IETF Logo Mail Archive

Re: [jose] An attempt at unlinkable tokens with minimal magic

Pieter Kasselman <pieter.kasselman@microsoft.com> Fri, 05 August 2022 22:51 UTC

Return-Path: <pieter.kasselman@microsoft.com>
X-Original-To: jose@ietfa.amsl.com
Delivered-To: jose@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 28552C147920 for <jose@ietfa.amsl.com>; Fri, 5 Aug 2022 15:51:15 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.589
X-Spam-Level:
X-Spam-Status: No, score=-2.589 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIMWL_WL_HIGH=-0.582, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, HTTPS_HTTP_MISMATCH=0.1, RCVD_IN_MSPIKE_H2=-0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=microsoft.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Lq3FBZ_7MiXu for <jose@ietfa.amsl.com>; Fri, 5 Aug 2022 15:51:10 -0700 (PDT)
Received: from EUR04-VI1-obe.outbound.protection.outlook.com (mail-eopbgr80091.outbound.protection.outlook.com [40.107.8.91]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6CF38C14CF09 for <jose@ietf.org>; Fri, 5 Aug 2022 15:51:10 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; s=arcselector9901; d=microsoft.com; cv=none; b=WiiBTrKpfH85jie2Gbmfqm3DI9CWIpksvBHwzCebtpyetCyRZU1tzkDx9fD39jOfUslJwDOXZEv99Ekan67t0zYJLvpRkEFxJPoANZMSIAp7DdiMSiyyIqt1+tvQYX8R2+khpvMpfRxL8BEe3YZ0lvvE/rErOg5PikXxhnGxRfxyWNaZVQefbegKbi/ZavKAmmZS9+OiPpcylcRMmEY0vWRE4zN9o7vyp18MjjEg4MkR3dfGr/D43ABWrB/t5OkVZ1JGYmimKHyuvD10ZGbPRwyCqyn8Ad/IjlDgWY1IksqwBX9fXC4JExzDmRQSNicV0B3k5oG5aCU0oblPvS2yAg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=arcselector9901; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-AntiSpam-MessageData-ChunkCount:X-MS-Exchange-AntiSpam-MessageData-0:X-MS-Exchange-AntiSpam-MessageData-1; bh=2+fNYzamNOLpZOZi53Xg2jGLDVLrNKlownpsYK5CrQk=; b=ROMMPPG6qAfPMRgR5H7H8JXSCDSiVw2HrIpI7yw1coX+P60KGexEVtc90CDgMCYOVLUUI9AbVm+AKdSFlxnljS92p2Ih+7nIBfR0xuQ/T2WB/4EwbO0McKlqUBNGN1aGekq2j+5+FXrYJvIi3ujRsj0meahD4FbtPlKAHCnEVLWgwXq6nsLRFx5tsTLyIjzCP7HcQRo8LcZJRZgOrzGLTeRkERCPOG2Xq57SgKtIy4UBzuQh7K5ZsuxEfr9mnXlwVCNUqQvkRDItRq4/yfcnD5zq4IgXtBLZ4TXii2wEO8eq4kYP3TSMEyTsfSMJkLBowOu6PPqxX2yQWGVWOMU+iw==
ARC-Authentication-Results: i=1; mx.microsoft.com 1; spf=pass smtp.mailfrom=microsoft.com; dmarc=pass action=none header.from=microsoft.com; dkim=pass header.d=microsoft.com; arc=none
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=microsoft.com; s=selector2; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version:X-MS-Exchange-SenderADCheck; bh=2+fNYzamNOLpZOZi53Xg2jGLDVLrNKlownpsYK5CrQk=; b=JxXXj1uXVmUZZnMIRQkbbj9L/cVtbo+DBEqlg/lumFdZlVFzXTBq29lv1qhjwMwF04ljRObYNrBtZZIfVOaTO88j1JqbFpeZPxx+sEg9isw7mUa+Q6JrU3Tu/KkNhjlwMSLOX0+AhhhQwK8Xs/FzKH/8KmNZO6nOdEO1kL+Kdlg=
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com (2603:10a6:20b:1b6::10) by DB9PR83MB0520.EURPRD83.prod.outlook.com (2603:10a6:10:303::16) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id 15.20.5504.1; Fri, 5 Aug 2022 22:51:02 +0000
Received: from AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::7ce2:68d0:9371:1ef8]) by AM7PR83MB0452.EURPRD83.prod.outlook.com ([fe80::7ce2:68d0:9371:1ef8%7]) with mapi id 15.20.5504.016; Fri, 5 Aug 2022 22:51:02 +0000
From: Pieter Kasselman <pieter.kasselman@microsoft.com>
