[OAUTH-WG] Re: SD-JWT and Unlinkability
Dick Hardt <dick.hardt@gmail.com> Tue, 24 September 2024 07:22 UTC
Return-Path: <dick.hardt@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 67952C16941F for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2024 00:22:12 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Ib2vb_Kp7byq for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2024 00:22:11 -0700 (PDT)
Received: from mail-yb1-xb30.google.com (mail-yb1-xb30.google.com [IPv6:2607:f8b0:4864:20::b30]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id D82BEC14F6BE for <oauth@ietf.org>; Tue, 24 Sep 2024 00:22:11 -0700 (PDT)
Received: by mail-yb1-xb30.google.com with SMTP id 3f1490d57ef6-e05f25fb96eso4594803276.1 for <oauth@ietf.org>; Tue, 24 Sep 2024 00:22:11 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727162531; x=1727767331; darn=ietf.org; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=OdSx45dkGR0Wf3hWGTjsu0nfLF3QJLUqXrA0z7g8JVo=; b=WrStjGpxJTz2KO4Q9fIGw11w1CIDKKTJp1W3EBWG0RQsRr3LlluCpXytGgW5jQO5K1 HO1JZfnOhsX4ZVZF/rhoLDRfFerQjUTQHZXJ7zBADFDB3LDNDjVI5TY1xeoAVv+t4kH/ F1ZUkR8J4ArzSxxZ1sP7dZDHLU2Bs9U7NajBxK8uyNITD9YsDlH3fytVOkGj6Y4JK9dT gvtt9RIpBDlJEVBY/5/KUgVKaGiPHv0HDmp3d2YDaS0h5vYEh2X6j2QCyp4bDWpAZP0a npalhfH+kzprRVOjg9n5cENmSjiYBSBdPNNWJlhin7Np+Aj6jrvZauT1YCmuI/F6kdQM QkEQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727162531; x=1727767331; h=cc:to:subject:message-id:date:from:reply-to:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=OdSx45dkGR0Wf3hWGTjsu0nfLF3QJLUqXrA0z7g8JVo=; b=A4sviVkG+wbSRgCdy/qBzqUlsub6g/inPtd+z66ni0vYfMadwGKP0NmDxiUnOafBsn j3C9/6EHc/2b7OtfUHVjHypcScMyBjL1kwFdbp4e3PyCKsnZw5WdmMK+WWkw0z6MxDXg TEG5/JBlqLrehlU5YvXUQq1G/7KCa3sYDwsjO+YJzxrayPnOTubD5KPKxi+cqmW0L8cT VpVJRvfhTjsxnOpiSWu056WL1p3KyYmlNRZ0BidsASgqmdPMeV79QDC2cpF2ta/TMeLG WdUu27mxuSqNlkqbfojFTGtGe78dMU5snRjnSAINOxKXFwmdXl7b43p8MubQzfxItlu9 RZuQ==
X-Forwarded-Encrypted: i=1; AJvYcCVhv4C6L2LBLU71L119MdVuDrd5OMTNiD1DKI0y1FRokOJMA/YB2GE+Z+5UuGCk9IDDExPH2w==@ietf.org
X-Gm-Message-State: AOJu0Yz8gCbUg8fh1xHGSVimyDaiKTaOTX2FKTOQf/3ECzJJYMNrzKNN 6KEgT24XzAXty/BDNhl9JTXdWmF0ZQ93kzScZv990ZMAJniuIWSUAkstEh+23nHppgCfWszXiiA PbCmcWvY+ozn1wrQkM03iaSPZURM=
X-Google-Smtp-Source: AGHT+IEt2GYcICBeW21BDXaYkp7CjZKlD7fFHfJwehO2q+KUbU9jH5vTzxHJgwbhZ2RYX97LCXN0kprHuciJYYo4OmQ=
X-Received: by 2002:a05:6902:2012:b0:e13:ca39:f80d with SMTP id 3f1490d57ef6-e2250ca32d5mr10001480276.38.1727162530942; Tue, 24 Sep 2024 00:22:10 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s_gFmkCC8uKXQXC0W1u_zcaktvvNV6wEC4RtJQMarnng@mail.gmail.com> <51d9e2b2-e766-4eea-8b31-a0ae5b2cfae4@danielfett.de> <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com> <CAFje9Pg=-H9x35JQzdL8_9HjRCeR6+n9DO_pu32SK_mKib4RWw@mail.gmail.com>
In-Reply-To: <CAFje9Pg=-H9x35JQzdL8_9HjRCeR6+n9DO_pu32SK_mKib4RWw@mail.gmail.com>
From: Dick Hardt <dick.hardt@gmail.com>
Date: Tue, 24 Sep 2024 08:21:35 +0100
Message-ID: <CAD9ie-s8TqfwnCcO4fQr_HwvUs-+gXy53NCAVx7zYpmHT9R4vQ@mail.gmail.com>
To: Kristina Yasuda <yasudakristina@gmail.com>
Content-Type: multipart/alternative; boundary="000000000000205d910622d85d7f"
Message-ID-Hash: QOIJYPGLESJYWUZMK4ETU7CHIRPKA5WO
X-Message-ID-Hash: QOIJYPGLESJYWUZMK4ETU7CHIRPKA5WO
X-MailFrom: dick.hardt@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: kristina@sfc.keio.ac.jp, oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Reply-To: Dick.Hardt@gmail.com
Subject: [OAUTH-WG] Re: SD-JWT and Unlinkability
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/Ke61Qokb4GH5cgFBFqOLv-EPmYU>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
