[OAUTH-WG] We cannot trust Issuers

Watson Ladd <watsonbladd@gmail.com> Mon, 22 July 2024 21:11 UTC

Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/vGJwnAMNrUTC57VCmmpoPnT6PN4>

Dear OAuth,

I'm disappointed to see SD-JWT work continue with inadequate privacy
considerations. The fact is that an Issuer can link any showings to
issuance of the credential. This is not foregrounded sufficiently in
the privacy considerations, nor do we discuss how to ensure users are
aware. We really need to use more RFC 2119 language and highlight
these issues. Section 11.1, about local storage, which has never been
an IETF concern before, is far more prescriptive than 11.4, and that's
not a good thing. To be clear, the threat model must include an issuer
that is a government issuing credentials that, if used to verify age
on certain websites or via a digital wallet on site, and learned about
by the issuer, who may have access to data from the site, will result
in imprisonment or execution. This is not a hypothetical scenario.

Users and UX designers will have intuitions that do not match the
reality and that result in bad decisions being made. That's on us. A
driver's license doesn't leave a trace of where you showed it, but the
SD-JWT does.

At a minimum, I think we should mandate batch issuance and one-time
usage using RFC 2119 language. We need to say in clear, unambiguous
English that this mechanism enables an issuer to connect every
presentation of a credential to the issuance.

Sincerely,
Watson Ladd

-- 
Astra mortemque praestare gradatim
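The linkability the message describes, shown as an added example that is not part of the post and not code from the SD-JWT draft or any wallet. It models the SD-JWT wire format (issuer-signed JWT followed by `~`-separated salted disclosures) and uses an HMAC as a stand-in for the issuer's asymmetric signature; that simplification does not affect the argument, because the property exploited is that the signed payload and its signature are byte-identical in every presentation of one credential. The issuer URL, the `ledger` the issuer keeps at issuance time and the subject identifiers are constructed for the example.

```python
"""Toy SD-JWT: why an issuer can connect every presentation to its issuance.

Constructed example. HMAC stands in for the issuer's signature (assumption);
the linkability argument only needs the signed part to be constant per credential.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

ISSUER_KEY = b"constructed-issuer-key"  # assumption: stands in for the issuer's signing key


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> tuple:
    """Salted disclosure [salt, name, value] and its SHA-256 digest, as SD-JWT does."""
    salt = b64url(secrets.token_bytes(16))
    disclosure = b64url(json.dumps([salt, name, value]).encode())
    digest = b64url(hashlib.sha256(disclosure.encode()).digest())
    return disclosure, digest


def issue(claims: dict, subject: str, ledger: dict) -> tuple:
    """Issuer signs only the digests and records signature -> subject at issuance time."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        disclosure, digest = make_disclosure(name, value)
        disclosures[name] = disclosure
        digests.append(digest)
    header = {"alg": "HS256", "typ": "dc+sd-jwt"}
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256", "_sd": sorted(digests)}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = b64url(hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest())
    ledger[signature] = subject  # what a real issuer can trivially keep
    return f"{signing_input}.{signature}", disclosures


def present(issuer_jwt: str, disclosures: dict, reveal: list) -> str:
    """Holder's presentation: the issuer JWT plus only the disclosures it chooses to reveal."""
    return "~".join([issuer_jwt, *(disclosures[name] for name in reveal)]) + "~"


def verify(presentation: str) -> dict:
    """Verifier: check the issuer signature, then that each disclosure digest is in _sd."""
    issuer_jwt, *disclosures, _ = presentation.split("~")
    signing_input, signature = issuer_jwt.rsplit(".", 1)
    expected = b64url(hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(signature, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(signing_input.split(".")[1]))
    revealed = {}
    for disclosure in disclosures:
        if b64url(hashlib.sha256(disclosure.encode()).digest()) not in payload["_sd"]:
            raise ValueError("disclosure not covered by the issuer signature")
        _salt, name, value = json.loads(b64url_decode(disclosure))
        revealed[name] = value
    return revealed


def linkable(pres_a: str, pres_b: str) -> bool:
    """Two presentations come from the same issuance iff their issuer-signed part is identical."""
    return pres_a.split("~")[0] == pres_b.split("~")[0]


def identify(ledger: dict, presentation: str) -> Optional[str]:
    """Issuer holding a verifier's log: the signature alone maps back to the issuance record."""
    signature = presentation.split("~")[0].rsplit(".", 1)[1]
    return ledger.get(signature)


def demo() -> dict:
    ledger = {}
    # One credential shown twice with different disclosures: linkable, and identifiable by the issuer.
    jwt, discl = issue({"given_name": "Alice", "age_over_18": True}, "subject-0001", ledger)
    p_age = present(jwt, discl, ["age_over_18"])
    p_name = present(jwt, discl, ["given_name"])
    # Batch issuance, each copy used once: fresh salts give fresh digests, payload and signature,
    # so verifiers cannot link the copies to each other; the issuer still links each one to issuance.
    batch = [issue({"age_over_18": True}, "subject-0001", ledger) for _ in range(3)]
    single_use = [present(j, d, ["age_over_18"]) for j, d in batch]
    return {
        "same_credential_linkable": linkable(p_age, p_name),
        "issuer_identifies_age_check": identify(ledger, p_age),
        "batch_copies_linkable": linkable(single_use[0], single_use[1]),
        "batch_copy_still_identified_by_issuer": identify(ledger, single_use[2]),
        "verified": verify(p_age),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The `demo()` results make the distinction the message is drawing: batch issuance with one-time use stops two verifiers (or one verifier over time) from correlating presentations with each other, but every presentation still carries an issuer signature that the issuer itself can look up, so issuer-to-presentation linkability remains regardless of what the holder discloses.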