[OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.
Watson Ladd <watsonbladd@gmail.com> Thu, 09 January 2025 18:15 UTC
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 09 Jan 2025 10:14:55 -0800
Message-ID: <CACsn0cndtkJm4mgQi=aD4uWDjzPY-CGZ589ORb_=3WGHnoA3Bg@mail.gmail.com>
To: Pierce Gorman <Pierce.Gorman@numeracle.com>
CC: IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/V_wUhnGcwJvmyzSUEbrie3SWTw4>
On Thu, Jan 9, 2025, 10:10 AM Pierce Gorman <Pierce.Gorman@numeracle.com> wrote:

> Hi Watson,
>
> I thought it was a good suggestion and am looking forward to feedback from others.
>
> I didn't understand the part of the statement in the penultimate sentence which says, "but cannot work for Issuers". I should probably understand what you meant without having to ask, but I don't.
>
> Can you please elaborate what you meant about workarounds such as issuing multiple one-time-use credentials at once (if I understood that correctly) not working for issuers?

Let's change that to "cannot prevent Issuers from linking issuance to showing". Does that help?

> Pierce
>
> CONFIDENTIAL
> -----Original Message-----
> From: Watson Ladd <watsonbladd@gmail.com>
> Sent: Wednesday, January 8, 2025 5:51 PM
> To: IETF oauth WG <oauth@ietf.org>
> Subject: [OAUTH-WG] Reminder: Alternative text for sd-jwt privacy considerations.
>
> EXTERNAL EMAIL
>
> Dear oauth wg,
>
> Happy 2025! I hope everyone has had a nice set of holidays. As a reminder I put forward the following proposal for text to add to either privacy or security considerations of sd-jwt, but the timing was unfortunate, coming Christmas eve.
> Comments on it welcome.
>
> "SD-JWT conceals only the values that aren't revealed. It does not meet standard security notions for anonymous credentials. In particular Verifiers and Issuers can know when they have seen the same credential no matter what fields have been opened, even none of them.
> This behavior may not accord with what users naively expect or are led to expect from UX interactions and lead them to make choices they would not otherwise make. Workarounds such as issuing multiple credentials at once and using them only one time can help for keeping Verifiers from linking different showings, but cannot work for Issuers.
> This issue applies to all selective disclosure based approaches, including mdoc."
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
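The linkability the proposed text describes, worked through in code. This is an added example and not part of the thread or of any SD-JWT implementation: it builds a minimal SD-JWT (salted disclosures, `_sd` digests, issuer-signed JWT, `~`-separated presentation) and then shows that the issuer-signed part is byte-identical across presentations no matter which disclosures, if any, accompany it, so a Verifier can link them; that issuing several single-use credentials gives Verifiers distinct tokens; and that the Issuer, which keeps what it signed, can still link every showing back to issuance. Assumptions labelled in the code: HMAC-SHA256 stands in for the issuer's asymmetric signature, the issuer URL is made up, key binding is omitted, and the claim values are constructed.

```python
"""Minimal SD-JWT-style issuance/presentation to demonstrate credential linkability."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def make_disclosure(name, value) -> str:
    # Disclosure = base64url(JSON [salt, claim name, claim value]); fresh salt per claim
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())


def digest(disclosure: str) -> str:
    # Digest over the ASCII form of the disclosure, as listed in the payload's _sd array
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, issuer_key: bytes):
    """Return (issuer_signed_jwt, {claim_name: disclosure}).
    Assumption: HS256 (HMAC) stands in for the issuer's asymmetric signature so the demo
    needs only the standard library; the issuer URL is made up."""
    disclosures = {name: make_disclosure(name, v) for name, v in claims.items()}
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    header = b64url(json.dumps({"alg": "HS256", "typ": "dc+sd-jwt"}).encode())
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    sig = b64url(hmac.new(issuer_key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}", disclosures


def present(issuer_jwt: str, disclosures: dict, reveal) -> str:
    """Presentation = issuer JWT ~ selected disclosures ~ (key binding omitted here)."""
    return "~".join([issuer_jwt] + [disclosures[n] for n in reveal]) + "~"


def verify(presentation: str, issuer_key: bytes) -> dict:
    """Verifier side: check the issuer signature and that each disclosure is bound to the
    credential via _sd; return the revealed claims."""
    parts = presentation.split("~")
    issuer_jwt, discs = parts[0], [d for d in parts[1:] if d]
    header, body, sig = issuer_jwt.split(".")
    expected = b64url(hmac.new(issuer_key, f"{header}.{body}".encode("ascii"), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(body))
    revealed = {}
    for d in discs:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not bound to this credential")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    return revealed


def link_id(presentation: str) -> str:
    """What any party can hash to recognise a credential: the issuer-signed part, which
    carries the same signature and the same _sd digests whatever was disclosed."""
    return hashlib.sha256(presentation.split("~")[0].encode("ascii")).hexdigest()


def demo():
    """Returns (verifier_links_one_credential, verifier_links_batch, issuer_links_batch)."""
    key = secrets.token_bytes(32)
    claims = {"given_name": "Alice", "age_over_18": True, "nationality": "DE"}  # constructed

    # One credential, three showings with different (or no) disclosures: all linkable
    jwt, discs = issue(claims, key)
    showings = [present(jwt, discs, ["age_over_18"]),
                present(jwt, discs, ["nationality"]),
                present(jwt, discs, [])]
    verifier_links_one = len({link_id(p) for p in showings}) == 1

    # Workaround: a batch of single-use credentials. Fresh salts give fresh digests and a
    # fresh signature each time, so Verifiers cannot link the showings to each other.
    batch = [issue(claims, key) for _ in range(3)]
    verifier_links_batch = len({link_id(present(j, d, ["age_over_18"])) for j, d in batch}) != 3

    # But the Issuer keeps a record of what it signed for whom, so each showing still maps
    # back to the issuance event, disclosures or not.
    ledger = {link_id(present(j, {}, [])): "alice" for j, _ in batch}
    issuer_links_batch = all(link_id(present(j, d, [])) in ledger for j, d in batch)

    return verifier_links_one, verifier_links_batch, issuer_links_batch


if __name__ == "__main__":
    print(demo())
```

The point of `link_id` is that it needs nothing beyond what every presentation already carries; an Issuer colluding with a Verifier needs no disclosures at all to match a showing to an issuance. Batch issuance only changes which parties can do the matching.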