[OAUTH-WG] Alternative text for sd-jwt privacy considerations.

Watson Ladd <watsonbladd@gmail.com> Tue, 24 December 2024 14:34 UTC

I see that people are uncomfortable with making any mandates, and so I've
tried to be purely descriptive in this proposal. I leave it to the WG to
decide where to put it, but I see it as a wholesale replacement for some
sections to emphasize clarity.

"SD-JWT conceals only the values that aren't revealed. It does not meet
standard security notions for anonymous credentials. In particular,
Verifiers and Issuers can know when they have seen the same credential no
matter what fields have been opened, even none of them. This behavior may
not accord with what users naively expect or are led to expect from UX
interactions and lead them to make choices they would not otherwise make.
Workarounds such as issuing multiple credentials at once and using them
only one time can help keep Verifiers from linking different
showings, but cannot work for Issuers. This issue applies to all selective
disclosure based approaches, including mdoc."

Sincerely,
Watson
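The linkability described in the proposed text, shown as an added illustration that is not part of the original message or of any SD-JWT library: a simplified SD-JWT-like structure (salted claim disclosures, issuer-signed digest list) with HMAC standing in for the issuer signature and a constructed issuer key. Two presentations of one credential share an identical issuer-signed part even when nothing is disclosed; batch-issued credentials carry different salts, so a Verifier cannot link them, but the Issuer's own issuance record still can.

```python
# Added illustration (not from the original message): why an SD-JWT stays
# linkable no matter which claims are disclosed. Simplified structure with
# HMAC as a stand-in for the issuer signature; ISSUER_KEY is constructed.
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-issuer-key"  # assumption: stand-in signing key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue(claims: dict) -> tuple[str, dict]:
    """Issue one credential: each claim becomes a salted disclosure; the
    issuer signs only the digest list, so the signed part never changes."""
    disclosures = {}
    for name, value in claims.items():
        salt = b64url(secrets.token_bytes(16))  # fresh salt per claim per credential
        disclosures[name] = b64url(json.dumps([salt, name, value]).encode())
    digests = sorted(b64url(hashlib.sha256(d.encode()).digest())
                     for d in disclosures.values())
    payload = b64url(json.dumps({"_sd": digests, "_sd_alg": "sha-256"}).encode())
    signature = b64url(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())
    return f"{payload}.{signature}", disclosures

def present(issuer_signed: str, disclosures: dict, reveal: list) -> str:
    """Holder builds a presentation: issuer-signed part plus chosen disclosures."""
    return "~".join([issuer_signed] + [disclosures[n] for n in reveal]) + "~"

def verifier_fingerprint(presentation: str) -> str:
    """What a Verifier can use to recognise a credential: the issuer-signed
    part (digest list and signature), identical in every presentation."""
    return presentation.split("~")[0]

def demo() -> tuple[bool, bool, bool]:
    # Same credential shown twice with different disclosures, even none.
    signed, disc = issue({"given_name": "Alice", "age_over_18": True})
    p1 = present(signed, disc, ["age_over_18"])
    p2 = present(signed, disc, [])
    same_cred_linkable = verifier_fingerprint(p1) == verifier_fingerprint(p2)
    # Workaround: batch-issue two credentials with the same claims. Salts differ,
    # so Verifiers cannot link them, but the Issuer's issuance record still can.
    issuer_log = {}
    batch = [issue({"given_name": "Alice", "age_over_18": True}) for _ in range(2)]
    for s, _ in batch:
        issuer_log[verifier_fingerprint(s)] = "holder-alice"  # issuer knows the holder
    fps = [verifier_fingerprint(present(s, d, ["age_over_18"])) for s, d in batch]
    verifier_can_link_batch = fps[0] == fps[1]
    issuer_can_link_batch = issuer_log[fps[0]] == issuer_log[fps[1]]
    return same_cred_linkable, verifier_can_link_batch, issuer_can_link_batch
```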