Pull request
https://github.com/oauth-wg/oauth-selective-disclosure-jwt/pull/535
incorporates text based on this suggestion into the end of
the Unlinkability subsection of the Privacy Considerations. Barring
objections/concerns with this, we'll look to merge it and publish a new
draft next week.

On Wed, Jan 8, 2025 at 4:51 PM Watson Ladd <watsonbl...@gmail.com> wrote:

> Dear oauth wg,
>
> Happy 2025! I hope everyone has had a nice set of holidays. As a
> reminder I put forward the following proposal for text to add to
> either privacy or security considerations of sd-jwt, but the timing
> was unfortunate, coming Christmas eve.
> Comments on it welcome.
>
> "SD-JWT conceals only the values that aren't revealed. It does not
> meet standard security notations for anonymous credentials. In
> particular Verifiers and Issuers can know when they have seen the same
> credential no matter what fields have been opened, even none of them.
> This behavior may not accord with what users naively expect or are
> led to expect from UX interactions and lead them to make choices they
> would not otherwise make. Workarounds such as issuing multiple
> credentials at once and using each only once can help keep
> Verifiers from linking different showings, but cannot work for Issuers.
> This issue applies to all selective disclosure based approaches,
> including mdoc."
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
>
> _______________________________________________
> OAuth mailing list -- oauth@ietf.org
> To unsubscribe send an email to oauth-le...@ietf.org
>

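The linkability the quoted proposal describes, shown concretely as an added example that is not part of the thread or of the SD-JWT draft: a toy SD-JWT-style issuer, holder and verifier in Python. The issuer signature is simulated with HMAC over the issuer-signed part (an assumption; a real SD-JWT carries a JWS), the key binding JWT is omitted, and the issuer URL, subject identifiers and claims are constructed. The two functions at the end return what a verifier and an issuer can each conclude: the same credential shown with no disclosures and with one disclosure carries an identical issuer-signed part, so the verifier links the two showings; batch-issuing fresh credentials gives each showing a different issuer-signed part, which defeats verifier linking but not issuer linking, since the issuer signed every one of them.

```python
"""Toy SD-JWT-style credential to show where linkability comes from.

Added example, not code from the thread or the draft. HMAC stands in for
the JWS (assumption), no key binding JWT, salts are random per disclosure.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"toy-issuer-key"  # constructed; stands in for a real signing key
HEADER = base64.urlsafe_b64encode(b'{"alg":"HS256"}').rstrip(b"=").decode("ascii")


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_disclosure(name: str, value) -> str:
    """Disclosure = base64url(JSON [salt, claim name, claim value]), fresh 128-bit salt."""
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode("utf-8"))


def sd_digest(disclosure: str) -> str:
    """Digest the verifier recomputes from a revealed disclosure (sha-256 of the ASCII string)."""
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


class Issuer:
    def __init__(self, key: bytes):
        self.key = key
        self.ledger = {}  # issuer-signed JWT -> subject; the issuer always knows what it signed

    def issue(self, subject: str, claims: dict):
        disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
        payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
                   "_sd": sorted(sd_digest(d) for d in disclosures.values())}
        signing_input = f"{HEADER}.{b64url(json.dumps(payload, sort_keys=True).encode())}"
        sig = b64url(hmac.new(self.key, signing_input.encode("ascii"), hashlib.sha256).digest())
        issuer_jwt = f"{signing_input}.{sig}"
        self.ledger[issuer_jwt] = subject
        return issuer_jwt, disclosures

    def issue_batch(self, subject: str, claims: dict, n: int):
        # Same claims, fresh salts each time: every credential gets a different _sd list.
        return [self.issue(subject, claims) for _ in range(n)]


def present(issuer_jwt: str, disclosures: dict, reveal: list) -> str:
    """Holder builds <issuer JWT>~<disclosure>~...~ with only the chosen disclosures."""
    return "~".join([issuer_jwt] + [disclosures[n] for n in reveal]) + "~"


def verify(presentation: str, key: bytes):
    """Return (linkable handle, revealed claims); raise on bad signature or foreign disclosure."""
    parts = presentation.split("~")
    issuer_jwt, revealed = parts[0], [p for p in parts[1:] if p]
    header_b64, payload_b64, sig = issuer_jwt.split(".")
    expected = b64url(hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"),
                               hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad issuer signature")
    payload = json.loads(b64url_decode(payload_b64))
    claims = {}
    for d in revealed:
        if sd_digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not covered by the issuer's signature")
        _salt, name, value = json.loads(b64url_decode(d))
        claims[name] = value
    # The issuer-signed JWT (signature and full _sd digest list) is identical on every
    # showing of this credential, whatever is disclosed: that is the verifier's handle.
    return issuer_jwt, claims


def same_credential_is_linkable():
    issuer = Issuer(ISSUER_KEY)
    jwt, disc = issuer.issue("alice", {"given_name": "Alice", "age_over_18": True})
    handle_none, claims_none = verify(present(jwt, disc, []), ISSUER_KEY)
    handle_age, claims_age = verify(present(jwt, disc, ["age_over_18"]), ISSUER_KEY)
    return handle_none == handle_age, claims_none, claims_age


def batch_issuance_breaks_verifier_linking_only():
    issuer = Issuer(ISSUER_KEY)
    batch = issuer.issue_batch("alice", {"given_name": "Alice", "age_over_18": True}, 2)
    handles = [verify(present(jwt, disc, ["age_over_18"]), ISSUER_KEY)[0] for jwt, disc in batch]
    verifier_can_link = handles[0] == handles[1]
    issuer_can_link = issuer.ledger[handles[0]] == issuer.ledger[handles[1]]
    return verifier_can_link, issuer_can_link


if __name__ == "__main__":
    print(same_credential_is_linkable())
    print(batch_issuance_breaks_verifier_linking_only())
```

The verifier's handle here is the whole issuer-signed JWT, but any stable component of it would do: the signature alone, or the `_sd` digest list, which is fixed at issuance because the salts are chosen once. Batch issuance only helps to the extent the holder never reuses a credential across verifiers that might compare notes; it does nothing against the issuer, which signed every credential in the batch and can map each back to the subject, exactly as the quoted text says.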
