On Thu, Jan 9, 2025, 10:10 AM Pierce Gorman <pierce.gor...@numeracle.com> wrote:
> Hi Watson,
>
> I thought it was a good suggestion and am looking forward to feedback from
> others.
>
> I didn't understand the part of the statement in the penultimate sentence
> which says, "but cannot work for Issuers". I should probably understand
> what you meant without having to ask, but I don't.
>
> Can you please elaborate what you meant about workarounds such as issuing
> multiple one-time-use credentials at once (if I understood that correctly)
> not working for issuers?

Let's change that to "cannot prevent Issuers from linking issuance to showing". Does that help?

> Pierce
>
> -----Original Message-----
> From: Watson Ladd <watsonbl...@gmail.com>
> Sent: Wednesday, January 8, 2025 5:51 PM
> To: IETF oauth WG <oauth@ietf.org>
> Subject: [OAUTH-WG] Reminder: Alternative text for sd-jwt privacy considerations.
>
> Dear oauth wg,
>
> Happy 2025! I hope everyone has had a nice set of holidays. As a reminder,
> I put forward the following proposal for text to add to either the privacy or
> security considerations of sd-jwt, but the timing was unfortunate, coming
> on Christmas Eve.
> Comments on it are welcome.
>
> "SD-JWT conceals only the values that aren't revealed. It does not meet
> standard security notations for anonymous credentials. In particular,
> Verifiers and Issuers can know when they have seen the same credential no
> matter what fields have been opened, even none of them.
> This behavior may not accord with what users naively expect or are led to
> expect from UX interactions, and may lead them to make choices they would not
> otherwise make. Workarounds such as issuing multiple credentials at once
> and using each only one time can help keep Verifiers from linking
> different showings, but cannot work for Issuers.
> This issue applies to all selective-disclosure-based approaches, including
> mdoc."
>
> Sincerely,
> Watson
>
> --
> Astra mortemque praestare gradatim
_______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
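As an added illustration of the linkability Watson describes (example code written for this page, not code from the thread or from the SD-JWT authors): a minimal SD-JWT-style issuer, two showings of one credential with different disclosures that carry the same issuer-signed handle, and an issuance log showing why batch-issued one-time credentials defeat Verifier linking but not Issuer linking. It assumes an HMAC with a constructed key in place of the issuer's asymmetric signature, and omits the key-binding JWT.

```python
import base64
import hashlib
import hmac
import json
import secrets

# Constructed demo key: an HMAC stands in for the issuer's real signature (assumption).
ISSUER_KEY = b"constructed-demo-issuer-key"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_disclosure(name: str, value) -> str:
    # SD-JWT disclosure: base64url(JSON [salt, claim name, claim value]).
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())


def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())


def issue(claims: dict) -> tuple[str, dict]:
    """Issuer signs a JWT carrying only the salted digests of the claims."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items()}
    payload = {"iss": "https://issuer.example", "_sd_alg": "sha-256",
               "_sd": sorted(digest(d) for d in disclosures.values())}
    signing_input = b64url(b'{"alg":"HS256"}') + "." + b64url(json.dumps(payload).encode())
    sig = b64url(hmac.new(ISSUER_KEY, signing_input.encode(), hashlib.sha256).digest())
    return signing_input + "." + sig, disclosures


def present(issuer_jwt: str, disclosures: dict, reveal: list) -> str:
    # Presentation format: <issuer JWT>~<disclosure>~...~ (key-binding JWT omitted).
    return "~".join([issuer_jwt] + [disclosures[n] for n in reveal]) + "~"


def linking_handle(presentation: str) -> str:
    # The issuer-signed JWT travels unchanged in every showing, whatever is revealed
    # (even nothing), so its signature alone ties all showings of one credential together.
    return presentation.split("~")[0]


def issuer_lookup(issuance_log: dict, presentation: str):
    # Batch-issuing one-time-use credentials gives each showing a different handle, which
    # stops Verifiers linking them, but the Issuer recorded every JWT it signed and can
    # still map any showing that reaches it back to the issuance event.
    return issuance_log.get(linking_handle(presentation))
```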