I've opened https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/448 as a step towards this.
On Wed, Jul 31, 2024 at 5:31 AM Brian Campbell <bcampb...@pingidentity.com> wrote:
>
> On Tue, Jul 23, 2024 at 11:15 AM Leif Johansson <le...@mnt.se> wrote:
>>
>> On Mon, 2024-07-22 at 19:43 -0400, Richard Barnes wrote:
>> > I would observe that any solution based on garden-variety digital
>> > signature (not something zero-knowledge like BBS / JWP) will have
>> > problems with issuer/verifier collusion. One-time tokens and batch
>> > issuance don't help. There is no such thing as SD-JWT with
>> > issuer/verifier collusion resistance. At best you could have SD-JWP.
>> >
>> > I don't think this needs to be a blocker on SD-JWT. There are use
>> > cases that don't require issuer/verifier collusion resistance. We
>> > should be clear on the security considerations and warn people away
>> > who care about issuer/verifier collusion resistance, and accelerate
>> > work on SD-JWP if that's an important property to folks.
>> >
>>
>> +1 on this
>
> I'm generally a +1 on this too. There is an attempt at a discussion around
> unlinkability in the privacy considerations at
> https://www.ietf.org/archive/id/draft-ietf-oauth-selective-disclosure-jwt-10.html#name-unlinkability
> currently. Concrete suggestions to that text about how to better frame the
> risks and difficulties around Issuer/Verifier Unlinkability (perhaps
> especially with respect to something like a government issuer compelling
> collusion from verifiers) would be welcome for consideration.
--
Astra mortemque praestare gradatim

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
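The issuer/verifier collusion point Richard Barnes makes in the quoted thread, worked through as an added example. This is not code from the thread, the SD-JWT draft, or any SD-JWT library: it is a constructed toy that mimics the draft's salted-disclosure and `_sd` digest layout, with an HMAC standing in for the issuer's JWS signature (the linkage argument does not depend on the signature algorithm, only on the signature value being unique per issued token and carried verbatim in every presentation). The subjects, claims, and issuer URL are made up. What it shows is that a verifier on its own cannot link two presentations of different batch-issued tokens, but an issuer that merely logs the signatures it produced links every presentation back to the holder, even a presentation that discloses no claims at all; batch issuance and one-time tokens just mean more entries in that log.

```python
"""Constructed illustration: why a signature-based SD-JWT cannot resist
issuer/verifier collusion. Not code from the SD-JWT draft or any library."""
import base64
import hashlib
import hmac
import json
import secrets


def b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(claim: str, value) -> tuple[str, str]:
    """Salted disclosure [salt, claim, value] and its SHA-256 digest, SD-JWT style."""
    salt = b64url(secrets.token_bytes(16))
    disclosure = b64url(json.dumps([salt, claim, value]).encode())
    digest = b64url(hashlib.sha256(disclosure.encode()).digest())
    return disclosure, digest


class Issuer:
    def __init__(self):
        self.key = secrets.token_bytes(32)  # HMAC key standing in for a JWS signing key
        self.log: dict[str, str] = {}       # signature value -> subject it was issued to

    def issue(self, subject: str, claims: dict) -> tuple[str, list[str]]:
        """Issue one SD-JWT (hypothetical subject and claims supplied by the caller)."""
        disclosures, digests = [], []
        for claim, value in claims.items():
            d, h = make_disclosure(claim, value)
            disclosures.append(d)
            digests.append(h)
        payload = {"iss": "https://issuer.example", "_sd": sorted(digests), "_sd_alg": "sha-256"}
        header = b64url(json.dumps({"alg": "HS256", "typ": "vc+sd-jwt"}).encode())
        body = b64url(json.dumps(payload, sort_keys=True).encode())
        sig = b64url(hmac.new(self.key, f"{header}.{body}".encode(), hashlib.sha256).digest())
        self.log[sig] = subject  # all an honest-but-curious issuer needs to keep
        return f"{header}.{body}.{sig}", disclosures

    def batch_issue(self, subject: str, claims: dict, n: int) -> list[tuple[str, list[str]]]:
        """Batch issuance: n distinct tokens for the same subject, each logged."""
        return [self.issue(subject, claims) for _ in range(n)]


def present(sd_jwt: str, disclosures: list[str], reveal: set) -> str:
    """Holder builds a presentation that reveals only the named claims."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    return "~".join([sd_jwt, *chosen]) + "~"


def verifier_view(presentation: str) -> tuple[str, tuple, dict]:
    """Everything a verifier learns: signature value, `_sd` digests, revealed claims."""
    sd_jwt, *disclosures, _ = presentation.split("~")
    _, body, sig = sd_jwt.split(".")
    payload = json.loads(b64url_decode(body))
    revealed = {}
    for d in disclosures:
        if b64url(hashlib.sha256(d.encode()).digest()) not in payload["_sd"]:
            raise ValueError("disclosure not bound to this SD-JWT")
        _, claim, value = json.loads(b64url_decode(d))
        revealed[claim] = value
    return sig, tuple(payload["_sd"]), revealed


def collude(issuer: Issuer, sig: str):
    """Verifier hands the issuer the signature it saw; the issuer answers with the subject."""
    return issuer.log.get(sig)


if __name__ == "__main__":
    issuer = Issuer()
    batch = issuer.batch_issue("alice", {"given_name": "Alice", "age_over_18": True}, 3)
    p1 = present(*batch[0], reveal=set())            # discloses nothing at all
    p2 = present(*batch[1], reveal={"age_over_18"})  # a different token from the batch
    sig1, sd1, _ = verifier_view(p1)
    sig2, sd2, _ = verifier_view(p2)
    print("verifier alone sees a shared identifier:", sig1 == sig2 or sd1 == sd2)
    print("issuer links both presentations to:", collude(issuer, sig1), collude(issuer, sig2))
```

The verifier-side check that each disclosure hashes into `_sd` is the same step a real verifier performs, which is exactly why the digests and signature must be sent unchanged and cannot be blinded by the holder; a scheme that let the holder re-randomise them would need a signature with that algebraic property (the BBS / JWP direction mentioned in the thread), not a plain JWS.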