[OAUTH-WG] Re: SD-JWT linkability

2024-12-24 Thread Watson Ladd
On Tue, Dec 24, 2024, 8:18 AM Brian Campbell wrote: > > > On Mon, Dec 23, 2024 at 2:03 PM Watson Ladd wrote: > >> >> On Mon, Dec 23, 2024 at 6:17 AM Joseph Heenan >> wrote: >> >>> I don’t think it is helpful to repeatedly make very similar proposals >>> whilst ignoring the feedback on why that

[OAUTH-WG] Re: SD-JWT linkability

2024-12-24 Thread Brian Campbell
On Mon, Dec 23, 2024 at 2:03 PM Watson Ladd wrote: > > On Mon, Dec 23, 2024 at 6:17 AM Joseph Heenan wrote: > >> I don’t think it is helpful to repeatedly make very similar proposals >> whilst ignoring the feedback on why that proposal is inappropriate, nor >> does it look like trying to meet ha

[OAUTH-WG] Re: SD-JWT linkability

2024-12-24 Thread Deb Cooley
At the risk of drawing oauth chairs' ire and only because I happened to be reading this thread w/ chagrin. No one thinks that SD-JWT is a perfect answer to the problem. It isn't. Sadly the perfect solution doesn't exist. So as we make our way to better and better solutions, let us take this n

[OAUTH-WG] Re: SD-JWT linkability

2024-12-24 Thread Brian Campbell
I take serious exception to just about everything you've said here. You have been given multiple opportunities, and even encouragement, to contribute text on the subject. That what you've proposed hasn't been well received in no way makes it acceptable to level such accusations towards me. On S

[OAUTH-WG] Re: SD-JWT linkability

2024-12-23 Thread Watson Ladd
On Mon, Dec 23, 2024 at 6:17 AM Joseph Heenan wrote: > Hi > > On 22 Dec 2024, at 20:35, Watson Ladd wrote: > > The fact that you and everyone else feels content to shoot down text > rather than try to meet me halfway shows that this isn't an honest > attempt to achieve rough consensus or convers

[OAUTH-WG] Re: SD-JWT linkability

2024-12-23 Thread Denis
Hi Joseph, You wrote: Although I’m somewhat puzzled why you didn’t go on to name what is the best technology, it seemed more like you were agreeing it is the best technology and explaining how it can be extended using available extension points to build a good solution for this

[OAUTH-WG] Re: SD-JWT linkability

2024-12-23 Thread Wayne Chang
Hi all, resurfacing this approach as it may provide issuer-verifier unlinkability for SD-JWTs and formats like it depending on your threat model. https://csrc.nist.gov/Presentations/2024/wpec2024-3b4 Best, Wayne Chang Founder & CEO | SpruceID | LinkedIn

[OAUTH-WG] Re: SD-JWT linkability

2024-12-23 Thread Joseph Heenan
> On 23 Dec 2024, at 16:02, Denis wrote: > > Joseph wrote: > > I believe I've said that, including in your PR I linked above: there are > situations where SD-JWT is the best currently available deployable technology > for a user disclosing their age to a verifier, and yes, it is absolutely

[OAUTH-WG] Re: SD-JWT linkability

2024-12-23 Thread Joseph Heenan
Hi > On 22 Dec 2024, at 20:35, Watson Ladd wrote: > > The fact that you and everyone else feels content to shoot down text > rather than try to meet me halfway shows that this isn't an honest > attempt to achieve rough consensus or conversely say my views are in > the rough because of actually t

[OAUTH-WG] Re: SD-JWT linkability

2024-12-22 Thread Watson Ladd
On Sun, Dec 22, 2024, 2:35 PM Brian Campbell wrote: > > > > On Sat, Dec 21, 2024 at 1:37 PM Joseph Heenan wrote: >> >> >> < ... snip ... > >> >> The current text is clear that there are situations where issuer-verifier >> linkability can’t be fully prevented. >> >> Process wide, I believe if y

[OAUTH-WG] Re: SD-JWT linkability

2024-12-22 Thread Brian Campbell
On Sat, Dec 21, 2024 at 1:37 PM Joseph Heenan wrote: > > < ... snip ... > > > The current text is clear that there are situations where issuer-verifier > linkability can’t be fully prevented. > > Process wide, I believe if you think the text currently in the > specification is inadequate, you n

