I think people on this list are overly critical towards SD-JWT and I
don't understand it. I'm not aware that these kinds of statements have
been made in other IETF standards in a comparable context. Please
correct me: why do neither JWT, CWT, JOSE, COSE, CBOR nor X.509 have
specific text about these kinds of things? RFC7049 doesn't even have a
privacy consideration section although it contains linkable data
structures that may be utilized to track users.
SD-JWT is a data container that brings some additional features to
JWT/JWS, but nothing more than that and we shouldn't treat it
differently. To me, SD-JWT includes a thorough privacy consideration
section on unlinkability which is way beyond what other IETF
specifications have done and looks sufficient to me.
Best regards,
Paul
On 13.12.24 15:30, Carsten Bormann wrote:
This is all great, but it is informative text except for a few sprinkled
interoperability keywords “for the implementer” (when, apparently, it already
has been decided to use this mechanism).
The point, however, is that this specification has a limited area of
applicability.
Outsourcing security decisions about this to an unwitting user is never the
right approach.
The assumption that a user will intuitively understand the consequences of
disclosure is a tall order.
(“Intuitive” is code for “familiar”, and every second five people are born that
are not familiar with the consequences.)
Beyond the nice discussion, usage of the mechanism needs to be governed by a
strong, fully actionable applicability statement.
Regards, Carsten
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org