Internet-Draft reclaimid May 2021
Schanzenbach & Grothoff Expires 6 November 2021 [Page]
Workgroup:
Independent Stream
Internet-Draft:
draft-schanzen-reclaimid-00
Published:
Intended Status:
Informational
Expires:
Authors:
M. Schanzenbach
GNUnet e.V.
C. Grothoff
Berner Fachhochschule

re:claimID - A System for Self-sovereign, Decentralised Identity Management and Personal Data Sharing

Abstract

This document contains the re:claimID technical specification.

Status of This Memo

This Internet-Draft is submitted in full conformance with the provisions of BCP 78 and BCP 79.

Internet-Drafts are working documents of the Internet Engineering Task Force (IETF). Note that other groups may also distribute working documents as Internet-Drafts. The list of current Internet-Drafts is at https://datatracker.ietf.org/drafts/current/.

Internet-Drafts are draft documents valid for a maximum of six months and may be updated, replaced, or obsoleted by other documents at any time. It is inappropriate to use Internet-Drafts as reference material or to cite them other than as "work in progress."

This Internet-Draft will expire on 6 November 2021.

Table of Contents

1. Introduction

re:claimID is a decentralized, self-sovereign identity management system. It allows users to be in control over their digital identities without having to rely on central identity provider services (IdPs) in order to share personal data.

re:claimID is built upon the GNU Name System [GNS] for data sharing and storage. It leverages the zone privacy and key blinding properties of the name system in order to provide a secure sharing and authorization mechanism.

The system supports both "self-asserted" as well as third party asserted identity attributes. The assertion mechanisms are out of scope of this document.

The re:claimID system can used and integrated into the OpenID Connect protocol.

This document defines the normative wire format of resource records, resolution processes, cryptographic routines and security considerations for use by implementors.

The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in [RFC2119].

2. Identities

An identity in re:claimID is defined through a zone in GNS. As such, the creation of a zone in GNS implicitly also creates a re:claimID identity.

2.1. Attributes

A re:claimID identity attribute is stored in GNS under records of type "RECLAIM_ATTRIBUTE". An attribute consists of an identifier, an optional attestation identifier, a type, a flag, a name and data. The record format of a RECLAIM_ATTRIBUTE is as follows:

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|         TYPE          |         FLAG          |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      ID                       |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                    ATTESTATION                |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|         NSIZE         |          DSIZE        |
+-----+-----+-----+-----+-----+-----+-----+-----+
/                  NAME + DATA                  /
/                                               /
+-----------------------------------------------+
Figure 1

where:

TYPE
Is the 32 bit attribute type as defined in the GANA registry.
FLAG
Is a 32 bit attribute flag combination as defined in the GANA registry
ID
Is a 256 bit attribute identifier.
ATTESTATION
Is the 256 bit credential identifier which asserts this attribute. 0 means no attestation.
NSIZE
32 bit length of the attribute name in bytes.
DSIZE
32 bit length of the attribute data.
NAME
The attribute name. A UTF-8 string with NULL byte at the end.
DATA
The attribute data.

2.2. Credentials

A re:claimID credential is stored in GNS under records of type "RECLAIM_CREDENTIAL". A credential consists of an identifier, a type, a flag, a name and data. The record format of a RECLAIM_CREDENTIAL is as follows:

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|         TYPE          |         FLAG          |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      ID                       |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|         NSIZE         |          DSIZE        |
+-----+-----+-----+-----+-----+-----+-----+-----+
/                  NAME + DATA                  /
/                                               /
+-----------------------------------------------+
Figure 2

where:

TYPE
Is the 32 bit credential type as defined in the GANA registry.
FLAG
Is a 32 bit credential flag combination as defined in the GANA registry
ID
Is a 256 bit credential identifier.
NSIZE
32 bit length of the credential name in bytes.
DSIZE
32 bit length of the credential data.
NAME
The credential name. A UTF-8 string with NULL byte at the end.
DATA
The credential data.

2.3. Tickets

In order to share a set of identity attributes with a third party, re:claimID introduces the concept of "Tickets". A Ticket may be issued by a user for an identity to a relying party. The Ticket may then be used by the relying party to retrieve the shared attributes from the name system. The record wire format of a Ticket is as follows:

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|      IDENTITY TYPE    |       IDENTITY        |
+-----------------------+                       |
|                       +-----------------------|
|                       |    AUDIENCE TYPE      |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                    AUDIENCE                   |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      TID                      |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
Figure 3

where:

IDENTITY TYPE
Is the 32 bit identity type as defined in GANA for GNS identity zone types (e.g. PKEY).
IDENTITY
Is the 256 bit identity public zone key of the user.
AUDIENCE TYPE
Is the 32 bit audience type as defined in GANA for GNS identity zone types (e.g. PKEY).
AUDIENCE
Is the 256 bit audience public zone key of the relying party.
TID
Is a 256 bit ticket identifier.

