From: Watson Ladd <watsonbladd@gmail.com>
Date: Wed, 8 Jan 2025 15:50:43 -0800
Message-ID: 
 <CACsn0ck9pHXtLc7dgMME8nzLh2dV+__5tJm=mbRPpBqJq8YLzA@mail.gmail.com>
To: IETF oauth WG <oauth@ietf.org>
Subject: [OAUTH-WG] Reminder: Alternative text for sd-jwt privacy considerations.
List-Id: OAUTH WG <oauth.ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/oauth/zC8fU5nOVHsY4S5erBlBEy2fDTI>

Dear oauth wg,

Happy 2025! I hope everyone has had a nice set of holidays. As a
reminder, I put forward the following proposal for text to add to
either the privacy or the security considerations of SD-JWT, but the
timing was unfortunate, coming on Christmas Eve.
Comments on it are welcome.

"SD-JWT conceals only the values that aren't revealed. It does not
meet standard security notions for anonymous credentials. In
particular, Verifiers and Issuers can know when they have seen the same
credential no matter what fields have been opened, even none of them.
This behavior may not accord with what users naively expect or are
led to expect from UX interactions, and may lead them to make choices
they would not otherwise make. Workarounds such as issuing multiple
credentials at once and using them only one time can help keep
Verifiers from linking different showings, but cannot work for Issuers.
This issue applies to all selective disclosure based approaches,
including mdoc."

Sincerely,
Watson

--
Astra mortemque praestare gradatim
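The linkability the proposed text describes, shown on a deliberately simplified SD-JWT model. This is an added illustration, not code from the draft or from the author: the issuer signs a payload whose `_sd` array holds salted digests of the disclosures, the holder attaches any subset of disclosures, and a verifier (or the issuer) can recognise the credential from the unchanging signed part whatever is revealed. An HMAC under a constructed key stands in for the issuer's real signature, and the issue-many-use-once workaround is modelled by calling `issue` a second time so fresh salts produce a different signed part.

```python
"""Simplified SD-JWT model (added example): issuer signs a payload carrying salted
digests of the disclosures (`_sd`); the holder attaches any subset of them."""
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-issuer-key"  # constructed; a real issuer signs with an asymmetric key

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def issue(claims: dict):
    """Issuer: one fresh salt per claim, digests go into `_sd`, payload is signed."""
    disclosures = {n: b64url(json.dumps([b64url(secrets.token_bytes(16)), n, v]).encode())
                   for n, v in claims.items()}
    payload = {"iss": "https://issuer.example", "_sd": sorted(map(digest, disclosures.values()))}
    signed = b64url(json.dumps(payload, sort_keys=True).encode())
    sig = b64url(hmac.new(ISSUER_KEY, signed.encode(), "sha256").digest())
    return f"{signed}.{sig}", disclosures

def present(issuer_jwt: str, disclosures: dict, reveal: list) -> str:
    """Holder: the same signed JWT every time, plus only the chosen disclosures."""
    return "~".join([issuer_jwt, *(disclosures[n] for n in reveal)]) + "~"

def verifier_view(presentation: str):
    """Verifier: check signature and `_sd` coverage; return (link_handle, revealed)."""
    parts = presentation.split("~")
    signed, sig = parts[0].split(".")
    expected = b64url(hmac.new(ISSUER_KEY, signed.encode(), "sha256").digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(signed))
    revealed = {}
    for d in parts[1:-1]:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by _sd")
        _salt, name, value = json.loads(b64url_decode(d))
        revealed[name] = value
    # The signed part never changes between presentations, so its signature
    # (equally, the `_sd` digests) identifies the credential whatever is revealed.
    return sig, revealed

def linkable(p1: str, p2: str) -> bool:
    """True when a verifier (or the issuer) can tell both presentations share one credential."""
    return verifier_view(p1)[0] == verifier_view(p2)[0]
```

Two presentations of one credential, one revealing a name and one revealing nothing, are linkable; presentations of two separately issued copies are not linkable by the verifier, although the issuer, having issued both, still knows they belong together.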

