IETF Logo Mail Archive

[OAUTH-WG] Re: SD-JWT and Unlinkability

Denis <denis.ietf@free.fr> Tue, 24 September 2024 10:45 UTC

Return-Path: <denis.ietf@free.fr>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D8EE1C1CAE9B for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2024 03:45:56 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.906
X-Spam-Level:
X-Spam-Status: No, score=-1.906 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 0EmwaRQ4oa0g for <oauth@ietfa.amsl.com>; Tue, 24 Sep 2024 03:45:55 -0700 (PDT)
Received: from smtp6-g21.free.fr (smtp6-g21.free.fr [IPv6:2a01:e0c:1:1599::15]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 5F7FFC14F6AD for <oauth@ietf.org>; Tue, 24 Sep 2024 03:45:55 -0700 (PDT)
Received: from [192.168.1.11] (unknown [90.91.46.145]) (Authenticated sender: pinkas@free.fr) by smtp6-g21.free.fr (Postfix) with ESMTPSA id B8F6B780507; Tue, 24 Sep 2024 12:45:49 +0200 (CEST)
Content-Type: multipart/alternative; boundary="------------gLEsHCn6y3n34WycJWyPHyrQ"
Message-ID: <00345798-b435-49b8-b4ad-e93c847d7665@free.fr>
Date: Tue, 24 Sep 2024 12:45:49 +0200
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
To: Kristina Yasuda <yasudakristina@gmail.com>
References: <CAD9ie-s_gFmkCC8uKXQXC0W1u_zcaktvvNV6wEC4RtJQMarnng@mail.gmail.com> <51d9e2b2-e766-4eea-8b31-a0ae5b2cfae4@danielfett.de> <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com> <CAFje9Pg=-H9x35JQzdL8_9HjRCeR6+n9DO_pu32SK_mKib4RWw@mail.gmail.com> <CAD9ie-s8TqfwnCcO4fQr_HwvUs-+gXy53NCAVx7zYpmHT9R4vQ@mail.gmail.com> <CAFje9PgRwZ8hFGm5KDtGvDA=4ozf5ACF3SK_qduSGvW4HXcBuw@mail.gmail.com> <CAD9ie-t7aNXxeypS-5vKOhTudBf7cnRGxnDkZJz=BFbY-zRubQ@mail.gmail.com> <CAFje9PjAMNYCe5BOe8bBZ4A7wiGtJDHo_2sV3yEAXtDy=iVC=A@mail.gmail.com>
Content-Language: en-GB
From: Denis <denis.ietf@free.fr>
In-Reply-To: <CAFje9PjAMNYCe5BOe8bBZ4A7wiGtJDHo_2sV3yEAXtDy=iVC=A@mail.gmail.com>
Message-ID-Hash: 74VUWFBQAIO5G7ROFSA3FIAL5UCITNS2
X-Message-ID-Hash: 74VUWFBQAIO5G7ROFSA3FIAL5UCITNS2
X-MailFrom: denis.ietf@free.fr
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: kristina@sfc.keio.ac.jp, oauth@ietf.org, Dick.Hardt@gmail.com
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: SD-JWT and Unlinkability
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/UIAV71UXyXSY8kXq2O3WgN0Kb_I>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Hi Kristina,

Today, most people have in mind the Issuer-Holder-Verifier model. Other 
use cases are hypothetic at the moment.

This document includes a privacy considerations section (section 11) and 
the guidance given in that section
about verifier-verifier unlinkability looks appropriate on pages 47 and 48.

You wrote:

    To sum up, I think we could add back into the SD-JWT document a
    sentence saying there are ways
    other than batch issuance to achieve verifier-verifier unlinkability.

Indeed, ZKP such as BBS or BBS+ could be used but the performances of 
such algorithms are rather poor
and their inconvenients are rather important. ZKP should not be 
recommended at this point of time.
Batch issuance of digital credentials is a much more practical solution.

However, one advantage of BBS and BBS+ is their ability to link digital 
credentials issued by different Issuers.
This topic is not currently addressed in the document because the base 
mechanism does not support it.

On September 23, I sent an email to the mailing list with the following 
topic:

    How to get the benefits of BBS+, without its drawbacks while using
    conventional cryptography ? (Was SD-JWT and Unlinkability)

This characteristic can be achieved using traditional cryptography *if 
and only if* that cryptography is supported by a specific
Holder hardware/software configuration as well as by specific protocols. 
Such guidance should be added into the Security Considerations section.

On September 18, I sent an email to the mailing list with the following 
topic:

    Re: WGLC for SD-JWT

At this time, I got no replies from the editors.

