Internet-Draft | Multipass Retrieval | July 2020 |
Waite & Miller | Expires 31 January 2021 | [Page] |
User authentication and attributes are exchanged online today between organizations based on bilateral business arrangements, with user consent and privacy provided as desired by the organization(s) involved.¶
Multipass is a system intended for an organization to issue credentials unilaterally, where other organizations can evaluate credentials without having a relationship to the issuing party. This is accomplished by leveraging a software agent, which allows this exchange to be done in a manner that is able to respect user privacy and support informed decisions around disclosure.¶
This specification provides a mechanism to retrieve single-use containers, which bundle cryptographically secure credentials in a non-correlatable, selectively disclosable manner.¶
This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.¶
Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.¶
Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."¶
This Internet-Draft will expire on 31 January 2021.¶
Copyright (c) 2020 IETF Trust and the persons identified as the document authors. All rights reserved.¶
This document is subject to BCP 78 and the IETF Trust's Legal Provisions Relating to IETF Documents (https://trustee.ietf.org/license-info) in effect on the date of publication of this document. Please review these documents carefully, as they describe your rights and restrictions with respect to this document. Code Components extracted from this document must include Simplified BSD License text as described in Section 4.e of the Trust Legal Provisions and are provided without warranty as described in the Simplified BSD License.¶
Existing multi-organizatinal identity systems such as SAML ([OASIS.saml-core-2.0-os]) and OpenID Connect ([OpenID.Core]) are designed to share authentication information and claims about the user across organizations. The basis for this exchange is typically a bilateral business relationship and mutual trust between the organizations. The user may or may not have been informed of have consented to this disclosure, depending on the policies and the regulations that the entities operate under.¶
Verifiable Credential systems [W3C.REC-vc-data-model-20191119] aim to introduce a new role into the system, that of a software agent which mediates this exchange of information about the user. This agent decouples the entities from needing a business relationship, as well as takes responsibility for protecting privacy and providing the user with the opportunity for informed disclosure and consent.¶
This specification describes the process for retrieving and handling a set of credentials from a single issuer, known as a Multipass Container. These containers are single use, cryptographically verifiable statements by a particular issuer. For compatibility with existing identity systems, this issuer acts as a protected resource under the OAuth 2.0 Authorization Framework described in ([OAUTH2]). There may be other methods for retrieving multipass containers, which are out of scope of this specification.¶
This specification also defines mechanisms to prove possession of a key associated with the container to the relying party, and for verifying the credentials were asserted by the issuer.¶
Finally, this specification describes the data expected in a request by a party for credentials, as well as the cryptographic format of the presentation of those credentials back to the requesting party. This specification does not define a profile for requesting or sending multipass containers to recipients, which may operate in roles such as "Relying Parties" or "Verifiers" within such profiles.¶
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "NOT RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in BCP 14 [RFC2119] [RFC8174] when, and only when, they appear in all capitals, as shown here. These words may also appear in this document in lower case as plain English words, absent their normative meanings.¶
Certain security-related terms are to be understood in the sense defined in [SECURITY]. These terms include, but are not limited to, "air gap", "anonymity", "assymmetric cryptography", "attribute", "authentication", "authorization", "certificate", "challenge-response", "credential", "data integrity", "domain", "domain name", "enclave", "encryption", "ephemeral key", "expire", "fresh", "identifier", "identity", "identity proofing", "integrity", "privacy", "private key", "proof-of-possession", "protocol", "public key", "repudiation", "sign", "signature", "single sign-on", "steganography", "trust", "validate", "validity period", "verify", and "zero-knowledge proof"¶
Unless otherwise noted, all the protocol parameter names and values are case sensitive.¶
This specification also defines or revises the following terms:¶
Multipass defines four roles beyond OAuth:¶
The abstract flow illustrated in Figure 2 describes the interaction between the holder, authorization server and issuer to retrieve containers.¶
multipass
.¶
Verifiers request credentials be presented to them from a holder and asserted by an issuer with appropriate cryptographic proof. The presentation is constructed by the holder based on statements from the issuer contained within the multipass container and from the credentials asserted by the issuer.¶
The selected multipass container may already have been retrieved and cached for later use (within the validity period of the container), or may be retrieved on demand as part of the process of answering the validator's request.¶
A multipass container is single-use cryptographic package used to form a credential presentation to a verifier from an issuer via a holder. It consists of a collection of individually packaged credentials about the subject, which may be selectively disclosed to minimally meet the needs of the verifier and protect the privacy of the subject.¶
The Issuer Statement is a signed JWT containing information which is both non-identifying and non-correlating of the user, which will be disclosed to all verifiers.¶
The JWT contains the following claims, defined by ([JWT]) and ([JWTPOP])¶
The JWT may also contain the following additional claim:¶
Issuer statements MAY provide additional information. This additional information MUST NOT contain identity information of the subject, or be usable to uniquely identify the subject or correlate the subject across multiple verifiers.¶
