[OAUTH-WG] Re: Second WGLC for SD-JWT
Watson Ladd <watsonbladd@gmail.com> Fri, 25 October 2024 15:45 UTC
References: <CADNypP9aEU4Ka+0u8PQ3W+jmLN5c6NK77i25Wo9bxquML5Ky2w@mail.gmail.com>
In-Reply-To: <CADNypP9aEU4Ka+0u8PQ3W+jmLN5c6NK77i25Wo9bxquML5Ky2w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 25 Oct 2024 08:45:23 -0700
Message-ID: <CACsn0ckMs=7St7hNPGb29yKjm3SBnC1pBJiuNyXRCT4Edg9mEg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
CC: oauth <oauth@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P4xdFk-ezpaP-P6EfYA314Ort30>
The privacy issues I have consistently raised have not been addressed through actionable text. Implementers are not receiving guidance with the current version. The actual risks are buried below a bunch of words talking around the issue. I'll be very clear: if a user uses this technology to pass an age verification filter, they will end up exposing their complete identity without knowing it. This is an unacceptable risk, and no one disagrees the technology poses it. Implementers will often not have the skills or knowledge to identify this concern independently, and need actionable guidance on how to mitigate it. We provide far more actionable guidance on storage of credentials.

On Fri, Oct 18, 2024 at 11:00 AM Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
> This is a short second WG Last Call for the SD-JWT document after the recent update based on the feedback provided during the first WGLC
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-13.txt
>
> Please, review this document and reply on the mailing list if you have any comments or concerns, by Oct 25th.
>
> Regards,
> Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org

-- 
Astra mortemque praestare gradatim
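Added example (editor's illustration, not part of Watson Ladd's message and not code from the SD-JWT draft or any WG implementation): the selective-disclosure core of SD-JWT reduced to its hashing mechanism, run twice against the same age-verification scenario. On the wire the Verifier receives the identical Issuer-signed payload in both runs; the only thing that changes is which Disclosures the Holder's wallet attaches. The claim names, values and issuer URL are constructed for the demo. The Issuer's JWS signature over the payload and Key Binding are deliberately left out; a real Verifier must validate the signature before trusting anything in `_sd`.

```python
# Added example: SD-JWT selective disclosure reduced to its hashing core
# (stdlib only). Omitted on purpose: the Issuer's JWS signature over the
# payload and Key Binding; a real Verifier checks the signature BEFORE
# trusting _sd. All claim data below is constructed for the demo.
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # Disclosure = base64url(JSON [salt, claim name, claim value]); salt >= 128 bits.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode("utf-8"))


def digest(disclosure: str) -> str:
    # _sd entry = base64url(SHA-256(ASCII bytes of the Disclosure)) for _sd_alg "sha-256".
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(sd_claims: dict, plain_claims: dict) -> tuple:
    """Issuer: each selectively disclosable claim becomes a digest in _sd.
    Sorting the array hides the original claim order, as the draft recommends."""
    disclosures = {name: make_disclosure(name, value) for name, value in sd_claims.items()}
    payload = dict(plain_claims)
    payload["_sd"] = sorted(digest(d) for d in disclosures.values())
    payload["_sd_alg"] = "sha-256"
    return payload, disclosures


def present(disclosures: dict, reveal: list) -> list:
    """Holder (wallet): the one place where exposure is actually decided."""
    return [disclosures[name] for name in reveal]


def verify_and_extract(payload: dict, presented: list) -> dict:
    """Verifier: recover only the claims whose Disclosure was actually sent."""
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    expected = set(payload["_sd"])
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    seen = set()
    for disc in presented:
        dg = digest(disc)
        if dg not in expected:
            raise ValueError("disclosure matches no digest in _sd (forged or foreign)")
        if dg in seen:
            raise ValueError("duplicate disclosure")
        seen.add(dg)
        _salt, name, value = json.loads(b64url_decode(disc))
        if name in claims:
            raise ValueError(f"claim name collision: {name}")
        claims[name] = value
    return claims


# Constructed sample credential (not real data).
IDENTITY = {
    "given_name": "Alice",
    "family_name": "Example",
    "birthdate": "1990-01-01",
    "address": {"street": "1 Example Way", "locality": "Anytown"},
    "age_over_18": True,
}
PAYLOAD, DISCLOSURES = issue(IDENTITY, {"iss": "https://issuer.example"})


def age_gate_minimal() -> dict:
    # Wallet releases exactly one Disclosure; the site learns iss + age_over_18 only.
    return verify_and_extract(PAYLOAD, present(DISCLOSURES, ["age_over_18"]))


def age_gate_overshare() -> dict:
    # Same credential, wallet releases everything: the age gate now holds full identity.
    return verify_and_extract(PAYLOAD, present(DISCLOSURES, list(DISCLOSURES)))


def forged_disclosure_rejected() -> bool:
    # A Disclosure not minted with this credential has a digest absent from _sd.
    try:
        verify_and_extract(PAYLOAD, [make_disclosure("age_over_18", True)])
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print("minimal  :", age_gate_minimal())
    print("overshare:", sorted(age_gate_overshare()))
    print("forged rejected:", forged_disclosure_rejected())
```

Nothing in the format stops `age_gate_overshare` from happening: the digests in `_sd` bind every Disclosure to the Issuer's signature, but the Verifier cannot tell whether a given Disclosure was needed, and the wallet is the only party in a position to refuse. A second point the code makes visible is that `PAYLOAD["_sd"]` is byte-identical in both presentations, so the same SD-JWT shown to two sites (or to one site twice) is linkable by its digests even when only `age_over_18` is revealed; the draft's privacy considerations discuss this under unlinkability.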