[OAUTH-WG] Reminder: Alternative text for sd-jwt privacy considerations.
Watson Ladd <watsonbladd@gmail.com> Wed, 08 January 2025 23:50 UTC
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zC8fU5nOVHsY4S5erBlBEy2fDTI>
Dear oauth wg,

Happy 2025! I hope everyone has had a nice set of holidays. As a reminder, I put forward the following proposal for text to add to either the privacy or security considerations of sd-jwt, but the timing was unfortunate, coming Christmas Eve. Comments on it welcome.

"SD-JWT conceals only the values that aren't revealed. It does not meet standard security notations for anonymous credentials. In particular, Verifiers and Issuers can know when they have seen the same credential no matter what fields have been opened, even none of them. This behavior may not accord with what users naively expect or are led to expect from UX interactions and may lead them to make choices they would not otherwise make. Workarounds such as issuing multiple credentials at once and using them only one time can help for keeping Verifiers from linking different showings, but cannot work for Issuers. This issue applies to all selective disclosure based approaches, including mdoc."

Sincerely,
Watson

--
Astra mortemque praestare gradatim
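To make the linkability point in the proposed text concrete, here is an added Python sketch (not code from the draft, the thread, or any SD-JWT library). It models the SD-JWT structure (salted disclosures, `_sd` digests, `~`-separated presentation) and assumes an HMAC tag as a stand-in for the JWS signature, a constructed issuer URL, and a `ledger` dict standing in for the issuer's own records; it shows that the issuer-signed part is a stable handle for any Verifier regardless of what is disclosed, that batch issuance breaks Verifier linking, and that the Issuer can still link every credential it signed.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64encode

ISSUER_KEY = b"constructed-demo-key"  # assumption: stands in for the issuer's JWS signing key


def b64u(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def digest(disclosure: str) -> str:
    # SD-JWT _sd entry: base64url(SHA-256(ASCII disclosure))
    return b64u(hashlib.sha256(disclosure.encode("ascii")).digest())


def issue(claims: dict, subject: str, ledger: dict) -> dict:
    """Issue one SD-JWT-style credential. Each claim becomes a salted disclosure;
    only the digests go into the signed payload. `ledger` is the issuer's own
    record of what it signed for whom (constructed for this demo)."""
    disclosures = {
        name: b64u(json.dumps([b64u(secrets.token_bytes(16)), name, value]).encode())
        for name, value in claims.items()
    }
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    signed = b64u(json.dumps(payload, separators=(",", ":")).encode())
    tag = b64u(hmac.new(ISSUER_KEY, signed.encode(), hashlib.sha256).digest())
    issuer_jwt = f"{signed}.{tag}"
    ledger[issuer_jwt] = subject
    return {"issuer_jwt": issuer_jwt, "disclosures": disclosures}


def present(cred: dict, reveal: list) -> str:
    # Holder sends the issuer-signed JWT plus only the chosen disclosures ('~' framing)
    return "~".join([cred["issuer_jwt"], *[cred["disclosures"][n] for n in reveal]]) + "~"


def verifier_handle(presentation: str) -> str:
    """The issuer-signed part is sent verbatim every time, so its hash is a stable
    linking handle for any Verifier, whatever (even nothing) is disclosed."""
    return hashlib.sha256(presentation.split("~")[0].encode()).hexdigest()


def issuer_links(ledger: dict, presentation: str) -> str:
    """An Issuer that sees a presentation maps it straight back to its own records,
    even when each credential in a batch was shown only once."""
    return ledger.get(presentation.split("~")[0], "unknown")
```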