MIME-Version: 1.0
References: 
 <CACsn0cnEJKamSSJH4-pKg1xNZ3X+__B4UwZ3P5enxP5tQ4AqzA@mail.gmail.com>
 <CAK2Cwb5cf9uHJBNZp2rZ+BQcUNPpC7-GfPPhu4ben1N6ZyEa9w@mail.gmail.com>
 <005A4346-84CE-47CD-BCCC-9EE236F569F1@alkaline-solutions.com>
 <CAK2Cwb6oVha8wM9+ERet8vXJT=+LeaL3Ju1ePq-6e+ye9_evrA@mail.gmail.com>
 <CA+k3eCTv91QyX1tNCRQ8fransbacOCUnnAq0wthbQA20WvTMdw@mail.gmail.com>
In-Reply-To: 
 <CA+k3eCTv91QyX1tNCRQ8fransbacOCUnnAq0wthbQA20WvTMdw@mail.gmail.com>
From: George Fletcher <george.fletcher@capitalone.com>
Date: Thu, 2 Jan 2025 09:55:47 -0500
Message-ID: 
 <CAJnLd9JGSZaPr2-Z_wJx72KZ4yTpCNu69GWCK+Un1nx_czsA-A@mail.gmail.com>
To: Brian Campbell <bcampbell=40pingidentity.com@dmarc.ietf.org>
Content-Type: multipart/alternative; boundary="000000000000338710062aba5c66"
Message-ID-Hash: RY3O7DTATZ4ERLXJ5ISPQRIA5F2FVPGI
CC: peace@acm.org, pemc kantara <Wg-pemc@kantarainitiative.org>,
 IETF oauth WG <oauth@ietf.org>
Precedence: list
Subject: =?utf-8?q?=5BOAUTH-WG=5D_Re=3A_=5BExternal_Sender=5D_Re=3A_Alternative_text_?=
 =?utf-8?q?for_sd-jwt_privacy_considerations=2E?=
Archived-At: 
 <https://mailarchive.ietf.org/arch/msg/oauth/pDiMNYfWVQ-r4BPs_b-VJfK_h2Y>

--000000000000338710062aba5c66
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

+1 for including "something along those lines" in the existing
considerations

I would be cautious about defining or assuming "what users naively expect"
as my guess is that most users are not thinking about the things we are
thinking about :) That said, any objective considerations make sense so
that developers and implementers of the specification can make
informed decisions.

Thanks,
George

On Fri, Dec 27, 2024 at 9:19=E2=80=AFAM Brian Campbell <bcampbell=3D
40pingidentity.com@dmarc.ietf.org> wrote:

