Hi Watson,

Thanks for proposing text for SD-JWT. While I agree on the underlying problem, I would propose a different wording drawing a slightly different conclusion.

Your text implies that when identifying information is being sent, this is clear to the user and there will not be an assumption of anonymity on the user's end. I think that ensuring that the user doesn't falsely assume anonymity in the other cases is critical:

"When disclosures include information easily understood to be
identifying, users' intuitive view of what they are revealing largely
matches the underlying technical reality. In cases where the
information being disclosed may not appear to be identifying, users
MUST be informed about the possibility of tracking and identification via
issuer-verifier linkability or SD-JWT MUST NOT be used. Applications cannot assume Verifiers behave properly (RFC
3514) and MUST analyze the consequences for such linkage with each
credential that could be used."

WDYT?

-Daniel


On 12.12.24 at 02:00, Watson Ladd wrote:
Dear all,

I'd like to propose the following edit to resolve the concerns I have
around endorsing dangerous applications of SD-JWT:

Delete last two lines of
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/451/files
in 1338 and 1339

Add new paragraph right before the end of the section.

"When disclosures include information easily understood to be
identifying, users' intuitive view of what they are revealing largely
matches the underlying technical reality. In cases where the
information being disclosed is not identifying, SD-JWT
MUST NOT be used as this confusion leads to users making the wrong
choices. Applications cannot assume Verifiers behave properly (RFC
3514) and MUST analyze the consequences for such linkage with each
credential that could be used."

I think this agrees with many of the comments made about my initially
stronger edit, while addressing the core danger.

Also, it seems this section only really treats issuer/verifier despite
promising more. Do we need to rework it?

Sincerely,
Watson Ladd
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org