The TID essentially serves as a shared secret between user and relying party. knowledge of the IDENTITY key and the TID allows the relying party to iteratively query attribute data in GNS. Tickets are stored as RECLAIM_TICKET records under a label derived from the TID by applying a Base64-encoding. In addition to the ticket, the record set also contains references to the shared attributes as well as any credential presentations which attest attribute values.

2.3.1. Attribute References

An attribute reference is stored in GNS under records of type "RECLAIM_ATTRIBUTE_REF". An attribute reference is stored in GNS under a label derived from a ticket ID. The reference points to an actual attribute ID. The record format of a RECLAIM_ATTRIBUTE_REF is as follows:

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|                 ATTRIBUTE ID                  |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|         NSIZE         |          DSIZE        |
+-----+-----+-----+-----+-----+-----+-----+-----+
/                  NAME + DATA                  /
/                                               /
+-----------------------------------------------+
Figure 4

where:

ATTRIBUTE ID
Is the 256 bit attribute ID of an existing attribute.

2.3.2. Credential Presentations

A re:claimID presentation is stored in GNS under records of type "RECLAIM_PRESENTATION". A presentation is derived from a credential and may contain only a subset of the attestations. The presentation construct is used to support selective disclosure of third party issued credentials. It consists of a type, a flag, a name and data. The record format of a RECLAIM_PRESENTATION is as follows:

0     8     16    24    32    40    48    56
+-----+-----+-----+-----+-----+-----+-----+-----+
|         TYPE          |         FLAG          |
+-----+-----+-----+-----+-----+-----+-----+-----+
|                      ID                       |
|                                               |
|                                               |
|                                               |
+-----+-----+-----+-----+-----+-----+-----+-----+
|         NSIZE         |          DSIZE        |
+-----+-----+-----+-----+-----+-----+-----+-----+
/                  NAME + DATA                  /
/                                               /
+-----------------------------------------------+
Figure 5

where:

TYPE
Is the 32 bit presentation type as defined in the GANA registry.
FLAG
Is a 32 bit presentation flag combination as defined in the GANA registry
ID
Is a 256 bit credential identifier.
NSIZE
32 bit length of the presentation name in bytes.
DSIZE
32 bit length of the credential data.
NAME
The credential name. A UTF-8 string with NULL byte at the end.
DATA
The credential data.

3. Access Management

4. OpenID Connect Integration

5. Internationalization and Character Encoding

All attribute names in re:claimID are encoded in UTF-8 [RFC3629].

6. Security Considerations

7. GANA Considerations

GANA is requested to populate this registry as follows:

Number: 65549
Name: RECLAIM_TICKET
Contact: N/A
References: [This.I-D]
Description: Ticket

Number: 65549
Name: RECLAIM_ATTRIBUTE
Contact: N/A
References: [This.I-D]
Description: Identity attribute

Number: 65550
Name: RECLAIM_ATTRIBUTE_REF
Contact: N/A
References: [This.I-D]
Description: Refrerence to identity attribute

Number: 65551
Name: RECLAIM_OIDC_CLIENT
Contact: N/A
References: [This.I-D]
Description: OIDC client description

Number: 65552
Name: RECLAIM_OIDC_REDIRECT
Contact: N/A
References: [This.I-D]
Description: OIDC client redirect(s)

Number: 65553
Name: RECLAIM_CREDENTIAL
Contact: N/A
References: [This.I-D]
Description: Credential

Number: 65554
Name: RECLAIM_PRESENTATION
Contact: N/A
References: [This.I-D]
Description: Credential presentation
Figure 6

GANA is requested to amend the "GNUnet Signature Purpose" registry as follows:

Purpose: 27
Name: RECLAIM_CODE_SIGN
References: [This.I-D]
Description: Signature in OIDC authorization code
Figure 7

8. Test Vectors

9. Normative References

[RFC2119]
Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, DOI 10.17487/RFC2119, , <https://www.rfc-editor.org/info/rfc2119>.
[RFC3629]
Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, DOI 10.17487/RFC3629, , <https://www.rfc-editor.org/info/rfc3629>.
[GNS]
Schanzenbach, M., Grothoff, C., and B. Fix, "The GNU Name System", , <https://lsd.gnunet.org/lsd0001>.

Authors' Addresses

Martin Schanzenbach
GNUnet e.V.
Boltzmannstrasse 3
85748 Garching
Germany
Christian Grothoff
Berner Fachhochschule
Hoeheweg 80
CH-2501 Biel/Bienne
Switzerland