[OAUTH-WG] Re: Second WGLC for SD-JWT

Watson Ladd <watsonbladd@gmail.com> Fri, 25 October 2024 15:45 UTC

Return-Path: <watsonbladd@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 86C04C1D875C for <oauth@ietfa.amsl.com>; Fri, 25 Oct 2024 08:45:37 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id dvUHEStFv7MN for <oauth@ietfa.amsl.com>; Fri, 25 Oct 2024 08:45:37 -0700 (PDT)
Received: from mail-wr1-x436.google.com (mail-wr1-x436.google.com [IPv6:2a00:1450:4864:20::436]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 08D49C19330B for <oauth@ietf.org>; Fri, 25 Oct 2024 08:45:37 -0700 (PDT)
Received: by mail-wr1-x436.google.com with SMTP id ffacd0b85a97d-37f52925fc8so1495675f8f.1 for <oauth@ietf.org>; Fri, 25 Oct 2024 08:45:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1729871135; x=1730475935; darn=ietf.org; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:from:to:cc:subject:date :message-id:reply-to; bh=HEH2rpuPttN5YHfj1o0ksnDb9BWf3eWlFUulGT37Zv8=; b=QBlFprgChzN+Wn/8+XdNdowMQD75ukxtp9JASN3NVxv9Ex5gxmb817634ngUZ8oByr hNSe3H8RjFkfadMP57ppQxEa0LTvMSXVqgdFKIg7Z4iN6z/eCVauejRQovam8/DA28Lq KZ2J2siJv2GUCX0N/UCmsPrBaNwweUqhp4wCTdM4NS3Euh1fXyZ3k44PUhDGXg0/LH8U n62+ygetbZTw4tY4qe3dHO2XapcPvJ8qDAO/miMSy0fezaV/CkyOsSOGJj70OHkwa/gw vA4pXKBcdI1f/hidJmc2XK9YGM0hzr3yyjt+jEKXSLelfHo3mntKS2yz81C6A5JVoRrq qsnQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1729871135; x=1730475935; h=content-transfer-encoding:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:x-gm-message-state:from:to:cc :subject:date:message-id:reply-to; bh=HEH2rpuPttN5YHfj1o0ksnDb9BWf3eWlFUulGT37Zv8=; b=V/ljtKZQ/Du/lJNioW7axVC6xEAdZCqs8qpp+ifhNEk+BCOgz0iwMIWJXK19/QKeP/ Ye0TKkbJSALKzkpJRjrnmdG9ziYUAoyEq/4lZwWNwfULsg8UHEeKbgOmtRuqQ+5UvvoW VqoDIFxo6kxuMh1jvdAO8VxV/TBhhbWM12fLmfKPiquXNWsLebb9Rl9lspReLC6to9f3 kzWhfGwOcr7b9U7Avn6DVXZZgrjiVV4LAq/aROPAJxcbG7KmYSfw3TpTdvn12mrveutp 2tfGGPkBB+vWa8Cm/ZJTyaEDUadPBVZz3z6ZdLkX+nLZu9CtxcbY1iraMbUe9WhSyrio pKsA==
X-Gm-Message-State: AOJu0Yy92VUc15lvaDTqy94sG6BU65f39vwMcYqVJXiBC0bUs9uEDAmd kPXBu+nrmMJ5/mjMl/tIBTLA2o4UgFHa5RvfPSQPKsZlNpotk2PaxyYBMSrvhzbxw91EfTzSSxC aT2DGDP3rVCPbnkXteQR3YVLG3rc=
X-Google-Smtp-Source: AGHT+IGdM+s9gmUbbHvcvS1CYi+A0q5NthQ+EcNZWa6kT21xbNOKEQ9xrU9dw4Lo7azc2Dq9/XqHKJmvFj4Q0GkX3nQ=
X-Received: by 2002:a5d:6707:0:b0:37e:d2b7:acd5 with SMTP id ffacd0b85a97d-37efceedf6cmr6234979f8f.8.1729871134995; Fri, 25 Oct 2024 08:45:34 -0700 (PDT)
MIME-Version: 1.0
References: <CADNypP9aEU4Ka+0u8PQ3W+jmLN5c6NK77i25Wo9bxquML5Ky2w@mail.gmail.com>
In-Reply-To: <CADNypP9aEU4Ka+0u8PQ3W+jmLN5c6NK77i25Wo9bxquML5Ky2w@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Fri, 25 Oct 2024 08:45:23 -0700
Message-ID: <CACsn0ckMs=7St7hNPGb29yKjm3SBnC1pBJiuNyXRCT4Edg9mEg@mail.gmail.com>
To: Rifaat Shekh-Yusef <rifaat.s.ietf@gmail.com>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable
Message-ID-Hash: EO2CF54QJLAM4MFZDTSZJL6D4OVVN53J
X-Message-ID-Hash: EO2CF54QJLAM4MFZDTSZJL6D4OVVN53J
X-MailFrom: watsonbladd@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: oauth <oauth@ietf.org>
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Second WGLC for SD-JWT
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/P4xdFk-ezpaP-P6EfYA314Ort30>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

The privacy issues I have consistently raised have not been addressed
through actionable text.

Implementers are not receiving guidance with the current version. The
actual risks are buried below a bunch of words talking around the
issue.

I'll be very clear: if a user uses this technology to pass an age
verification filter, they will end up exposing their complete identity
without knowing it. This is an unacceptable risk, and no one disagrees
the technology poses it. Implementers will often not have the skills
or knowledge to identify this concern independently, and need
actionable guidance on how to mitigate it. We provide far more
actionable guidance on storage of credentials.

On Fri, Oct 18, 2024 at 11:00 AM Rifaat Shekh-Yusef
<rifaat.s.ietf@gmail.com> wrote:
>
> All,
>
> This is a short second WG Last Call for the SD-JWT document after the recent update based on the feedback provided during the first WGLC
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-13.txt
>
> Please, review this document and reply on the mailing list if you have any comments or concerns, by Oct 25th.
>
> Regards,
>   Rifaat & Hannes
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org



-- 
Astra mortemque praestare gradatim