On Sat, Dec 21, 2024 at 1:37 PM Joseph Heenan <jos...@authlete.com> wrote:

>
>  < ...  snip ... >
>
> The current text is clear that there are situations where issuer-verifier
> linkability can’t be fully prevented.
>
> Process wide, I believe if you think the text currently in the
> specification is inadequate, you need to make a concrete suggestion that
> doesn’t introduce new problems and hence can gain consensus with working
> group members.
>
>
I believe this kinda gets at the heart of things here. It does for me
anyway. There are indeed some legitimate and not obvious or intuitive
privacy considerations inherent in salted-hash based selective disclosure
mechanisms like SD-JWT (also SD-CWT, ISO mdoc/mDL, and probably others I'm
unaware of) that deserve serious treatment in a prospective RFC. The
authors on this draft have endeavored to provide thoughtful treatment of
the topic(s) and believe that the current text, while obviously not
perfect, is reasonably clear and provides sufficient discourse on the
subject(s). Watson feels otherwise, which is a completely reasonable
viewpoint. However, at this stage of things especially, I believe it is
incumbent on him to provide a concrete suggestion that doesn't introduce
new/unwanted problems and can be viewed as at least acceptable as rough
consensus of the working group. This thread and several others of a very
similar vein over the last few months suggest that, from my perspective as
both draft author and WG participant anyway, the various proposals don't
meet that bar.

_______________________________________________
OAuth mailing list -- oauth@ietf.org