On Fri, Dec 13, 2024, 5:45 AM Daniel Fett
<mail=40danielfett...@dmarc.ietf.org> wrote:
>
> Hi Watson,
>
> Thanks for proposing text for SD-JWT. While I agree on the underlying 
> problem, I would propose a different wording drawing a slightly different 
> conclusion.
>
> Your text implies that when identifying information is being sent, this is 
> clear to the user and there will not be an assumption of anonymity on the 
> user's end. I think that ensuring that the user doesn't falsely assume 
> anonymity in the other cases is critical:
>
> "When disclosures include information easily understood to be
> identifying, users' intuitive view of what they are revealing largely
> matches the underlying technical reality. In cases where the
> information being disclosed may not appear to be identifying, users
> MUST be informed about the possibility of tracking and identification via
> issuer-verifier linkability or SD-JWT MUST NOT be used. Applications cannot 
> assume Verifiers behave properly (RFC
> 3514) and MUST analyze the consequences for such linkage with each
> credential that could be used."
>
> WDYT?

Telling users does not work. Telling users that they might be tracked
through some mechanism that they have never heard of works even less.
Think about this as a popup that says "Blahdeblah: Do you want to get
your task done?". Of course people will say yes. We learnt this from
the decades of browser cert warning interaction improvements.

Is there a particular application you want to see SD-JWT used in where
my wording would be a problem?

Sincerely,
Watson

> -Daniel
>
>
> On 12.12.24 at 02:00, Watson Ladd wrote:
>
> Dear all,
>
> I'd like to propose the following edit to resolve the concerns I have
> around endorsing dangerous applications of SD-JWT:
>
> Delete last two lines of
> https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/451/files
> in 1338 and 1339
>
> Add new paragraph right before the end of the section.
>
> "When disclosures include information easily understood to be
> identifying, users' intuitive view of what they are revealing largely
> matches the underlying technical reality. In cases where the
> information being disclosed is not identifying, SD-JWT
> MUST NOT be used as this confusion leads to users making the wrong
> choices. Applications cannot assume Verifiers behave properly (RFC
> 3514) and MUST analyze the consequences for such linkage with each
> credential that could be used."
>
> I think this agrees with many of the comments made about my initially
> stronger edit, while addressing the core danger.
>
> Also, it seems this section only really treats issuer/verifier despite
> promising more. Do we need to rework it?
>
> Sincerely,
> Watson Ladd
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org

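The issuer-verifier linkability that both proposed paragraphs are about, shown as an added illustration that is not part of this thread or of the SD-JWT draft: a toy SD-JWT assembled from the format's building blocks (salted disclosures, SHA-256 digests in `_sd`, an issuer-signed JWT; an HMAC with a constructed key stands in for the issuer's JWS signature). Two presentations of one credential that each reveal only a non-identifying claim still carry the byte-identical issuer-signed part, so any two parties who see both records (two verifiers pooling data, or a verifier and the issuer) can tie them together even though nothing the user chose to reveal looked identifying. The final step shows the mitigation of issuing several single-use copies with fresh salts. Issuer URL, key and claims are constructed values.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed stand-in for the issuer's signing key; a real SD-JWT uses an
# asymmetric JWS signature, but HMAC keeps this example dependency-free.
ISSUER_KEY = b"constructed-issuer-key"
ISSUER = "https://issuer.example"  # constructed


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    # Disclosure = base64url(JSON [salt, claim name, claim value]); the random
    # salt is what stops an undisclosed claim's digest from being guessed.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def sign(header: str, body: str) -> str:
    mac = hmac.new(ISSUER_KEY, f"{header}.{body}".encode(), hashlib.sha256)
    return b64url(mac.digest())


def issue(claims: dict):
    """Issuer side: return (issuer-signed JWT, {claim name: disclosure})."""
    disclosures = {name: make_disclosure(name, value) for name, value in claims.items()}
    payload = {"iss": ISSUER, "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    header = b64url(json.dumps({"alg": "HS256"}).encode())  # stand-in alg
    body = b64url(json.dumps(payload, sort_keys=True).encode())
    return f"{header}.{body}.{sign(header, body)}", disclosures


def present(issuer_jwt: str, disclosures: dict, reveal: list) -> str:
    """Holder side: issuer-signed JWT ~ disclosure ~ ... ~ (key binding omitted)."""
    return "~".join([issuer_jwt] + [disclosures[name] for name in reveal]) + "~"


def verify(presentation: str):
    """Verifier side: check signature and digests; return (issuer JWT, revealed claims)."""
    parts = presentation.split("~")
    issuer_jwt, disclosed = parts[0], [p for p in parts[1:] if p]
    header, body, sig = issuer_jwt.split(".")
    if not hmac.compare_digest(sig, sign(header, body)):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(body))
    claims = {}
    for d in disclosed:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    return issuer_jwt, claims


def linkable(presentation_a: str, presentation_b: str) -> bool:
    """Can two verifier records be tied to the same credential?  The
    issuer-signed part (signature and _sd digests) is constant across
    presentations, so anyone holding both records links them regardless of
    how harmless the revealed claims looked to the user."""
    return verify(presentation_a)[0] == verify(presentation_b)[0]


if __name__ == "__main__":
    jwt, discs = issue({"given_name": "Alice", "age_over_18": True, "country": "DE"})
    to_shop = present(jwt, discs, ["age_over_18"])  # looks anonymous to the user
    to_forum = present(jwt, discs, ["country"])     # also looks anonymous
    print("shop sees", verify(to_shop)[1], "| forum sees", verify(to_forum)[1])
    print("linkable via issuer-signed part:", linkable(to_shop, to_forum))
    # Mitigation: batch-issue several copies with fresh salts and use each once.
    jwt2, discs2 = issue({"given_name": "Alice", "age_over_18": True, "country": "DE"})
    print("linkable across fresh copies:", linkable(to_shop, present(jwt2, discs2, ["country"])))
```

The point of `linkable` is that it needs no collusion beyond record sharing and no identifying claim at all; the handle is the issuer-signed part itself. Fresh single-use copies remove that handle for this check, but the issuer still knows which copies went to which holder, so issuer-verifier linkage is only closed off if the issuer never sees the verifier's records.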