Internet-Draft json-proof-token October 2024
Jones, et al. Expires 24 April 2025 [Page]
Workgroup:
jose
Internet-Draft:
draft-ietf-jose-json-proof-token-07
Published:
Intended Status:
Standards Track
Expires:
Authors:
M. Jones
Self-Issued Consulting
D. Waite
Ping Identity
J. Miller
Ping Identity

JSON Proof Token

Abstract

JSON Proof Token (JPT) is a compact, URL-safe, privacy-preserving representation of claims to be transferred between three parties. The claims in a JPT are encoded as base64url-encoded JSON objects that are used as the payloads of a JSON Web Proof (JWP) structure, enabling them to be digitally signed and selectively disclosed. JPTs also support reusability and unlinkability when using Zero-Knowledge Proofs (ZKPs).

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 24 April 2025.

Table of Contents

1. Introduction

JSON Proof Token (JPT) is a compact claims representation format intended to be used in the same ways as a JSON Web Token (JWT), but with additional support for selective disclosure and unlinkability. JPTs encode claim values to be transmitted as payloads of a JSON Web Proof (JWP) [I-D.ietf-jose-json-web-proof]. JPTs are always represented using the JWP Compact Serialization. The corresponding claim names are not transmitted in the payloads and are stored in a separate structure that can be externalized and shared across multiple JPTs.

Editor's Note: This draft is still early and incomplete. There will be significant changes to the algorithms as currently defined here. Please do not use any of these definitions or examples for anything except personal experimentation and learning. Contributions and feedback are welcomed at https://github.com/ietf-wg-jose/json-web-proof.

2. Conventions and Definitions

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here.

3. Background

JWP defines a container binding together a protected header, one or more payloads, and a cryptographic proof. It does not define how claims are organized into payloads and what formats they are in. JPTs are intended to be as close to a JWT as possible, while also supporting the selective disclosure and unlinkability of JWPs.

4. Design Considerations

The rationale behind the design for JSON Proof Tokens is important when considering how it is structured. These sections detail the underlying reasoning informing the JPT design.

4.1. Unlinkability

Supporting unlinkability is perhaps the most challenging design constraint for JPTs. Even the smallest oversight can introduce a subtle vector for relying parties to collude and correlate one or more subjects across their usage.

The principal tools to prevent this are data minimization and uniformity. The data included in a JPT SHOULD be minimized to remove potential correlation points. The data SHOULD contain only values that are able to be selectively disclosed with consent or transformed by the proof algorithm when presented.

Any other data that is repeated across multiple JPTs is externalized so that it is uniform across every issuance. This includes preventing the usage of optional headers, dynamic mapping of claims to payloads, changes to how many payloads are included, and the ordering of the payloads.

4.2. Selective Disclosure

While JWPs provide the underling structure for easily supporting selective disclosure, JPTs must go a step further to ensure that holders can effectively provide choice and consent on exactly what is being disclosed. Software using JWPs MUST know the mappings from payloads to claims. All disclosed payloads MUST be mapped to claims and made accessible to the application. Holders SHOULD understand the semantics of all potentially disclosed claims to the extent needed to decide whether to disclose them. JPTs SHOULD NOT contain claims that are intended only for a specific verifier.

4.3. Familiarity

JPTs are intended to be as close to a JWT as possible in order to provide the simplest transition for any JWT-based system to add support for JPTs.

Although there are some stark differences in the lifecycle of a JPT, from the application's perspective, the interface to a JPT can be made fairly similar: a JSON object containing a mix of required and optional claims with well-understood values.

The most significant divergence required by JPTs is that of supporting values that may be disclosed or may instead only be a proof about the value. Applications are required to interact with the JPT on a payload-by-payload basis instead of just verifying a JWT and then being able to interact with the JSON body directly.

4.4. Proofs

To generate a variety of efficient ZKPs of knowledge, range, membership, or other predicates, it is essential that each individual payload is only a single claim value. This greatly simplifies the task of linking a derived proof of a given claim to the specific payload that was also signed by the issuer. While JPTs support claims that have complex object or array compound values, they also allow for simple claim values such as JSON strings, numbers, and booleans that can be used directly in generating predicate proofs.

5. Claim Names

It is RECOMMENDED that the claim names used with JPTs come from those in the IANA JSON Web Token Claims Registry [IANA.JWT.Claims] established by [RFC7519], when those fit the application's needs.

6. Claims Header Parameter

A JSON Proof Token assigns each playload a claim name. Payloads MUST each have a negotiated and understood claim name within the application context. The simplest solution to establish payload claim names is as an ordered array that aligns with the included payloads. This claims array can be conveniently included in the Claims header parameter.

The claims Header Parameter is an array listing the Claim Names corresponding to the JWP payloads, in the same order as the payloads. Each array value is a Claim Name, as defined in [RFC7519]. Use of this Header Parameter is OPTIONAL.

All payloads are claim values and MUST be the base64url encoding of the UTF-8 representation of a JSON value. That said, predicate proofs derived from payload values are not represented as claims; they are contained in the presentation proof using algorithm-specific representations.

