From 297b8e034beeccbfa52933a673f87e01727689be Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 14 Jun 2024 09:25:33 +0200 Subject: [PATCH 1/7] fix: editorials and cti --- draft-demarco-oauth-status-assertions.md | 43 +++++++++++------------- 1 file changed, 20 insertions(+), 23 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index 1cce2dd..56523c9 100644 --- a/draft-demarco-oauth-status-assertions.md +++ b/draft-demarco-oauth-status-assertions.md @@ -97,7 +97,9 @@ informative: org: "OpenID Foundation" title: "OpenID for Verifiable Credential Presentation" target: "https://openid.net/specs/openid-4-verifiable-presentations-1_0.html" - + RFC6066: + title: "Transport Layer Security (TLS) Extensions: Extension Definitions" + target: "https://datatracker.ietf.org/doc/html/rfc6066" --- abstract @@ -118,7 +120,7 @@ without requiring to query any third-party entities. Status Assertions ensure the non-revocation of digital credentials, whether in JSON Web Tokens (JWT) or CBOR Web Tokens (CWT) format. Status Assertions function -similarly to OCSP Stapling, allowing clients to present to the +similarly to OCSP Stapling ([RFC6066]), allowing clients to present to the relying parties time-stamped assertions provided by the credential issuer. The approach outlined in this specification enables the @@ -128,7 +130,7 @@ enhancing privacy, reducing latency, and faciliting offline verification. The figure below illustrates the process by which a client, -such as a Wallet Instance, +such as a wallet instance, requests and obtains a Status Assertion from the credential issuer. ~~~ ascii-art 
@@ -143,8 +145,7 @@ requests and obtains a Status Assertion from the credential issuer. **Figure 1**: Status Assertion Issuance Flow. The figure below illustrates the process by which a client -presents the Status Assertion along with the corresponding digital credential, -to prove the non-revocation status of the digital credential to a verifier. +presents the Status Assertion along with the corresponding digital credential. ~~~ ascii-art +-- ----------------+ +----------+ @@ -155,6 +156,11 @@ to prove the non-revocation status of the digital credential to a verifier. ~~~ **Figure 2**: Status Assertion Presentation Flow. +In summary, the credential issuer provides the client with a +Status Assertion, which is linked to a Digital Credential. This enables +the client to present both the digital credential and its +Status Assertion to a verifier as proof of the digital credential's +non-revocation status. # Conventions and Definitions 
@@ -167,25 +173,21 @@ This specification uses the terms "End-User", "Entity" as defined by OpenID Connect Core [OpenID.Core], the term "JSON Web Token (JWT)" defined by JSON Web Token (JWT) {{RFC7519}}, the term "CBOR Web Token (CWT)" defined in {{RFC8392}}, "Client" as -defined {{RFC6749}} - -Holder: -: An entity that receives Verifiable Credentials and has -control over them to present them to the Verifiers as Verifiable Presentations. +defined {{RFC6749}}. Digital Credential: : A set of one or more claims about a subject made by a Credential Issuer. Alternative names are "Verifiable Credential" or "Credential". +Holder: +: An entity that receives Verifiable Credentials and has +control over them to present them to the Verifiers as Verifiable Presentations. + Credential Issuer: : Entity that is responsible for the issuance of the Digital Credentials. The Issuer is responsible for the lifecycle of their issued Digital Credentials and their validity status. -Holder: -: An entity that receives Verifiable Credentials and has control over -them to present them to the Verifiers as Verifiable Presentations. - Verifier: : Entity that relies on the validity of the Digital Credentials presented to it. This Entity, also known as a Relying Party, verifies the authenticity and @@ -219,7 +221,7 @@ This could potentially infringe upon the End-User's right to privacy, as outlined in [ECHR-ART8] and in the the European Union's General Data Protection Regulation -([GDPR]), +[GDPR], by creating a detailed profile of the End-User's Digital Credential status without explicit consent for such continuous surveillance. 
@@ -279,12 +281,6 @@ affirming the authenticity and rightful possession of the Credential. # Status Assertion Request -The Credential Issuer provides the Wallet Instance with a Status Assertion, -which is bound to a Digital Credential. -This allows the Wallet Instance to present it, along with the -Digital Credential itself, -to a Verifier as proof of the Digital Credential's non-revocation status. - The following diagram shows the Wallet Instance requesting a Status Assertion to a Credential Issuer, related to a specific Credential issued by the same Credential Issuer. @@ -320,7 +316,7 @@ Status Assertion Request object. to the confirmation claim assigned by the Issuer and contained within the Digital Credential. -When the JWT or CWT format are used, the JWT/CWT MUST contain the parameters defined in the following table. +The Status Assertion Request object MUST contain the parameters defined in the following table. | Header | Description | Reference | | --- | --- | --- | 
@@ -335,11 +331,12 @@ When the JWT or CWT format are used, the JWT/CWT MUST contain the parameters def | **exp** | UNIX Timestamp with the expiration time of the JWT. It MUST be superior to the value set for `iat` . | {{RFC9126}}, {{RFC7519}}, {{RFC7515}} | | **iat** | UNIX Timestamp with the time of JWT/CWT issuance. | {{RFC9126}}, {{RFC7519}} | | **jti** | Unique identifier for the JWT. | {{RFC7519}} Section 4.1.7 | +| **cti** | Unique identifier for the CWT. | {{RFC7519}} Section 4.1.7 | | **credential_hash** | Hash value of the Digital Credential the Status Assertion is bound to. | this specification | | **credential_hash_alg** | The Algorithm used of hashing the Digital Credential to which the Status Assertion is bound. The value SHOULD be set to `sha-256`. | this specification | Below is a non-normative example of a Status Assertion Request with -the JWT headers and payload are represented without applying signature and +the JWT headers and payload represented without applying signature and encoding: ~~~ From 589c464ead2e0381bbd141b69ee2023d49dd4577 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 14 Jun 2024 09:29:28 +0200 Subject: [PATCH 2/7] fix: editorials and cti --- draft-demarco-oauth-status-assertions.md | 53 +++++++++--------------- 1 file changed, 20 insertions(+), 33 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index 56523c9..e1e52b2 100644 --- a/draft-demarco-oauth-status-assertions.md +++ b/draft-demarco-oauth-status-assertions.md 
@@ -783,31 +783,18 @@ Digital Credential ecosystem. This specification requests registration of the following Claims in the IANA "JSON Web Token Claims" registry [IANA.JWT] established by {{RFC7519}}. -* Claim Name: `credential_format` -* Claim Description: The Digital Credential format the Status Assertion is bound to. -* Change Controller: IETF -* Specification Document(s): [[ (#digital-credential-proof-of-possession) of this specification ]] - -
- -* Claim Name: `credential` -* Claim Description: The Digital Credential the Status Assertion is bound to. -* Change Controller: IETF -* Specification Document(s): [[ (#digital-credential-proof-of-possession) of this specification ]] - -
* Claim Name: `credential_hash` * Claim Description: Hash value of the Digital Credential the Status Assertion is bound to. * Change Controller: IETF -* Specification Document(s): [[ (#status-assertion) of this specification ]] +* Specification Document(s): [#status-assertion](this specification)
* Claim Name: `credential_hash_alg` * Claim Description: The Algorithm used of hashing the Digital Credential to which the Status Assertion is bound. * Change Controller: IETF -* Specification Document(s): [[ (#status-assertion) of this specification ]] +* Specification Document(s): [#status-assertion](this specification) ## Media Type Registration @@ -822,10 +809,10 @@ To indicate that the content is a JWT-based Status Assertion: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary; A JWT-based Status Assertion Request object is a JWT; JWT values are encoded as a series of base64url-encoded values (some of which may be the empty string) separated by period ('.') characters. - * Security considerations: See (#Security) of [[ this specification ]] + * Security considerations: See (#Security) of [#security-considerations](this specification) * Interoperability considerations: n/a - * Published specification: [[ this specification ]] - * Applications that use this media type: Applications using [[ this specification ]] for requesting Status Assertions. + * Published specification: this specification + * Applications that use this media type: Applications using this specification for requesting Status Assertions. * Fragment identifier considerations: n/a * Additional information: * File extension(s): n/a 
@@ -844,10 +831,10 @@ To indicate that the content is a CWT-based Status Assertion Request: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [[ this specification ]] + * Security considerations: See (#Security) of [#security-considerations](this specification) * Interoperability considerations: n/a - * Published specification: [[ this specification ]] - * Applications that use this media type: Applications using [[ this specification ]] for requesting Status Assertions. + * Published specification: this specification + * Applications that use this media type: Applications using this specification for requesting Status Assertions. * Fragment identifier considerations: n/a * Additional information: * File extension(s): n/a @@ -866,10 +853,10 @@ To indicate that the content is a JWT-based Status Assertion: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [[ this specification ]] + * Security considerations: See (#Security) of [#security-considerations](this specification) * Interoperability considerations: n/a - * Published specification: [[ this specification ]] - * Applications that use this media type: Applications using [[ this specification ]] for issuing or presenting Status Assertions. + * Published specification: this specification + * Applications that use this media type: Applications using this specification for issuing or presenting Status Assertions. * Fragment identifier considerations: n/a * Additional information: * File extension(s): n/a 
@@ -888,10 +875,10 @@ To indicate that the content is a CWT-based Status Assertion: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [[ this specification ]] + * Security considerations: See (#Security) of [#security-considerations](this specification) * Interoperability considerations: n/a - * Published specification: [[ this specification ]] - * Applications that use this media type: Applications using [[ this specification ]] for issuing or presenting Status Assertions. + * Published specification: this specification + * Applications that use this media type: Applications using this specification for issuing or presenting Status Assertions. * Fragment identifier considerations: n/a * Additional information: * File extension(s): n/a @@ -910,10 +897,10 @@ To indicate that the content is a JWT-based Status Assertion Error: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [[ this specification ]] + * Security considerations: See (#Security) of [#security-considerations](this specification) * Interoperability considerations: n/a - * Published specification: [[ this specification ]] - * Applications that use this media type: Applications using [[ this specification ]] for issuing Status Assertions Request Errors. + * Published specification: this specification + * Applications that use this media type: Applications using this specification for issuing Status Assertions Request Errors. * Fragment identifier considerations: n/a * Additional information: * File extension(s): n/a 
@@ -932,10 +919,10 @@ To indicate that the content is a CWT-based Status Assertion Error: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [[ this specification ]] + * Security considerations: See (#Security) of [#security-considerations](this specification) * Interoperability considerations: n/a - * Published specification: [[ this specification ]] - * Applications that use this media type: Applications using [[ this specification ]] for issuing Status Assertions Request Errors. + * Published specification: this specification + * Applications that use this media type: Applications using this specification for issuing Status Assertions Request Errors. * Fragment identifier considerations: n/a * Additional information: * File extension(s): n/a From e5faa81153711367a4ba1356ccbff4b72e9c4334 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 14 Jun 2024 09:30:47 +0200 Subject: [PATCH 3/7] fix: editorials and cti --- draft-demarco-oauth-status-assertions.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index e1e52b2..a3a9a70 100644 --- a/draft-demarco-oauth-status-assertions.md +++ b/draft-demarco-oauth-status-assertions.md @@ -787,14 +787,14 @@ IANA "JSON Web Token Claims" registry [IANA.JWT] established by {{RFC7519}}. * Claim Name: `credential_hash` * Claim Description: Hash value of the Digital Credential the Status Assertion is bound to. * Change Controller: IETF -* Specification Document(s): [#status-assertion](this specification) +* Specification Document(s): [this specification](#status-assertion)
* Claim Name: `credential_hash_alg` * Claim Description: The Algorithm used of hashing the Digital Credential to which the Status Assertion is bound. * Change Controller: IETF -* Specification Document(s): [#status-assertion](this specification) +* Specification Document(s): [this specification](#status-assertion) ## Media Type Registration @@ -809,7 +809,7 @@ To indicate that the content is a JWT-based Status Assertion: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary; A JWT-based Status Assertion Request object is a JWT; JWT values are encoded as a series of base64url-encoded values (some of which may be the empty string) separated by period ('.') characters. - * Security considerations: See (#Security) of [#security-considerations](this specification) + * Security considerations: See (#Security) of [this specification](#security-considerations) * Interoperability considerations: n/a * Published specification: this specification * Applications that use this media type: Applications using this specification for requesting Status Assertions. @@ -831,7 +831,7 @@ To indicate that the content is a CWT-based Status Assertion Request: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [#security-considerations](this specification) + * Security considerations: See (#Security) of [this specification](#security-considerations) * Interoperability considerations: n/a * Published specification: this specification * Applications that use this media type: Applications using this specification for requesting Status Assertions. 
@@ -853,7 +853,7 @@ To indicate that the content is a JWT-based Status Assertion: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [#security-considerations](this specification) + * Security considerations: See (#Security) of [this specification](#security-considerations) * Interoperability considerations: n/a * Published specification: this specification * Applications that use this media type: Applications using this specification for issuing or presenting Status Assertions. @@ -875,7 +875,7 @@ To indicate that the content is a CWT-based Status Assertion: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [#security-considerations](this specification) + * Security considerations: See (#Security) of [this specification](#security-considerations) * Interoperability considerations: n/a * Published specification: this specification * Applications that use this media type: Applications using this specification for issuing or presenting Status Assertions. @@ -897,7 +897,7 @@ To indicate that the content is a JWT-based Status Assertion Error: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [#security-considerations](this specification) + * Security considerations: See (#Security) of [this specification](#security-considerations) * Interoperability considerations: n/a * Published specification: this specification * Applications that use this media type: Applications using this specification for issuing Status Assertions Request Errors. 
@@ -919,7 +919,7 @@ To indicate that the content is a CWT-based Status Assertion Error: * Required parameters: n/a * Optional parameters: n/a * Encoding considerations: binary - * Security considerations: See (#Security) of [#security-considerations](this specification) + * Security considerations: See (#Security) of [this specification](#security-considerations) * Interoperability considerations: n/a * Published specification: this specification * Applications that use this media type: Applications using this specification for issuing Status Assertions Request Errors. From dfcfdcc2e3295fe0fdcef40b6b7ab946d6892d6c Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 14 Jun 2024 09:31:25 +0200 Subject: [PATCH 4/7] fix: editorials and cti --- draft-demarco-oauth-status-assertions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index a3a9a70..8289270 100644 --- a/draft-demarco-oauth-status-assertions.md +++ b/draft-demarco-oauth-status-assertions.md @@ -798,9 +798,9 @@ IANA "JSON Web Token Claims" registry [IANA.JWT] established by {{RFC7519}}. ## Media Type Registration -This section requests registration of the following media types [@RFC2046] in +This section requests registration of the following media types [@!RFC2046] in the "Media Types" registry [IANA.MediaTypes] in the manner described -in [@RFC6838]. +in [@!RFC6838]. To indicate that the content is a JWT-based Status Assertion: From 2ca48c27098302a7259db2e33dee12ef8f81510b Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 14 Jun 2024 09:32:10 +0200 Subject: [PATCH 5/7] fix: editorials and cti --- draft-demarco-oauth-status-assertions.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index 8289270..0819fd0 100644 --- a/draft-demarco-oauth-status-assertions.md 
+++ b/draft-demarco-oauth-status-assertions.md @@ -32,7 +32,9 @@ author: email: fa.marino@ipzs.it normative: + RFC2046: RFC2046 RFC6749: RFC6749 + RFC6838: RFC6838 RFC7515: RFC7515 RFC7516: RFC7516 RFC7517: RFC7517 @@ -798,9 +800,9 @@ IANA "JSON Web Token Claims" registry [IANA.JWT] established by {{RFC7519}}. ## Media Type Registration -This section requests registration of the following media types [@!RFC2046] in +This section requests registration of the following media types [RFC2046] in the "Media Types" registry [IANA.MediaTypes] in the manner described -in [@!RFC6838]. +in [RFC6838]. To indicate that the content is a JWT-based Status Assertion: From 785bbcf401526724e964840ea2a47980b40ad170 Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Fri, 14 Jun 2024 09:33:59 +0200 Subject: [PATCH 6/7] fix: editorials and cti --- draft-demarco-oauth-status-assertions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index 0819fd0..a466bd4 100644 --- a/draft-demarco-oauth-status-assertions.md +++ b/draft-demarco-oauth-status-assertions.md @@ -74,7 +74,7 @@ normative: org: "IANA" title: "CBOR Web Token (CWT) Claims" target: "https://www.iana.org/assignments/cwt/cwt.xhtml" - CWT.typ: I-D.ietf-cose-typ-header-parameter + RFC9596: RFC9596 IANA-HASH-REG: title: "IANA - Named Information Hash Algorithm Registry" target: "https://www.iana.org/assignments/named-information/named-information.xhtml#hash-alg" 
@@ -322,7 +322,7 @@ The Status Assertion Request object MUST contain the parameters defined in the f | Header | Description | Reference | | --- | --- | --- | -| **typ** | It MUST be set to `status-assertion-request+jwt` when JWT format is used. It MUST be set to `status-assertion-request+cwt` when CWT format is used. | {{RFC7516}} Section 4.1.1 | +| **typ** | It MUST be set to `status-assertion-request+jwt` when JWT format is used. It MUST be set to `status-assertion-request+cwt` when CWT format is used. | {{RFC7516}} Section 4.1.1, [RFC9596] | | **alg** | A digital signature algorithm identifier such as per IANA "JSON Web Signature and Encryption Algorithms" registry. It MUST NOT be set to `none` or any symmetric algorithm (MAC) identifier. | {{RFC7516}} Section 4.1.1 | | **kid** | It is the Unique identifier of the `JWK` or `Cose_Key` owned by the Holder and used for validating the signature of the Status Assertion Request. When the Credential confirmation method uses a cryptographic material, it MUST match the one contained in the Credential. The header parameter `kid` is required when other cryptographic public key identification methods are not used, such as `x5c`. | {{RFC7515}} | From 93f9c18d6ccf60b31c1734f006f4666bd7d458af Mon Sep 17 00:00:00 2001 From: Giuseppe De Marco Date: Mon, 17 Jun 2024 11:01:04 +0200 Subject: [PATCH 7/7] Apply suggestions from code review Co-authored-by: Orie Steele --- draft-demarco-oauth-status-assertions.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/draft-demarco-oauth-status-assertions.md b/draft-demarco-oauth-status-assertions.md index c094257..380754d 100644 --- a/draft-demarco-oauth-status-assertions.md +++ b/draft-demarco-oauth-status-assertions.md 
@@ -161,7 +161,7 @@ In summary, the credential issuer provides the client with a Status Assertion, which is linked to a Digital Credential. This enables the client to present both the digital credential and its Status Assertion to a verifier as proof of the digital credential's -non-revocation status. +validity status. # Conventions and Definitions @@ -181,7 +181,7 @@ Digital Credential: Alternative names are "Verifiable Credential" or "Credential". Holder: -: An entity that receives Verifiable Credentials and has +: An entity that possesses Verifiable Credentials and has control over them to present them to the Verifiers as Verifiable Presentations. Credential Issuer:
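Review bot: the new `cti` row in PATCH 1 at @@ -335 cites `{{RFC7519}} Section 4.1.7`, which is the JWT `jti` definition; the CWT ID claim is defined in RFC 8392 Section 3.1.7 (RFC 8392 is already cited in Conventions and Definitions), and its value is a byte string rather than a text string. Since the sentence introducing the table now says the request object MUST contain every row, say which identifier applies: `jti` when the JWT format is used, `cti` when the CWT format is used. While in the same hunk, "It MUST be superior to the value set for `iat`" in the `exp` row reads better as "It MUST be greater than the value set for `iat`".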
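Review bot: the replacement sentence at @@ -320 in PATCH 1 drops the JWT/CWT qualifier, but the table it introduces still lists protected header parameters (`typ`, `alg`, `kid`) and payload claims (`exp`, `iat`, `jti`, `cti`, `credential_hash`, `credential_hash_alg`) under one column titled `Header`. Either rename the column to `Parameter` and state per row whether it is a header parameter or a claim, or split the table into a header table and a claims table, so an implementer does not place `credential_hash` in the JOSE/COSE header.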
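Review bot: the hunk at @@ -128 in PATCH 1 lowercases "Wallet Instance" to "wallet instance", while the context at @@ -279 ("The following diagram shows the Wallet Instance requesting a Status Assertion") and the `kid` row keep the capitalised defined term; pick one spelling and use it throughout, or define "wallet instance" in Conventions and Definitions. The context line "faciliting offline verification" at @@ -118 also carries a typo ("facilitating") that could be fixed in the same editorial commit.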
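Review bot: the RFC6066 entry added at @@ -97 in PATCH 1 is hand-written with `title` and `target`, whereas the normative block uses the `RFC6749: RFC6749` short form (see the entries PATCH 5 adds at @@ -32), which lets the tooling fetch the bibliographic data. Use `RFC6066: RFC6066` for consistency, and cite it as `{{RFC6066}}` in the abstract at @@ -118 rather than `[RFC6066]`, matching `{{RFC7519}}` and `{{RFC8392}}` elsewhere in the document.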
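Review bot: the link syntax introduced at @@ -783 in PATCH 2, `[#status-assertion](this specification)`, has the link text and target swapped; PATCH 3 corrects it to `[this specification](#status-assertion)`, so PATCH 3 should be squashed into PATCH 2 rather than shipped as a separate fix-up. The same hunk drops the IANA registrations for `credential_format` and `credential`; please confirm the section anchored at `#digital-credential-proof-of-possession` no longer defines or uses those claims, otherwise they remain in the document without a registration request.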
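Review bot: the rewritten line `Security considerations: See (#Security) of [this specification](#security-considerations)` at @@ -822 in PATCH 2 (and the parallel hunks at @@ -844, -866, -888, -910 and -932) now carries two anchors, `#Security` and `#security-considerations`; keep only the link. Two further points in the same hunks: the context heading at @@ -822 reads "To indicate that the content is a JWT-based Status Assertion:" although the entry describes the Request object ("for requesting Status Assertions") and the same heading is reused at @@ -866 for the assertion itself, so the first should read "JWT-based Status Assertion Request" as the CWT counterpart at @@ -844 does; and "Encoding considerations: binary" fits the CWT entries, but RFC 7519 Section 10.3.1 registers JWT content as "8bit", so the JWT-based entries should say `8bit` followed by the base64url sentence already present at @@ -822.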
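Review bot: PATCH 4 changes `[@RFC2046]` and `[@RFC6838]` to `[@!RFC2046]` and `[@!RFC6838]`, and PATCH 5 immediately replaces both with `[RFC2046]` and `[RFC6838]` while adding the normative entries at @@ -32; PATCH 4 is fully superseded and should be squashed into PATCH 5. The bracket form that remains also differs from the `{{RFC7519}}` citation style used in the surrounding context ("established by {{RFC7519}}"); use `{{RFC2046}}` and `{{RFC6838}}` so all citations resolve the same way.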
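Review bot: the `typ` row modified at @@ -322 in PATCH 6 keeps `{{RFC7516}} Section 4.1.1` as its reference, but RFC 7516 is JWE; the JWS `typ` header is RFC 7515 Section 4.1.9 (and RFC 7519 Section 5.1 for JWTs), and the `alg` row's `{{RFC7516}} Section 4.1.1` should likewise point at RFC 7515 Section 4.1.1, since the text itself forbids `none` and MAC identifiers for a signature. Also, `[RFC9596]` and `{{RFC7516}}` appear in the same cell with two citation syntaxes, and with the reference key renamed from `CWT.typ` to `RFC9596` at @@ -74, grep the document for any remaining `{{CWT.typ}}` citations that this hunk does not touch.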
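Review bot: the index line of PATCH 7, `index c094257..380754d`, does not continue from PATCH 6's result `a466bd4`, so the series as exported is not linear and will not apply cleanly with `git am`; please rebase the suggestions commit onto PATCH 6. On content, the hunk at @@ -161 changes "non-revocation status" to "validity status" in the summary, while the abstract context at @@ -118 still says Status Assertions "ensure the non-revocation of digital credentials"; align the two so the document states one property.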