[OAUTH-WG] Re: Alternative text for sd-jwt privacy considerations.

Tom Jones <thomasclinganjones@gmail.com> Thu, 26 December 2024 17:38 UTC

From: Tom Jones <thomasclinganjones@gmail.com>
Date: Thu, 26 Dec 2024 09:38:00 -0800
To: Watson Ladd <watsonbladd@gmail.com>
CC: IETF oauth WG <oauth@ietf.org>
Reply-To: peace@acm.org
Subject: [OAUTH-WG] Re: Alternative text for sd-jwt privacy considerations.
Message-ID: <CAK2Cwb5cf9uHJBNZp2rZ+BQcUNPpC7-GfPPhu4ben1N6ZyEa9w@mail.gmail.com>
In-Reply-To: <CACsn0cnEJKamSSJH4-pKg1xNZ3X+__B4UwZ3P5enxP5tQ4AqzA@mail.gmail.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/NE4tsyTRT0SbdJaMzI3gSzRqfuo>

This problem was clearly demonstrated by the California mDL hackathon where
the default presentation was ALL DATA. That is the easiest path, so it
remains the one most taken. We have known since standards were first
introduced that they immediately create a drive to the bottom. This will be
the fate of this standard as well. The most permissive interpretation will
be the most common. The user's desires will not be met.

thx ..Tom (mobile)

On Tue, Dec 24, 2024, 6:34 AM Watson Ladd <watsonbladd@gmail.com> wrote:

> I see that people are uncomfortable with making any mandates, and so I've
> tried to be purely descriptive in this proposal. I leave it to the WG to
> decide where to put it, but I see it as a wholesale replacement for some
> sections to emphasize clarity.
>
>  "SD-JWT conceals only the values that aren't revealed. It does not meet
> standard security notions for anonymous credentials. In particular,
> Verifiers and Issuers can know when they have seen the same credential no
> matter what fields have been opened, even none of them. This behavior may
> not accord with what users naively expect or are led to expect from UX
> interactions and may lead them to make choices they would not otherwise make.
> Workarounds such as issuing multiple credentials at once and using them
> only one time can help keep Verifiers from linking different
> showings, but cannot work for Issuers. This issue applies to all selective
> disclosure based approaches, including mdoc. "
>
> Sincerely,
> Watson
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>
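The linkability property described in the quoted proposal can be checked concretely. The following is an added example, not code from the thread or from any SD-JWT implementation: a toy issuer, holder and verifier built on the stdlib only. It follows the SD-JWT construction (salted disclosures, SHA-256 digests in an issuer-signed `_sd` array, presentation as `jwt~disclosure~...~`), but models the issuer signature with HMAC-SHA256 instead of an asymmetric JWS so it has no dependencies; the issuer URL, key, ledger and claim values are constructed for the example. It shows that the issuer-signed part is byte-identical across presentations whatever is disclosed (even nothing), that a Verifier can therefore correlate them, and that batch issuance gives Verifiers distinct strings while the Issuer's own ledger still links every copy to the subject.

```python
"""Toy SD-JWT showing presentation linkability and the batch-issuance workaround.
Constructed example: HMAC-SHA256 stands in for the issuer's JWS signature; the
argument is unchanged because the signed part is a fixed string for the credential's life."""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"constructed-issuer-key"   # assumption: HMAC stand-in for the issuer signing key
ISSUER_LEDGER: dict[str, str] = {}       # issuer's own record: issuer-signed JWT -> subject


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # Disclosure = base64url(JSON [salt, name, value]); the random salt stops a Verifier
    # from brute-forcing an undisclosed value from its digest.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def digest(disclosure: str) -> str:
    # Digest over the ASCII disclosure; these go into the issuer-signed "_sd" array.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, subject: str) -> tuple[str, dict[str, str]]:
    """Issuer: returns (issuer-signed JWT, {claim name: disclosure}) and records the JWT."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {
        "iss": "https://issuer.example",  # assumption: made-up issuer
        "_sd_alg": "sha-256",
        # Sorted for simplicity; real issuers shuffle so the order leaks nothing.
        "_sd": sorted(digest(d) for d in disclosures.values()),
    }
    header = b64url(json.dumps({"alg": "HS256", "typ": "dc+sd-jwt"}, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64url(hmac.new(ISSUER_KEY, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest())
    jwt = f"{header}.{body}.{sig}"
    ISSUER_LEDGER[jwt] = subject
    return jwt, disclosures


def issue_batch(claims: dict, subject: str, n: int) -> list[tuple[str, dict[str, str]]]:
    """The workaround from the text: n credentials with independent salts, one per showing."""
    return [issue(claims, subject) for _ in range(n)]


def present(jwt: str, disclosures: dict[str, str], reveal: list[str]) -> str:
    """Holder: issuer JWT ~ chosen disclosures ~ (no key-binding JWT in this toy)."""
    return "~".join([jwt] + [disclosures[name] for name in reveal]) + "~"


def verifier_fingerprint(presentation: str) -> str:
    # Everything before the first '~' is the issuer-signed JWT. It is identical in every
    # presentation of the same credential, whatever is disclosed, so it is a correlation handle.
    return presentation.split("~")[0]


def verify(presentation: str) -> dict:
    """Verifier: check the issuer signature, then accept only disclosures whose digest is in _sd."""
    parts = presentation.split("~")
    jwt, disclosures = parts[0], [p for p in parts[1:] if p]
    header, body, sig = jwt.split(".")
    expected = b64url(hmac.new(ISSUER_KEY, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad issuer signature")
    allowed = set(json.loads(b64url_decode(body))["_sd"])
    revealed = {}
    for d in disclosures:
        if digest(d) not in allowed:
            raise ValueError("disclosure is not bound to this credential")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return revealed


def issuer_can_link(fingerprints: list[str]) -> bool:
    """Issuer side: every copy the Verifier saw maps back to one subject in the ledger."""
    subjects = {ISSUER_LEDGER.get(fp) for fp in fingerprints}
    return len(subjects) == 1 and None not in subjects


if __name__ == "__main__":
    jwt, discs = issue({"given_name": "Alice", "age_over_21": True, "postal_code": "94110"}, "alice")
    shows = [present(jwt, discs, r) for r in (["given_name"], ["age_over_21"], [])]
    print([verify(s) for s in shows])
    print("verifier links all three showings:", len({verifier_fingerprint(s) for s in shows}) == 1)
    batch = issue_batch({"age_over_21": True}, "alice", 3)
    fps = [verifier_fingerprint(present(j, d, ["age_over_21"])) for j, d in batch]
    print("verifier links batch copies:", len(set(fps)) < len(fps))
    print("issuer links batch copies:", issuer_can_link(fps))
```

Running it prints that the three showings of one credential share a fingerprint even when nothing is disclosed, that the three batch-issued copies look unrelated to the Verifier, and that the Issuer still ties all three to "alice". A production SD-JWT adds a key-binding JWT, decoy digests and an asymmetric signature; none of those change which side can correlate.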