Where is the guidance going to live for the issuer and holder for batch
issuance?

Just as there is guidance on salt entropy, digest algorithms etc. I suggest
it be clear to implementers what the best practice is.

For example, is each credential one time use? Does the holder need to track
which verifiers received which credentials?

The objective is defeated if the same verifier receives all the different
credentials. A likely situation where the user regularly uses a credential
for access.

As mentioned in another thread, I consider batch issuance a hack, and that
it will likely be defeated *if* there is value to an attacker in
correlating the user across apps.

/Dick

On Tue, Sep 24, 2024 at 12:07 PM Daniel Fett <mail=
40danielfett...@dmarc.ietf.org> wrote:

> A few points:
>
> * Batch credential issuing is completely transparent to the user.
>
> * The selection is done by the Wallet, before presentation.
>
> * It doesn't need to be random, the Wallet can just select the next
> credential.
>
> -Daniel
> Am 21.09.24 um 17:53 schrieb Tom Jones:
>
> that doesn't answer the question about users randomly selecting some to
> store and some to reject.  This seems to me like user private information.
> As is most of the feedback to the issuer from the wallet.
> Peace ..tom jones
>
>
> On Sat, Sep 21, 2024 at 7:30 AM Daniel Fett <mail=
> 40danielfett...@dmarc.ietf.org> wrote:
>
>> Hi Dick,
>>
>> Batch credential (not claims) issuing has become the default approach to
>> circumvent the inherent limitations of salted-hash-based credentials
>> formats. This was neither invented by us, nor is it unreasonable to ask
>> implementers to do it. Protocols such as OpenID4VCI support it.
>>
>> -Daniel
>> Am 21.09.24 um 06:42 schrieb Dick Hardt:
>>
>> Is it really going to be practical to batch issue claims, and have the
>> holder randomly choose between them on presentation?
>>
>> As an implementer, what is the right number of claims to be in a batch?
>>
>> This section of the draft reads as a hack to add a new capability
>> (unlinkability) to a mechanism that did not have that as a design objective.
>>
>> This is going to be like the "alg":"null" for SD-JWT. :-)
>>
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org
>>
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
>
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to