I think  people on this list are overly critical towards SD-JWT and I don't understand it. I'm not aware that these kind of statements have been done in other IETF standards in a comparable context. Please correct me why neither JWT, CWT, JOSE, COSE, CBOR nor X.509 have specific text about these kind of things. RFC7049 doesn't even have a privacy consideration section although it contains linkable data structures that may be utilized to track users.

SD-JWT is a data container that brings some additional features to JWT/JWS, but nothing more than that and we shouldn't treat it differently. To me, SD-JWT includes a thourough privacy consideration section on unlinkability which is way beyond what other IETF specifications have done is looks sufficient to me.

Best regards,

Paul

On 13.12.24 15:30, Carsten Bormann wrote:
This is all great, but it is informative text except for a few sprinkled 
interoperability keywords “for the implementer” (when, apparently, it already 
has been decided to use this mechanism).

The point, however, is that this specification has a limited area of 
applicability.
Outsourcing security decisions about this to an unwitting user is never the 
right approach.
The assumption that a user will intuitively understand the consequences of 
disclosure is a tall order.
(“Intuitive” is code for “familiar”, and every second five people are born that 
are not familiar with the consequences.)

Beyond the nice discussion, usage of the mechanism needs to be governed by a 
strong, fully actionable applicability statement.

Grüße, Carsten

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to