I understand it has become the accepted approach. It still comes across as a hack, and there is no guidance on how many to issue, nor how a holder chooses when to reissue the same ones.
I'm amused by the decision to use implicit typing in a disclosure to save a few bytes, but we will send dozens of credentials to minimize the chance of linking :)

On Sat, Sep 21, 2024 at 4:29 PM Daniel Fett <m...@danielfett.de> wrote:

> Hi Dick,
>
> Batch credential (not claims) issuing has become the default approach to circumvent the inherent limitations of salted-hash-based credential formats. This was neither invented by us, nor is it unreasonable to ask implementers to do it. Protocols such as OpenID4VCI support it.
>
> -Daniel
>
> On 21.09.24 at 06:42, Dick Hardt wrote:
>
> > Is it really going to be practical to batch issue claims, and have the holder randomly choose between them on presentation?
> >
> > As an implementer, what is the right number of claims to be in a batch?
> >
> > This section of the draft reads as a hack to add a new capability (unlinkability) to a mechanism that did not have that as a design objective.
> >
> > This is going to be like the "alg":"null" for SD-JWT. :-)
_______________________________________________
OAuth mailing list -- oauth@ietf.org