This problem was clearly demonstrated by the California mDL hackathon where
the default presentation was ALL DATA. That is the easiest path, so it
remains the one most taken. We have known since standards were first
introduced that they immediately create a drive to the bottom. This will be
the fate of this standard as well. The most permissive interpretation will
be the most common. The user's desires will not be met.

thx ..Tom (mobile)

On Tue, Dec 24, 2024, 6:34 AM Watson Ladd <watsonbl...@gmail.com> wrote:

> I see that people are uncomfortable with making any mandates, and so I've
> tried to be purely descriptive in this proposal. I leave it to the WG to
> decide where to put it, but I see it as a wholesale replacement for some
> sections to emphasize clarity.
>
>  "SD-JWT conceals only the values that aren't revealed. It does not meet
> standard security notations for anonymous credentials. In particular
> Verifiers and Issuers can know when they have seen the same credential no
> matter what fields have been opened, even none of them. This behavior may
> not accord with what users naively expect or are led to expect from UX
> interactions and lead them to make choices they would not otherwise make.
> Workarounds such as issuing multiple credentials at once and using them
> only one time can help for keeping Verifiers from linking different
> showings, but cannot work for Issuers. This issue applies to all selective
> disclosure based approaches, including mdoc. "
>
> Sincerely,
> Watson
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
>
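The linkage the quoted text describes, as an added example that is not code from this thread or from any SD-JWT implementation: a minimal SD-JWT-style issuance in which HMAC stands in for the issuer's signature, two presentations of one credential that disclose different claims (one discloses nothing), and a batch of two separately issued credentials. The function names, the issuer URL and the subject ids are constructed for the example.

```python
import base64, hashlib, hmac, json, os

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue(subject_id, claims, issuer_key, ledger):
    """Issue one SD-JWT: each claim becomes a salted disclosure and only the
    disclosure digests go into the signed payload's _sd array."""
    disclosures = {}
    for name, value in claims.items():
        salt = b64u(os.urandom(16))  # fresh salt per claim per credential
        disclosures[name] = b64u(json.dumps([salt, name, value]).encode())
    digests = sorted(b64u(hashlib.sha256(d.encode()).digest()) for d in disclosures.values())
    header = b64u(json.dumps({"alg": "HS256", "typ": "example+sd-jwt"}).encode())
    payload = b64u(json.dumps({"iss": "https://issuer.example",  # constructed
                               "_sd_alg": "sha-256", "_sd": digests}).encode())
    signing_input = f"{header}.{payload}"
    # HMAC stands in for the issuer's asymmetric signature (e.g. ES256)
    sig = b64u(hmac.new(issuer_key, signing_input.encode(), hashlib.sha256).digest())
    issuer_jwt = f"{signing_input}.{sig}"
    ledger[issuer_jwt] = subject_id  # issuer remembers who received this exact token
    return issuer_jwt, disclosures

def present(issuer_jwt, disclosures, reveal):
    """Combined presentation: issuer-signed JWT ~ chosen disclosures ~ (no key binding)."""
    return "~".join([issuer_jwt, *(disclosures[n] for n in reveal)]) + "~"

def issuer_signed_part(presentation):
    # The first segment is sent unchanged in every presentation of this credential,
    # so the signature value and the _sd digests act as a stable correlation handle.
    return presentation.split("~")[0]

def verifier_can_link(p1, p2):
    """Two presentations are linkable by any Verifier that sees both if they
    carry the same issuer-signed JWT, whatever was disclosed."""
    return issuer_signed_part(p1) == issuer_signed_part(p2)

def issuer_identifies(ledger, presentation):
    """The Issuer resolves any presentation back to the subject via its ledger,
    which batch issuance of one-time credentials does not prevent."""
    return ledger.get(issuer_signed_part(presentation))
```

Running it shows that batch issuance with fresh salts and distinct signatures breaks Verifier-side linkage between the two credentials, while the Issuer's ledger still resolves both to the same subject.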