[OAUTH-WG] Re: Second WGLC for SD-JWT

Watson Ladd <watsonbladd@gmail.com> Wed, 13 November 2024 01:04 UTC

From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 12 Nov 2024 17:04:28 -0800
To: Brian Campbell <bcampbell@pingidentity.com>
CC: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/3uX4FTKIs12XVVKrxUGFBJQQZVc>

Brian,

I think we all agree on the technical issue here and its implications. The
question should be tightened to the adequacy of the advice given for
dealing with it.

Age verification is an application that people will want to use and a clear
statement that that's not a good idea is needed here. Otherwise we're
ignoring our ethical responsibilities to the public.

I'd appreciate it if others would weigh in, particularly if they haven't
followed this debate before.


On Tue, Nov 12, 2024, 3:59 PM Brian Campbell <bcampbell@pingidentity.com>
wrote:

> Consistently saying something isn't the same as gathering consensus about
> what, if any, changes to make as a result of saying it. The IETF has a
> consensus-based process for standards development and sometimes one
> individual's viewpoint falls outside consensus. Repeatedly voicing the
> viewpoint doesn't change that.
>
> I suggest the WG proceed with submitting the draft to the IESG for
> publication while noting in the Shepherd Write-Up that Watson has
> repeatedly raised a concern about privacy implications and, despite changes
> being made as a result, has raised the comment again. I believe it's
> completely reasonable at this point to declare the comment as "in the
> rough" with respect to the consensus of the WG.
>
>
> On Fri, Oct 25, 2024 at 9:45 AM Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> The privacy issues I have consistently raised have not been addressed
>> through actionable text.
>>
>> Implementers are not receiving guidance with the current version. The
>> actual risks are buried below a bunch of words talking around the
>> issue.
>>
>> I'll be very clear: if a user uses this technology to pass an age
>> verification filter, they will end up exposing their complete identity
>> without knowing it. This is an unacceptable risk, and no one disagrees
>> the technology poses it. Implementers will often not have the skills
>> or knowledge to identify this concern independently, and need
>> actionable guidance on how to mitigate it. We provide far more
>> actionable guidance on storage of credentials.
>>
>> On Fri, Oct 18, 2024 at 11:00 AM Rifaat Shekh-Yusef
>> <rifaat.s.ietf@gmail.com> wrote:
>> >
>> > All,
>> >
>> > This is a short second WG Last Call for the SD-JWT document after the
>> recent update based on the feedback provided during the first WGLC
>> >
>> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-13.txt
>> >
>> > Please, review this document and reply on the mailing list if you have
>> any comments or concerns, by Oct 25th.
>> >
>> > Regards,
>> >   Rifaat & Hannes
>> > _______________________________________________
>> > OAuth mailing list -- oauth@ietf.org
>> > To unsubscribe send an email to oauth-leave@ietf.org
>>
>>
>>
>> --
>> Astra mortemque praestare gradatim
>>
>
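The exposure Watson describes in his quoted message (a user passing an age check with an SD-JWT and revealing far more than an age claim) can be made concrete. The Python below is an added example written for this page; it is not code from the draft or from any participant in the thread. It builds a simplified SD-JWT-style credential (salted claim digests in `_sd`, disclosures appended with `~`), uses an HMAC as a stand-in for the issuer's asymmetric signature, a constructed identity for "Alice", and an assumed issuer log keyed by signature value. Disclosing only `age_over_18` still hands each verifier the full digest list and the signature, so two verifiers can link the presentations, and an issuer that kept its issuance record can map that signature straight back to the complete claim set. The second case shows the commonly discussed mitigation, a batch of fresh single-use SD-JWTs, which removes the verifier-side link but not the issuer-side one.

```python
import base64
import hashlib
import hmac
import json
import secrets

ISSUER = "https://issuer.example"  # constructed issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value):
    """SD-JWT style: disclosure = base64url(JSON [salt, name, value]); digest = base64url(SHA-256(disclosure))."""
    salt = b64url(secrets.token_bytes(16))
    disclosure = b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())
    digest = b64url(hashlib.sha256(disclosure.encode()).digest())
    return disclosure, digest


def issue_sd_jwt(claims, issuer_key):
    """Return (issuer-signed JWT, {claim name: disclosure}); every claim sits behind a salted digest."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        disclosure, digest = make_disclosure(name, value)
        disclosures[name] = disclosure
        digests.append(digest)
    payload = {"iss": ISSUER, "_sd_alg": "sha-256", "_sd": sorted(digests)}
    header = b64url(b'{"alg":"HS256"}')  # HMAC stands in for the issuer's real signature
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    signature = b64url(hmac.new(issuer_key, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{signature}", disclosures


def present(issuer_jwt, disclosures, reveal):
    """Holder sends the whole issuer-signed JWT plus only the chosen disclosures."""
    return "~".join([issuer_jwt, *[disclosures[name] for name in reveal]]) + "~"


def verifier_view(presentation, issuer_key):
    """What a verifier learns: the disclosed claims, but also every digest and the signature."""
    parts = presentation.split("~")
    issuer_jwt, sent = parts[0], [p for p in parts[1:] if p]
    header, body, signature = issuer_jwt.split(".")
    expected = b64url(hmac.new(issuer_key, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        raise ValueError("issuer signature check failed")
    payload = json.loads(b64url_decode(body))
    disclosed = {}
    for disclosure in sent:
        digest = b64url(hashlib.sha256(disclosure.encode()).digest())
        if digest not in payload["_sd"]:
            raise ValueError("disclosure is not bound to the signed credential")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        disclosed[name] = value
    return {"disclosed": disclosed, "all_digests": payload["_sd"], "signature": signature}


def linkable(view_a, view_b):
    """Two presentations are linkable across verifiers if they share the signature or any digest."""
    shared_digest = set(view_a["all_digests"]) & set(view_b["all_digests"])
    return view_a["signature"] == view_b["signature"] or bool(shared_digest)


def demo():
    key = b"constructed-issuer-key"
    identity = {"given_name": "Alice", "family_name": "Example",
                "birthdate": "1990-01-01", "age_over_18": True}
    issuer_log = {}  # assumed: the issuer records what it signed, keyed by signature

    # Case 1: one long-lived SD-JWT reused at two verifiers for an age check.
    jwt, discs = issue_sd_jwt(identity, key)
    issuer_log[jwt.split(".")[2]] = identity
    view_a = verifier_view(present(jwt, discs, ["age_over_18"]), key)
    view_b = verifier_view(present(jwt, discs, ["age_over_18"]), key)

    # Case 2: a batch of SD-JWTs with fresh salts, each presented once.
    jwt1, discs1 = issue_sd_jwt(identity, key)
    jwt2, discs2 = issue_sd_jwt(identity, key)
    for j in (jwt1, jwt2):
        issuer_log[j.split(".")[2]] = identity
    view_1 = verifier_view(present(jwt1, discs1, ["age_over_18"]), key)
    view_2 = verifier_view(present(jwt2, discs2, ["age_over_18"]), key)

    return {
        "disclosed": view_a["disclosed"],
        "reused_linkable": linkable(view_a, view_b),
        "reused_issuer_recovers": issuer_log[view_a["signature"]],
        "batch_linkable": linkable(view_1, view_2),
        "batch_issuer_recovers": issuer_log[view_2["signature"]],
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the verifier in both cases learning only `{"age_over_18": true}` as a claim, while `reused_linkable` is true and `batch_linkable` is false; in both cases the issuer log resolves the presented signature to Alice's full identity, which is the collusion path that guidance to implementers has to address.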