You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: draft-ietf-oauth-status-list.md
+34-13Lines changed: 34 additions & 13 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -35,6 +35,7 @@ normative:
35
35
RFC7519: RFC7519
36
36
RFC8259: RFC8259
37
37
RFC8392: RFC8392
38
+
RFC8725: RFC8725
38
39
RFC8949: RFC8949
39
40
RFC9052: RFC9052
40
41
RFC9110: RFC9110
@@ -69,6 +70,7 @@ informative:
69
70
RFC6749: RFC6749
70
71
RFC7662: RFC7662
71
72
RFC7800: RFC7800
73
+
RFC9458: RFC9458
72
74
SD-JWT.VC: I-D.ietf-oauth-sd-jwt-vc
73
75
ISO.mdoc:
74
76
author:
@@ -612,7 +614,16 @@ Resulting in the byte array and compressed/base64url-encoded status list:
612
614
# Security Considerations {#Security}
613
615
614
616
## Correct decoding and parsing of the encoded status list
615
-
TODO elaborate on risks of incorrect parsing/decoding leading to erroneous status data
617
+
618
+
Implementers should be particularly careful for the correct parsing and decoding of the status list. Incorrect implementations might check the index on the wrong data or miscalculate the bit and byte index leading to an erroneous status of the Referenced Token. Beware, that bits are indexed (bit order) from least significant bit to most significant bit (also called "right to left") while bytes are indexed (byte order) in their natural incrementing byte order (usually written for display purpose from left to write). Endianness does not apply here because each status value fits within a single byte.
619
+
620
+
Implementations are RECOMMENDED to verify correctness using the test vectors given by this specification.
621
+
622
+
## Security Guidance for JWT and CWT
623
+
624
+
A Status List Token in the JWT format should follow the security considerations of {{RFC7519}} and the best current practices of {{RFC8725}}.
625
+
626
+
A Status List Token in the CWT format should follow the security considerations of {{RFC8392}}.
616
627
617
628
## Cached and Stale status lists
618
629
@@ -621,45 +632,52 @@ in the Status List Token provides one mechanism for setting a maximum cache time
621
632
a status list to a CDN or other distribution mechanism while giving guidance to consumers of the status list on how often they need to fetch
622
633
a fresh copy of the status list even if that status list is not expired.
623
634
624
-
## Authorized access to the Status List {#security-authorization}
625
-
TODO elaborate on authorization mechanisms preventing misuse and profiling as described in privacy section
626
-
627
-
## History
628
-
TODO elaborate on status list only providing the up-to date/latest status, no historical data, may be provided by the underlying hosting architecture
629
-
630
635
# Privacy Considerations
631
636
632
-
## Limiting issuers observability of token verification {#privacy-issuer}
637
+
## Observability of Issuers {#privacy-issuer}
633
638
634
639
The main privacy consideration for a Status List, especially in the context of the Issuer-Holder-Verifier model {{SD-JWT.VC}}, is to prevent the Issuer from tracking the usage of the Referenced Token when the status is being checked. If an Issuer offers status information by referencing a specific token, this would enable him to create a profile for the issued token by correlating the date and identity of Relying Parties, that are requesting the status.
635
640
636
641
The Status List approaches these privacy implications by integrating the status information of many Referenced Tokens into the same list. Therefore, the Issuer does not learn for which Referenced Token the Relying Party is requesting the Status List. The privacy of the Holder is protected by the anonymity within the set of Referenced Tokens in the Status List, also called herd privacy. This limits the possibilities of tracking by the Issuer.
637
642
638
643
The herd privacy is depending on the number of entities within the Status List called its size. A larger size results in better privacy but also impacts the performance as more data has to be transferred to read the Status List.
639
644
645
+
Additionally, the Issuer may analyse data from the HTTP request to identify the Relying Party, e.g. through the sender's IP address. This behaviour may be mitigated by private relay protocols or other mechanism hiding the original sender like {{RFC9458}}.
