b6c6954 Update draft-demarco-oauth-status-attestations.md (OR13, May 25, 2024)
- 4e14ab8 Update draft-demarco-oauth-status-attestations.md (OR13, May 25, 2024)
- acdc495 Merge branch 'main' of github.com:peppelinux/draft-demarco-oauth-stat… (OR13, Jun 18, 2024)
- 44276b5 Update draft-demarco-oauth-status-assertions.md (OR13, Jun 21, 2024)
- f201a8e Update draft-demarco-oauth-status-assertions.md (OR13, Jun 21, 2024)
- b8c7314 Apply suggestions from code review (OR13, Jun 21, 2024)
- 418f232 Apply suggestions from code review (OR13, Jun 21, 2024)
- 7455156 Update draft-demarco-oauth-status-assertions.md (OR13, Jun 21, 2024)
- 3003acd Apply suggestions from code review (OR13, Jun 21, 2024)
- 5d9c4ca Update draft-demarco-oauth-status-assertions.md (Jun 21, 2024)
- 1e15782 Update draft-demarco-oauth-status-assertions.md (OR13, Jun 21, 2024)
- 79709aa Merge branch 'detailed-status' of github.com:peppelinux/draft-demarco… (OR13, Jun 21, 2024)
- 1d878b1 Apply suggestions from code review (Jun 21, 2024)
- 465dcbb Apply suggestions from code review (OR13, Jun 21, 2024)
- 68e4fac Update draft-demarco-oauth-status-assertions.md (OR13, Jul 4, 2024)
- b00b9bf Update draft-demarco-oauth-status-assertions.md (OR13, Jul 4, 2024)
- 42526e6 Update draft-demarco-oauth-status-assertions.md (OR13, Jul 4, 2024)
- e6239f5 address missing details (OR13, Jul 8, 2024)
- 425868d Update draft-demarco-oauth-status-assertions.md (OR13, Sep 25, 2024)
126 changes: 126 additions & 0 deletions in draft-demarco-oauth-status-assertions.md

@@ -676,6 +676,125 @@ may not always coincide with the actual usability of a Digital Credential,
allowing Verifiers to examine and make educated conclusions based on a
variety of scenarios.

# Complex Status Assertions

Status assertions can be complex, and are not limited to simple boolean information.
This enables verifier policies to be conditioned on the presence of secured information, instead of the absence of information.
This section proposes syntax to support complex assertions.
The `validity` claim MUST be present and be either `true` or `false`.
The `validity_reasons` claim MAY be present and if present MUST be an object.
The semantics of the claims within the `validity_reasons` object are determined by the issuer.

An example of a boolean status is:

~~~
{
"alg": "ES256",
"typ": "status-assertion+jwt",
"kid": "w8ZOZRcx21Zpry7H-0VLBsH7Wf7WXb6TeK3qVMCpY44"
}
.
{
"iss": "https://issuer.example.org",
"iat": 1504699136,
"exp": 1504785536,
"credential_hash": "xnlAq6Ma8fgu1z4hdGphJnKLulaVHpLCFeZFUGpQ2dA",
"credential_hash_alg": "sha-256",
"validity": false,
"validity_reasons": {
"suspended": true,
},
"cnf": {
"jwk": {
"kid": "1wL9OG_AZOniODhs2xvMchvFcBWhpQPz3uW29LhqvI0",
"alg": "ES256",
"kty": "EC",
"crv": "P-256",
"x": "_2ySUmWFjwmraNlo15r6dIBXerVdy_NpJuwAKJMFdoc",
"y": "MV3C88MhhEMba6oyMBWuGeB3dKHP4YADJmGyJwwILsk"
}
}
}
~~~

An example of an enumeration status is:

~~~
{
"alg": "ES256",
"typ": "status-assertion+jwt",
"kid": "w8ZOZRcx21Zpry7H-0VLBsH7Wf7WXb6TeK3qVMCpY44"
}
.
{
"iss": "https://issuer.example.org",
"iat": 1504699136,
"exp": 1504785536,
"credential_hash": "xnlAq6Ma8fgu1z4hdGphJnKLulaVHpLCFeZFUGpQ2dA",
"credential_hash_alg": "sha-256",
"validity": false,
"validity_reasons": {
"state": "suspended", // or "revoked"
},
"cnf": {
"jwk": {
"kid": "1wL9OG_AZOniODhs2xvMchvFcBWhpQPz3uW29LhqvI0",
"alg": "ES256",
"kty": "EC",
"crv": "P-256",
"x": "_2ySUmWFjwmraNlo15r6dIBXerVdy_NpJuwAKJMFdoc",
"y": "MV3C88MhhEMba6oyMBWuGeB3dKHP4YADJmGyJwwILsk"
}
}
}
~~~

An example of dynamic status using a small matrix:

~~~
{
"alg": "ES256",
"typ": "status-assertion+jwt",
"kid": "w8ZOZRcx21Zpry7H-0VLBsH7Wf7WXb6TeK3qVMCpY44"
}
.
{
"iss": "https://issuer.example.org",
"iat": 1504699136,
"exp": 1504785536,
"credential_hash": "xnlAq6Ma8fgu1z4hdGphJnKLulaVHpLCFeZFUGpQ2dA",
"credential_hash_alg": "sha-256",
"validity": true,
"validity_reasons": {
"preferences": [[1, 0.25, 0.76 ...] ...]
},
"cnf": {
"jwk": {
"kid": "1wL9OG_AZOniODhs2xvMchvFcBWhpQPz3uW29LhqvI0",
"alg": "ES256",
"kty": "EC",
"crv": "P-256",
"x": "_2ySUmWFjwmraNlo15r6dIBXerVdy_NpJuwAKJMFdoc",
"y": "MV3C88MhhEMba6oyMBWuGeB3dKHP4YADJmGyJwwILsk"
}
}
}
~~~

An example of multiple assertions:

~~~
HTTP/1.1 200 Created
Content-Type: application/json

{
"status_assertion_responses": [
$JWT_1, // Not revoked, boolean assertion
$JWT_2, // alg = none, suspended indicator
$JWT_3, // Preferences matrix assertion
]
}
~~~

# Security Considerations

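Review bot: `$JWT_2, // alg = none, suspended indicator` in the multiple-assertions example must not go in as written: a status assertion with `alg` set to `none` is unsigned, carries no issuer authority, and a Verifier cannot base a suspension decision on it, so either drop that comment or make the second assertion `ES256` like the others, and add a sentence to Security Considerations that Verifiers MUST reject unsecured (`alg` `none`) status assertions. The status line `HTTP/1.1 200 Created` pairs code 200 with the reason phrase of 201; use `200 OK`. The JSON examples also do not parse: `"state": "suspended", // or "revoked"` embeds a comment, `"suspended": true,` and `$JWT_3,` leave trailing commas before `}` and `]`, and `[[1, 0.25, 0.76 ...] ...]` is a placeholder rather than a value, which matters because readers copy these examples into test vectors. Finally, with `validity_reasons` semantics "determined by the issuer", a Verifier has no interoperable way to interpret `suspended`, `state` or `preferences`; consider requiring the issuer to publish the schema it uses, or registering a small set of common reason claim names, so that policies "conditioned on the presence of secured information" can actually be written.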
@@ -782,6 +901,13 @@ Status Assertions are based on a privacy-by-design approach, reflecting
a deliberate effort to balance security and privacy needs in the
Digital Credential ecosystem.

## Validity Reasons

Status assertions can reveal information about the holder or subject that was not commited to in the original credential issuance.
Providing a reason that a digital credential is no longer valid can be essential to certian use cases, and unacceptable for others.
For example, in a healthcare setting, a patient should not have medical reasons for a suspended credential disclosed in assertions of suspension.
However, in a supply chain context, a product suspension might benefit from additional information, such as batch or lot information.

# IANA Considerations

## JSON Web Token Claims Registration
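Review bot: the new Validity Reasons paragraphs state a requirement in non-normative wording ("a patient should not have medical reasons for a suspended credential disclosed"); since the rest of the diff uses MUST and MAY, phrase this as guidance, e.g. issuers SHOULD NOT include `validity_reasons` claims that reveal personal data the original credential did not commit to, and Verifiers SHOULD NOT require a reason to accept `"validity": true`. Two typos in the same lines: `commited` should be `committed` and `certian` should be `certain`. The section also leaves open who decides whether a reason is acceptable for a given use case; tying that decision to the issuer policy that already governs the `validity_reasons` object in the Complex Status Assertions section would close the gap.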