+1
(not confidential)
On 29.01.25 at 22:15, Pierce Gorman wrote:
+1 on advancing the draft.
CONFIDENTIAL
-----Original Message-----
From: Watson Ladd <watsonbl...@gmail.com>
Sent: Wednesday, January 29, 2025 12:09 PM
To: Brian Campbell <bcampbell=40pingidentity....@dmarc.ietf.org>
Cc: oauth <oauth@ietf.org>; oauth-cha...@ietf.org
Subject: [OAUTH-WG] Re: -15 of SD-JWT
After discussion with the authors we've agreed that editorial improvements,
including to the security considerations section, can happen later in the
process, and that it shouldn't prevent advancing the draft.
On Thu, Jan 16, 2025 at 7:25 PM Watson Ladd <watsonbl...@gmail.com> wrote:
Brian,
I'm glad we've finally reached rough consensus on adding the paragraph
I've wanted since SF, and more importantly highlighting the issues
that the security failures of SD-JWT make for users.
However, the editorial issues with the verbosity of the privacy
considerations remain, and have gotten worse. Is there really no way
to condense it? I hoped that instead of my hamfisted mass deletion in
the first PR we'd have a more careful rewrite of the preceding text in
light of the new consensus to express, vs. not touching it.
I think it would read better as follows:
- Move the summary paragraph (with some edits (s/above/below/ etc)) to
the top of the section
- Delete the paragraph that goes "Issuer/Verifier unlinkability with a
careless," as it is subsumed by the summary entirely. We'll put the
data minimization note in somewhere else
- "Contrary to that, Issuer/Verifier unlinkability" - add in the data
minimization note here
Probably this will need some more chopping at.
IMHO it seems that rather than agree on what we want to say, then say
it, we've agreed to say 3 or 4 different things all at the same time.
I don't think that's actually recording agreement on the substance of
what we want to say.
When we talk about batch issuance we say it achieves presentation
unlinkability. However, that's not how we defined presentation
unlinkability, which applies to multiple showings of the same, not
different, credentials. I'm not really sure what to do with that: maybe
"achieves" should become "works around the lack of". Or maybe we need
a different notion of same, but that's going to force some very
sweeping changes.
Sincerely,
Watson
--
Astra mortemque praestare gradatim
--
Astra mortemque praestare gradatim
_______________________________________________
OAuth mailing list -- oauth@ietf.org
To unsubscribe send an email to oauth-le...@ietf.org
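The distinction Watson draws between showing the same credential repeatedly and showing different batch-issued credentials, as an added example that is not part of this thread or of the SD-JWT draft: a toy SD-JWT-like structure in Python. It uses HMAC-SHA256 as a stand-in for the issuer's JWS signature (an assumption made for brevity; a real SD-JWT carries a JWS), and the issuer URL and claim names are constructed. It shows that two verifiers receiving the same credential can correlate it through the issuer-signed part even when the disclosed claims are disjoint, that batch issuance removes that correlator between verifiers, and that the issuer itself can still match any presentation against the signatures it produced, so batching does not address Issuer/Verifier linkability.

```python
import hashlib
import hmac
import json
import secrets
from base64 import urlsafe_b64encode

# Toy stand-in for an SD-JWT (constructed for this example, not a real JWS):
# the issuer-signed part carries salted-claim digests in "_sd"; the holder
# keeps the disclosures and reveals a subset in each presentation.


def b64url(data: bytes) -> str:
    return urlsafe_b64encode(data).rstrip(b"=").decode()


def make_disclosure(claim: str, value) -> tuple[str, str]:
    """Return (disclosure, digest): a salted [salt, claim, value] array and its SHA-256."""
    salt = b64url(secrets.token_bytes(16))
    disclosure = b64url(json.dumps([salt, claim, value]).encode())
    digest = b64url(hashlib.sha256(disclosure.encode()).digest())
    return disclosure, digest


def issue(issuer_key: bytes, claims: dict) -> dict:
    """Issue one credential: issuer-signed payload plus the holder's disclosures.
    HMAC-SHA256 stands in for the issuer's JWS signature (assumption for this toy)."""
    disclosures = {}
    digests = []
    for claim, value in claims.items():
        disc, dig = make_disclosure(claim, value)
        disclosures[claim] = disc
        digests.append(dig)
    payload = json.dumps(
        {"iss": "https://issuer.example", "_sd": sorted(digests)}, sort_keys=True
    )
    sig = hmac.new(issuer_key, payload.encode(), hashlib.sha256).hexdigest()
    return {"payload": payload, "signature": sig, "disclosures": disclosures}


def present(credential: dict, reveal: list[str]) -> dict:
    """Holder sends the issuer-signed part verbatim plus only the chosen disclosures."""
    return {
        "payload": credential["payload"],
        "signature": credential["signature"],
        "disclosures": [credential["disclosures"][c] for c in reveal],
    }


def verifiers_can_link(p1: dict, p2: dict) -> bool:
    """Two colluding verifiers compare the issuer-signed part each received.
    The signature (and the _sd digests inside the payload) is a stable correlator
    even when the revealed claims are disjoint."""
    return p1["signature"] == p2["signature"]


def issuer_can_link(issued_log: list[dict], presentation: dict) -> bool:
    """The issuer retained every signature it produced, so it can match a presentation
    handed over by a verifier, with or without batch issuance."""
    return any(c["signature"] == presentation["signature"] for c in issued_log)


def demo() -> tuple[bool, bool, bool]:
    key = secrets.token_bytes(32)
    claims = {"given_name": "Alice", "age_over_18": True}  # constructed sample claims
    issued = []

    # One credential shown to two verifiers, disclosing a different claim each time.
    single = issue(key, claims)
    issued.append(single)
    to_shop = present(single, ["age_over_18"])
    to_bank = present(single, ["given_name"])
    same_cred_linkable = verifiers_can_link(to_shop, to_bank)

    # Batch issuance: several credentials over the same claims, each with fresh
    # salts and its own signature; the holder uses each one only once.
    batch = [issue(key, claims) for _ in range(2)]
    issued.extend(batch)
    to_shop2 = present(batch[0], ["age_over_18"])
    to_bank2 = present(batch[1], ["given_name"])
    batch_linkable = verifiers_can_link(to_shop2, to_bank2)

    # Issuer/Verifier linkability is untouched by batching: the issuer logged every signature.
    issuer_link = issuer_can_link(issued, to_bank2)
    return same_cred_linkable, batch_linkable, issuer_link


if __name__ == "__main__":
    print(demo())  # (True, False, True)
```

Running the block prints `(True, False, True)`: the same credential is linkable across verifiers, batch-issued credentials are not (in this model, which ignores network-level and claim-value correlation), and the issuer can always link. That matches the point that batch issuance works around the lack of unlinkability for repeated showings rather than providing presentation unlinkability as the draft defines it.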