[OAUTH-WG] Re: Second WGLC for SD-JWT

Daniel Fett <mail@danielfett.de> Wed, 13 November 2024 15:50 UTC

Return-Path: <mail@danielfett.de>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 8A9D6C15152F for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 07:50:12 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.104
X-Spam-Level:
X-Spam-Status: No, score=-2.104 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_BLOCKED=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01, URIBL_BLOCKED=0.001, URIBL_DBL_BLOCKED_OPENDNS=0.001, URIBL_ZEN_BLOCKED_OPENDNS=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=danielfett.de
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZryhB9rajqT1 for <oauth@ietfa.amsl.com>; Wed, 13 Nov 2024 07:50:07 -0800 (PST)
Received: from mout-p-201.mailbox.org (mout-p-201.mailbox.org [IPv6:2001:67c:2050:0:465::201]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 9193EC14F6B7 for <oauth@ietf.org>; Wed, 13 Nov 2024 07:50:07 -0800 (PST)
Received: from smtp202.mailbox.org (smtp202.mailbox.org [IPv6:2001:67c:2050:b231:465::202]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (No client certificate requested) by mout-p-201.mailbox.org (Postfix) with ESMTPS id 4XpSQy5dNfz9svF for <oauth@ietf.org>; Wed, 13 Nov 2024 16:50:02 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=danielfett.de; s=MBO0001; t=1731513002; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=d7K8hcH3YEZmSYcaQdNsVwkrzVN5yaqiVKYPlC8fvuA=; b=CB7I/WIlymDlvkNOJLfJmKblalxyUutt3ciU9XQg2SBdkGmED22RLkVoyxBC8yJsbGjOg1 FIULkLmual5Y2bw2UoBX5YwP04d9Mzj0CSScr1ymt5A6bidu4IPZm12UK5+r1DEUNN2bzJ Tt9quKfCwGWxz8G2yqZ0T2b18xeKp3W5ACSDt5Z4RHbM1Whkod4/L4rNuiNCrbR+c3HSFi ytZEjO/dMDPFM0Zltt/JlK/GLTTrhjZPYLy6wU5r9LfBY0SqgkGsNzJcTrK4bTzs6t8Ne+ 0iAA2j0vYkHKYoDur28Jd77qRjA/USYBlLit4A8QfANli3RzR1RB/b2vWUZmjw==
Content-Type: multipart/alternative; boundary="------------aOMA07pcHgv60wZu00MjAevL"
Message-ID: <73c03d2e-f629-4096-8796-8e3965df909e@danielfett.de>
Date: Wed, 13 Nov 2024 16:49:54 +0100
MIME-Version: 1.0
To: oauth@ietf.org
References: <CADNypP9aEU4Ka+0u8PQ3W+jmLN5c6NK77i25Wo9bxquML5Ky2w@mail.gmail.com> <CACsn0ckMs=7St7hNPGb29yKjm3SBnC1pBJiuNyXRCT4Edg9mEg@mail.gmail.com> <CA+k3eCR9dZsj1ZQVT4nWrHzh0vGouzbD1cOEtBvD5WbXosOMXQ@mail.gmail.com> <CACsn0c=wiCU_XEdXzTz_tmVA-WHmVQOkS3Zobe8bU=VQP_Jaog@mail.gmail.com>
Content-Language: en-US
From: Daniel Fett <mail@danielfett.de>
In-Reply-To: <CACsn0c=wiCU_XEdXzTz_tmVA-WHmVQOkS3Zobe8bU=VQP_Jaog@mail.gmail.com>
X-Rspamd-Queue-Id: 4XpSQy5dNfz9svF
Message-ID-Hash: KGJRZT7VNOJ7PRTKADMPJ2PU6CPZUI4H
X-Message-ID-Hash: KGJRZT7VNOJ7PRTKADMPJ2PU6CPZUI4H
X-MailFrom: mail@danielfett.de
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
X-Mailman-Version: 3.3.9rc6
Precedence: list
Subject: [OAUTH-WG] Re: Second WGLC for SD-JWT
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/czP1cGb_jPHvoA4hS6Y_51APMlY>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

Am 13.11.24 um 02:04 schrieb Watson Ladd:
>
> I'd appreciate if others would weigh in, particularly if they haven't 
> followed this debate before.

Happy to -  as a co-author of the draft, I think that the current text 
addresses this risk sufficiently. Besides that, I'd second what Brian said.

-Daniel



>
>
> On Tue, Nov 12, 2024, 3:59 PM Brian Campbell 
> <bcampbell@pingidentity.com> wrote:
>
>     Consistently saying something isn't the same as gathering
>     consensus about what, if any, changes to make as a result of
>     saying it. The IETF has a consensus-based process for standards
>     development and sometimes one individual's viewpoint falls outside
>     consensus. Repeatedly voicing the viewpoint doesn't change that.
>
>     I suggest the WG proceed with submitting the draft to the IESG for
>     publication while noting in the Shepherd Write-Up that Watson has
>     repeatedly raised a concern about privacy implications and,
>     despite changes being made as a result, has raised the comment
>     again. I believe it's completely reasonable at this point to
>     declare the comment as "in the rough" with respect to the
>     consensus of the WG.
>
>
>     On Fri, Oct 25, 2024 at 9:45 AM Watson Ladd
>     <watsonbladd@gmail.com> wrote:
>
>         The privacy issues I have consistently raised have not been
>         addressed
>         through actionable text.
>
>         Implementers are not receiving guidance with the current
>         version. The
>         actual risks are buried below a bunch of words talking around the
>         issue.
>
>         I'll be very clear: if a user uses this technology to pass an age
>         verification filter, they will end up exposing their complete
>         identity
>         without knowing it. This is an unacceptable risk, and no one
>         disagrees
>         the technology poses it. Implementers will often not have the
>         skills
>         or knowledge to identify this concern independently, and need
>         actionable guidance on how to mitigate it. We provide far more
>         actionable guidance on storage of credentials.
>
>         On Fri, Oct 18, 2024 at 11:00 AM Rifaat Shekh-Yusef
>         <rifaat.s.ietf@gmail.com> wrote:
>         >
>         > All,
>         >
>         > This is a short second WG Last Call for the SD-JWT document
>         after the recent update based on the feedback provided during
>         the first WGLC
>         >
>         https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-13.txt
>         >
>         > Please, review this document and reply on the mailing list
>         if you have any comments or concerns, by Oct 25th.
>         >
>         > Regards,
>         >   Rifaat & Hannes
>         > _______________________________________________
>         > OAuth mailing list -- oauth@ietf.org
>         > To unsubscribe send an email to oauth-leave@ietf.org
>
>
>
>         -- 
>         Astra mortemque praestare gradatim
>
>         _______________________________________________
>         OAuth mailing list -- oauth@ietf.org
>         To unsubscribe send an email to oauth-leave@ietf.org
>
>
>     /CONFIDENTIALITY NOTICE: This email may contain confidential and
>     privileged material for the sole use of the intended recipient(s).
>     Any review, use, distribution or disclosure by others is strictly
>     prohibited.  If you have received this communication in error,
>     please notify the sender immediately by e-mail and delete the
>     message and any file attachments from your computer. Thank you./
>
>
> _______________________________________________
> OAuth mailing list --oauth@ietf.org
> To unsubscribe send an email tooauth-leave@ietf.org