Internet DRAFT - draft-steele-spice-profiles-bcp

draft-steele-spice-profiles-bcp







Secure Patterns for Internet CrEdentials                       O. Steele
Internet-Draft                                                 Transmute
Intended status: Informational                                M. Prorock
Expires: 24 June 2024                                           mesur.io
                                                           M. Alkhraishi
                                                                mavennet
                                                        22 December 2023


           Digital Credential Profiles Best Current Practices
                   draft-steele-spice-profiles-bcp-00

Abstract

   Digital Credentials are frequently modeled on documents, forms, and
   messages that enable a holder to prove they have attributes that are
   acceptable to a verifier.

   This document provides guidance to verifiers enabling them to
   describe their requirements such that they can be translated into
   digital credential profiles.

About This Document

   This note is to be removed before publishing as an RFC.

   The latest revision of this draft can be found at
   https://OR13.github.io/draft-steele-spice-profiles-bcp/draft-steele-
   spice-profiles-bcp.html.  Status information for this document may be
   found at https://datatracker.ietf.org/doc/draft-steele-spice-
   profiles-bcp/.

   Discussion of this document takes place on the Secure Patterns for
   Internet CrEdentials Working Group mailing list
   (mailto:spice@ietf.org), which is archived at
   https://mailarchive.ietf.org/arch/browse/spice/.  Subscribe at
   https://www.ietf.org/mailman/listinfo/spice/.

   Source for this draft and an issue tracker can be found at
   https://github.com/OR13/draft-steele-spice-profiles-bcp.

Status of This Memo

   This Internet-Draft is submitted in full conformance with the
   provisions of BCP 78 and BCP 79.






Steele, et al.            Expires 24 June 2024                  [Page 1]

Internet-Draft                   DCP-BCP                   December 2023


   Internet-Drafts are working documents of the Internet Engineering
   Task Force (IETF).  Note that other groups may also distribute
   working documents as Internet-Drafts.  The list of current Internet-
   Drafts is at https://datatracker.ietf.org/drafts/current/.

   Internet-Drafts are draft documents valid for a maximum of six months
   and may be updated, replaced, or obsoleted by other documents at any
   time.  It is inappropriate to use Internet-Drafts as reference
   material or to cite them other than as "work in progress."

   This Internet-Draft will expire on 24 June 2024.

Copyright Notice

   Copyright (c) 2023 IETF Trust and the persons identified as the
   document authors.  All rights reserved.

   This document is subject to BCP 78 and the IETF Trust's Legal
   Provisions Relating to IETF Documents (https://trustee.ietf.org/
   license-info) in effect on the date of publication of this document.
   Please review these documents carefully, as they describe your rights
   and restrictions with respect to this document.  Code Components
   extracted from this document must include Revised BSD License text as
   described in Section 4.e of the Trust Legal Provisions and are
   provided without warranty as described in the Revised BSD License.

Table of Contents

   1.  Introduction  . . . . . . . . . . . . . . . . . . . . . . . .   3
   2.  Terminology . . . . . . . . . . . . . . . . . . . . . . . . .   3
   3.  Ontologies  . . . . . . . . . . . . . . . . . . . . . . . . .   4
   4.  Information vs Data . . . . . . . . . . . . . . . . . . . . .   4
   5.  Schema vs Definition  . . . . . . . . . . . . . . . . . . . .   5
   6.  Designing Data Structures . . . . . . . . . . . . . . . . . .   5
   7.  Security Considerations . . . . . . . . . . . . . . . . . . .   7
     7.1.  Cryptographic Agility . . . . . . . . . . . . . . . . . .   7
     7.2.  Internationalized Names . . . . . . . . . . . . . . . . .   7
     7.3.  Exploiting Data Validation  . . . . . . . . . . . . . . .   7
   8.  IANA Considerations . . . . . . . . . . . . . . . . . . . . .   7
   9.  References  . . . . . . . . . . . . . . . . . . . . . . . . .   7
     9.1.  Normative References  . . . . . . . . . . . . . . . . . .   7
     9.2.  Informative References  . . . . . . . . . . . . . . . . .   8
   Acknowledgments . . . . . . . . . . . . . . . . . . . . . . . . .   8
   Authors' Addresses  . . . . . . . . . . . . . . . . . . . . . . .   8







Steele, et al.            Expires 24 June 2024                  [Page 2]

Internet-Draft                   DCP-BCP                   December 2023


1.  Introduction

   Verifiers have digital credential requirements that reduce their
   liability, improve their transaction throughput, comply with local,
   regional, or international laws, and support their environmental,
   social and governance objectives and values.

   Requirements are often expressed as "Policy Documents", and furnished
   to holders, to enable them to easily comply.  For example, sometimes
   to receive a new credential, a holder may need to present one or more
   existing credentials, and different regional agencies might have
   unique requirements regarding the quality, age, and issuing authority
   of these credentials.

