]> Oblivious Credential State Transmute
orie@transmute.industries
Security Secure Patterns for Internet CrEdentials credential status privacy preserving oblivious Issuers of Digital Credentials enable dynamic state or status checks through the use of dereferenceable identifiers, that resolve to resources providing herd privacy. Privacy in such systems is determined not just from the size of the herd, and the cryptographic structure encoding it, but also from the observability of access to shared state. This document describes a privacy preserving state management system for digital credentials based on Oblivious HTTP that addresses both data model and protocol risks associated with digital credentials with dynamic state. About This Document The latest revision of this draft can be found at . Status information for this document may be found at . Discussion of this document takes place on the Secure Patterns for Internet CrEdentials Working Group mailing list (), which is archived at . Subscribe at . Source for this draft and an issue tracker can be found at .
Introduction Digitial Credentials often have a validity period, which indicates the time at which the claims become active for the subject according to the issuer, and the time at which the issuer specifies the claims are no longer to be considered asserted by the issuer. A typical example is a digital drivers license, which has an activation date, and an expiration date. When the activation date is in the past, and the expiration date is in the future, we consider the license to be valid at the current time. A verifier might wonder if such licenses are suspended or revoked, even if the validity period is acceptable. A common solution is to the issuer of the credential to provide a resource that reflects information about the state of the credential over time. Because issuer's track the presentation of digital credentials if a verifier where to ask the issuer about the state of a specific digital credential, it common to see credential states be merged into blocks, or herds, where an issuer can deliver the block to the verifier upon request, without learning which specific digital credential the verifier is interested in. Unfortunatly, the metadata associated with resolving credential state can leak time and location information about the presentation of credentials over time. This document addresses this risk by introducing a mediator which is trusted by the verifier.
Credential State To simplify interpretation of resolution of credential state resources, this document uses the following aliases for the terms defined in . The Verifier's Software is the Oblivious HTTP Client. The Mediator's Credential State Resource is the Oblivious Relay Resource. The Issuer's Gateway Resource is the Gateway Resource. The Issuer's Credential State Resource is the Target Resource. The critical privacy property is obtained by the verifier's client relying on the Mediator's Credential State Resource instead of Issuer's Credential State Resource. In order to achieve this property, while preserving the property that issuer's do not know which verifier's will be interested in dynamic state information associated with their credentials, the issuer includes the identifier for their Issuer's Credential State Resource in their credential claim sets, however the verifier rewrites this URL to be their Mediator's Credential State Resource before resolution. Editor note: is there a simpler solution here? Verifier Mediator Issuer + Mediator +<------>+ Issuer | '--------' +----------+ '-------' ]]>
Identifier While many different protocol schemes can be used to identify resources, to improve interoperability and reduce attack surface, this document requires credential state resources to be identified with https URLS, as described in . The following URI Templates, as described in are required to improve interoperability and reduce the chances of degrading the privacy properties through the inclusion of extraneos information in the identifiers embedded in credentials.
  • issuer MUST support internationalizaton considerations, as described in , for example: 🏛️.example
  • mediator MUST support internationalizaton considerations, as described in , for example: 🚛.example
  • resource-name MUST be a URN as described in , for example: urn:uuid:f81d4fae-7dec-11d0-a765-00a0c91e6bf6
Issuer's Credential State Resource
Issuer Credential State Resources
Mediator's Credential State Resource
Mediator Credential State Resources
Resources Credential state resources typically rely on a similar content type as the credentials that require them. Mixing different content types for credentials and their state, increases implementation costs and harms interoperability. The credential state resource MUST be secured with the same content type that was used to secure the digital credential that has dynamic state. For example, a JSON Web Token, based digital credential must rely on a based credential state resource. There are many different content types that can be used to secure digital credentials, this document does not require a specific content type to be used. The Accept header MUST be supported, and the application/cose content type SHOULD be supported.
Processing Credential State Resources Validation of the digital credential state MUST occur after verification. Validation of the digital credential validity period MUST occur before credential state checks. Implementers are cautioned that concepts like "suspended" or "revoked" are interpretted differently and used differently by issuers. All dynamic claims provided through credential state resources MUST be considered issuer defined, and cannot be interpretted globally. Interpretting the structure of the Issuer's Credential State Resource is outside the scope of this document. However, other documents describe this process in detail. provides guidance on processing resources that secure the content type application/vc+ld+json, such as application/cose. provides guidance on processing resources of the content type application/cwt, and application/jwt.
Techniques
CRL Distribution Points described a mechanism for verifiers to check the revocation status of attribute certificates.
Online Certificate Status Protocol described a protocol useful in determining the current status of a digital certificate without requiring CRLs.
