[OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.
Pierce Gorman <Pierce.Gorman@numeracle.com> Thu, 09 January 2025 18:10 UTC
From: Pierce Gorman <Pierce.Gorman@numeracle.com>
To: Watson Ladd <watsonbladd@gmail.com>, IETF oauth WG <oauth@ietf.org>
Date: Thu, 09 Jan 2025 18:10:01 +0000
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/HMt0dDe3axANIq6wniSqkhPb_WA>
Hi Watson,

I thought it was a good suggestion and am looking forward to feedback from others. I didn't understand the part of the statement in the penultimate sentence which says, "but cannot work for Issuers". I should probably understand what you meant without having to ask, but I don't. Can you please elaborate what you meant about workarounds such as issuing multiple one-time-use credentials at once (if I understood that correctly) not working for issuers?

Pierce

-----Original Message-----
From: Watson Ladd <watsonbladd@gmail.com>
Sent: Wednesday, January 8, 2025 5:51 PM
To: IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Reminder: Alternative text for sd-jwt privacy considerations.

Dear oauth wg,

Happy 2025! I hope everyone has had a nice set of holidays. As a reminder, I put forward the following proposal for text to add to either the privacy or security considerations of sd-jwt, but the timing was unfortunate, coming on Christmas Eve. Comments on it welcome.

"SD-JWT conceals only the values that aren't revealed. It does not meet standard security notions for anonymous credentials. In particular, Verifiers and Issuers can know when they have seen the same credential no matter what fields have been opened, even none of them. This behavior may not accord with what users naively expect or are led to expect from UX interactions, and may lead them to make choices they would not otherwise make. Workarounds such as issuing multiple credentials at once and using each only one time can help keep Verifiers from linking different showings, but cannot work for Issuers. This issue applies to all selective-disclosure-based approaches, including mdoc."

Sincerely,
Watson

--
Astra mortemque praestare gradatim
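To make the linkability property in Watson's proposed text concrete, here is an added Python sketch (constructed for this page, not code from the SD-JWT draft or from anyone in the thread): it builds a minimal SD-JWT-style credential, shows that the issuer-signed part is identical across presentations whatever is disclosed, and that batch-issued one-time credentials break verifier linkage but not the Issuer's, assuming the Issuer keeps its issuance records. An HMAC stands in for the issuer's JWS signature and all claim data is made up.

```python
import base64, hashlib, hmac, json, secrets

# Constructed demo, not reference SD-JWT code. A keyed HMAC stands in for the
# issuer's JWS signature; the linkability argument does not depend on it.
ISSUER_KEY = b"demo-issuer-key"  # placeholder key, constructed for this example

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_disclosure(name: str, value) -> str:
    # SD-JWT disclosure: base64url(JSON([salt, claim name, claim value]))
    return b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())

def digest(disclosure: str) -> str:
    # Digest that the issuer-signed payload carries in its "_sd" array
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def issue(claims: dict) -> tuple[str, dict]:
    """Return the issuer-signed JWT plus a map of claim name -> disclosure."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    payload = {"iss": "https://issuer.example", "_sd": sorted(digest(d) for d in disclosures.values())}
    body = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(payload).encode())
    sig = b64url(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig, disclosures

def present(issuer_jwt: str, disclosures: dict, reveal: list[str]) -> str:
    # Combined format: <issuer JWT>~<disclosure>~...~ ; unrevealed values stay hidden
    return "~".join([issuer_jwt, *[disclosures[n] for n in reveal]]) + "~"

def link_key(presentation: str) -> str:
    # Everything before the first "~" is the issuer-signed JWT, which is the same
    # on every presentation of one credential no matter which fields are opened.
    return hashlib.sha256(presentation.split("~")[0].encode()).hexdigest()

def demo() -> dict:
    alice = {"given_name": "Alice", "age_over_18": True}  # constructed holder data
    jwt1, disc1 = issue(alice)
    # Same credential, different disclosure sets (including none): linkable by a Verifier
    same_cred_linkable = link_key(present(jwt1, disc1, ["given_name"])) == link_key(present(jwt1, disc1, []))
    # Workaround: a second, batch-issued credential carries fresh salts and digests
    jwt2, disc2 = issue(alice)
    verifier_can_link_batch = link_key(present(jwt1, disc1, [])) == link_key(present(jwt2, disc2, []))
    # The Issuer retains its issuance record (assumed), so it still maps both to one holder
    issuer_records = {link_key(jwt1 + "~"): "holder-42", link_key(jwt2 + "~"): "holder-42"}
    issuer_can_link_batch = issuer_records[link_key(present(jwt1, disc1, []))] == \
        issuer_records[link_key(present(jwt2, disc2, []))]
    return {"same_cred_linkable": same_cred_linkable,
            "verifier_can_link_batch": verifier_can_link_batch,
            "issuer_can_link_batch": issuer_can_link_batch}
```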