To: Vasileios Kalos <vasilis.kalos=40mattr.global@dmarc.ietf.org>, Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>, Neil Madden <neil.madden@forgerock.com>, Orie Steele <orie@transmute.industries>, "Zundel, Brent" <brent.zundel=40avast.com@dmarc.ietf.org>
CC: Jeremie Miller <jeremie.miller@gmail.com>, "jose@ietf.org" <jose@ietf.org>
Thread-Topic: [jose] An attempt at unlinkable tokens with minimal magic
Thread-Index: AQHYpDmWqkqpDchZ4UaUm4inDHCQ562bYnIAgAA0woCAAGnlAIAADKmAgAM+xACAAaQIkA==
Date: Fri, 05 Aug 2022 22:51:02 +0000
Message-ID: <AM7PR83MB045236AE8FBE111E106C57A5919E9@AM7PR83MB0452.EURPRD83.prod.outlook.com>
References: <ME4P282MB0984F3582C4BD1707B86C8068E969@ME4P282MB0984.AUSP282.PROD.OUTLOOK.COM> <3D04F1F0-ACA2-402D-94B5-BB227126CFAE@forgerock.com> <CAAFNpxu0=MEwnUTtgxuU48aJVmFODwu=oLBOwxEevoa=r1iZFw@mail.gmail.com> <FA054BF3-440B-43E8-81B5-42BDADC14498@forgerock.com> <CAN8C-_JD7FjGkiP_SmyWBJpKtM33Fkmm97u9u3v3UM_6MrPr5Q@mail.gmail.com> <CAGi82uMvrrnx1KejuAohStKwSdZsr2v5+8U4iu-v7Hz_h0apdA@mail.gmail.com> <SA2PR00MB1002CA68369EC08AF30DF07BF59D9@SA2PR00MB1002.namprd00.prod.outlook.com> <SYYP282MB099015395F9B8C0AF3E4140F8E9F9@SYYP282MB0990.AUSP282.PROD.OUTLOOK.COM>
In-Reply-To: <SYYP282MB099015395F9B8C0AF3E4140F8E9F9@SYYP282MB0990.AUSP282.PROD.OUTLOOK.COM>
Accept-Language: en-IE, en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
msip_labels: MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Enabled=true; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SetDate=2022-08-02T19:56:19Z; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Method=Standard; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_Name=Internal; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_SiteId=72f988bf-86f1-41af-91ab-2d7cd011db47; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ActionId=b92a6ac8-8e9b-4af6-90c8-f7821f0b06ff; MSIP_Label_f42aa342-8706-4288-bd11-ebb85995028c_ContentBits=0;
authentication-results: dkim=none (message not signed) header.d=none;dmarc=none action=none header.from=microsoft.com;
x-ms-publictraffictype: Email
x-ms-office365-filtering-correlation-id: cab59dd2-cc01-4ebe-dfd6-08da7734f8ea
x-ms-traffictypediagnostic: DB9PR83MB0520:EE_
x-ld-processed: 72f988bf-86f1-41af-91ab-2d7cd011db47,ExtAddr
x-ms-exchange-senderadcheck: 1
x-ms-exchange-antispam-relay: 0
x-microsoft-antispam: BCL:0;
x-microsoft-antispam-message-info: KTDhoFaqoxXe8BjIVY92Wp/7EEzoJdrtRf+CsDZS7PnUSE+JZ1++tH6poQyOW1QmD6zCoGRnZAk9b5KaPKVHUh0Ts+AgsmfsEyXAGl45BU73NrbYBuqLc7F+iTN04hMGyU32DrFyxB0Hh9fyG/tbqZ7iK3TQ9njPcHgypwboZs+TTPQul6hKAqJyx25oypnRbUMhiEL8NLyVvQTJb5jXXFNXZpkFsGOxSyVlH5liuVP/JJ6NOt3qzGt73szWSQnH3FNLf+eSQx4Nm3HnNKqzuwWDH13VIFUnBcttwJYpDQQQQb+ifr5IGY79+in+evPXvbCGNks6EW50zW+3e8iA1DPb4UtO+2WNYiMFQKCQURElLj8JcepHVMI4L6CrhpT6TvDzbLFfSeBrNQFZLJrM7OTQZgqwTNY0mL/ZibnAwVSzYlwC6fu11rLhLvoU5TDbMPMR5Im7aHaA4tlKrilkOoOF39dl1y3VOj336Z8cb7cYqnOLXujSQVVHpz9lc+vLrBuyp4pn9zV35TktLBB8Gi33r75jXBkDlA2LHQo1scK2cPR4rW7HF/WKr5lTxR0uYiSmzGU4Tqr+zaMbcyU1wU8W3eTF1h/HA6s4mQQDcLUZJU2w9smt20R6zOt1tWlL14fnXHz4e2kPPdJJBDL++OPBfN16pEZq/2nQdFH4f4J/hAReMFMOxzJlPUUU2SpNYRbyyO5XS5O5MMMFPE6ufK9Cj1eXR4fGQ86mYdUQiPHFGXBnO7OwbDfenVkrEPA8pGcjWyybO3QBEmgDePIeTuvEbnOnLR2oro5birvkuHPTz2FqcHN0DZT+Xpf6HPXwXfXp0OKvLH8R6UAtnftEbzvw5kXFSwHlk57HQoKa4Dht9txZxuygkIM6jIGIbQdld0Etnx1zeCBqlWyZN8hCxxqRjv6q+sfl+cUH8BHTgiI=
