On Thu, Jan 9, 2025, 10:14 AM Watson Ladd <watsonbl...@gmail.com> wrote:
> On Thu, Jan 9, 2025, 10:10 AM Pierce Gorman <pierce.gor...@numeracle.com>
> wrote:
>
>> Hi Watson,
>>
>> I thought it was a good suggestion and am looking forward to feedback
>> from others.
>>
>> I didn't understand the part of the statement in the penultimate sentence
>> which says, "but cannot work for Issuers". I should probably understand
>> what you meant without having to ask, but I don't.
>>
>> Can you please elaborate what you meant about workarounds such as issuing
>> multiple one-time-use credentials at once (if I understood that correctly)
>> not working for issuers?
>>
>
> Let's change that to "cannot prevent Issuers from linking issuance to
> showing". Does that help?
>

Actually I see Brian already made a better edit to fix it in the PR

>
>> Pierce
>>
>>
>> CONFIDENTIAL
>> -----Original Message-----
>> From: Watson Ladd <watsonbl...@gmail.com>
>> Sent: Wednesday, January 8, 2025 5:51 PM
>> To: IETF oauth WG <oauth@ietf.org>
>> Subject: [OAUTH-WG] Reminder: Alternative text for sd-jwt privacy
>> considerations.
>>
>> EXTERNAL EMAIL
>>
>> Dear oauth wg,
>>
>> Happy 2025! I hope everyone has had a nice set of holidays. As a reminder
>> I put forward the following proposal for text to add to either privacy or
>> security considerations of sd-jwt, but the timing was unfortunate, coming
>> Christmas Eve.
>> Comments on it welcome.
>>
>> "SD-JWT conceals only the values that aren't revealed. It does not meet
>> standard security notations for anonymous credentials. In particular
>> Verifiers and Issuers can know when they have seen the same credential no
>> matter what fields have been opened, even none of them.
>> This behavior may not accord with what users naively expect or are led
>> to expect from UX interactions and lead them to make choices they would not
>> otherwise make.
>> Workarounds such as issuing multiple credentials at once
>> and using them only one time can help for keeping Verifiers from linking
>> different showing, but cannot work for Issuers.
>> This issue applies to all selective disclosure based approaches,
>> including mdoc."
>>
>> Sincerely,
>> Watson
>>
>> --
>> Astra mortemque praestare gradatim
>>
>> _______________________________________________
>> OAuth mailing list -- oauth@ietf.org
>> To unsubscribe send an email to oauth-le...@ietf.org
>>
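The linkability described in the proposed text, as an added example that is not part of this thread or of the sd-jwt draft: a simplified SD-JWT model showing that the issuer-signed part is identical across showings of one credential, and that batch issuance separates showings for Verifiers but not for the Issuer. Assumptions: HMAC stands in for the issuer's signature, the Issuer is assumed to obtain the presentation (for example from a Verifier), and all function names, the key and the sample claims are constructed.

```python
import base64, hashlib, hmac, json, secrets

ISSUER_KEY = b"constructed-demo-key"  # assumption: HMAC stands in for the issuer's real signature

def b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def issue(claims: dict) -> tuple[str, dict]:
    """Return (issuer-signed JWT, {claim name: disclosure}) with fresh salts."""
    disclosures = {k: b64(json.dumps([b64(secrets.token_bytes(16)), k, v]).encode())
                   for k, v in claims.items()}
    digests = sorted(b64(hashlib.sha256(d.encode()).digest()) for d in disclosures.values())
    header = b64(json.dumps({"alg": "HS256", "typ": "example+sd-jwt"}).encode())
    payload = b64(json.dumps({"_sd": digests, "_sd_alg": "sha-256"}).encode())
    sig = b64(hmac.new(ISSUER_KEY, f"{header}.{payload}".encode(), hashlib.sha256).digest())
    return f"{header}.{payload}.{sig}", disclosures

def present(jwt: str, disclosures: dict, reveal: list[str]) -> str:
    """Holder shows the signed JWT plus only the chosen disclosures."""
    return "~".join([jwt, *(disclosures[k] for k in reveal)]) + "~"

def link_handle(presentation: str) -> str:
    """Fingerprint of the issuer-signed part, computable by any recipient."""
    return hashlib.sha256(presentation.split("~")[0].encode()).hexdigest()

def demo() -> dict:
    claims = {"given_name": "Alice", "birthdate": "1990-01-01"}  # constructed sample
    issuer_log = {}  # issuer side: handle -> holder the credential was issued to
    batch = [issue(claims) for _ in range(2)]  # the one-time-use workaround
    for jwt, _ in batch:
        issuer_log[link_handle(jwt + "~")] = "holder-1"
    (jwt_a, disc_a), (jwt_b, disc_b) = batch
    show1 = present(jwt_a, disc_a, ["given_name"])
    show2 = present(jwt_a, disc_a, [])           # no fields opened
    show3 = present(jwt_b, disc_b, ["birthdate"])  # second credential of the batch
    return {
        "same_credential_linked": link_handle(show1) == link_handle(show2),
        "batch_unlinkable_to_verifiers": link_handle(show1) != link_handle(show3),
        "issuer_links_all": {issuer_log.get(link_handle(s)) for s in (show1, show2, show3)},
    }

if __name__ == "__main__":
    print(demo())
```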