The entire premise of SD-JWT in a VP transaction is basically fraudulent as there is not sufficient information in the VP to allow the user to make an informed consent decision. It gives the illusion of user control without the ability to deliver on the promise. For this proposal to have any value to the user it must be part of a transaction that tells the user agent (wallet) who is asking for the data and what the purpose of the request is. Absent that, this give the impression of user control of release of data without the fact.
BTW - the idea of dealing with the UX of the transaction is admirable, but there are no UX people involved in the discussion. Peace ..tom jones On Wed, Dec 11, 2024 at 5:01 PM Watson Ladd <watsonbl...@gmail.com> wrote: > Dear all, > > I'd like to propose the following edit to resolve the concerns I have > around endorsing dangerous applications of SD-JWT: > > Delete last two lines of > https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/451/files > in 1338 and 1339 > > Add new paragraph right before the end of the section. > > "When disclosures include information easily understood to be > identifying, users intuitive view of what they are revealing largely > matches the underlying technical reality. In cases where the > information being disclosed is not identifying, SD-JWT > MUST NOT be used as this confusion leads to users making the wrong > choices. Applications cannot assume Verifiers behave properly (RFC > 3514) and MUST analyze the consequences for such linkage with each > credential that could be used." > > I think this agrees with many of the comments made about my initially > stronger edit, while addressing the core danger. > > Also, it seems this section only really treats issuer/verifier despite > promising more. Do we need to rework it? > > Sincerely, > Watson Ladd > -- > Astra mortemque praestare gradatim > > _______________________________________________ > OAuth mailing list -- oauth@ietf.org > To unsubscribe send an email to oauth-le...@ietf.org >
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