Denis

> SD-JWT document has a clearly defined scope and one can implement 
> “something useful”that is meant to be in scope by reading only SD-JWT 
> document.
>
> Also please see my other response about SD-JWT not being meant only 
> for issuer-holder-verifier model. There might be usages of SD-JWT 
> outside that model that do not need batch issuance. Like, 
> theoretically, using sd-JWT as a content of an access token for 
> whatever reason.
>
> Once again, “what we can do is to add a text saying more clearly that 
> the details of batch issuance are defined elsewhere and what kind of 
> details need to be defined in that document”.
>
>
> On Tue, Sep 24, 2024 at 11:10 AM Dick Hardt <dick.hardt@gmail.com> wrote:
>
>     I understood your point. :)
>
>     As a reader, I had no idea I was supposed to look elsewhere for
>     guidance on either unlinkability, explicit typing, or decoy digests.
>
>     My other point is the document should stand on its own and not
>     require other documents to do something useful.
>
>     On Tue, Sep 24, 2024 at 10:01 AM Kristina Yasuda
>     <yasudakristina@gmail.com> wrote:
>
>         And my point is that SD-JWT document is a wrong place to look
>         for such actionable language. The intention is not and should
>         not be to define a stand alone batch issuance protocol in
>         SD-JWT document.
>
>         What we can do is to add a text saying more clearly that the
>         details of batch issuance are defined elsewhere and what kind
>         of details need to be defined in that document.
>
>         Best,
>         Kristina
>
>
>
>         On Tue, Sep 24, 2024 at 9:22 AM Dick Hardt
>         <dick.hardt@gmail.com> wrote:
>
>             My feedback is that the current language on batch issuance
>             is not actionable, and that this document should stand on
>             its own
>
>             If the reader is supposed to take guidance from other
>             documents, then you should refer to those other documents,
>             but I would have that in addition to specific guidance.
>
>             On Mon, Sep 23, 2024 at 10:03 PM Kristina Yasuda
>             <yasudakristina@gmail.com> wrote:
>
>                 > there is no guidance on how many to issue, nor how a
>                 holder chooses when to reissue the same ones
>                 > the question about users randomly selecting some to
>                 store and some to reject.
>
>                 These are great points, however, just like JWT/JWS
>                 specifications do not define how to manage the
>                 lifecycle of those,SD-JWTdocument is not a right place
>                 to discuss them. What you call a "hack" is not meant
>                 to be fully specified in SD-JWT document itself.
>                 Please review documents such as OpenID4VCI to
>                 improve various aspects of batch (re)issuance.
>
>                 On another note, and not sure this was your original
>                 point, but I can recall that originally, we had a text
>                 in the document that there are other ways to achieve
>                 verifier/verifier unlinkability, other than batch
>                 issuance, mainly using advanced cryptography (aka
>                 ZKPs). Then, upon receiving feedback that such text is
>                 not really actionable or implementable, because it was
>                 not well established how to use ZKP with SD-JWTs, we
>                 removed sentences alluding to the mechanisms that are
>                 not batch issuance.
>                 However, I think that might be changing, looking at
>                 the work cryptographers at Google have been
>                 demonstrating recently. I think we are eagerly waiting
>                 for that work to be published and peer reviewed.
>                 To sum up, I think we could add back into the SD-JWT
>                 document a sentence saying there are ways other than
>                 batch issuance to achieve verifier-verifier unlinkability.
>
>                 Best,
>                 Kristina
>
>
>                 On Sat, Sep 21, 2024 at 5:56 PM Dick Hardt
>                 <dick.hardt@gmail.com> wrote:
>
>                     I understand it has become the accepted approach.
>                     It still comes across as a hack, and there is no
>                     guidance on how many to issue, nor how a holder
>                     chooses when to reissue the same ones.
>
>                     I'm amused by the decision to use implicit typing
>                     in a disclosure to save a few bytes, but we will
>                     send dozens of credentials to minimize the chance
>                     of linking :)
>
>                     On Sat, Sep 21, 2024 at 4:29 PM Daniel Fett
>                     <mail@danielfett.de> wrote:
>
>                         Hi Dick,
>
>                         Batch credential (not claims) issuing has
>                         become the default approach to circumvent the
>                         inherent limitations of salted-hash-based
>                         credentials formats. This was neither invented
>                         by us, nor is it unreasonable to ask
>                         implementers to do it. Protocols such as
>                         OpenID4VCI support it.
>
>                         -Daniel
>
>                         Am 21.09.24 um 06:42 schrieb Dick Hardt:
>>                         Is it really going to be practical to batch
>>                         issue claims, and have the holder randomly
>>                         choose between them on presentation?
>>
>>                         As an implementer, what is the right number
>>                         of claims to be in a batch?
>>
>>                         This section of the draft reads as a hack to
>>                         add a new capability (unlinkability) to a
>>                         mechanism that did not have that as a design
>>                         objective.
>>
>>                         This is going to be like the "alg":"null" for
>>                         SD-JWT. :-)
>>
>>
>
> _______________________________________________
> OAuth mailing list --oauth@ietf.org
> To unsubscribe send an email tooauth-leave@ietf.org

v2.38.3 | Report a Bug | By Email | System Status