On Fri, Dec 13, 2024, 5:45 AM Daniel Fett <mail=40danielfett...@dmarc.ietf.org> wrote:

> Hi Watson,
>
> Thanks for proposing text for SD-JWT. While I agree on the underlying
> problem, I would propose a different wording drawing a slightly different
> conclusion.
>
> Your text implies that when identifying information is being sent, this is
> clear to the user and there will not be an assumption of anonymity on the
> user's end. I think that ensuring that the user doesn't falsely assume
> anonymity in the other cases is critical:
>
> "When disclosures include information easily understood to be
> identifying, users intuitive view of what they are revealing largely
> matches the underlying technical reality. In cases where the
> information being disclosed may not appear to be identifying, users
> MUST be informed about the possibility of tracking and identification via
> issuer-verifier linkability or SD-JWT MUST NOT be used. Applications cannot
> assume Verifiers behave properly (RFC 3514) and MUST analyze the
> consequences for such linkage with each credential that could be used."
>
> WDYT?

Telling users does not work. Telling users that they might be tracked through some mechanism that they have never heard of works even less. Think about this as a popup that says "Blahdeblah: Do you want to get your task done?". Of course people will say yes. We learnt this from the decades of browser cert warning interaction improvements.

Is there a particular application you want to see SD-JWT used in where my wording would be a problem?

Sincerely,
Watson

> -Daniel
>
>
> On 12.12.24 at 02:00, Watson Ladd wrote:
>
> Dear all,
>
> I'd like to propose the following edit to resolve the concerns I have
> around endorsing dangerous applications of SD-JWT:
>
> Delete last two lines of
> https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/451/files
> in 1338 and 1339
>
> Add new paragraph right before the end of the section.
>
> "When disclosures include information easily understood to be
> identifying, users intuitive view of what they are revealing largely
> matches the underlying technical reality. In cases where the
> information being disclosed is not identifying, SD-JWT
> MUST NOT be used as this confusion leads to users making the wrong
> choices. Applications cannot assume Verifiers behave properly (RFC 3514)
> and MUST analyze the consequences for such linkage with each
> credential that could be used."
>
> I think this agrees with many of the comments made about my initially
> stronger edit, while addressing the core danger.
>
> Also, it seems this section only really treats issuer/verifier despite
> promising more. Do we need to rework it?
>
> Sincerely,
> Watson Ladd
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org