[OAUTH-WG] Re: -15 of SD-JWT
Paul Bastian <paul.bastian@posteo.de> Wed, 29 January 2025 17:03 UTC
Message-ID: <f14ef99f-b062-48ef-ac73-b022ff32c24b@posteo.de>
Date: Wed, 29 Jan 2025 17:03:06 +0000
MIME-Version: 1.0
To: oauth@ietf.org
References: <173705224344.1092276.9982201992849908644@dt-datatracker-57c4c68d9c-p9khg> <CA+k3eCQ6wjPhXsLzPiRpYpDCmTUgfU=aTuWAr7X+tAFYVKYu3A@mail.gmail.com> <CACsn0cm+xb78_8G2Txjzh0JWc0Ci97A_7nn2bvanOrXObc-BKQ@mail.gmail.com> <CA+k3eCSATeU343WtKrTiqbzXf25awdMN-VRnzyrogXSQt1_jQA@mail.gmail.com> <CAK=m9GaTtjSL9N_iRxZnZk3GeEZ+V6xVf8pKJc_oC2mPQfB_Fw@mail.gmail.com>
Content-Language: en-US
From: Paul Bastian <paul.bastian@posteo.de>
In-Reply-To: <CAK=m9GaTtjSL9N_iRxZnZk3GeEZ+V6xVf8pKJc_oC2mPQfB_Fw@mail.gmail.com>
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MZ-0yWBfrsKdXi6ZjOsZchYSGvw>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
I agree that the draft is ready to progress. I also agree with Brian that the privacy considerations are good enough and have been for several months already and are beyond what the average IETF Draft is providing.

On 29.01.25 16:48, Brent Zundel wrote:
> fwiw, I also believe the draft is ready to progress.
>
> On Wed, Jan 22, 2025 at 2:17 PM Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org> wrote:
>
> Watson,
>
> I think perhaps there's a misalignment of goals here.
>
> My perspective is that the privacy considerations are good enough (and have been for several months now) for the draft to proceed and will likely be improved or changed more anyway during the course of shepherd, AD, directorate, and IESG reviews yet to come.
>
> There were some accommodations made to hear your concerns and then incorporate text based on your most recent suggestion. From my point of view, this was an olive branch offered to help move the conversation forward. It was not intended as an invitation or obligation to introduce further, more significant changes.
>
> I strongly believe it is time for this draft to progress, a sentiment I share with the draft co-editors and I think a significant portion of the working group participants. Once again, I respectfully request that the chairs initiate the document shepherding process.
>
> On Thu, Jan 16, 2025 at 8:25 PM Watson Ladd <watsonbladd@gmail.com> wrote:
>
> Brian,
>
> I'm glad we've finally reached rough consensus on adding the paragraph I've wanted since SF, and more importantly highlighting the issues that the security failures of SD-JWT make for users.
>
> However, the editorial issues with the verbosity of the privacy considerations remain, and have gotten worse. Is there really no way to condense it? I hoped that instead of my hamfisted mass deletion in the first PR we'd have a more careful rewrite of the preceding text in light of the new consensus to express, vs. not touching it.
>
> I think it would read better as follows:
>
> - Move the summary paragraph (with some edits (s/above/below/ etc)) to the top of the section
> - Delete the paragraph that goes "Issuer/Verifier unlinkability with a careless," as it is subsumed by the summary entirely. We'll put the data minimization note in somewhere else
> - "Contrary to that, Issuer/Verifier unlinkability" - add in the data minimization note here
>
> Probably this will need some more chopping at.
>
> IMHO it seems that rather than agree on what we want to say, then say it, we've agreed to say 3 or 4 different things all at the same time. I don't think that's actually recording agreement on the substance of what we want to say.
>
> When we talk about batch issuance we say it achieves presentation unlinkability. However, that's not how we defined presentation unlinkability, which applies to multiple showings of the same, not different, credentials. I'm not really sure what to do with that: maybe "achieves" should become "works around the lack of". Or maybe we need a different notion of same, but that's going to force some very sweeping changes.
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
>
> CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
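The distinction Watson draws between presentation unlinkability (several showings of the same credential) and what batch issuance gives you (several distinct credentials for the same claims) is easy to see once the SD-JWT digest construction is written out. The following is an added example for this page, not code from the draft, from any message in the thread, or from any SD-JWT library. It builds disclosures as base64url(JSON [salt, name, value]) and digests as base64url(SHA-256(disclosure)) exactly as the sha-256 case of the draft does, but omits the JWS signature, decoy digests and key binding; the function names, the `IssuerLog` class and the sample claims are this example's own constructions. It shows that two presentations of one credential always share the digests in the signed payload (a verifier can link them), that two batch-issued credentials share none (verifiers cannot link them by digest), and that the issuer, having generated every salt, can still map any of them back to the subject.

```python
import base64
import hashlib
import json
import secrets
from typing import Optional

# Added example, not code from the SD-JWT draft or from this thread. It mirrors
# the draft's disclosure/digest construction (sha-256 case) without the JWS
# layer, to show which party can correlate which presentations.


def b64url(data: bytes) -> str:
    """base64url without padding, as SD-JWT requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def digest_of(disclosure: str) -> str:
    """Digest placed in the signed payload: base64url(sha256(ascii(disclosure)))."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def make_disclosure(name: str, value, salt: Optional[bytes] = None):
    """Disclosure = base64url(JSON [salt, claim_name, claim_value]); 128-bit random salt."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    arr = [b64url(salt), name, value]
    disclosure = b64url(json.dumps(arr, separators=(",", ":")).encode("utf-8"))
    return disclosure, digest_of(disclosure)


def issue(claims: dict) -> dict:
    """Issuer side: payload with an '_sd' digest array plus the disclosures.
    Digests are sorted so their order reveals nothing about claim order (the
    draft recommends shuffling or sorting)."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {"_sd_alg": "sha-256", "_sd": sorted(d for _, d in disclosures.values())}
    return {"payload": payload, "disclosures": disclosures}


def present(credential: dict, reveal: set) -> dict:
    """Holder side: the (signed) payload is sent unchanged; only chosen disclosures go with it."""
    return {"payload": credential["payload"],
            "disclosures": [credential["disclosures"][n][0] for n in reveal]}


def verify_presentation(presentation: dict) -> dict:
    """Verifier side: accept a disclosure only if its recomputed digest is in '_sd'."""
    allowed = set(presentation["payload"]["_sd"])
    revealed = {}
    for disc in presentation["disclosures"]:
        if digest_of(disc) not in allowed:
            raise ValueError("disclosure does not match any digest in the signed payload")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(disc + "=" * (-len(disc) % 4)))
        revealed[name] = value
    return revealed


def verifier_can_link(p1: dict, p2: dict) -> bool:
    """Two presentations carry a stable correlator iff their payloads share a digest
    (the signature over that payload would be another such correlator)."""
    return bool(set(p1["payload"]["_sd"]) & set(p2["payload"]["_sd"]))


class IssuerLog:
    """What the issuer retains: every digest it produced, keyed back to the subject."""

    def __init__(self):
        self.by_digest = {}

    def record(self, subject: str, credential: dict) -> None:
        for _, digest in credential["disclosures"].values():
            self.by_digest[digest] = subject

    def link_to_subject(self, presentation: dict) -> Optional[str]:
        for digest in presentation["payload"]["_sd"]:
            if digest in self.by_digest:
                return self.by_digest[digest]
        return None


def demo() -> dict:
    claims = {"given_name": "Alice", "age_over_18": True}  # constructed sample claims
    log = IssuerLog()
    single = issue(claims)
    log.record("alice", single)
    batch = [issue(claims) for _ in range(3)]  # batch issuance: fresh salts per copy
    for cred in batch:
        log.record("alice", cred)
    return {
        # same credential, different selective disclosures: still linkable by digest
        "same_credential_linkable": verifier_can_link(
            present(single, {"age_over_18"}), present(single, {"given_name"})),
        # two batch-issued credentials for identical claims: no shared digest
        "batch_credentials_linkable": verifier_can_link(
            present(batch[0], {"age_over_18"}), present(batch[1], {"age_over_18"})),
        # issuer colluding with verifiers can still map every copy to the subject
        "issuer_links_batch": all(
            log.link_to_subject(present(c, {"age_over_18"})) == "alice" for c in batch),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` yields `same_credential_linkable=True`, `batch_credentials_linkable=False` and `issuer_links_batch=True`, which is the situation the thread is describing in words: batch issuance works around the lack of presentation unlinkability at the verifier by never showing the same credential twice, but it does nothing for issuer/verifier unlinkability, because the issuer minted every digest.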
- [OAUTH-WG] -15 of SD-JWT Brian Campbell
- [OAUTH-WG] Re: -15 of SD-JWT Watson Ladd
- [OAUTH-WG] Re: -15 of SD-JWT Brian Campbell
- [OAUTH-WG] Re: -15 of SD-JWT Michael Prorock
- [OAUTH-WG] Re: -15 of SD-JWT Brent Zundel
- [OAUTH-WG] Re: -15 of SD-JWT Paul Bastian
- [OAUTH-WG] Re: -15 of SD-JWT Watson Ladd
- [OAUTH-WG] Re: -15 of SD-JWT Pierce Gorman
- [OAUTH-WG] Re: -15 of SD-JWT Daniel Fett
- [OAUTH-WG] Re: -15 of SD-JWT torsten