> On Aug 23, 2023, at 12:33 PM, Watson Ladd <watsonbl...@gmail.com> wrote:
>
> On Wed, Aug 23, 2023 at 10:02 AM David Waite
> <da...@alkaline-solutions.com> wrote:
<snip>
>> For example, are you talking about properties for anonymous credentials from
>> the academic space as set by [Chaum85] or perhaps [CL01]? Or maybe are you
>> talking toward some existing requirements specified by a regulated space?
>>
>> Assuming you are speaking primarily to multi-use unlinkability, there are
>> efforts within the broader IETF ecosystem around that - such as an effort
>> to describe BBS usage within the CFRG, and proposals/efforts to leverage
>> that within privacypass and jose. Those obviously will not have the benefit
>> of being able to be implemented on top of broadly available and accepted
>> cryptographic operations. I would refer to these as trade-offs rather than
>> shortcomings.
>
> Why should users accept worse privacy just because it means we can use
> "accepted" cryptographic operations? It's a tradeoff where the costs
> that are most salient to decision makers (the need for
> "acceptability", e.g. their own ability to make decisions) are at
> odds with the privacy cost to users, and where it ultimately rests on
> an illusion that primitives matter most.

There are credentials where the user will always have an identifier, per policy
of the type of credential/credential issuer. Not all credentials are anonymous
credentials.

There are certainly privacy-centric protocols (such as privacypass) which
support single-use unlinkability, which is what SD-JWTs are targeting.

Since you used U-Prove as an example - it also only provides unlinkability on
single-use. Lysyanskaya (separately from [CL01]) describes a linkable anonymous
credentials scheme in [BL13].

There are issuers who simply are not going to trust their reputation against
risk of forgery (or other attacks) from using less-proven cryptographic
algorithms. The issuers may also be operating under explicit guidance on what
cryptography they are allowed to use (e.g. from NIST). Issuing a 'stack' of
credentials for single use unlinkability is worth reducing risks and meeting
imposed requirements.

The need for more confidence on anonymous credential algorithms is also a
strong motivator around the BBS efforts.

> As for availability it really
> doesn't take many implementations to have enough for almost all
> purposes, and those who aren't served can make their own.

I would discourage nearly everyone from writing their own cryptography
implementations - it is a very distinct skill set and mistakes tend toward the
highest levels of severity.

-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth