[OAUTH-WG] Re: Alternative text for sd-jwt privacy considerations.
Tom Jones <thomasclinganjones@gmail.com> Tue, 24 December 2024 18:04 UTC
From: Tom Jones <thomasclinganjones@gmail.com>
Date: Tue, 24 Dec 2024 10:04:26 -0800
Message-ID: <CAK2Cwb4L-KTkK96CJNwpZNiYiyMQSyH35MHNnOLEiWW+_FojZQ@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>, John Wunderlich <john@wunderlich.ca>
CC: IETF oauth WG <oauth@ietf.org>
Reply-To: peace@acm.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/SqVIONrXCIAF7E6_CNzIYus3_pY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
While Watson's statement is correct, it does not address the core problem with any credential that comes with an ID. All reusable IDs enable tracking. Full stop. All government-issued IDs enable tracking, just like a social insurance number or any other cred. So, if you want privacy, don't release the ID number.

Peace ..tom jones

On Tue, Dec 24, 2024 at 6:34 AM Watson Ladd <watsonbladd@gmail.com> wrote:
> I see that people are uncomfortable with making any mandates, and so I've
> tried to be purely descriptive in this proposal. I leave it to the WG to
> decide where to put it, but I see it as a wholesale replacement for some
> sections to emphasize clarity.
>
> "SD-JWT conceals only the values that aren't revealed. It does not meet
> standard security notions for anonymous credentials. In particular,
> Verifiers and Issuers can know when they have seen the same credential no
> matter what fields have been opened, even none of them. This behavior may
> not accord with what users naively expect or are led to expect from UX
> interactions and may lead them to make choices they would not otherwise make.
> Workarounds such as issuing multiple credentials at once and using them
> only one time can help keep Verifiers from linking different
> showings, but cannot work for Issuers. This issue applies to all selective
> disclosure based approaches, including mdoc."
>
> Sincerely,
> Watson
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
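To make the linkability argument in the quoted text and Tom's ID-number point concrete, here is an added example (not code from either message or from the SD-JWT draft) that simulates SD-JWT-style salted disclosures in Python; the HMAC signature, the ISSUER_LOG, the demo claims and the batch size are constructed stand-ins. It shows that a verifier can match two showings of one credential even when nothing is opened, that batch issuance breaks verifier linkage but not issuer linkage, and that opening a reusable id_number re-links the batch anyway.

```python
import base64, hashlib, hmac, json, os

ISSUER_KEY = b"constructed-demo-key"   # stands in for the issuer's JWS signing key
ISSUER_LOG = {}                        # issuer's record: signed payload -> subject

def b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue(subject: str, claims: dict) -> dict:
    """Each claim becomes a salted disclosure; only its digest goes into the signed _sd array."""
    disclosures = {n: b64u(json.dumps([b64u(os.urandom(16)), n, v]).encode())
                   for n, v in claims.items()}
    payload = json.dumps({"_sd": sorted(
        b64u(hashlib.sha256(d.encode()).digest()) for d in disclosures.values())})
    sig = hmac.new(ISSUER_KEY, payload.encode(), "sha256").hexdigest()
    ISSUER_LOG[payload] = subject      # the issuer remembers the digests it signed
    return {"payload": payload, "sig": sig, "disclosures": disclosures}

def present(cred: dict, reveal: list) -> dict:
    """Holder forwards the signed part unchanged plus only the chosen disclosures."""
    return {"payload": cred["payload"], "sig": cred["sig"],
            "disclosures": [cred["disclosures"][n] for n in reveal]}

def fingerprint(pres: dict) -> str:
    """What a verifier can key on even when zero disclosures are sent."""
    return hashlib.sha256((pres["payload"] + pres["sig"]).encode()).hexdigest()

def same_credential_linkable(cred: dict) -> bool:
    """Two showings of one credential, opening different (or no) claims, match."""
    return fingerprint(present(cred, ["age_over_18"])) == fingerprint(present(cred, []))

def verifier_can_link_batch(batch: list) -> bool:
    """Batch-issued copies carry fresh salts, so digests and signatures all differ."""
    return len({fingerprint(present(c, [])) for c in batch}) < len(batch)

def issuer_can_link_batch(batch: list) -> bool:
    """The issuer still maps every copy back to the subject it was issued to."""
    return len({ISSUER_LOG[present(c, [])["payload"]] for c in batch}) == 1

def revealed_value_links(batch: list, claim: str) -> bool:
    """A reusable identifier opened in each showing links them regardless of salts."""
    def value(d):
        return json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))[2]
    return len({value(present(c, [claim])["disclosures"][0]) for c in batch}) == 1

def demo() -> tuple:
    claims = {"given_name": "Alice", "age_over_18": True, "id_number": "DEMO-000"}  # constructed
    single, batch = issue("alice", claims), [issue("alice", claims) for _ in range(5)]
    return (same_credential_linkable(single), verifier_can_link_batch(batch),
            issuer_can_link_batch(batch), revealed_value_links(batch, "id_number"))
```

Calling demo() returns (True, False, True, True): linkable by the verifier, unlinkable across batch copies, still linkable by the issuer, and linkable again once the ID number is revealed.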