[OAUTH-WG] Re: SD-JWT and Unlinkability
Watson Ladd <watsonbladd@gmail.com> Tue, 24 September 2024 14:23 UTC
Return-Path: <watsonbladd@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 6F9AFC1840EA for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2024 07:23:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Kkstw0UNLI1Q for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2024 07:23:09 -0700 (PDT)
Received: from mail-wr1-x431.google.com (mail-wr1-x431.google.com [IPv6:2a00:1450:4864:20::431]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id A5F21C180B7C for <oauth@ietf.org>; Tue, 24 Sep 2024 07:23:09 -0700 (PDT)
Received: by mail-wr1-x431.google.com with SMTP id ffacd0b85a97d-374bd059b12so3353749f8f.1 for <oauth@ietf.org>; Tue, 24 Sep 2024 07:23:09 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727187788; x=1727792588; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=O8zTf6LFMFX8LpMWmZI4xjRNpmIC05NAFfhOYleS76Y=; b=ch5/2SuqaInjsdTxWznUhwKlba15EbK+HZZn3ei8Egz+6X7taMoQ6+0n3VqbZC1f28 4S/kJBsoeR0FhyppUySibvdI0SxPPYttfP+P6fdqO7riugyoTCxvGUsFo1W8ljr+y5CS 5ENqDm6Zi+zqLHrUuSyyZBPlHmfupK4JqGZDJtt0FhYmZXTwP5BGEMhNICSe5pDbAbE2 ggU0cJ2pl+vkB0eSWoAmVqpGQkc/l5xg6rwV1XabMx+H/yuQkdgYy+93p1FLDVNwkr6k 79IdDXF/xkLZPBN1fLWVP0MInFjtCHEeRZZFfA3fsfzaQiH7wkclvoFQ0fs2Bshd360K qX6g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727187788; x=1727792588; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=O8zTf6LFMFX8LpMWmZI4xjRNpmIC05NAFfhOYleS76Y=; b=FGtkhOPVL6BUeYBALIIMnY5oDOh4U0B07ke6ZNcdr8k/HlOdiDJIlp/EYcqk4OSiaE MD5j7oPM/7HYSwCu1e7IFLLQzMXbp5GrVBsyhbPr+ZuPH54PTm54jY2q2bFwPU7gqRkb iU0vHfBIuvugkFCHFtLTKD0T9gXEklcXOSHINbPgdGCAGRQgQXQNy4Ea9L+O/Y8krfgG srfBDCfryhN1lIKyEPkaqQb4UahBOjT7lUigkiSuNPgoSOVGw6bx1mOBxBr5ZbmdgEP+ V5aCMGUDWaXuMYMVKI7gRIKQ8ZkLTARbrAsLttHYOCGZ2XeL8nF1BgmT0gntBdl628Hn 3IDg==
X-Forwarded-Encrypted: i=1; AJvYcCWBy34HpycNqxjSHiS7waPFBeG23P/bbxUb3M1qfmYpP4pU2hXlac1wSEAwPxm6D/fGw4ENJw==@ietf.org
X-Gm-Message-State: AOJu0Ywd48NIcS1sE0zIkDDTPoJ9I030b2XJNXMxmUlQzKqie/DfS5fS 2y8J46vdZveQ0SdX/6cf1clDYfh27FPsnmEYD0m+Fi9AsLHWnkp+xvdZe9puL16/mcMCAGrGh7H UGpbITQohNfSZFDyWPjt2q/NWUFE=
X-Google-Smtp-Source: AGHT+IG41+EhS2gLna7EL0BOsgibu+W4dkn7Lf43w8T6edE3FQFJwmYRuNVb5982gJQJpPXQtV3d2/1U+HElhmyunXg=
X-Received: by 2002:a5d:4947:0:b0:37a:3b34:b3a with SMTP id ffacd0b85a97d-37a4223df0emr8540104f8f.2.1727187787918; Tue, 24 Sep 2024 07:23:07 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s_gFmkCC8uKXQXC0W1u_zcaktvvNV6wEC4RtJQMarnng@mail.gmail.com> <51d9e2b2-e766-4eea-8b31-a0ae5b2cfae4@danielfett.de> <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com> <CAFje9Pg=-H9x35JQzdL8_9HjRCeR6+n9DO_pu32SK_mKib4RWw@mail.gmail.com> <CAD9ie-s8TqfwnCcO4fQr_HwvUs-+gXy53NCAVx7zYpmHT9R4vQ@mail.gmail.com> <CAFje9PgRwZ8hFGm5KDtGvDA=4ozf5ACF3SK_qduSGvW4HXcBuw@mail.gmail.com> <CAD9ie-t7aNXxeypS-5vKOhTudBf7cnRGxnDkZJz=BFbY-zRubQ@mail.gmail.com> <CAFje9PjAMNYCe5BOe8bBZ4A7wiGtJDHo_2sV3yEAXtDy=iVC=A@mail.gmail.com>
In-Reply-To: <CAFje9PjAMNYCe5BOe8bBZ4A7wiGtJDHo_2sV3yEAXtDy=iVC=A@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Tue, 24 Sep 2024 07:22:55 -0700
Message-ID: <CACsn0cna6piYzjJVJKpu+yGhZeGT+VT+Z5LL29o4yW+5tGwt7w@mail.gmail.com>
To: Kristina Yasuda <yasudakristina@gmail.com>
Content-Type: multipart/alternative; boundary="0000000000008f3ec00622de3e99"
Message-ID-Hash: NNOJIKUVLOTMQD4NT6UGM6YZN3H4VOS6
