Brian, I'm glad we've finally reached rough consensus on adding the paragraph I've wanted since SF, and more importantly highlighting the issues that the security failures of SD-JWT makes for users.
However, the editorial issues with the verbosity of the privacy considerations remains, and has gotten worse. Is there really no way to condense it? I hoped that instead of my hamfisted mass deletion in the first PR we'd have a more careful rewrite of the preceding text in light of the new consensus to express, vs. not touching it. I think it would read better as follows: - Move the summary paragraph (with some edits (s/above/below/ etc)) to the top of the section - Delete the paragraph that goes "Issuer/Verifier unlinkability with a careless," as it is subsumed by the summary entirely. We'll put the data minimization note in somewhere else - "Contrary to that, Issuer/Verifier unlinkability" - add in the data minimization note here Probably this will need some more chopping at. IMHO it seems that rather than agree on what we want to say, then say it, we've agreed to say 3 or 4 different things all at the same time. I don't think that's actually recording agreement on the substance of what we want to say. When we talk about batch issuance we say it achieves presentation unlinkability. However, that's not how we defined presentation unlinkability, which applies to multiple showing of the same, not different credentials. I'm not really sure what to do with that: maybe "achieves" should become "works around the lack of". Or maybe we need a different notion of same, but that's going to force some very sweeping changes. Sincerely, Watson -- Astra mortemque praestare gradatim _______________________________________________ OAuth mailing list -- oauth@ietf.org To unsubscribe send an email to oauth-le...@ietf.org