The following is an example JWP Issuer Protected Header that includes a claims property:

{
  "kid": "HjfcpyjuZQ-O8Ye2hQnNbT9RbbnrobptdnExR0DUjU8",
  "alg": "BBS",
  "claims": [
    "iat",
    "exp",
    "family_name",
    "given_name",
    "email",
    "address",
    "age_over_21"
  ]
}

In this example, the "iat" and "exp" would be JSON-formatted numbers, "family_name", "given_name" and "email" would be JSON strings (in quotes), "address" would be a JSON object and "age_over_21" would be expected to be either true or false.

7. Claims ID ("cid") JWP Header Parameter

A Claims ID ("cid") value can be used as an identifier for a set of claim names without explicitly listing them.

The structure of the cid value is unspecified. Its value MUST be a case-sensitive string. Use of this JWP Header Parameter is OPTIONAL.

The cid can be used similarly to a kid in order to ensure that is it possible to externally resolve and then verify that the correct list of claim names is being used when processing the payloads containing the claim values.

If there is an associated JWK containing the signing key information, the claims key is also registered there as a convenient location for the claim names.

When the claims array is transferred as a property in the Issuer Protected Header, any variations of that array between JWP will be visible to the verifier, and can leak information about the subject or provide an additional vector for linkability. Given the privacy design considerations around linkability, it is RECOMMENDED that the claims are defined external to an individual JPT and either referenced or known by the application context.

The following is an example JWP Protected Header that includes a cid:

{
  "kid": "HjfcpyjuZQ-O8Ye2hQnNbT9RbbnrobptdnExR0DUjU8",
  "alg": "BBS",
  "cid": "guA8PAI14Gkn4273f1rR606yMbRMFg4y"
}

8. Presented Claims and Proofs

Each claim in the issued form of the JPT results in one of three things in the presented form of the JPT: 1. A disclosed JSON value. 1. An indicator that the value was not disclosed. 1. An algorithm-specific proof method.

8.1. Disclosed

A disclosed payload is represented as a UTF-encoded octet string representing a valid JSON value.

8.2. Undisclosed

The placeholder indicating that a payload was not disclosed is represented as described in Section 6 (Serializations) of [I-D.ietf-jose-json-web-proof].

8.3. Proof Methods

Proof methods can be returned instead of a disclosed payload. These are generated in an algorithm-specific manner from information in the JWP's proof value.

A proof method may be custom based on the capabilities of the algorithm.

  • TBD: Describe common proof method types available?

    • range
    • membership
    • time
    • knowledge
    • linking

9. Example JPTs

See the examples in Appendix A.1 of [I-D.ietf-jose-json-proof-algorithms].

10. Security Considerations

11. IANA Considerations

11.1. JSON Web Proof Header Parameters Registration

This section registers the following JWP Header Parameter in the IANA "JSON Web Proof Header Parameters" registry established by [I-D.ietf-jose-json-web-proof].

11.1.1. Registry Contents

11.1.1.1. "claims" (Claims) Header Parameter
  • Header Parameter Name: Claims
  • Header Parameter JSON Label: claims
  • Header Parameter CBOR Label: 10
  • Header Parameter Usage Location(s): Issued
  • Change Controller: IETF
  • Specification Document(s): Section 6 of this specification
11.1.1.2. "cid" (Claims ID) Header Parameter
  • Header Parameter Name: Claims ID
  • Header Parameter JSON Label: cid
  • Header Parameter CBOR Label: 11
  • Header Parameter Usage Location(s): Issued
  • Change Controller: IETF
  • Specification Document(s): Section 7 of this specification

12. References

12.1. Normative References

[I-D.ietf-jose-json-web-proof]
Miller, J., Waite, D., and M. B. Jones, "JSON Web Proof", Work in Progress, Internet-Draft, draft-ietf-jose-json-web-proof-06, , <https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-web-proof-06>.
[RFC7519]
Jones, M., Bradley, J., and N. Sakimura, "JSON Web Token (JWT)", RFC 7519, DOI 10.17487/RFC7519, , <https://www.rfc-editor.org/info/rfc7519>.

12.2. Informative References

[I-D.ietf-jose-json-proof-algorithms]
Miller, J., Jones, M. B., and D. Waite, "JSON Proof Algorithms", Work in Progress, Internet-Draft, draft-ietf-jose-json-proof-algorithms-06, , <https://datatracker.ietf.org/doc/html/draft-ietf-jose-json-proof-algorithms-06>.
[IANA.JWT.Claims]
IANA, "JSON Web Token Claims", <https://www.iana.org/assignments/jwt>.
[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC8174]
Leiba, B., "Ambiguity of Uppercase vs Lowercase in RFC 2119 Key Words", BCP 14, RFC 8174, DOI 10.17487/RFC8174, , <https://www.rfc-editor.org/info/rfc8174>.

Appendix A. Acknowledgements

This work was incubated in the DIF Applied Cryptography Working Group.

We would like to thank Brent Zundel for his valuable contributions to this specification.

Appendix B. Document History

[[ To be removed from the final specification ]]

-07

-06

-05

-04

-03

-02

-01

-00

Authors' Addresses

Michael B. Jones
Self-Issued Consulting
David Waite
Ping Identity
Jeremie Miller
Ping Identity