[OAUTH-WG] Re: OAuth Digest, Vol 189, Issue 37
Moneybenn <cajungotshop@gmail.com> Wed, 31 July 2024 13:11 UTC
From: Moneybenn <cajungotshop@gmail.com>
In-Reply-To: <172243082068.6614.5134548496979794859@ietfa.amsl.com>
References: <172243082068.6614.5134548496979794859@ietfa.amsl.com>
MIME-Version: 1.0
Date: Wed, 31 Jul 2024 09:11:48 -0400
Message-ID: <CAB-s2DCHQ8cRDrzhgoCc_65kDn0PhFW=TxvTt90LtoSDxuT9eg@mail.gmail.com>
To: oauth-request@ietf.org, oauth@ietf.org
Subject: [OAUTH-WG] Re: OAuth Digest, Vol 189, Issue 37
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/JlN0YNo8_J6o2kFusVDhP5-iSK8>
I need my payments
Seth Landry

On Wed, Jul 31, 2024 at 8:07 AM, <oauth-request@ietf.org> wrote:

Send OAuth mailing list submissions to oauth@ietf.org

To subscribe or unsubscribe via email, send a message with subject or body 'help' to oauth-request@ietf.org

You can reach the person managing the list at oauth-owner@ietf.org

When replying, please edit your Subject line so it is more specific than "Re: Contents of OAuth digest..."

Today's Topics:

1. Re: We cannot trust Issuers (Brian Campbell)

----------------------------------------------------------------------

Message: 1
Date: Wed, 31 Jul 2024 06:31:21 -0600
From: Brian Campbell <bcampbell@pingidentity.com>
Subject: [OAUTH-WG] Re: We cannot trust Issuers
To: Leif Johansson <leifj@mnt.se>
Cc: IETF oauth WG <oauth@ietf.org>
Message-ID: <CA+k3eCQom6=o+fSYWRd+qWZnWqki3Enij1X8tYhn75Ksuz=jvA@mail.gmail.com>

On Tue, Jul 23, 2024 at 11:15 AM Leif Johansson <leifj@mnt.se> wrote:

> On Mon, 2024-07-22 at 19:43 -0400, Richard Barnes wrote:
> > I would observe that any solution based on garden-variety digital
> > signature (not something zero-knowledge like BBS / JWP) will have
> > problems with issuer/verifier collusion. One-time tokens and batch
> > issuance don't help. There is no such thing as SD-JWT with
> > issuer/verifier collusion resistance. At best you could have SD-JWP.
> >
> > I don't think this needs to be a blocker on SD-JWT. There are use
> > cases that don't require issuer/verifier collusion resistance. We
> > should be clear on the security considerations and warn people away
> > who care about issuer/verifier collusion resistance, and accelerate
> > work on SD-JWP if that's an important property to folks.
>
> +1 on this

I'm generally a +1 on this too.

There is an attempt at a discussion around unlinkability in the privacy considerations at https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-unlinkability currently. Concrete suggestions to that text about how to better frame the risks and difficulties around Issuer/Verifier Unlinkability (perhaps especially with respect to something like a government issuer compelling collusion from verifiers) would be welcome for consideration.

------------------------------

Subject: Digest Footer

OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-leave@ietf.org

------------------------------

End of OAuth Digest, Vol 189, Issue 37
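The point Richard Barnes makes in the quoted digest (that one-time tokens and batch issuance do not give Issuer/Verifier unlinkability for a plain-signature format such as SD-JWT) is easy to see with a small model. The following is an added illustration, not code from the thread, the SD-JWT draft, or any of the participants. It builds a simplified SD-JWT-like token (salted disclosures, a signed `_sd` digest array), lets the Holder reveal a single claim, and then shows what an Issuer that keeps an issuance log can do when a Verifier forwards a presentation to it. Assumptions: the issuer identifier, subjects and claims are constructed; an HMAC with a constructed key stands in for the Issuer's JWS signature, since the linkage depends on the signed digest array, not on the signature algorithm; the encoding is a simplification of the draft's structure, not a conformant SD-JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import List, Optional, Tuple

# Constructed issuer key; an HMAC stands in for the Issuer's real JWS signature.
ISSUER_KEY = b"constructed-issuer-key-not-a-real-secret"
ISSUER = "https://issuer.example"  # hypothetical issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(claim: str, value) -> str:
    # SD-JWT style disclosure: base64url of the JSON array [salt, name, value].
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, claim, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def sign(payload: dict) -> str:
    signing_input = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()
    return b64url(hmac.new(ISSUER_KEY, signing_input, hashlib.sha256).digest())


def issue(subject: str, claims: dict, issuer_log: list) -> Tuple[dict, List[str]]:
    """Issuer side: build one token with fresh salts and record what was issued.
    Every token carries a unique signed _sd array, and the Issuer knows which
    subject received it; that record is the root of the linkability problem."""
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    payload = {"iss": ISSUER, "_sd": sorted(digest(d) for d in disclosures)}
    issuer_log.append({"subject": subject, "_sd": frozenset(payload["_sd"])})
    return {"payload": payload, "sig": sign(payload)}, disclosures


def present(token: dict, disclosures: List[str], reveal: set) -> dict:
    """Holder side: selectively disclose only the named claims."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return {"token": token, "disclosures": chosen}


def verify(presentation: dict) -> Optional[dict]:
    """Verifier side: check the signature and that each disclosure hashes to a
    digest in the signed _sd array. Returns the revealed claims, or None."""
    token = presentation["token"]
    if not hmac.compare_digest(sign(token["payload"]), token["sig"]):
        return None
    revealed = {}
    for d in presentation["disclosures"]:
        if digest(d) not in token["payload"]["_sd"]:
            return None
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return revealed


def issuer_link(presentation: dict, issuer_log: list) -> Optional[str]:
    """What Issuer/Verifier collusion enables: the Verifier forwards the presented
    token and the Issuer matches its signed _sd array against the issuance log.
    Which claims were revealed is irrelevant; the digests identify the token."""
    presented = frozenset(presentation["token"]["payload"]["_sd"])
    for record in issuer_log:
        if record["_sd"] == presented:
            return record["subject"]
    return None


def demo() -> dict:
    log = []
    # Batch issuance: several one-time tokens per subject, each with fresh salts.
    alice_tokens = [issue("alice", {"age_over_18": True, "name": "Alice"}, log) for _ in range(3)]
    for _ in range(3):
        issue("bob", {"age_over_18": True, "name": "Bob"}, log)
    # Alice spends one token and reveals only age_over_18.
    token, disclosures = alice_tokens[2]
    p = present(token, disclosures, {"age_over_18"})
    # A disclosure that was not part of the signed token must be rejected.
    forged = {"token": token, "disclosures": [make_disclosure("age_over_18", True)]}
    return {
        "claims": verify(p),
        "linked_to": issuer_link(p, log),
        "forged_accepted": verify(forged) is not None,
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the Verifier learns only `{"age_over_18": True}`, yet a colluding Issuer still resolves the presentation to `alice` even though three separately salted tokens were issued to her. The fresh salts only stop Verifiers from correlating with each other; they cannot hide the token from the party that signed it, which is why the quoted text says the property needs something like BBS / JWP rather than a tweak to SD-JWT issuance.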