Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Merging credential_response_encryption parameters into a single object #136

Merged
merged 7 commits into from
Dec 14, 2023
Merged

Merging credential_response_encryption parameters into a single object #136

merged 7 commits into from
Dec 14, 2023

Conversation

paulbastian
Copy link
Contributor

@paulbastian paulbastian commented Dec 8, 2023
edited
Loading

Closes #113

  • Is there a default value for alg, as there is a default value for enc?
  • Shall we also merge objects in the Issuer Metadata?

I was unsure about the intention of the Issuer Metadata. Issuer could offer credential_response_encryption_alg_values_supported for offering the optionality to the wallet but set require_credential_response_encryption to false?

The current Issuer metadata:

  • credential_response_encryption_alg_values_supported: OPTIONAL. Array containing a list of the JWE [@!RFC7516] encryption algorithms (alg values) [@!RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [@!RFC7519].
  • credential_response_encryption_enc_values_supported: OPTIONAL. Array containing a list of the JWE [@!RFC7516] encryption algorithms (enc values) [@!RFC7518] supported by the Credential and/or Batch Credential Endpoint to encode the Credential or Batch Credential Response in a JWT [@!RFC7519].
    *: OPTIONAL. Boolean value specifying whether the Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request, with true indicating support. When the value is true, credential_response_encryption_alg_values_supported parameter MUST also be provided. If omitted, the default value is false.

@paulbastian paulbastian linked an issue Dec 8, 2023 that may be closed by this pull request
Credential Encryption Parameter Name Discrepancy #113
Closed
@Sakurann
Copy link
Collaborator

Sakurann commented Dec 8, 2023

On the Credential request parameters, the logic between the presence of jwk, enc, and alg sounds weird. My suggestion would be to make all three mandatory, and remove the default value for enc.

On the Issuer metadata.... I don't think there is a need to group there, but we could either

  1. move require_credential_response_encryption before credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported to make the order more natural, or
  2. remove require_credential_response_encryption and say that the presence of both credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported (not either) means that "Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request".

peppelinux
peppelinux reviewed Dec 9, 2023
View reviewed changes
openid-4-verifiable-credential-issuance-1_0.md Outdated
@@ -872,7 +873,7 @@ Credential Response can be immediate or deferred. The Credential Issuer MAY be a

In other cases, the Credential Issuer MAY NOT be able to immediately issue a requested Credential and would want to send a `transaction_id` parameter to the Client to be used later to receive a Credential when it is ready. The HTTP status code MUST be 202 (section 10.2.3 of [@!RFC2616]).

If the Client requested encrypted responses, the Credential Issuer MUST encode the information in the Credential Reponse as a JWT with `credential_response_encryption_alg` and `credential_response_encryption_enc`. The JWT MUST be encrypted using the public key specified by `credential_encryption_jwk` in the Credential Request. If the Credential Response is encrypted, the media type of the response MUST bet set to `application/jwt`. If encryption was negotiated in the Credential Request and the Credential Response is not encrypted, the Client SHOULD reject the Credential Response.
If the Client requested encrypted responses, the Credential Issuer MUST encode the information in the Credential Response as a JWT with `alg`, `enc` and using the public key specified by `jwk` from the `credential_response_encryption` object in the Credential Request. If the Credential Response is encrypted, the media type of the response MUST bet set to `application/jwt`. If encryption was negotiated in the Credential Request and the Credential Response is not encrypted, the Client SHOULD reject the Credential Response.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Does this mean that the the response is an encrypted json and not a Netsted JWT, signed and then encrypted?
I would give more clarification, as OIDC with the userinfo response (or id token) made:

If the UserInfo Response is signed and/or encrypted, then the Claims are returned in a JWT and the content-type MUST be application/jwt. The response MAY be encrypted without also being signed. If both signing and encryption are requested, the response MUST be signed then encrypted, with the result being a Nested JWT, as defined in [JWT].

@sakimura @selfissued ^

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is about encryption only, this is how I read it

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@peppelinux i think here we are trying to talk about the case when response is only encrypted and not signed. and that probably can be made clearer.

@paulbastian @Sakurann
Update openid-4-verifiable-credential-issuance-1_0.md
6dbdd46 
Co-authored-by: Kristina <52878547+Sakurann@users.noreply.github.com>
@awoie
Copy link
Contributor

awoie commented Dec 11, 2023

On the Credential request parameters, the logic between the presence of jwk, enc, and alg sounds weird. My suggestion would be to make all three mandatory, and remove the default value for enc.

