IETF Logo Mail Archive

[OAUTH-WG] Re: SD-JWT and Unlinkability

Kristina Yasuda <yasudakristina@gmail.com> Mon, 23 September 2024 21:03 UTC

Return-Path: <yasudakristina@gmail.com>
X-Original-To: oauth@ietfa.amsl.com
Delivered-To: oauth@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AEBBBC14F5F2 for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2024 14:03:57 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.107
X-Spam-Level:
X-Spam-Status: No, score=-2.107 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, DKIM_VALID_EF=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_ZEN_BLOCKED_OPENDNS=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id BjCXjw9WOYBS for <oauth@ietfa.amsl.com>; Mon, 23 Sep 2024 14:03:57 -0700 (PDT)
Received: from mail-yw1-x1132.google.com (mail-yw1-x1132.google.com [IPv6:2607:f8b0:4864:20::1132]) (using TLSv1.3 with cipher TLS_AES_128_GCM_SHA256 (128/128 bits) key-exchange X25519 server-signature ECDSA (P-256) server-digest SHA256) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 7DC5DC14F5ED for <oauth@ietf.org>; Mon, 23 Sep 2024 14:03:47 -0700 (PDT)
Received: by mail-yw1-x1132.google.com with SMTP id 00721157ae682-6ddd138e0d0so42354347b3.1 for <oauth@ietf.org>; Mon, 23 Sep 2024 14:03:47 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1727125426; x=1727730226; darn=ietf.org; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:from:to:cc:subject:date:message-id:reply-to; bh=wJIDEMU8BuxW/doIiuZn6VV7OAkK/BTu1L7l2LxhFNc=; b=BZ/p+LDxhrR+SN3b94t3d48r0VYSuYLPmjnHCSrPadGKYXajbcs5Jq5zT8gSbyoWPK Ijcuy/ZcHDsMBkMzq8ZDp5tkd+IsH74H0sPXjMMhCzK/r7QUY5NyMaiaUtl1lNwFBLmu /Hb+qDQlTAphGP54D3M2J3krPmApdIAr3KbYTohvWLgIzO9SclF6WxpBxAS6rmtCwT4g NrY9RaH5eylCTQf2aY2LbohqIZECK8XH4zUvLXptTaydPpL8RZ4sAunUFMki6Zs9RJYm m/xXv2pDOTDR4AboL6llR83NgfIgkKZ7vBSHc+NCdKSrvn4uVMcNnxFy3ezqp01H+717 EM5Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1727125426; x=1727730226; h=cc:to:subject:message-id:date:from:in-reply-to:references :mime-version:x-gm-message-state:from:to:cc:subject:date:message-id :reply-to; bh=wJIDEMU8BuxW/doIiuZn6VV7OAkK/BTu1L7l2LxhFNc=; b=JwI3aPm31b7h4bvsQLUyGVHy06z3gHB7YpiJY8k6gBPK02B701wZSYW0Z+Mj2Dzo7U j9zrgBgLkaR4rIX6fnBGXf083mI/K9Cc9st4S8GwDBG+3OGlRtiWsto8+QHcp+VUIFKC YoPsXk5PCMRb435XLzoeXkvYcNsXPxeTfzbDf2lwLPsOHorzzsDaMdxKU0LrWUBF+OJF yCp/e8ze7ywknFMcSgki3eLw92nTloFssfw+V0EVQgo5+WwUhCznoWvNZlHHlIMMyPTL lRr6OiTFo0Mscn7Zlute432EWUEZS8rCFRCfHvtSbQSmIKG/D/7XybS4/MuImNpgJGGK 0V4g==
X-Forwarded-Encrypted: i=1; AJvYcCVdYgZr1pYQO1zMcmssbFNghlXmPM17reOXtEctvmGg2CNvcQoU48kh4QkdxUXhUm0M2H64ow==@ietf.org
X-Gm-Message-State: AOJu0YyoGVCFKIF+p95LqbVLSKZjCKQT/AOKIcvbAyW300Q+ctf6EZ6m 3F72Y0cZXOY2JlWeR9yhRdgqYSsYaZbN7J1rO/MwZ/HvC5fxHKV2xknm+mfnHS0fYwhcr5QhyfN 9M/tM4HwBL3jdbOVV/3SuUwMXEIQ=
X-Google-Smtp-Source: AGHT+IEdZLDqstinyolESKHuR73LK4QzIEdmUIj0mq5QIvVCYkSxekw52425AlJ3BBIZZwQFDegunHKsPbO2YXEOXJo=
X-Received: by 2002:a05:690c:3387:b0:6d1:41:5b35 with SMTP id 00721157ae682-6dfeed30c22mr117115967b3.13.1727125426579; Mon, 23 Sep 2024 14:03:46 -0700 (PDT)
MIME-Version: 1.0
References: <CAD9ie-s_gFmkCC8uKXQXC0W1u_zcaktvvNV6wEC4RtJQMarnng@mail.gmail.com> <51d9e2b2-e766-4eea-8b31-a0ae5b2cfae4@danielfett.de> <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com>
In-Reply-To: <CAD9ie-sLcUPPdj4Y0KEeq7C_Nb1ah1GiUbz1sOZEyDPyFbGSZw@mail.gmail.com>
From: Kristina Yasuda <yasudakristina@gmail.com>
Date: Mon, 23 Sep 2024 23:03:35 +0200
Message-ID: <CAFje9Pg=-H9x35JQzdL8_9HjRCeR6+n9DO_pu32SK_mKib4RWw@mail.gmail.com>
To: Dick.Hardt@gmail.com
Content-Type: multipart/alternative; boundary="00000000000088b03e0622cfb9ba"
Message-ID-Hash: KTVE2V73SNXQ2OVZPIMA4QBNW7WKICE7
X-Message-ID-Hash: KTVE2V73SNXQ2OVZPIMA4QBNW7WKICE7
X-MailFrom: yasudakristina@gmail.com
X-Mailman-Rule-Misses: dmarc-mitigation; no-senders; approved; emergency; loop; banned-address; member-moderation; header-match-oauth.ietf.org-0; nonmember-moderation; administrivia; implicit-dest; max-recipients; max-size; news-moderation; no-subject; digests; suspicious-header
CC: kristina@sfc.keio.ac.jp, oauth@ietf.org
X-Mailman-Version: 3.3.9rc4
Precedence: list
Subject: [OAUTH-WG] Re: SD-JWT and Unlinkability
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/oxo_exUls7UzPz51F2pD-ZcCJf8>
List-Archive: <https://mailarchive.ietf.org/arch/browse/oauth>
List-Help: <mailto:oauth-request@ietf.org?subject=help>
List-Owner: <mailto:oauth-owner@ietf.org>
List-Post: <mailto:oauth@ietf.org>
List-Subscribe: <mailto:oauth-join@ietf.org>
List-Unsubscribe: <mailto:oauth-leave@ietf.org>