x-forefront-antispam-report: CIP:255.255.255.255; CTRY:; LANG:en; SCL:1; SRV:; IPV:NLI; SFV:NSPM; H:AM7PR83MB0452.EURPRD83.prod.outlook.com; PTR:; CAT:NONE; SFS:(13230016)(4636009)(366004)(39860400002)(396003)(136003)(376002)(346002)(451199009)(82950400001)(66476007)(82960400001)(8990500004)(52536014)(5660300002)(66446008)(86362001)(33656002)(316002)(53546011)(64756008)(55016003)(8676002)(83380400001)(41300700001)(71200400001)(66556008)(66946007)(76116006)(8936002)(38070700005)(9686003)(4326008)(966005)(38100700002)(44832011)(122000001)(166002)(186003)(54906003)(2906002)(478600001)(7696005)(10290500003)(110136005)(6506007); DIR:OUT; SFP:1102;
x-ms-exchange-antispam-messagedata-chunkcount: 1
x-ms-exchange-antispam-messagedata-0: JzeM3HOmhbrxxet+nkAAY55cncNaZUwUAJATwNejpENhubUzko0buAm6zAZza11biusU75Ccp+FwLf7ceFUqfI44pawC3IKH8GN5ZhG5qMymXQ7bSZ34BZ7OzVjkab6Kf6NaIvilRrOPi4eewjql1SlecAm6vF0jOivLJdM20kHiSlKiqJkhCaJhMCRVuLPSVx1Aol7YKjEQLjzZPKjRiHTbO5yPAySixWzynFN4m7AWhgl3FTKeU1P7AIRef1pswFJdoF9GqI09g3T9025GsR3ch7kl9h6xqdzC3e115h0A/1SyzQ7Xj9mYjHW0QHaSugDOkM422Uaftn2KN6eyUTmYDgFV9BzwW7BDqGPK6qxPN5XRyP3QqcpT3DsALvI8tkOyLF1K3N4RP1LZk7eJ0pq9G1PwkjLb7b3elTI2xf+oJTh34MCpSU8Lhmrg3eLqPgRuWCZfly23KBA/YXzhlgnaOd2/SSZ/Dc/rqn7FbYLVm/q2GXL8eX+WmeTkHT9vj73Zxp11SvU7djV8mmDKPmwcmU3vVOgam6KCTrbkLzeLry2TNSGV5wMr/ch1HTLT+DBHfWUJOJpH3WViUvXh4uJmv0GatdnTYmgtAwU5bQJfVDL4QmBA8IBdCq2EGkEmbEzMkHHpoz5N19FaU1f2kcE8kU5UUAL6Mdnug2rD69iAlrI1hJ/8tldwR6no/RaxY9qOz6bkXPRyLlmNr8o+0YuFhaRNxrxLtrmN0hWWDactyzZ+NkOV30WaRqB2/cLefjSGk6g4CW0qLIzocIo1kHlXaW5k4hNXHPu8YKH+gnJ9Nd9oG2P5Lok+APdgwxCmA0nAt+ctPA1pHZXzbw0xlsanLnzDDhhe0ap0MHcIM05yUQnwbRRsXPCH3zzuwX+BHtiMwVo534xsCbJ/M3RyKsuwoDT0KINH2w4lXXWtr99F+D+OVw2br7kg/mvJD+mP7sJ/04Mn0MWYOVWRVdUJ2fVf8jCDnCb+NMHlxNOpWZabNUG3sMYqynYgdK9NZZMtxUVdVY2+CwOsTiN2Y2BUhbxosSCM1gnj/6VCXdYWgcPrLlbHDDJWe/d3e+/dI+Sh/CNEkbx02TDi69qWI+uw9ZDn+2ckoEsMQ64zXugwA4kPFunKdbJLFjHcGFN36XV3cZZhOOO9rSP+wcxFJa5qO0t+vRjV9ZebW26quJcoFoD8d06UO9P2QfapbWz/aKWHg34/+VkQ5YirgcH1EeazpD130VOEa5Ie4nA+3L25ZDtFtb0t5fuhvfNmrILtBKKsOAqvjrm9Ct+kBTdcpwOLIJuoQHhdkHJwy0V9rX5AhZdSN4hox9vNyna1yon/7pwJTru3g7rRXvkhfhYA7WtKZ63nBSL+h17PM0XtPs5/o+zCdhS1prmZ+2RuiMtd5QJy0Am3t15VFNcHZ0weZ3BM6FbUjI2zPxv29DVIS0i0PlQ6QJ7WTN6CvnkMWlK6WvusKGcJtu74hRsL7LaQbfsl8yh/tx2B9iJxsnx/JCmgO/hJVGutyJDlJTF4PLVG9wGr0OJzO3hmtrlpcdr4MR/xbNm2zH15q7SGY5cuKsu8QxqeyQrm6QU96qALWSntL0i9
Content-Type: multipart/alternative; boundary="_000_AM7PR83MB045236AE8FBE111E106C57A5919E9AM7PR83MB0452EURP_"
MIME-Version: 1.0
X-OriginatorOrg: microsoft.com
X-MS-Exchange-Transport-CrossTenantHeadersStamped: DB9PR83MB0520
Archived-At: <https://mailarchive.ietf.org/arch/msg/jose/By5rsPWMZXgCnzZH5sljWEphp4A>
Subject: Re: [jose] An attempt at unlinkable tokens with minimal magic
X-BeenThere: jose@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Javascript Object Signing and Encryption <jose.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/jose>, <mailto:jose-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/jose/>
List-Post: <mailto:jose@ietf.org>
List-Help: <mailto:jose-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/jose>, <mailto:jose-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 05 Aug 2022 22:51:15 -0000

