Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add Multi RP Credentials/Authentication capability #308

Open
wants to merge 7 commits into
base: main
Choose a base branch
from

Conversation

tlodderstedt
Copy link
Collaborator

@tlodderstedt tlodderstedt commented Nov 5, 2024

This PR changes the way requests are signed to the Digital Credentials API from compact serialization (single RP) to JWS JSON Serialization (Multiple RPs).
Questions to the WG:

  • Do you want to keep (re-add) the JWS Compact Serialization to the Digital Credentials API profile?
  • Do we want the Multi RP capability to the traditional OID4VP flow?

resolves #248

openid-4-verifiable-presentations-1_0.md Outdated Show resolved Hide resolved
openid-4-verifiable-presentations-1_0.md Outdated Show resolved Hide resolved
Copy link
Member

@selfissued selfissued left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The JWS Compact Serialization is supported by essentially all implementations, whereas many don't support the JSON Serialization, in part, because JWTs don't use it.

I believe switching to the JSON Serialization would present an unnecessary burden to developers and harm interoperability.

(For what it's worth, I believe that adding the JSON Serialization a dozen or so years ago at all was a mistake, but I realize that that's water under the bridge.)

@David-Chadwick
Copy link
Contributor

As I pointed out in the issue that this PR purports to resolve: when there is a trust infrastructure in place the request does not need to be signed as the wallet can determine the authenticity of the RP using the trust infrastructure. So we do not need multiple signatures and JSON serialisation.

@Sakurann
Copy link
Collaborator

@David-Chadwick well... the wallet determines the authenticity of the RP using the trust infrastructure based on the keys used to sign the request, that's why signature is crucial here.

@tlodderstedt
Copy link
Collaborator Author

As I pointed out in the issue that this PR purports to resolve: when there is a trust infrastructure in place the request does not need to be signed as the wallet can determine the authenticity of the RP using the trust infrastructure. So we do not need multiple signatures and JSON serialisation.

The profile supports unsigned requests. Would that be appropriate for your use cases?

@David-Chadwick
Copy link
Contributor

@Sakurann What you say is only one way of evaluating trust. The trust infrastructure can equally well decide if the RP is trustworthy or not based on its asserted name or ID. No keys are needed for this. If the asserted name/ID is deemed to be untrustworthy by the trust infrastructure, then the wallet knows not to trust the RP. If the name/ID is deemed to be trustworthy then there are two cases. 1. The RP is giving its true name, or 2. the RP is masquerading as a trustworthy RP. The latter can be protected against by the trust infrastructure providing the return URI of the RP for the wallet's response, and then the masquerading RP will not glean any information from the wallet. This is what we implemented. To prevent a DOS attack on the real trustworthy RP, we could add an extra protection feature, namely, the RP provides a random number on its request, which forms the query parameter on the wallet's reply to the return URI. The RP checks this parameter and if it is not recognised throws the wallet's response away.

@David-Chadwick
Copy link
Contributor

@tlodderstedt Yes, not requiring the RP's request to be signed solves the use case, and it also solves the problem of requiring multiple signatures to be on the request, because no signatures are actually needed. The RP can provide a set of names/IDs, one for each trust infrastructure that it is a member of. Then the wallet can match the presented trust infrastructures to the ones it is a member of, and where there is an intersection find out if the RP is trustworthy or not.

@tlodderstedt
Copy link
Collaborator Author

The JWS Compact Serialization is supported by essentially all implementations, whereas many don't support the JSON Serialization, in part, because JWTs don't use it.

I believe switching to the JSON Serialization would present an unnecessary burden to developers and harm interoperability.

(For what it's worth, I believe that adding the JSON Serialization a dozen or so years ago at all was a mistake, but I realize that that's water under the bridge.)

@selfissued The requirement we are asked to fulfill is to allow for multiple RP credentials being proven (through signatures) in a single request. We have extensively discussed this requirement in the hybrid workshop and agreed to support it. The design in the PR is, in my opinion, the simplest and most robust solution we can do it (alternative proposals involved canonicalization). So from my standpoint, what we can do is to also continue to support compact serialization. That's why I asked that question further up.

}
},
"presentation_definition": {...}
"dcql_query": {...}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why were the client_id, client_metadata, and jwks deleted? This change seems unrelated to the purpose of this PR.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is indeed related to this PR, as this data elements are RP specific. Consequently, the PR moves them into the RP credential specific elements of the request.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should discuss where the client_id, client_metadata, and jwks claims should go when using the Compact Serialization. These would normally be claims - not header parameters.

I understand the reasoning for making them header parameters when using the JSON Serialization, but in my view, that's not the normal case, and we should make the normal case natural.

The signed Request Object MAY contain all the parameters listed in (#browser_api_request), except `request`.

Below is a non-normative example of such a request sent over the W3C Digital Credentials API:
The signed Request MUST use the JWS Serialization [@!RFC7515]). This allows the Verifier multiple Client Identifiers and corresponding key material and metadata when invoking a Wallet. This is to serve use cases where the Verifier requests credentials belonging to different trust frameworks and thus must authenticate in the context of those trust frameworks.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We should discuss whether to always use the JSON Serialization or only to use it when there are multiple signatures. (In this case, I realize that the "Keep simple things simple but make complex things possible" adage cuts both ways.) I'd rather keep the simple case simple.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your feedback (that's what I asked for in the description of the PR).

Comment on lines 2034 to 2037
The following request parameters MUST be present in the protected header of the respective signature object:

* `client_id`
* `client_metadata`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These aren't defined header parameters, so this is weird. Why aren't these being sent as claims in the request?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

because they are specific to a certain RP credential

"payload": "eyAiaXNzIjogImh0dHBzOi8...NzY4Mzc4MzYiIF0gfQ",
"signatures": [
{
"protected": "eyJhbGciOiJFUzI1NiJ9",
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would have expected a "kid" parameter - not just "alg".

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not sure what you mean, see an header example (with kid and alg) below

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

eyJhbGciOiJFUzI1NiJ9 decodes to {"alg":"ES256"}, which has no kid.

@bc-pi
Copy link
Member

bc-pi commented Dec 3, 2024

Do you want to keep (re-add) the JWS Compact Serialization to the Digital Credentials API profile?

Yes

Do we want the Multi RP capability to the traditional OID4VP flow?

No

@tlodderstedt
Copy link
Collaborator Author

WG call: the sense of the "room" is we should not remove compact serialization. No support for adding multiple RP authentication feature to the HTTPS flow.

@Sakurann Sakurann added this to the Final 1.0 milestone Dec 19, 2024
@Sakurann Sakurann requested review from leecam and removed request for charsleysa December 19, 2024 16:32
@Sakurann
Copy link
Collaborator

WG discussion:

  • question was asked if this approach is too much given the direction ISO SC17 WG10 has chosen? It was clarified that 18013-5 1st edition and 18013-7 2nd edition meet this requirement by sending multiple requests, but 18013-5 2nd edition would allows to meet this requirement by sending one request with multiple signatures, so the outcome of the discussion was that the approach in this PR is still very much needed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

How can verifiers that support multiple trust models/ecosystems know how to authenticate to the wallet?
8 participants