X-Message-ID-Hash: NNOJIKUVLOTMQD4NT6UGM6YZN3H4VOS6
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: Dick.Hardt@gmail.com, kristina@sfc.keio.ac.jp, IETF oauth WG <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: SD-JWT and Unlinkability
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/MxrhoQFftaDOr9QVQe6OvHfQIm8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>
But is what they implement secure? We added lots of appendices to TLS 1.3 to help authors of under standards understand what they had to say to get a secure result. Adding unactionable mitigations doesn't help anyone including the authors of the other documents you think will define this. On Tue, Sep 24, 2024, 2:19 AM Kristina Yasuda <yasudakristina@gmail.com> wrote: > SD-JWT document has a clearly defined scope and one can implement > “something useful”that is meant to be in scope by reading only SD-JWT > document. > > Also please see my other response about SD-JWT not being meant only for > issuer-holder-verifier model. There might be usages of SD-JWT outside that > model that do not need batch issuance. Like, theoretically, using sd-JWT as > a content of an access token for whatever reason. > > Once again, “what we can do is to add a text saying more clearly that the > details of batch issuance are defined elsewhere and what kind of details > need to be defined in that document”. > > > On Tue, Sep 24, 2024 at 11:10 AM Dick Hardt <dick.hardt@gmail.com> wrote: > >> I understood your point. :) >> >> As a reader, I had no idea I was supposed to look elsewhere for guidance >> on either unlinkability, explicit typing, or decoy digests. >> >> My other point is the document should stand on its own and not require >> other documents to do something useful. >> >> On Tue, Sep 24, 2024 at 10:01 AM Kristina Yasuda < >> yasudakristina@gmail.com> wrote: >> >>> And my point is that SD-JWT document is a wrong place to look for such >>> actionable language. The intention is not and should not be to define a >>> stand alone batch issuance protocol in SD-JWT document. >>> >>> What we can do is to add a text saying more clearly that the details of >>> batch issuance are defined elsewhere and what kind of details need to be >>> defined in that document. >>> >>> Best, >>> Kristina >>> >>> >>> >>> On Tue, Sep 24, 2024 at 9:22 AM Dick Hardt <dick.hardt@gmail.com> wrote: >>> >>>> My feedback is that the current language on batch issuance is not >>>> actionable, and that this document should stand on its own >>>> >>>> If the reader is supposed to take guidance from other documents, then >>>> you should refer to those other documents, but I would have that in >>>> addition to specific guidance. >>>> >>>> On Mon, Sep 23, 2024 at 10:03 PM Kristina Yasuda < >>>> yasudakristina@gmail.com> wrote: >>>> >>>>> > there is no guidance on how many to issue, nor how a holder chooses >>>>> when to reissue the same ones >>>>> > the question about users randomly selecting some to store and some >>>>> to reject. >>>>> >>>>> These are great points, however, just like JWT/JWS specifications do >>>>> not define how to manage the lifecycle of those, SD-JWT document is >>>>> not a right place to discuss them. What you call a "hack" is not >>>>> meant to be fully specified in SD-JWT document itself. Please review >>>>> documents such as OpenID4VCI to improve various aspects of >>>>> batch (re)issuance. >>>>> >>>>> On another