For me, JWP is about a container format that can work with different cryptographic schemes for enabling selective disclosure.

If  we want a plurality of selective disclosure schemes and still have interoperability (or at least pluggability), we need JWPs to provide us with a common container format.

The alternative is proprietary formats that will probably be more prone to exploits, harder to implement and make selective disclosure harder to scale across wallets, authorisation servers and resource servers.

Cheers

Pieter

From: jose <jose-bounces@ietf.org> On Behalf Of Vasileios Kalos
Sent: Thursday, August 4, 2022 10:38 PM
To: Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org>; Neil Madden <neil.madden@forgerock.com>; Orie Steele <orie@transmute.industries>; Zundel, Brent <brent.zundel=40avast.com@dmarc.ietf.org>
Cc: Jeremie Miller <jeremie.miller@gmail.com>; Vasileios Kalos <vasilis.kalos=40mattr.global@dmarc.ietf.org>; jose@ietf.org
Subject: Re: [jose] An attempt at unlinkable tokens with minimal magic

Some people who received this message don't often get email from vasilis.kalos=40mattr.global@dmarc.ietf.org<mailto:vasilis.kalos=40mattr.global@dmarc.ietf.org>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>
As a further note, I think we also underestimate a little the difficulty of defining a container format that supports selective disclosure and unlinkability. There are many nuances in the design, and without a formal analysis it is easy to unintentionally compromise security and privacy [1, 2]. Applications that tried it have been found to introduce vulnerabilities [3].