Bitmaps In this approach, the size of the herd is the length of the bitmap, and the state of a digital credential claim is the value of the bit at a given index. Scaling this approach can be difficult, as a seperate list is needed for each dynamic claim in a digital credential. This scalling challenge can be partially addressed by consuming multiple bits at a given index, however, the resulting enumeration needs to be consistently understood. A common solution to consistent interpretation of enumerations is the establishment of a registry, however this can become impractical depending on the nature of the issuer's need to express dynamic state. Publishing a dictionary per issuer, or per sets of issuer's can help address these challenges for some use cases.
Cryptographic Accumulators describes an approach to expressing proofs of set membership.
Bloom Filters mentions an application of bloom filters, that can be applied to communicating credential state assuming the probabilistic nature of bloom filters is acceptable to the verifier.
Transparency Services Tree structures, such as described in can be used to provide advanced membership proofs, such as proving inclusion, consistency, non inclusion, and freshness.
Terminology The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 when, and only when, they appear in all capitals, as shown here.
Security Considerations TODO Security
IANA Considerations This document has no IANA actions.
References Normative References A Universally Unique IDentifier (UUID) URN Namespace This specification defines a Uniform Resource Name namespace for UUIDs (Universally Unique IDentifier), also known as GUIDs (Globally Unique IDentifier). A UUID is 128 bits long, and can guarantee uniqueness across space and time. UUIDs were originally used in the Apollo Network Computing System and later in the Open Software Foundation\'s (OSF) Distributed Computing Environment (DCE), and then in Microsoft Windows platforms. This specification is derived from the DCE specification with the kind permission of the OSF (now known as The Open Group). Information from earlier versions of the DCE specification have been incorporated into this document. [STANDARDS-TRACK] URI Template A URI Template is a compact sequence of characters for describing a range of Uniform Resource Identifiers through variable expansion. This specification defines the URI Template syntax and the process for expanding a URI Template into a URI reference, along with guidelines for the use of URI Templates on the Internet. [STANDARDS-TRACK] Oblivious HTTP This document describes Oblivious HTTP, a protocol for forwarding encrypted HTTP messages. Oblivious HTTP allows a client to make multiple requests to an origin server without that server being able to link those requests to the client or to identify the requests as having come from the same client, while placing only limited trust in the nodes used to forward the messages. URL - Living Standard n.d. Key words for use in RFCs to Indicate Requirement Levels In many standards track documents several words are used to signify the requirements in the specification. These words are often capitalized. This document defines these words as they should be interpreted in IETF documents. This document specifies an Internet Best Current Practices for the Internet Community, and requests discussion and suggestions for improvements. Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words RFC 2119 specifies common key words that may be used in protocol specifications. This document aims to reduce the ambiguity by clarifying that only UPPERCASE usage of the key words have the defined special meanings. Informative References JSON Web Token (JWT) JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted. Recommendations for DNS Privacy Service Operators This document presents operational, policy, and security considerations for DNS recursive resolver operators who choose to offer DNS privacy services. With these recommendations, the operator can make deliberate decisions regarding which services to provide, as well as understanding how those decisions and the alternatives impact the privacy of users. This document also presents a non-normative framework to assist writers of a Recursive operator Privacy Statement, analogous to DNS Security Extensions (DNSSEC) Policies and DNSSEC Practice Statements described in RFC 6841. X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP This document specifies a protocol useful in determining the current status of a digital certificate without requiring CRLs. [STANDARDS-TRACK] An Internet Attribute Certificate Profile for Authorization This specification defines a profile for the use of X.509 Attribute Certificates in Internet Protocols. Attribute certificates may be used in a wide range of applications and environments covering a broad spectrum of interoperability goals and a broader spectrum of operational and assurance requirements. The goal of this document is to establish a common baseline for generic applications requiring broad interoperability as well as limited special purpose requirements. The profile places emphasis on attribute certificate support for Internet electronic mail, IPsec, and WWW security applications. This document obsoletes RFC 3281. [STANDARDS-TRACK] Key Transparency Architecture This document defines the terminology and interaction patterns involved in the deployment of Key Transparency (KT) in a general secure group messaging infrastructure, and specifies the security properties that the protocol provides. It also gives more general, non-prescriptive guidance on how to securely apply KT to a number of common applications. OAuth Status List MATTR This specification defines status list data structures for representing the status of JSON Web Tokens (JWTs) [RFC7519] and CBOR Web Tokens (CWTs) [RFC8392]. The status list data structures themselves are also represented as JWTs or CWTs. Zero-Knowledge Accumulators and Set Operations n.d. Bitstring Status List v1.0 n.d.
Acknowledgments TODO acknowledge.