As a specific example, this information MUST NOT indicate the subject belong to a subset at a particular issuer who have access to a particular credential, such as by including an additional mechanism to verify that credential format. The cdv
property is provided specifically so that that verification information can be included separately from the issuer statement, as part of the credential itself. The issuer statement MAY include such information if it does not distinguish the subject as belonging to a subset, but a requirement to do so might serve as a limitation of that credential format in other environments.¶
A multipass container is an assertion by the issuer of one or more credentials about the subject, which may be selectively disclosed by the holder to a verifier. Selective disclosure allows for presented credentials to be limited to only the information requested by a verifier. In addition to selecting which credentials are disclosed, some credential formats MAY also allow portions of the credential to be selectively disclosed.¶
The format of a credential data is out of scope of this specification, outside of providing the credential validation object (cdv
) in the issued container. The credential validation object contains an ephemeral public key (as a jwk
property) which is leveraged by some credential formats to verify that credential data is asserted by the issuer. The credential data MAY contain information only meant for the holder in order to properly present the credential to the issuer, and MAY define a verification method other than the cdv
public key.¶
The holder will typically only offer credentials to a relying party which it understands and can properly prompt the user to consent to release. Issuers offer credentials in the formats they support, containing the attributes they can assert about the subject. Validators indicate that they require a certain set of attributes along with the credential formats they support to receive them.¶
A specification which defines a credential format is RECOMMENDED to define:¶
cdv
key¶
A credential format MAY impact all stages of the multipass protocol described below, including:¶
The Multipass Metadata Endpoint builds upon the OAuth Authorization Server Metadata format ([OAUTHMETA].) When using the OAuth Application Server metadata, the OAuth issuer and Multipass issuer have the same URI name.¶
It is RECOMMENDED that metadata be retrieved using the process detailed in Section 3 of [OAUTHMETA], first attempting to resolve the URL suffix "oauth-authorization-server", then attempting to resolve the URL suffix "openid-configuration" using the same process. [OpenID.Core] describes a different, non-standard location for "openid-configuration" metadata when the issuer URL contains a path - Issuers SHOULD NOT assume that Holders or Verifiers will attempt to resolve this location, and SHOULD either move or duplicate their metadata to the location specified by [OAUTHMETA].¶
Multipass Metadata values are grouped under a property with the multipass
metadata name.¶
true
to indicate support.¶
https
scheme URL of the multipass endpoint.¶
ES256
(ECDSA using P-256 and SHA-256). It is RECOMMENDED that ES256
be supported for compatibility.¶
Given an appropriate access token, the holder requests a multipass container via POST to the multipass container endpoint.¶
The parameters of the request are:¶
true
as a default configuration and MUST use true
if no configuration is defined for a given credential format. An issuer takes this as advice, and MAY return more credentials than requested or omit requested credential formats.¶
The multipass container response consists of a JSON [JSON] object body with keys representing the issuer statement and credentials. These values are used by the holder to assemble a multipass presentation.¶
cdv
claim.¶
A relying party interacts with this system by requesting credentials from a holder, and being either presented back with those credentials or being given an error. This specification details the data format used for this request and the resulting presentation, while the semantics of the communication channel between the relying part and holder are considered out of scope.¶
A Presentation Request is represented by a JSON object with several keys.¶
rpid
parameter. For a relying party with a HTTPS identifier, this value should be the relying party's effective domain or a registrable domain suffix of that effective domain.¶
true
.¶
true
.¶
A presentation is the successful response to a relying party's presentation request. It is a signed [JWT], protected by the ephemeral keypair represented within the issuer statement of a multipass container.¶
The JWT contains the following claims:¶
cdv
public key.¶
A future system may support multi-use containers by leveraging a different cryptographic protocol, such as anonymous credentials ([ANONCRED]). However, the difference in security is such that this likely will be a separate specification.¶
This system does not attempt to resolve the ability of the issuer and validator to collude to determine the identity of the subject. In addition to a jti
claim in the issuer statements, the issuer could use the uniqueness of the statements themselves to correlate any statement to a particular issuance and the corresponding holder and subject.¶
The container itself does not have a revocation mechanism, instead leveraging the expiry of the containers themselves. Accordingly, containers should have short expirations that properly accomodate potential offline or disconnected use cases.¶
In addition to requests against issuers, a brokered trust model (requesting an issuer within a network) will likely be desirable.¶
The current presentation response format limits the response to credentials from a single issuer. It should be possible to extend this presentation response to being from multiple issuers, although some scenarios may make it difficult to use a single ephemeral key.¶
The current issuer text is perhaps not flexible enough allow for other kinds of issuers, such as local (self-asserted) information or the use of a local authentication credential such as a client certificate or FIDO authenticator. The intention is that these would be possible within the framework described.¶