I don't disagree with Paul - my comments addressed the text of the change. Will "Disclosures" be a part of the standard (even security concerns?) If that is the case, then the means to address the disclosures will need to be realistic.
AFAIK the only proposed use of the SD-JWT is in OID4VP. In that case the selective disclosure will be irrelevant as the means to disclose the selection will be inadequate. So the SD-JWT may well technically work, but the first use will be fraudulent as the selection will not be by informed user consent.

Peace ..tom jones

On Tue, Dec 17, 2024 at 12:05 PM Paul Bastian <paul.bast...@posteo.de> wrote:
> I think people on this list are overly critical towards SD-JWT and I don't understand it. I'm not aware that these kinds of statements have been made in other IETF standards in a comparable context. Please correct me why neither JWT, CWT, JOSE, COSE, CBOR nor X.509 have specific text about these kinds of things. RFC7049 doesn't even have a privacy consideration section although it contains linkable data structures that may be utilized to track users.
>
> SD-JWT is a data container that brings some additional features to JWT/JWS, but nothing more than that and we shouldn't treat it differently. To me, SD-JWT includes a thorough privacy consideration section on unlinkability which is way beyond what other IETF specifications have done and looks sufficient to me.
>
> Best regards,
>
> Paul
>
> On 13.12.24 15:30, Carsten Bormann wrote:
> > This is all great, but it is informative text except for a few sprinkled interoperability keywords "for the implementer" (when, apparently, it already has been decided to use this mechanism).
> >
> > The point, however, is that this specification has a limited area of applicability.
> > Outsourcing security decisions about this to an unwitting user is never the right approach.
> > The assumption that a user will intuitively understand the consequences of disclosure is a tall order.
> > ("Intuitive" is code for "familiar", and every second five people are born that are not familiar with the consequences.)
> >
> > Beyond the nice discussion, usage of the mechanism needs to be governed by a strong, fully actionable applicability statement.
> >
> > Regards, Carsten
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org