On the Issuer metadata.... I don't think there is a need to group there, but we could either

  1. move require_credential_response_encryption before credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported to make the order more natural, or
  2. remove require_credential_response_encryption and say that the presence of both credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported (not either) means that "Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request".

We cannot make all three keys REQUIRED since encryption is OPTIONAL. If we group them, then we can make the group key OPTIONAL and then we probably don't have to say anything about the sub-keys (jwk, enc, alg) anymore.

@paulbastian
Copy link
Contributor Author

On the Credential request parameters, the logic between the presence of jwk, enc, and alg sounds weird. My suggestion would be to make all three mandatory, and remove the default value for enc.
On the Issuer metadata.... I don't think there is a need to group there, but we could either

  1. move require_credential_response_encryption before credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported to make the order more natural, or
  2. remove require_credential_response_encryption and say that the presence of both credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported (not either) means that "Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request".

We cannot make all three keys REQUIRED since encryption is OPTIONAL. If we group them, then we can make the group key OPTIONAL and then we probably don't have to say anything about the sub-keys (jwk, enc, alg) anymore.

I think I also tend to favor grouping for Issuer metadata.

awoie
awoie requested changes Dec 11, 2023
View reviewed changes
openid-4-verifiable-credential-issuance-1_0.md Outdated Show resolved Hide resolved
openid-4-verifiable-credential-issuance-1_0.md Outdated Show resolved Hide resolved
openid-4-verifiable-credential-issuance-1_0.md Outdated Show resolved Hide resolved
openid-4-verifiable-credential-issuance-1_0.md Outdated Show resolved Hide resolved
@awoie
Copy link
Contributor

awoie commented Dec 11, 2023

On the Credential request parameters, the logic between the presence of jwk, enc, and alg sounds weird. My suggestion would be to make all three mandatory, and remove the default value for enc.
On the Issuer metadata.... I don't think there is a need to group there, but we could either

  1. move require_credential_response_encryption before credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported to make the order more natural, or
  2. remove require_credential_response_encryption and say that the presence of both credential_response_encryption_alg_values_supported and credential_response_encryption_enc_values_supported (not either) means that "Credential Issuer requires additional encryption on top of TLS for the Credential Response and expects encryption parameters to be present in the Credential Request and/or Batch Credential Request".

We cannot make all three keys REQUIRED since encryption is OPTIONAL. If we group them, then we can make the group key OPTIONAL and then we probably don't have to say anything about the sub-keys (jwk, enc, alg) anymore.

I think I also tend to favor grouping for Issuer metadata.

Let's do that in a separate PR.

awoie
awoie approved these changes Dec 12, 2023
View reviewed changes
Copy link
Contributor

@awoie awoie left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It would be nice if my other suggestions would be committed otherwise looks good..

paulbastian and others added 2 commits December 13, 2023 09:00
@paulbastian @tplooker
Update openid-4-verifiable-credential-issuance-1_0.md
5bf8617 
Co-authored-by: Tobias Looker <tplooker@gmail.com>
@paulbastian @awoie
Update openid-4-verifiable-credential-issuance-1_0.md
c7cb200 
Co-authored-by: Oliver Terbu <43441584+awoie@users.noreply.github.com>
paulbastian and others added 2 commits December 13, 2023 12:11
@paulbastian @jogu
Update openid-4-verifiable-credential-issuance-1_0.md
02d6bbf 
Co-authored-by: Joseph Heenan <joseph@heenan.me.uk>
@paulbastian
add hstory
3d2cd67
@paulbastian paulbastian mentioned this pull request Dec 14, 2023
Closed
@Sakurann Sakurann merged commit d5118a8 into main Dec 14, 2023
2 checks passed
@peppelinux peppelinux mentioned this pull request Dec 15, 2023
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@awoie awoie awoie approved these changes

@tplooker tplooker tplooker left review comments

@peppelinux peppelinux peppelinux left review comments

@Sakurann Sakurann Sakurann approved these changes

@jogu jogu jogu approved these changes

@tlodderstedt tlodderstedt Awaiting requested review from tlodderstedt

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Credential Encryption Parameter Name Discrepancy
6 participants
@paulbastian @Sakurann @awoie @jogu @peppelinux @tplooker