> I feel like this thread has strayed a bit from its origin, which was some
> text Watson proposed for the privacy considerations
> https://mailarchive.ietf.org/arch/msg/oauth/ugVBj2O0hw-nuWNVTFpt0JH3yVY
> <https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/oauth/=
ugVBj2O0hw-nuWNVTFpt0JH3yVY__;!!FrPt2g6CO4Wadw!IkV8PDb1ibu7AVZAjBpsZYOSl3Fi=
xR2uBDUoDcqXfwq1wcEBF5hZn325iCcXGQX0ycUI5WzzorLKwP2x03cBCqR_eABSNFxTOdS6EzI=
$>
>
> From my perspective, it wouldn't be a wholesale replacement for anything
> but, assuming the co-authors and WG in general are okay with it, something
> along those lines could be incorporated into the existing considerations.
>
> On Thu, Dec 26, 2024 at 6:28=E2=80=AFPM Tom Jones <thomasclinganjones@gma=
il.com>
> wrote:
>
>> I am appalled!
>>
>> All humans must adapt to the consent plans of this small standards group!
>> I for one do not plan to adapt - sorry about that!
>>
>> Peace ..tom jones
>>
>>
>> On Thu, Dec 26, 2024 at 4:15=E2=80=AFPM David Waite <david@alkaline-solu=
tions.com>
>> wrote:
>>
>>>
>>>
>>> > On Dec 26, 2024, at 10:38=E2=80=AFAM, Tom Jones <thomasclinganjones@g=
mail.com>
>>> wrote:
>>> >
>>> > This problem was clearly demonstrated by the California mDL hackathon
>>> where the default presentation was ALL DATA. That is the easiest path, =
so
>>> it remains the one most taken. We have known since standards were first
>>> introduced that they immediately create a drive to the bottom. This wil=
l be
>>> the fate of this standard as well. The most permissive interpretation w=
ill
>>> be the most common. The user's desires will not be met.
>>> >
>>>
>>> The consequence of splitting out the policy for controlling data release
>>> from the issuing authority is that the complexity that was the business
>>> logic for handling requests, determining if they are appropriate for the
>>> use case, prompting the user for consent, etc. is now all complexity pu=
shed
>>> into the (likely third party) user agent.
>>>
>>> Architectures like PRIVACYPASS create individual solutions to release a
>>> particular type of information in the most privacy-preserving manner th=
ey
>>> are capable of. This sort of business logic is baked into the protocol,=
 and
>>> the scope of implementation is thus boxed to solve that particular prob=
lem.
>>> The user agent can only work per the spec if it intends to work properl=
y,
>>> and following the specification (hopefully) leads to a complete
>>> implementation.
>>>
>>> The majority of verifiable credentials systems proposed have no such
>>> bounds - which is one reason you are likely to see credentials often sc=
oped
>>> to be issued only to specific, qualified wallets in production. Those
>>> specific user agents will enforce the required security and privacy
>>> requirements the issuer has for their credential. That is both their own
>>> policy logic to be enforced (such as a credential being bound to hardwa=
re),
>>> as well as their own requirements for appropriate user behavior (such as
>>> mandatory authentication and mandatory disclosure before the credential=
 is
>>> released). That could include verifier authentication and having the ho=
lder
>>> agent confirm the verifier is authorized by the issuer to make the sort=
 of
>>> request they are making - before a user consent prompt ever enters the
>>> picture.
>>>
>>> You could say that the captcha usage of privacy pass and AAMVA mDL usage
>>> are the same in that they develop trust frameworks that define the netw=
ork
>>> of acceptable participants. I suspect however that the requirements for=
 the
>>> latter contain significantly more requirements and potentially new
>>> technical works.
>>>
>>> A mDL hackathon has likely not set such policy or mandated that mDL and
>>> readers abide by it. They may not even have wanted to limit participant=
s to
>>> having support for specifying complex queries (especially with the
>>> OpenID4VP query language changes which occurred recently). I=E2=80=99m =
not
>>> surprised a hackathon defaulted to a wide-open attribute policy.
>>>
>>> -DW
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-leave@ietf.org
>>
>
> *CONFIDENTIALITY NOTICE: This email may contain confidential and
> privileged material for the sole use of the intended recipient(s). Any
> review, use, distribution or disclosure by others is strictly prohibited.
> If you have received this communication in error, please notify the sender
> immediately by e-mail and delete the message and any file attachments from
> your computer. Thank you.*_______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-leave@ietf.org
>

______________________________________________________________________



The information contained in this e-mail may be confidential and/or proprie=
tary to Capital One and/or its affiliates and may only be used solely in pe=
rformance of work or services for Capital One. The information transmitted =
herewith is intended only for use by the individual or entity to which it i=
s addressed. If the reader of this message is not the intended recipient, y=
ou are hereby notified that any review, retransmission, dissemination, dist=
ribution, copying or other use of, or taking of any action in reliance upon=
 this information is strictly prohibited. If you have received this communi=
cation in error, please contact the sender and delete the material from you=
r computer.




--000000000000338710062aba5c66
Content-Transfer-Encoding: quoted-printable
Content-Type: text/html; charset="utf-8"

