[OAUTH-WG] Re: Alternative text for sd-jwt privacy considerations.
Wayne Chang <wayne@spruceid.com> Tue, 24 December 2024 18:14 UTC
From: Wayne Chang <wayne@spruceid.com>
Date: Wed, 25 Dec 2024 02:13:44 +0800
Message-ID: <CAFTzAXjq8AhZKKM5LC7ykFqTUAHJUD70kscrpLH-MaUFfiv_Hg@mail.gmail.com>
To: peace@acm.org
CC: John Wunderlich <john@wunderlich.ca>, IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Alternative text for sd-jwt privacy considerations.
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/BmDJDQiPqsGvmHAPAbvqF8xZOyM>
Tom, how do you feel about private sector issued ID?

Best,
Wayne Chang
Founder & CEO | SpruceID <https://spruceid.com/> | LinkedIn <https://www.linkedin.com/in/waynebuilds/>

On Wed, Dec 25, 2024 at 02:04 Tom Jones <thomasclinganjones@gmail.com> wrote:

> While Watson's statement is correct - it does not address the core problem with any credential that comes with an ID.
>
> All reusable IDs enable tracking. Full Stop.
> All government-issued IDs enable tracking. Just like a social insurance number or any other cred.
> So - if you want privacy - don't release the ID number.
>
> Peace ..tom jones
>
> On Tue, Dec 24, 2024 at 6:34 AM Watson Ladd <watsonbladd@gmail.com> wrote:
>
>> I see that people are uncomfortable with making any mandates, and so I've tried to be purely descriptive in this proposal. I leave it to the WG to decide where to put it, but I see it as a wholesale replacement for some sections to emphasize clarity.
>>
>> "SD-JWT conceals only the values that aren't revealed. It does not meet standard security notations for anonymous credentials. In particular, Verifiers and Issuers can know when they have seen the same credential no matter what fields have been opened, even none of them. This behavior may not accord with what users naively expect or are led to expect from UX interactions, and may lead them to make choices they would not otherwise make. Workarounds such as issuing multiple credentials at once and using them only one time can help for keeping Verifiers from linking different showings, but cannot work for Issuers. This issue applies to all selective disclosure based approaches, including mdoc."
>>
>> Sincerely,
>> Watson
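As an added illustration of the linkability Watson's proposed text describes (example code, not from the thread or from any SD-JWT library): a minimal SD-JWT-style issue/present flow in Python, with HMAC standing in for the issuer's JWS signature, constructed claims, and an assumed issuer-side record of what was issued to whom. It shows that the issuer-signed part is identical across presentations of one credential whatever is disclosed (even nothing), that batch-issued single-use copies with fresh salts break that link for a Verifier, and that the Issuer's own records still link them.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key"   # HMAC stands in for the issuer's JWS signature
ISSUED = {}                            # assumed issuer-side record: signed part -> subject id

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_disclosure(name, value):
    # SD-JWT disclosure: base64url(JSON([salt, claim_name, claim_value])) with a fresh salt
    return b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())

def digest(disclosure):
    # digests of the disclosures go into the signed payload's "_sd" array
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def issue(subject, claims):
    """Issue one credential: returns (issuer-signed part, all disclosures)."""
    disclosures = [make_disclosure(n, v) for n, v in claims.items()]
    payload = {"iss": "https://issuer.example", "_sd": sorted(digest(d) for d in disclosures)}
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    sig = b64url(hmac.new(ISSUER_KEY, body.encode(), "sha256").digest())
    signed = f"{body}.{sig}"
    ISSUED[signed] = subject          # the issuer remembers who received which signed part
    return signed, disclosures

def issue_batch(subject, claims, n):
    """Workaround named in the thread: n single-use copies, each with fresh salts."""
    return [issue(subject, claims) for _ in range(n)]

def present(signed, disclosures, reveal):
    """Holder presentation: the signed part plus only the disclosures being revealed."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return "~".join([signed] + chosen)

def verifier_link_key(presentation):
    """The stable value a verifier sees no matter which claims are opened."""
    return presentation.split("~")[0]

def verifier_can_link(p1, p2):
    return verifier_link_key(p1) == verifier_link_key(p2)

def issuer_can_link(p1, p2):
    """The issuer consults its own record, so batch issuance does not help against it."""
    return ISSUED[verifier_link_key(p1)] == ISSUED[verifier_link_key(p2)]
```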