[OAUTH-WG] Re: -15 of SD-JWT
Watson Ladd <watsonbladd@gmail.com> Fri, 17 January 2025 03:25 UTC
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
CC: oauth <oauth@ietf.org>, oauth-chairs@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/bzD22X6K_3wY5gZcB0LZODtKFSI>
Brian, I'm glad we've finally reached rough consensus on adding the paragraph I've wanted since SF, and more importantly highlighting the issues that the security failures of SD-JWT make for users. However, the editorial issues with the verbosity of the privacy considerations remain, and have gotten worse. Is there really no way to condense it? I hoped that instead of my ham-fisted mass deletion in the first PR we'd have a more careful rewrite of the preceding text in light of the new consensus to express, vs. not touching it.

I think it would read better as follows:

- Move the summary paragraph (with some edits (s/above/below/ etc.)) to the top of the section
- Delete the paragraph that goes "Issuer/Verifier unlinkability with a careless," as it is subsumed by the summary entirely. We'll put the data minimization note in somewhere else
- "Contrary to that, Issuer/Verifier unlinkability" - add in the data minimization note here

Probably this will need some more chopping at. IMHO it seems that rather than agree on what we want to say, then say it, we've agreed to say 3 or 4 different things all at the same time. I don't think that's actually recording agreement on the substance of what we want to say.

When we talk about batch issuance we say it achieves presentation unlinkability. However, that's not how we defined presentation unlinkability, which applies to multiple showings of the same, not different, credentials. I'm not really sure what to do with that: maybe "achieves" should become "works around the lack of". Or maybe we need a different notion of same, but that's going to force some very sweeping changes.

Sincerely,
Watson

-- 
Astra mortemque praestare gradatim
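The distinction raised in the last paragraph of the message above (two showings of the same SD-JWT versus showings of different, batch-issued credentials) can be made concrete in code. What follows is an added example written for this page; it is not code from the SD-JWT draft, from any SD-JWT library, or from the author of the message. It builds SD-JWT-shaped objects with the standard library only: salted disclosures, an `_sd` digest array in the issuer-signed JWT, and a `~`-separated presentation. The issuer signature is an HMAC stand-in for a real JWS signature, and the issuer URL, key and sample claims are constructed for the example. The verifier-side linkage test shows why the two properties differ: every presentation of one SD-JWT carries the same signature and the same full `_sd` array, whichever claims the holder discloses, so a verifier can correlate them; two credentials issued separately for identical claims carry fresh salts and therefore share neither.

```python
"""Verifier-side linkability of SD-JWT presentations (toy issuer).

Added example, not code from the SD-JWT draft or any implementation.
The issuer signature is an HMAC stand-in for a JWS signature (assumption).
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"toy-issuer-key"  # stand-in for the issuer's signing key (assumption)
ISSUER = "https://issuer.example"  # assumed issuer identifier


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name, value, salt=None) -> str:
    """SD-JWT disclosure: base64url(JSON [salt, claim name, claim value])."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    return b64url(json.dumps([b64url(salt), name, value]).encode())


def sd_digest(disclosure: str) -> str:
    """Digest that the issuer places in the _sd array for this disclosure."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict):
    """Issue one SD-JWT. Each call draws fresh salts, so two credentials for
    identical claims get different _sd digests and a different signature."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    payload = {"iss": ISSUER, "_sd_alg": "sha-256",
               "_sd": sorted(sd_digest(d) for d in disclosures.values())}
    header = b64url(json.dumps({"alg": "HS256"}).encode())  # HMAC stand-in
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = b64url(hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest())
    return f"{header}.{body}.{sig}", disclosures


def present(issuer_jwt: str, disclosures: dict, reveal) -> str:
    """Holder sends the issuer-signed JWT plus only the chosen disclosures."""
    return "~".join([issuer_jwt, *(disclosures[n] for n in reveal)]) + "~"


def verifier_view(presentation: str) -> dict:
    """Verify and return what a verifier learns: the disclosed claims plus the
    stable handles (signature, every _sd digest) usable for correlation."""
    parts = presentation.split("~")
    issuer_jwt, disclosed = parts[0], [p for p in parts[1:] if p]
    header, body, sig = issuer_jwt.split(".")
    expected = b64url(hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(body))
    claims = {}
    for d in disclosed:
        if sd_digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by _sd")  # e.g. spliced from another credential
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return {"claims": claims, "signature": sig, "digests": set(payload["_sd"])}


def linkable(p1: str, p2: str) -> bool:
    """Same issuer signature, or any shared _sd digest (disclosed or not),
    ties two presentations to one credential."""
    v1, v2 = verifier_view(p1), verifier_view(p2)
    return v1["signature"] == v2["signature"] or bool(v1["digests"] & v2["digests"])


CLAIMS = {"given_name": "Alice", "age_over_18": True}  # constructed sample claims


def same_credential_twice() -> bool:
    """One SD-JWT shown twice with disjoint claims disclosed: still linkable."""
    jwt, disc = issue(CLAIMS)
    return linkable(present(jwt, disc, ["given_name"]), present(jwt, disc, ["age_over_18"]))


def batch_issued_pair() -> bool:
    """Two separately issued SD-JWTs for the same claims: not linkable by these handles."""
    jwt_a, disc_a = issue(CLAIMS)
    jwt_b, disc_b = issue(CLAIMS)
    return linkable(present(jwt_a, disc_a, ["given_name"]), present(jwt_b, disc_b, ["given_name"]))


if __name__ == "__main__":
    print("same credential, disjoint disclosures ->", same_credential_twice())
    print("two batch-issued credentials ->", batch_issued_pair())
```

Note what the check does not cover: it only looks at handles inside the SD-JWT itself. Holder binding keys, transport metadata and the disclosed claim values (a name, a unique identifier) can still link batch-issued credentials, which is the data minimization point the message wants kept in the privacy considerations.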