<div dir=3D"ltr"><div dir=3D"ltr">+1 for including=C2=A0&quot;something alo=
ng those lines&quot; in the existing considerations<br><input name=3D"virtr=
u-metadata" type=3D"hidden" value=3D"{&quot;email-policy&quot;:{&quot;disab=
leCopyPaste&quot;:false,&quot;disablePrint&quot;:false,&quot;disableForward=
ing&quot;:false,&quot;enableNoauth&quot;:false,&quot;expandedWatermarking&q=
uot;:false,&quot;expires&quot;:true,&quot;sms&quot;:false,&quot;expirationN=
um&quot;:87840,&quot;expirationUnit&quot;:&quot;minutes&quot;,&quot;isManag=
ed&quot;:false,&quot;persistentProtection&quot;:false,&quot;expirationDate&=
quot;:&quot;2025-03-02T14:55:47.336Z&quot;},&quot;attachments&quot;:{},&quo=
t;compose-id&quot;:&quot;5&quot;,&quot;compose-window&quot;:{&quot;secure&q=
uot;:false}}"><div><br></div><div>I would be cautious about defining or ass=
uming &quot;what users naively expect&quot; as my guess is that most users =
are not thinking about the things we are thinking about :) That said, any o=
bjective considerations make sense so that developers and implementers of t=
he specification can make informed=C2=A0decisions.</div><div><br></div><div=
>Thanks,</div><div>George</div></div><br><div class=3D"gmail_quote gmail_qu=
ote_container" style=3D""><div dir=3D"ltr" class=3D"gmail_attr">On Fri, Dec=
 27, 2024 at 9:19=E2=80=AFAM Brian Campbell &lt;bcampbell=3D<a href=3D"mail=
to:40pingidentity.com@dmarc.ietf.org">40pingidentity.com@dmarc.ietf.org</a>=
&gt; wrote:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px =
0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div=
 dir=3D"ltr"><div>I feel like this thread has strayed a bit from its origin=
, which was some text Watson proposed for the privacy considerations <a hre=
f=3D"https://urldefense.com/v3/__https://mailarchive.ietf.org/arch/msg/oaut=
h/ugVBj2O0hw-nuWNVTFpt0JH3yVY__;!!FrPt2g6CO4Wadw!IkV8PDb1ibu7AVZAjBpsZYOSl3=
FixR2uBDUoDcqXfwq1wcEBF5hZn325iCcXGQX0ycUI5WzzorLKwP2x03cBCqR_eABSNFxTOdS6E=
zI$" target=3D"_blank">https://mailarchive.ietf.org/arch/msg/oauth/ugVBj2O0=
hw-nuWNVTFpt0JH3yVY</a> <br></div><div><br></div><div>From my perspective, =
it wouldn&#39;t be a wholesale replacement for anything but, assuming the c=
o-authors and WG in general are okay with it, something along those lines c=
ould be incorporated into the existing considerations. <br></div></div><br>=
<div class=3D"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, De=
c 26, 2024 at 6:28=E2=80=AFPM Tom Jones &lt;<a href=3D"mailto:thomasclingan=
jones@gmail.com" target=3D"_blank">thomasclinganjones@gmail.com</a>&gt; wro=
te:<br></div><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px =
0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir=3D"=
ltr"><div>I am appalled!</div><div><br></div><div>All humans must adapt to =
the consent plans of this small standards group!</div><div>I for one do not=
 plan to adapt - sorry about that!</div><div><br></div><div><div dir=3D"ltr=
" class=3D"gmail_signature"><div dir=3D"ltr"><font face=3D"-apple-system, s=
ystem-ui, system-ui, Segoe UI, Roboto, Helvetica Neue, Fira Sans, Ubuntu, O=
xygen, Oxygen Sans, Cantarell, Droid Sans, Apple Color Emoji, Segoe UI Emoj=
i, Segoe UI Symbol, Lucida Grande, Helvetica, Arial, sans-serif" color=3D"#=
38761d"><span style=3D"font-size:14px;background-color:rgb(242,242,242)">Pe=
ace  ..tom jones</span></font></div></div></div><br></div><br><div class=3D=
"gmail_quote"><div dir=3D"ltr" class=3D"gmail_attr">On Thu, Dec 26, 2024 at=
 4:15=E2=80=AFPM David Waite &lt;<a href=3D"mailto:david@alkaline-solutions=
.com" target=3D"_blank">david@alkaline-solutions.com</a>&gt; wrote:<br></di=
v><blockquote class=3D"gmail_quote" style=3D"margin:0px 0px 0px 0.8ex;borde=
r-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
<br>
&gt; On Dec 26, 2024, at 10:38=E2=80=AFAM, Tom Jones &lt;<a href=3D"mailto:=
thomasclinganjones@gmail.com" target=3D"_blank">thomasclinganjones@gmail.co=
m</a>&gt; wrote:<br>
&gt; <br>
&gt; This problem was clearly demonstrated by the California mDL hackathon =
where the default presentation was ALL DATA. That is the easiest path, so i=
t remains the one most taken. We have known since standards were first intr=
oduced that they immediately create a drive to the bottom. This will be the=
 fate of this standard as well. The most permissive interpretation will be =
the most common. The user&#39;s desires will not be met.<br>
&gt; <br>
<br>
The consequence of splitting out the policy for controlling data release fr=
om the issuing authority is that the complexity that was the business logic=
 for handling requests, determining if they are appropriate for the use cas=
e, prompting the user for consent, etc. is now all complexity pushed into t=
he (likely third party) user agent.<br>
<br>
Architectures like PRIVACYPASS create individual solutions to release a par=
ticular type of information in the most privacy-preserving manner they are =
capable of. This sort of business logic is baked into the protocol, and the=
 scope of implementation is thus boxed to solve that particular problem. Th=
e user agent can only work per the spec if it intends to work properly, and=
 following the specification (hopefully) leads to a complete implementation=
.<br>
<br>
The majority of verifiable credentials systems proposed have no such bounds=
 - which is one reason you are likely to see credentials often scoped to be=
 issued only to specific, qualified wallets in production. Those specific u=
ser agents will enforce the required security and privacy requirements the =
issuer has for their credential. That is both their own policy logic to be =
enforced (such as a credential being bound to hardware), as well as their o=
wn requirements for appropriate user behavior (such as mandatory authentica=
tion and mandatory disclosure before the credential is released). That coul=
d include verifier authentication and having the holder agent confirm the v=
erifier is authorized by the issuer to make the sort of request they are ma=
king - before a user consent prompt ever enters the picture.<br>
<br>
You could say that the captcha usage of privacy pass and AAMVA mDL usage ar=
e the same in that they develop trust frameworks that define the network of=
 acceptable participants. I suspect however that the requirements for the l=
atter contain significantly more requirements and potentially new technical=
 works.<br>
<br>
A mDL hackathon has likely not set such policy or mandated that mDL and rea=
ders abide by it. They may not even have wanted to limit participants to ha=
ving support for specifying complex queries (especially with the OpenID4VP =
query language changes which occurred recently). I=E2=80=99m not surprised =
a hackathon defaulted to a wide-open attribute policy.<br>
<br>
-DW</blockquote></div>
_______________________________________________<br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">o=
auth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" tar=
get=3D"_blank">oauth-leave@ietf.org</a><br>
</blockquote></div>

