[OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.

Watson Ladd <watsonbladd@gmail.com> Thu, 09 January 2025 18:17 UTC

References: <CACsn0ck9pHXtLc7dgMME8nzLh2dV+__5tJm=mbRPpBqJq8YLzA@mail.gmail.com> <CH3PR13MB674772CE395C23E30B7F35D9E1132@CH3PR13MB6747.namprd13.prod.outlook.com> <CACsn0cndtkJm4mgQi=aD4uWDjzPY-CGZ589ORb_=3WGHnoA3Bg@mail.gmail.com>
In-Reply-To: <CACsn0cndtkJm4mgQi=aD4uWDjzPY-CGZ589ORb_=3WGHnoA3Bg@mail.gmail.com>
From: Watson Ladd <watsonbladd@gmail.com>
Date: Thu, 09 Jan 2025 10:17:28 -0800
Message-ID: <CACsn0ckSnUa8sW5nrySxJe9fycohAT=cpHaogM-bRx-Xzcn6fQ@mail.gmail.com>
To: Pierce Gorman <Pierce.Gorman@numeracle.com>
CC: IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Re: Reminder: Alternative text for sd-jwt privacy considerations.
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/fhI5ntZOazbnaT6-NE-99mGfg9k>

On Thu, Jan 9, 2025, 10:14 AM Watson Ladd <watsonbladd@gmail.com> wrote:

>
>
> On Thu, Jan 9, 2025, 10:10 AM Pierce Gorman <Pierce.Gorman@numeracle.com>
> wrote:
>
>> Hi Watson,
>>
>> I thought it was a good suggestion and am looking forward to feedback
>> from others.
>>
>> I didn't understand the part of the statement in the penultimate sentence
>> that says, "but cannot work for Issuers". I should probably understand
>> what you meant without having to ask, but I don't.
>>
>> Can you please elaborate on what you meant about workarounds such as issuing
>> multiple one-time-use credentials at once (if I understood that correctly)
>> not working for Issuers?
>>
>
> Let's change that to "cannot prevent Issuers from linking issuance to
> showing". Does that help?
>

Actually, I see Brian already made a better edit to fix it in the PR.

>
>> Pierce
>>
>>
>> -----Original Message-----
>> From: Watson Ladd <watsonbladd@gmail.com>
>> Sent: Wednesday, January 8, 2025 5:51 PM
>> To: IETF oauth WG <oauth@ietf.org>
>> Subject: [OAUTH-WG] Reminder: Alternative text for sd-jwt privacy
>> considerations.
>>
>> Dear oauth wg,
>>
>> Happy 2025! I hope everyone has had a nice set of holidays. As a reminder,
>> I put forward the following proposal for text to add to either the privacy or
>> the security considerations of sd-jwt, but the timing was unfortunate, coming
>> on Christmas Eve.
>> Comments on it are welcome.
>>
>> "SD-JWT conceals only the values that aren't revealed. It does not meet
>> standard security notions for anonymous credentials. In particular,
>> Verifiers and Issuers can know when they have seen the same credential no
>> matter what fields have been opened, even none of them.
>> This behavior may not accord with what users naively expect or are led
>> to expect from UX interactions, and may lead them to make choices they would
>> not otherwise make. Workarounds such as issuing multiple credentials at once
>> and using each only one time can help keep Verifiers from linking
>> different showings, but cannot work for Issuers.
>> This issue applies to all selective-disclosure-based approaches,
>> including mdoc."
>>
>> Sincerely,
>> Watson
>>
>> --
>> Astra mortemque praestare gradatim
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>
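The linkability property described in the quoted proposal, as an added illustration that is not part of the thread or of the SD-JWT draft: a toy SD-JWT in Python (HMAC-SHA256 stands in for the Issuer's real asymmetric signature; the issuer URL, key and holder id are constructed) shows a Verifier recognising two presentations of one credential even when no claim is disclosed, and shows why the batch-of-single-use-credentials workaround helps against Verifiers but not against the Issuer.

```python
import base64, hashlib, hmac, json, secrets

# Constructed issuer key; HMAC-SHA256 stands in for the Issuer's real asymmetric signature.
ISSUER_KEY = b"constructed-issuer-key"

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64u_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_disclosure(name: str, value) -> str:
    # SD-JWT disclosure: base64url(JSON [salt, claim name, claim value]) with a fresh salt.
    return b64u(json.dumps([b64u(secrets.token_bytes(16)), name, value]).encode())

def issue(claims: dict) -> tuple[str, list[str]]:
    # The Issuer-signed JWT carries only the digests of the disclosures in its "_sd" array.
    disclosures = [make_disclosure(k, v) for k, v in claims.items()]
    digests = sorted(b64u(hashlib.sha256(d.encode()).digest()) for d in disclosures)
    header = b64u(b'{"alg":"HS256"}')
    payload = b64u(json.dumps({"iss": "https://issuer.example", "_sd": digests}).encode())
    sig = b64u(hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), "sha256").digest())
    return f"{header}.{payload}.{sig}", disclosures

def present(issuer_jwt: str, disclosures: list[str], reveal: set) -> str:
    # The Holder picks which disclosures to send; the Issuer-signed part is forwarded unchanged.
    chosen = [d for d in disclosures if json.loads(b64u_decode(d))[1] in reveal]
    return "~".join([issuer_jwt, *chosen]) + "~"

def link_key(presentation: str) -> str:
    # What a Verifier can store to recognise the credential again: the Issuer-signed JWT
    # (signature plus "_sd" digests) is byte-identical in every presentation of it.
    return hashlib.sha256(presentation.split("~")[0].encode()).hexdigest()

def demo() -> dict:
    cred, discs = issue({"given_name": "Alice", "age_over_18": True})
    p_name = present(cred, discs, {"given_name"})
    p_none = present(cred, discs, set())  # opens no claims at all
    # Workaround from the thread: a batch of single-use credentials, each with fresh salts.
    batch = [issue({"age_over_18": True}) for _ in range(2)]
    issuer_records = {link_key(c + "~"): "holder-42" for c, _ in batch}  # Issuer's own log
    shown = [present(c, d, {"age_over_18"}) for c, d in batch]
    return {
        "same_cred_linkable_by_verifier": link_key(p_name) == link_key(p_none),
        "batch_linkable_by_verifier": link_key(shown[0]) == link_key(shown[1]),
        "batch_linkable_by_issuer": len({issuer_records[link_key(s)] for s in shown}) == 1,
    }
```

Because the Issuer signs the salted digests, any party that ever sees the Issuer-signed part can match it later, which is exactly why fresh salts per credential stop Verifier-side linking but leave the Issuer able to tie every showing back to its issuance record.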