   Not all the attributes of a credential may be necessary to disclose,
   and the details of the serialization are often less relevant to the
   verifier than the authenticity and integrity of the credential
   attributes.

   Verifiers need to update their policies as new credential formats
   become available, but still need to ensure that mandatory attributes
   are disclosed, even while changing the securing mechanisms and
   serialization details.

   Depending on how a verifier wrote their policy, the process of
   updating it to take advantage of new capabilities, safer
   cryptography, smaller message sizes, or advances in data
   minimization, can be difficult.

   This document provides guidance to policy writers, enabling them to
   construct policies that can be translated into human and machine
   verifiable profiles, enabling digital credential formats to evolve
   with the speed and precision at which policies can be written.

2.  Terminology

   The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
   "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and
   "OPTIONAL" in this document are to be interpreted as described in
   BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all
   capitals, as shown here.

   Ontology:  a set of concepts and categories in a subject area or
      domain that shows their properties and the relations between them.
      (oxford dictionary citation fixme)






Steele, et al.            Expires 24 June 2024                  [Page 3]

Internet-Draft                   DCP-BCP                   December 2023


3.  Ontologies

   Verifiers can share their view of a subject area or domain by
   acknowledging or leveraging ontologies.  Ontologies can be leveraged
   to model information requirements, with or without requiring the data
   format to explicitly encode the ontology or leverage the ontology
   directly in the construction of digital credentials.

   For example, the ontology defined in
   [I-D.draft-petithuguenin-rfc-ontology] can be used to describe the
   information required in a digital credential for RFCs, without
   requiring the digital credential to contain the literal strings used
   to serialize the ontology, for example the string:
   "ftp://shalmaneser.org/rfc#area", need not be present, so long as the
   verifier describes that the string "area" is equivalent in their
   profile text.

   Policy writers SHOULD distinguish between the information they
   require, and the ontologies that can express the concepts needed to
   understand the information.

4.  Information vs Data

   Information is abstract, we can express the same information in many
   different ways, including in many different serializations.

   The following statement for example, expresses information:

   Alice believes Bob is 42 years old.

   That can also be expressed in different data structures, while
   preserving the information:

   in JSON:

   {
     "alice": {
       "knows": {
         "bob": {
           "age": {
             "42": "years"
           }
         }
       }
     }
   }





Steele, et al.            Expires 24 June 2024                  [Page 4]

Internet-Draft                   DCP-BCP                   December 2023


   Verifiers can write policies that mandate a single method to encode
   information in a serialization and allow only one serialization.
   This can reduce both the cost to implement and the attack surface
   associated with the digital credentials that are acceptable to the
   verifier.

   However, if a new serialization is invented, that is simpler to
   support, and more directly aligns with the values of the verifier and
   their mission objectives, having such a policy could prevent the
   verifier from adopting the new and improved serialization, even if it
   secures the same information and provides additional benefits, beyond
   integrity and authenticity, such as compactness, reduced computation
   and storage costs, or safer formal modeling capabilities.

   Policy writers SHOULD distinguish between the information they
   require, and the acceptable serializations that can express this
   information required.

5.  Schema vs Definition

   Once a verifier has documented their information requirements, and
   selected data formats capable of expressing the required information
   while satisfying their policies and values, the details of the
   acceptable data format SHOULD be considered.

   There are a number of subtle details regarding octet encodings that
   can lead to security or performance issues in digital credential
   formats.

   For example, understanding the allowed data types for expressing
   information, be it an integer, a floating point number, a string, or
   a boolean value.

   Policy writers SHOULD describe the allowed data types for the
   expression of information, and SHOULD NOT support polymorphic types.

   Schema or data definition languages such as [RFC8610] SHOULD be used
   when describing acceptable expressions of information models, so that
   validation of data instances can be automated.

6.  Designing Data Structures

   Although schema or data definition languages can help address some
   common security issues such as validation as described in [RFC4949],
   there are still problematic expressions of information which should
   generally be avoided even when fully specifying data.





Steele, et al.            Expires 24 June 2024                  [Page 5]

Internet-Draft                   DCP-BCP                   December 2023


   Most commonly deeply nested data structures, or lists of deeply
   nested data structures containing lists.

   Most digital credentials are about asserting attributes of a subject,
   in a way that is secured by the issuer, and provable by the holder.

   This can naturally be expressed using a simple map data type.

   subject-attributes = {
     ; identifier
     ? &(id: 1) => int,
     ; age
     ? &(age: 2) => int,
   }

   Strings and arbitrary length data structures SHOULD be avoided,
   whenever possible.

   As the issuer secures the data, the interpretation of the data is
   always in the context of:

   1.  the definitions published by the issuer.