<br>
<i style=3D"margin:0px;padding:0px;border:0px;outline:0px;vertical-align:ba=
seline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-=
ui,-apple-system,system-ui,&quot;Segoe UI&quot;,Roboto,Oxygen-Sans,Ubuntu,C=
antarell,&quot;Helvetica Neue&quot;,Arial,sans-serif;color:rgb(85,85,85)"><=
span style=3D"margin:0px;padding:0px;border:0px;outline:0px;vertical-align:=
baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,=
-apple-system,BlinkMacSystemFont,&quot;Segoe UI&quot;,Roboto,Oxygen-Sans,Ub=
untu,Cantarell,&quot;Helvetica Neue&quot;,Arial,sans-serif;font-weight:600"=
><font size=3D"2">CONFIDENTIALITY NOTICE: This email may contain confidenti=
al and privileged material for the sole use of the intended recipient(s). A=
ny review, use, distribution or disclosure by others is strictly prohibited=
.=C2=A0 If you have received this communication in error, please notify the=
 sender immediately by e-mail and delete the message and any file attachmen=
ts from your computer. Thank you.</font></span></i>________________________=
_______________________<br>
OAuth mailing list -- <a href=3D"mailto:oauth@ietf.org" target=3D"_blank">o=
auth@ietf.org</a><br>
To unsubscribe send an email to <a href=3D"mailto:oauth-leave@ietf.org" tar=
get=3D"_blank">oauth-leave@ietf.org</a><br>
</blockquote></div></div>

<HR><table border=3D"0" cellspacing=3D"0" cellpadding=3D"0" width=3D"100=
7;" height=3D"30"><BR>
<tr><BR>
<font color=3D"#404040">The information contained in this e-mail may be con=
fidential and/or proprietary to Capital One and/or its affiliates and may o=
nly be used solely in performance of work or services for Capital One. The =
information transmitted herewith is intended only for use by the individual=
 or entity to which it is addressed. If the reader of this message is not t=
he intended recipient, you are hereby notified that any review, retransmiss=
ion, dissemination, distribution, copying or other use of, or taking of any=
 action in reliance upon this information is strictly prohibited. If you ha=
ve received this communication in error, please contact the sender and dele=
te the material from your computer.</font></td><BR>
</tr><BR>
</table><BR>

--000000000000338710062aba5c66--