[OAUTH-WG] Re: SD-JWT and Unlinkability

David Waite <david@alkaline-solutions.com> Tue, 24 September 2024 16:33 UTC

From: David Waite <david@alkaline-solutions.com>
In-Reply-To: <CACsn0cna6piYzjJVJKpu+yGhZeGT+VT+Z5LL29o4yW+5tGwt7w@mail.gmail.com>
Date: Tue, 24 Sep 2024 10:33:42 -0600
Message-Id: <E04DD2ED-F48F-4C6C-AEA6-C57997ACEB04@alkaline-solutions.com>
References: <CAD9ie-s_gFmkCC8uKXQXC0W1u_zcaktvvNV6wEC4RtJQMarnng@mail.gmail.com> <51d9e2b2-e766-4eea-8b31-a0ae5b2cfae4@danielfett.de> <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com> <CAFje9Pg=-H9x35JQzdL8_9HjRCeR6+n9DO_pu32SK_mKib4RWw@mail.gmail.com> <CAD9ie-s8TqfwnCcO4fQr_HwvUs-+gXy53NCAVx7zYpmHT9R4vQ@mail.gmail.com> <CAFje9PgRwZ8hFGm5KDtGvDA=4ozf5ACF3SK_qduSGvW4HXcBuw@mail.gmail.com> <CAD9ie-t7aNXxeypS-5vKOhTudBf7cnRGxnDkZJz=BFbY-zRubQ@mail.gmail.com> <CAFje9PjAMNYCe5BOe8bBZ4A7wiGtJDHo_2sV3yEAXtDy=iVC=A@mail.gmail.com> <CACsn0cna6piYzjJVJKpu+yGhZeGT+VT+Z5LL29o4yW+5tGwt7w@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
CC: Dick.Hardt@gmail.com, kristina@sfc.keio.ac.jp, IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: SD-JWT and Unlinkability
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/OAtqmyDBByvdnt7DiZrblLdVoqQ>


> On Sep 24, 2024, at 8:22 AM, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> But is what they implement secure?
> 
> We added lots of appendices to TLS 1.3 to help authors of under standards understand what they had to say to get a secure result.
> 
> Adding unactionable mitigations doesn't help anyone including the authors of the other documents you think will define this.

TLS 1.3 is a protocol while this is a base document format. Both should be documenting things within their scope for implementers. For example, TLS 1.3 does not give guidelines on what operational and other policies one should look for in selecting trusted certificate authorities, even though a common set of trusted CAs is vital for public web infrastructure.

Is there specific guidance beyond 10.3. and 11.1. that targets particular properties (such as unlinkability between two issued SD-JWTs) and not particular use cases (how a protocol which issues digital credentials should operate)?

-DW