   2.  the data the issuer chose to secure that expresses the
       information.

   Policy writers SHOULD leverage tabular data structures (tables, csv)
   whenever possible.

   Policy writers SHOULD externalize definitions of data structures
   wherever possible, and use those external definitions to generate
   relevant sections of the policy document.

   Policy writers SHOULD ensure that output documents are computer
   readable, and that when tabular data is embedded in a policy
   document, that it is clearly separated from other sections of tabular
   data.

   Documents SHOULD be sectioned by logical concepts, and document
   sections dealing with the description of data structures SHOULD be
   clearly identifed and not mixed with other data structure
   descriptions without clear separation.

   Policy writers SHOULD clearly version policy documents, and SHOULD
   clearly identify the date of publication, start date of applicabiilty
   of the policy, and if known, the end date of applicability.





Steele, et al.            Expires 24 June 2024                  [Page 6]

Internet-Draft                   DCP-BCP                   December 2023


   Policy writers SHOULD clearly define the scope of the policy, and the
   audience to which the policy applies to.  These scope and audience
   definitions SHOULD take place in their own sections.

   Policy writers SHOULD restrict what data is expressed in a digital
   credential and how the data is expressed not just the information
   that is required to be present.

   Policy writers SHOULD avoid making recommendations where the same
   information may be conveyed in many different, but equivalent data
   structures.  When leveraging CBOR, [I-D.draft-ietf-cbor-cde] SHOULD
   be used.

   Policy writers should avoid creating "frameworks" where
   interoperability is not immediately available [RFC9518].

7.  Security Considerations

   TODO Security

7.1.  Cryptographic Agility

   TODO Cryptographic Agility

   Registries / Pick at least 2, use at least N bit security... avoid
   MUST support.... recommend AT LEAST support.

7.2.  Internationalized Names

   TODO Internationalized Names Strings / domain names... Unicode.

7.3.  Exploiting Data Validation

   Max depth exceeded in JSON, cannonicalization timeout in XML / JSON-
   LD, similar issues with large CBOR structures.

8.  IANA Considerations

   This document has no IANA actions.

9.  References

9.1.  Normative References








Steele, et al.            Expires 24 June 2024                  [Page 7]

Internet-Draft                   DCP-BCP                   December 2023


   [I-D.draft-ietf-cbor-cde]
              Bormann, C., "CBOR Common Deterministic Encoding (CDE)",
              Work in Progress, Internet-Draft, draft-ietf-cbor-cde-00,
              27 November 2023, <https://datatracker.ietf.org/doc/html/
              draft-ietf-cbor-cde-00>.

   [RFC2119]  Bradner, S., "Key words for use in RFCs to Indicate
              Requirement Levels", BCP 14, RFC 2119,
              DOI 10.17487/RFC2119, March 1997,
              <https://www.rfc-editor.org/rfc/rfc2119>.

   [RFC4949]  Shirey, R., "Internet Security Glossary, Version 2",
              FYI 36, RFC 4949, DOI 10.17487/RFC4949, August 2007,
              <https://www.rfc-editor.org/rfc/rfc4949>.

   [RFC8174]  Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC
              2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174,
              May 2017, <https://www.rfc-editor.org/rfc/rfc8174>.

   [RFC8610]  Birkholz, H., Vigano, C., and C. Bormann, "Concise Data
              Definition Language (CDDL): A Notational Convention to
              Express Concise Binary Object Representation (CBOR) and
              JSON Data Structures", RFC 8610, DOI 10.17487/RFC8610,
              June 2019, <https://www.rfc-editor.org/rfc/rfc8610>.

   [RFC9518]  Nottingham, M., "Centralization, Decentralization, and
              Internet Standards", RFC 9518, DOI 10.17487/RFC9518,
              December 2023, <https://www.rfc-editor.org/rfc/rfc9518>.

9.2.  Informative References

   [I-D.draft-petithuguenin-rfc-ontology]
              Petit-Huguenin, M., "An Ontology for RFCs", Work in
              Progress, Internet-Draft, draft-petithuguenin-rfc-
              ontology-03, 25 July 2023,
              <https://datatracker.ietf.org/doc/html/draft-
              petithuguenin-rfc-ontology-03>.

Acknowledgments

   TODO acknowledge.

Authors' Addresses

   Orie Steele
   Transmute
   Email: orie@transmute.industries




Steele, et al.            Expires 24 June 2024                  [Page 8]

Internet-Draft                   DCP-BCP                   December 2023


   Michael Prorock
   mesur.io
   Email: mprorock@mesur.io


   Mahmoud Alkhraishi
   mavennet
   Email: mahmoud@mavennet.com











































Steele, et al.            Expires 24 June 2024                  [Page 9]