646
+
640
647
## Malicious Issuers
641
648
642
649
A malicious Issuer could bypass the privacy benefits of the herd privacy by generating a unique Status List for every Referenced Token. By these means, he could maintain a mapping between Referenced Tokens and Status Lists and thus track the usage of Referenced Tokens by utilizing this mapping for the incoming requests. This malicious behaviour could be detected by Relying Parties that request large amounts of Referenced Tokens by comparing the number of different Status Lists and their sizes.
643
650
644
-
## Unobservability of Relying Parties {#privacy-relying-party}
651
+
## Observability of Relying Parties {#privacy-relying-party}
645
652
646
653
Once the Relying Party receives the Referenced Token, this enables him to request the Status List to validate its status through the provided `uri` parameter and look up the corresponding `index`. However, the Relying Party may persistently store the `uri` and `index` of the Referenced Token to request the Status List again at a later time. By doing so regularly, the Relying Party may create a profile of the Referenced Token's validity status. This behaviour may be intended as a feature, e.g. for a KYC process that requires regular validity checks, but might also be abused in cases where this is not intended and unknown to the Holder, e.g. profiling the suspension of a driving license or checking the employment status of an employee credential.
647
654
648
-
This behaviour could be mitigated by:
655
+
TODO elaborate on status list only providing the up-to date/latest status, no historical data, may be provided by the underlying hosting architecture
649
656
650
-
- adding authorization rules to the Status List, see [](#security-authorization).
657
+
This behaviour could be mitigated by:
651
658
- regular re-issuance of the Referenced Token, see [](#implementation-lifecycle).
652
659
660
+
## Observability of Outsiders {#privacy-outsider}
661
+
662
+
Outside actors may analyse the publicly available Status Lists to get information on the internal processes of the Issuer and his related business. This data may allow inferences on the total number of issued Reference Tokens and the revocation rate. Additionally, actors may regularly fetch this data or use the historic data functionality to learn how these numbers change over time.
663
+
664
+
This behaviour could be mitigated by:
665
+
- disable the historical data feature (TODO:link)
666
+
- disable the Status List Aggregation {#batch-fetching}
667
+
- choose non-sequential, pseudo-random or random indices
668
+
- use decoy entries to obfuscate the real number of Referenced Tokens within a Status List
669
+
- choose to deploy and utilize multiple Status Lists simultaneously
670
+
653
671
## Unlinkability
654
672
655
-
Colluding Issuers and a Relying Parties have the possibility to link two transactions, as the tuple of `uri` and `index` inside the Referenced Token are unique and therefore traceable data. By comparing the status claims of received Referenced Tokens, two colluding Relying Parties could determine that they have interacted with the same user or an Issuer could trace the usage of its issued Referenced Token by colluding with various Relying Parties. It is therefore recommended to use Status Lists for Referenced Token formats that have similar unlinkability properties.
673
+
Colluding Issuers and Relying Parties have the possibility to link two transactions, as the tuple of `uri` and `index` inside the Referenced Token are unique and therefore traceable data. By comparing the status claims of received Referenced Tokens, two colluding Relying Parties could determine that they have interacted with the same user or an Issuer could trace the usage of its issued Referenced Token by colluding with various Relying Parties. It is therefore recommended to use Status Lists for Referenced Token formats that have similar unlinkability properties.
656
674
657
675
To avoid privacy risks for colluding Relying Parties, it is RECOMMENDED that Issuers use batch issuance to issue multiple tokens, see [](#implementation-lifecycle).
658
676
659
677
To avoid further correlatable information by the values of `uri` and `index`, Issuers are RECOMMENDED to:
660
678
661
679
- choose non-sequential, pseudo-random or random indices
662
-
- use decoy or dead entries to obfuscate the real number of Referenced Tokens within a Status List
680
+
- use decoy entries to obfuscate the real number of Referenced Tokens within a Status List
663
681
- choose to deploy and utilize multiple Status Lists simultaneously
664
682
665
683
## Third Party Hosting
@@ -909,6 +927,9 @@ for their valuable contributions, discussions and feedback to this specification
909
927
910
928
-04
911
929
930
+
* add privacy consideration on using private relay protocols
931
+
* add privacy consideration on observability of outsiders
932
+
* add security considerations on correct parsing and decoding
912
933
* remove requirement for matching iss claim in Referenced Token and Status List Token
0 commit comments