> there is no guidance on how many to issue, nor how a holder chooses when
to reissue the same ones
> the question about users randomly selecting some to store and some to
reject.

These are great points, however, just like JWT/JWS specifications do not
define how to manage the lifecycle of those, SD-JWT document is not a right
place to discuss them. What you call a "hack" is not meant to be fully
specified in SD-JWT document itself. Please review documents such as
OpenID4VCI to improve various aspects of batch (re)issuance.

On another note, and not sure this was your original point, but I can
recall that originally, we had a text in the document that there are other
ways to achieve verifier/verifier unlinkability, other than batch issuance,
mainly using advanced cryptography (aka ZKPs). Then, upon receiving
feedback that such text is not really actionable or implementable, because
it was not well established how to use ZKP with SD-JWTs, we removed
sentences alluding to the mechanisms that are not batch issuance.
However, I think that might be changing, looking at the work cryptographers
at Google have been demonstrating recently. I think we are eagerly waiting
for that work to be published and peer reviewed.
To sum up, I think we could add back into the SD-JWT document a sentence
saying there are ways other than batch issuance to achieve
verifier-verifier unlinkability.

Best,
Kristina


On Sat, Sep 21, 2024 at 5:56 PM Dick Hardt <dick.hardt@gmail.com> wrote:

> I understand it has become the accepted approach. It still comes across as
> a hack, and there is no guidance on how many to issue, nor how a holder
> chooses when to reissue the same ones.
>
> I'm amused by the decision to use implicit typing in a disclosure to save
> a few bytes, but we will send dozens of credentials to minimize the chance
> of linking :)
>
> On Sat, Sep 21, 2024 at 4:29 PM Daniel Fett <mail@danielfett.de> wrote:
>
>> Hi Dick,
>>
>> Batch credential (not claims) issuing has become the default approach to
>> circumvent the inherent limitations of salted-hash-based credentials
>> formats. This was neither invented by us, nor is it unreasonable to ask
>> implementers to do it. Protocols such as OpenID4VCI support it.
>>
>> -Daniel
>> Am 21.09.24 um 06:42 schrieb Dick Hardt:
>>
>> Is it really going to be practical to batch issue claims, and have the
>> holder randomly choose between them on presentation?
>>
>> As an implementer, what is the right number of claims to be in a batch?
>>
>> This section of the draft reads as a hack to add a new capability
>> (unlinkability) to a mechanism that did not have that as a design objective.
>>
>> This is going to be like the "alg":"null" for SD-JWT. :-)
>>
>>
>>

v2.39.1 | Report a Bug | By Email | System Status