note, and not sure this was your original point, but I can >>>>> recall that originally, we had a text in the document that there are other >>>>> ways to achieve verifier/verifier unlinkability, other than batch issuance, >>>>> mainly using advanced cryptography (aka ZKPs). Then, upon receiving >>>>> feedback that such text is not really actionable or implementable, because >>>>> it was not well established how to use ZKP with SD-JWTs, we removed >>>>> sentences alluding to the mechanisms that are not batch issuance. >>>>> However, I think that might be changing, looking at the work >>>>> cryptographers at Google have been demonstrating recently. I think we are >>>>> eagerly waiting for that work to be published and peer reviewed. >>>>> To sum up, I think we could add back into the SD-JWT document a >>>>> sentence saying there are ways other than batch issuance to achieve >>>>> verifier-verifier unlinkability. >>>>> >>>>> Best, >>>>> Kristina >>>>> >>>>> >>>>> On Sat, Sep 21, 2024 at 5:56 PM Dick Hardt <dick.hardt@gmail.com> >>>>> wrote: >>>>> >>>>>> I understand it has become the accepted approach. It still comes >>>>>> across as a hack, and there is no guidance on how many to issue, nor how a >>>>>> holder chooses when to reissue the same ones. >>>>>> >>>>>> I'm amused by the decision to use implicit typing in a disclosure to >>>>>> save a few bytes, but we will send dozens of credentials to minimize the >>>>>> chance of linking :) >>>>>> >>>>>> On Sat, Sep 21, 2024 at 4:29 PM Daniel Fett <mail@danielfett.de> >>>>>> wrote: >>>>>> >>>>>>> Hi Dick, >>>>>>> >>>>>>> Batch credential (not claims) issuing has become the default >>>>>>> approach to circumvent the inherent limitations of salted-hash-based >>>>>>> credentials formats. This was neither invented by us, nor is it >>>>>>> unreasonable to ask implementers to do it. Protocols such as OpenID4VCI >>>>>>> support it. >>>>>>> >>>>>>> -Daniel >>>>>>> Am 21.09.24 um 06:42 schrieb Dick Hardt: >>>>>>> >>>>>>> Is it really going to be practical to batch issue claims, and have >>>>>>> the holder randomly choose between them on presentation? >>>>>>> >>>>>>> As an implementer, what is the right number of claims to be in a >>>>>>> batch? >>>>>>> >>>>>>> This section of the draft reads as a hack to add a new capability >>>>>>> (unlinkability) to a mechanism that did not have that as a design objective. >>>>>>> >>>>>>> This is going to be like the "alg":"null" for SD-JWT. :-) >>>>>>> >>>>>>> >>>>>>> _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-leave@ietf.org >
- [OAUTH-WG] SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: SD-JWT and Unlinkability Daniel Fett
- [OAUTH-WG] Re: SD-JWT and Unlinkability Tom Jones
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: How to get the benefits of BBS+, w… Watson Ladd
- [OAUTH-WG] Re: SD-JWT and Unlinkability Kristina Yasuda
- [OAUTH-WG] Re: SD-JWT and Unlinkability Kristina Yasuda
- [OAUTH-WG] Re: SD-JWT and Unlinkability Daniel Fett
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: SD-JWT and Unlinkability Kristina Yasuda
- [OAUTH-WG] Re: SD-JWT and Unlinkability Denis
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] How to get the benefits of BBS+, witho… Denis
- [OAUTH-WG] Re: SD-JWT and Unlinkability Dick Hardt
- [OAUTH-WG] Re: SD-JWT and Unlinkability Watson Ladd
- [OAUTH-WG] Re: SD-JWT and Unlinkability David Waite