What is the best wording to avoid ambiguities and what guarantees it is safe to make in the document is an excellent discussion to have but IMO is not reason enough to dismiss the item.

[1] https://ieeexplore.ieee.org/abstract/document/9799315<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fieeexplore.ieee.org%2Fabstract%2Fdocument%2F9799315&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=KKtdGTACH7%2FeaociDz%2FanU7GrhNv1pBqvu9orSkRlq0%3D&reserved=0>
[2] https://mm.aueb.gr/publications/fd17e44e-9b7a-477d-b948-81a71db53b06.pdf<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmm.aueb.gr%2Fpublications%2Ffd17e44e-9b7a-477d-b948-81a71db53b06.pdf&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=rBzC7iCntWwmIFOE0yvEIv%2Bxt%2FdMcV99gdQPZ3Aqe%2FA%3D&reserved=0>
[3] https://github.com/w3c-ccg/ldp-bbs2020/issues/60<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fw3c-ccg%2Fldp-bbs2020%2Fissues%2F60&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=s5UPr3jhAEmxltuvUNmXgnLqU%2FEElxap1GGi%2B04Nlrg%3D&reserved=0>

Best regards!
Vasilis

________________________________
From: jose <jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>> on behalf of Mike Jones <Michael.Jones=40microsoft.com@dmarc.ietf.org<mailto:Michael.Jones=40microsoft.com@dmarc.ietf.org>>
Sent: Tuesday, August 2, 2022 11:04 PM
To: Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>>; Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>; Zundel, Brent <brent.zundel=40avast.com@dmarc.ietf.org<mailto:brent.zundel=40avast.com@dmarc.ietf.org>>
Cc: Jeremie Miller <jeremie.miller@gmail.com<mailto:jeremie.miller@gmail.com>>; Vasileios Kalos <vasilis.kalos=40mattr.global@dmarc.ietf.org<mailto:vasilis.kalos=40mattr.global@dmarc.ietf.org>>; jose@ietf.org<mailto:jose@ietf.org> <jose@ietf.org<mailto:jose@ietf.org>>
Subject: Re: [jose] An attempt at unlinkable tokens with minimal magic

EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.


Neil, you wrote:

"I think perhaps we most fundamentally disagree on this roadmap. Although many standardised systems have followed this kind of modular design, I don't think it is the best approach. Compare say IPSec vs WireGuard for an often-cited example. Privacy is not a separable concern. Start with the privacy-aware applications. Otherwise I think we'll end up with lots of "privacy-related" tools with lots of sharp edges that inevitably get used inappropriately."



Modular design based on standards is the most practical approach to enabling applications to use these new algorithms easily, safely, and correctly.  Yes, as with any standards, implementation mistakes will be made.  But as happened with the other JOSE standards, those mistakes were caught, implementations were fixed, and the JWT BCP<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.rfc-editor.org%2Frfc%2Frfc8725.html&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=HMziLE0uWEeFxMGrw0uV1QcAyndjr5gO3W2vXiR%2FA8U%3D&reserved=0> was written to help implementers avoid them in the future.  By making JWP a standard, the same virtuous cycle of review and refinement will occur for it.



The alternative is having applications write bespoke cryptographic code to use these algorithms.  That's certainly a security anti-pattern.  Yes, the WireShark code is likely well reviewed by virtue of being in the Linux Kernel, but that's not typical.  We owe those needing this functionality simple, well-reviewed standards they can build upon.



                                                       -- Mike



P.S.  To my first point, see Kristina Yasuda's reprise<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Ftwitter.com%2Fkristinayasuda%2Fstatus%2F1554474399226552320&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=62bMKS3qmZx%2BLt08%2FEWu1XKx5kbg3nFxh0Q7luTnPLg%3D&reserved=0> of John Bradley's points "Open standards can create a healthy ecosystem in which security issues are addressed effectively" and "implementation is everything".



