[OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.
Brian Campbell <bcampbell@pingidentity.com> Thu, 09 January 2025 18:08 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/eZz7yoDFjI7xsKFXzN-PbFiJXro>
Pull request https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/535 incorporates text based on this suggestion into the end of the Unlinkability subsection of the Privacy Considerations. Barring objections/concerns with this, we'll look to merge it and publish a new draft next week.

On Wed, Jan 8, 2025 at 4:51 PM Watson Ladd <watsonbladd@gmail.com> wrote:

> Dear oauth wg,
>
> Happy 2025! I hope everyone has had a nice set of holidays. As a
> reminder I put forward the following proposal for text to add to
> either privacy or security considerations of sd-jwt, but the timing
> was unfortunate, coming Christmas eve.
> Comments on it welcome.
>
> "SD-JWT conceals only the values that aren't revealed. It does not
> meet standard security notions for anonymous credentials. In
> particular Verifiers and Issuers can know when they have seen the same
> credential no matter what fields have been opened, even none of them.
> This behavior may not accord with what users naively expect or are
> led to expect from UX interactions and may lead them to make choices they
> would not otherwise make. Workarounds such as issuing multiple
> credentials at once and using them only one time can help keep
> Verifiers from linking different showings, but cannot work for Issuers.
> This issue applies to all selective-disclosure-based approaches,
> including mdoc."
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
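The linkability property Watson describes, worked through in a runnable toy model. This is an added example and is not code from the SD-JWT draft, from PR 535, or from any message in this thread. It follows the SD-JWT construction (salted disclosures, SHA-256 digests in an `_sd` array, a `~`-separated presentation) but simplifies it: HMAC-SHA256 stands in for the Issuer's JWS signature, there is no Key Binding JWT, and the issuer URL, claim names and the subject label "alice" are made up. The point it demonstrates is that the issuer-signed JWT (signature plus the `_sd` digests) is byte-identical in every presentation of one credential, whatever the Holder chooses to disclose, so a Verifier can recognise the credential again even from a presentation that discloses nothing, and the Issuer can always map it back to the subject it issued it to.

```python
import base64
import hashlib
import hmac
import json
import secrets


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def disclosure_digest(disclosure: str) -> str:
    # As in SD-JWT, the digest is over the ASCII of the base64url disclosure string.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def issuer_signed_part(presentation: str) -> str:
    return presentation.split("~")[0]


class Issuer:
    """Toy Issuer. HMAC-SHA256 is a stand-in for a real JWS signature (e.g. ES256);
    the linkability argument does not depend on the signature algorithm."""

    def __init__(self, key: bytes):
        self.key = key
        self.issuance_log: dict[str, str] = {}  # issuer-signed JWT -> subject (assumed record)

    def issue(self, subject: str, claims: dict) -> str:
        # One disclosure per claim: base64url(JSON([salt, name, value])) with a fresh 128-bit salt.
        disclosures = [
            b64url(json.dumps([b64url(secrets.token_bytes(16)), name, value]).encode())
            for name, value in claims.items()
        ]
        payload = {
            "iss": "https://issuer.example",  # hypothetical issuer
            "_sd_alg": "sha-256",
            "_sd": sorted(disclosure_digest(d) for d in disclosures),
        }
        header = b64url(json.dumps({"alg": "HS256"}).encode())
        body = b64url(json.dumps(payload).encode())
        sig = b64url(hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest())
        jws = f"{header}.{body}.{sig}"
        self.issuance_log[jws] = subject  # the Issuer keeps what it signed
        return jws + "~" + "".join(d + "~" for d in disclosures)

    def link_to_subject(self, presentation: str) -> str:
        """Issuer-side linking: the signed JWT is the lookup key, so batch issuance does not help here."""
        return self.issuance_log.get(issuer_signed_part(presentation), "unknown")


def present(sd_jwt: str, disclose: set[str]) -> str:
    """Holder keeps only the disclosures it wants to reveal; the issuer-signed JWT is untouched."""
    parts = sd_jwt.split("~")
    jws, disclosures = parts[0], [d for d in parts[1:] if d]
    selected = [d for d in disclosures if json.loads(b64url_decode(d))[1] in disclose]
    return jws + "~" + "".join(d + "~" for d in selected)


def verify(issuer_key: bytes, presentation: str) -> dict:
    """Verifier check: issuer signature, then each disclosure must hash into the signed _sd array."""
    parts = presentation.split("~")
    jws, disclosures = parts[0], [d for d in parts[1:] if d]
    header, body, sig = jws.split(".")
    expected = b64url(hmac.new(issuer_key, f"{header}.{body}".encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(body))
    claims = {}
    for d in disclosures:
        if disclosure_digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not bound to this credential")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return claims


def verifier_handle(presentation: str) -> str:
    """What a Verifier can store to recognise the same credential later. The issuer-signed JWT
    (signature and _sd digests) is identical in every presentation, whatever is disclosed."""
    return hashlib.sha256(issuer_signed_part(presentation).encode()).hexdigest()


if __name__ == "__main__":
    issuer = Issuer(secrets.token_bytes(32))
    claims = {"given_name": "Alice", "age_over_18": True}  # constructed sample claims
    cred = issuer.issue("alice", claims)
    p_name, p_nothing = present(cred, {"given_name"}), present(cred, set())
    print("disclosed:", verify(issuer.key, p_name), verify(issuer.key, p_nothing))
    print("verifier links the two showings:", verifier_handle(p_name) == verifier_handle(p_nothing))
    c1, c2 = issuer.issue("alice", claims), issuer.issue("alice", claims)  # batch of two
    print("verifier links batch copies:", verifier_handle(c1) == verifier_handle(c2))
    print("issuer links batch copies:", issuer.link_to_subject(c1), issuer.link_to_subject(c2))
```

Run as a script and the first comparison prints True: `p_name` reveals the name, `p_nothing` reveals nothing, yet both carry the same issuer-signed JWT, so `verifier_handle` is equal. The batch comparison prints False because each `issue` call draws fresh salts and produces a fresh signature, which is the "issue multiple credentials and use each once" workaround; the last line shows the Issuer resolving both copies to "alice" regardless, because it logged what it signed. One caveat the toy hides: a real SD-JWT carries the Holder's key in `cnf` for Key Binding, and if the same Holder key is reused across the batch, that key becomes another stable handle a Verifier can correlate on, so batch issuance only helps against Verifiers when each copy is bound to a distinct key.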