> On 19 Dec 2024, at 21:54, Watson Ladd <watsonbl...@gmail.com> wrote:
> 
> On Tue, Dec 17, 2024, 1:59 PM Joseph Heenan <jos...@authlete.com 
> <mailto:jos...@authlete.com>> wrote:
>> 
>> Hi Watson
>> 
>> Just to respond to the suggested text:
>> 
>>> 
>>> "When disclosures include information easily understood to be
>>> identifying, users intuitive view of what they are revealing largely
>>> matches the underlying technical reality. In cases where the
>>> information being disclosed is not identifying, SD-JWT
>>> MUST NOT be used as this confusion leads to users making the wrong
>>> choices.
>> 
>> This sentence is really hard to make sense of and I don’t think implementors 
>> will understand it. I’m not convinced I understand it even with the extra 
>> context from the threads. I think a MUST NOT is far too strong too, and 
>> saying ’SD-JWT’ in particular must not be used it too strong as an SD-JWT 
>> where everything is disclosed (or no selective disclosures are present in 
>> the issued credential in the first place) is no different to other 
>> credentials formats that don’t have selective disclosure.
> 
> 
> Would adding "When users disclose information that is not identifying,
> e.g. age, the fact that the mechanism in this draft exposes the unique
> signature of their credential is not obvious. Users could have made
> different decisions if they understood this. Therefore," in the middle
> help?

I think that makes it easier to understand, but I disagree with the premise - I 
believe there are likely ways to describe this to users and this needs to be 
properly researched & tested with real people. As I said, the MUST NOT is too 
strong regardless - there are likely cases where the user recognises that 
tracking like this is possible/inevitable, and regardless it seems to imply 
that SD-JWT has worse properties than (for example) JWT based credentials, 
which is something we definitely shouldn’t do.

> 
>> 
>>> Applications cannot assume Verifiers behave properly (RFC
>>> 3514) and MUST analyze the consequences for such linkage with each
>>> credential that could be used."
>> 
>> This ‘MUST’ is practically impossible for some implementors - for example, 
>> it is impractical for a wallet to make this kind of judgement for each 
>> issued credential.
> 
> 
> Bingo! Wallets that use SD-JWT can't give users the control over their
> data that we would expect them to have.

I don’t think you have shown this very generalised statement is true, nor that 
if it was true that it only applies to wallets using SD-JWT.

> The wallet needs to be aware
> of how the requests impact user privacy.

The wallet doesn’t need to be aware if it is clear to the user from the context 
(and perhaps there are other cases too where the wallet doesn’t need to be 
aware). The MUST NOT is too strong, and I’m not sure even a SHOULD NOT would be 
appropriate.

Joseph


_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org

Reply via email to