From: jose <jose-bounces@ietf.org<mailto:jose-bounces@ietf.org>> On Behalf Of Zundel, Brent
Sent: Tuesday, August 2, 2022 12:19 PM
To: Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>>
Cc: Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>>; Jeremie Miller <jeremie.miller@gmail.com<mailto:jeremie.miller@gmail.com>>; Vasileios Kalos <vasilis.kalos=40mattr.global@dmarc.ietf.org<mailto:vasilis.kalos=40mattr.global@dmarc.ietf.org>>; jose@ietf.org<mailto:jose@ietf.org>
Subject: Re: [jose] An attempt at unlinkable tokens with minimal magic



You don't often get email from brent.zundel=40avast.com@dmarc.ietf.org<mailto:brent.zundel=40avast.com@dmarc.ietf.org>. Learn why this is important<https://aka.ms/LearnAboutSenderIdentification>

>  If we are going to do modern cryptography, we will either have a standard json representation or we won't.



This hits a main point for me. We want to use modern cryptographic schemes, and would prefer to have a standard JSON representation. None of the existing JOSE formats work, it looks like JWP would work great, while also making use of the general architecture shared by other JOSE formats.



On Tue, Aug 2, 2022 at 7:00 AM Orie Steele <orie@transmute.industries<mailto:orie@transmute.industries>> wrote:

Good security is about building the right layers.



Many of these arguments might be better focused in the CFRG.



I wonder if the argument in this thread might be some version of denying the problem... If we are going to do modern cryptography, we will either have a standard json representation or we won't.



If the assertion is, let's not use that cryptography... That's not exactly an argument against the envelope format.



I am in favor or resurrecting JOSE and defining JWP.



Regards,



OS















On Tue, Aug 2, 2022, 4:51 AM Neil Madden <neil.madden@forgerock.com<mailto:neil.madden@forgerock.com>> wrote:

On 30 Jul 2022, at 18:26, Jeremie Miller <jeremie.miller@gmail.com<mailto:jeremie.miller@gmail.com>> wrote:



Isn't this somewhat overstating the likely privacy benefits? If the prover reveals _any_ PII to the verifier then the verifier can collaborate with the issuer to discover everything about that user.



JWP as a container aims to make unlinkability _possible_ for applications to build, not a guarantee.  There are many extremes an application may choose to design for to accomplish different scales of unlinkability (from multiple verifiers colluding, from the verifier and issuer colluding, from multiple presentations to the same verifier, etc).



In my mind it's akin to you can cryptographically validate the contents and signature in a JWS, but how you decide if you trust the signer is up to the application or higher level protocols.



And we know from many studies on deanonymisation that it is very easy to accidentally reveal enough information to be identifiable. ZK proofs are nice and everything but they only ensure zero *additional* knowledge is gained by the verifier. In practice what is explicitly revealed is often enough.



That's exactly why we believe this work is very important, having a container to support algorithms where zero *additional* knowledge is revealed by the container and crypto layers.



It *is* very easy to incidentally reveal linkable factors, which is why JWP is hard to get right, and critical to do so to enable this capability.



IMO if you want to have any hope of actually achieving the privacy you want then you really need to design the entire protocol, including specifying exactly what information is to be revealed. I think designing a generic "privacy preserving" message container is likely to give people unrealistic expectations.



We have the lowest level privacy algorithms becoming well established like BBS (and CL signatures, etc), next we need a privacy-capable container to make those algorithms more accessible and interoperable, then we need privacy protocols to leverage those containers, then privacy aware applications, ecosystems, and user experiences.



I think perhaps we most fundamentally disagree on this roadmap. Although many standardised systems have followed this kind of modular design, I don't think it is the best approach. Compare say IPSec vs WireGuard for an often-cited example. Privacy is not a separable concern. Start with the privacy-aware applications. Otherwise I think we'll end up with lots of "privacy-related" tools with lots of sharp edges that inevitably get used inappropriately.



- Neil



_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fjose&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=T2ZFLiy7haZ%2BoyjsA0iHuMzkMspIIptmXCe4p1jDWOU%3D&reserved=0>

_______________________________________________
jose mailing list
jose@ietf.org<mailto:jose@ietf.org>
https://www.ietf.org/mailman/listinfo/jose<https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fwww.ietf.org%2Fmailman%2Flistinfo%2Fjose&data=05%7C01%7Cpieter.kasselman%40microsoft.com%7Cbedc193dc46b45b7ea8b08da7661a6c7%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637952459838625546%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=T2ZFLiy7haZ%2BoyjsA0iHuMzkMspIIptmXCe4p1jDWOU%3D&reserved=0>




--

Brent Zundel

Principle Crypto Engineer - Avast

v2.23.0 | Report a Bug | By Email