My feedback is that the current language on batch issuance is not actionable, and that this document should stand on its own If the reader is supposed to take guidance from other documents, then you should refer to those other documents, but I would have that in addition to specific guidance. On Mon, Sep 23, 2024 at 10:03 PM Kristina Yasuda <yasudakristina@gmail.com> wrote: > > there is no guidance on how many to issue, nor how a holder chooses > when to reissue the same ones > > the question about users randomly selecting some to store and some to > reject. > > These are great points, however, just like JWT/JWS specifications do not > define how to manage the lifecycle of those, SD-JWT document is not a > right place to discuss them. What you call a "hack" is not meant to be > fully specified in SD-JWT document itself. Please review documents such > as OpenID4VCI to improve various aspects of batch (re)issuance. > > On another note, and not sure this was your original point, but I can > recall that originally, we had a text in the document that there are other > ways to achieve verifier/verifier unlinkability, other than batch issuance, > mainly using advanced cryptography (aka ZKPs). Then, upon receiving > feedback that such text is not really actionable or implementable, because > it was not well established how to use ZKP with SD-JWTs, we removed > sentences alluding to the mechanisms that are not batch issuance. > However, I think that might be changing, looking at the work > cryptographers at Google have been demonstrating recently. I think we are > eagerly waiting for that work to be published and peer reviewed. > To sum up, I think we could add back into the SD-JWT document a sentence > saying there are ways other than batch issuance to achieve > verifier-verifier unlinkability. > > Best, > Kristina > > > On Sat, Sep 21, 2024 at 5:56 PM Dick Hardt <dick.hardt@gmail.com> wrote: > >> I understand it has become the accepted approach. It still comes across >> as a hack, and there is no guidance on how many to issue, nor how a holder >> chooses when to reissue the same ones. >> >> I'm amused by the decision to use implicit typing in a disclosure to save >> a few bytes, but we will send dozens of credentials to minimize the chance >> of linking :) >> >> On Sat, Sep 21, 2024 at 4:29 PM Daniel Fett <mail@danielfett.de> wrote: >> >>> Hi Dick, >>> >>> Batch credential (not claims) issuing has become the default approach to >>> circumvent the inherent limitations of salted-hash-based credentials >>> formats. This was neither invented by us, nor is it unreasonable to ask >>> implementers to do it. Protocols such as OpenID4VCI support it. >>> >>> -Daniel >>> Am 21.09.24 um 06:42 schrieb Dick Hardt: >>> >>> Is it really going to be practical to batch issue claims, and have the >>> holder randomly choose between them on presentation? >>> >>> As an implementer, what is the right number of claims to be in a batch? >>> >>> This section of the draft reads as a hack to add a new capability >>> (unlinkability) to a mechanism that did not have that as a design objective. >>> >>> This is going to be like the "alg":"null" for SD-JWT. :-) >>> >>> >>>
- [OAUTH-WG] SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: SD-JWT and Unlinkability Daniel Fett
- [OAUTH-WG] Re: SD-JWT and Unlinkability Tom Jones
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: How to get the benefits of BBS+, w… Watson Ladd
- [OAUTH-WG] Re: SD-JWT and Unlinkability Kristina Yasuda
- [OAUTH-WG] Re: SD-JWT and Unlinkability Kristina Yasuda
- [OAUTH-WG] Re: SD-JWT and Unlinkability Daniel Fett
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: SD-JWT and Unlinkability Kristina Yasuda
- [OAUTH-WG] Re: SD-JWT and Unlinkability Denis
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] How to get the benefits of BBS+, witho… Denis
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: SD-JWT and Unlinkability Watson Ladd
- [OAUTH-WG] Re: SD-JWT and Unlinkability David Waite