[OAUTH-WG] Re: SD-JWT linkability

2024-12-21 Thread Watson Ladd
e what all the problematic cases will be. > > Pierce > > CONFIDENTIAL > -Original Message- > From: Watson Ladd > Sent: Friday, December 20, 2024 12:07 PM > To: Joseph Heenan > Cc: IETF oauth WG > Subject: [OAUTH-WG] Re: SD-JWT linkability > > EXTERNAL

[OAUTH-WG] Re: SD-JWT linkability

2024-12-21 Thread Joseph Heenan
> On 21 Dec 2024, at 19:10, Watson Ladd wrote: > > On Sat, Dec 21, 2024, 8:26 AM Joseph Heenan > wrote: >> >> >> >> On 20 Dec 2024, at 18:07, Watson Ladd wrote: >> >> On Fri, Dec 20, 2024 at 9:47 AM Joseph Heenan wrote: >> >> >> >> >> On 19 Dec 2024, at 21

[OAUTH-WG] Re: SD-JWT linkability

2024-12-21 Thread Watson Ladd
On Sat, Dec 21, 2024, 8:26 AM Joseph Heenan wrote: > > > > On 20 Dec 2024, at 18:07, Watson Ladd wrote: > > On Fri, Dec 20, 2024 at 9:47 AM Joseph Heenan wrote: > > > > > On 19 Dec 2024, at 21:54, Watson Ladd wrote: > > On Tue, Dec 17, 2024, 1:59 PM Joseph Heenan wrote: > > > Hi Watson > > Jus

[OAUTH-WG] Re: SD-JWT linkability

2024-12-21 Thread Joseph Heenan
> On 20 Dec 2024, at 18:07, Watson Ladd wrote: > > On Fri, Dec 20, 2024 at 9:47 AM Joseph Heenan wrote: >> >> >> >> On 19 Dec 2024, at 21:54, Watson Ladd wrote: >> >> On Tue, Dec 17, 2024, 1:59 PM Joseph Heenan wrote: >> >> >> Hi Watson >> >> Just to respond to the suggested text: >>

[OAUTH-WG] Re: SD-JWT linkability

2024-12-20 Thread Pierce Gorman
ierce CONFIDENTIAL -Original Message- From: Watson Ladd Sent: Friday, December 20, 2024 12:07 PM To: Joseph Heenan Cc: IETF oauth WG Subject: [OAUTH-WG] Re: SD-JWT linkability EXTERNAL EMAIL On Fri, Dec 20, 2024 at 9:47 AM Joseph Heenan wrote: > > > > On 19 Dec 2024, at 21:54, W

[OAUTH-WG] Re: SD-JWT linkability

2024-12-20 Thread Watson Ladd
On Fri, Dec 20, 2024 at 9:47 AM Joseph Heenan wrote: > > > > On 19 Dec 2024, at 21:54, Watson Ladd wrote: > > On Tue, Dec 17, 2024, 1:59 PM Joseph Heenan wrote: > > > Hi Watson > > Just to respond to the suggested text: > > > "When disclosures include information easily understood to be > identi

[OAUTH-WG] Re: SD-JWT linkability

2024-12-20 Thread Joseph Heenan
> On 19 Dec 2024, at 21:54, Watson Ladd wrote: > > On Tue, Dec 17, 2024, 1:59 PM Joseph Heenan > wrote: >> >> Hi Watson >> >> Just to respond to the suggested text: >> >>> >>> "When disclosures include information easily understood to be >>> identifying, users i

[OAUTH-WG] Re: SD-JWT linkability

2024-12-19 Thread Watson Ladd
On Tue, Dec 17, 2024, 1:59 PM Joseph Heenan wrote: > > Hi Watson > > Just to respond to the suggested text: > > > > > "When disclosures include information easily understood to be > > identifying, users intuitive view of what they are revealing largely > > matches the underlying technical reality.

[OAUTH-WG] Re: SD-JWT linkability

2024-12-18 Thread Denis
endet:* Tuesday, 17 December 2024 18:41 *To:* Steffen Schwalm *Cc:* Tom Jones; Pierce Gorman; IETF oauth WG *Subject:* Re: [OAUTH-WG] Re: SD-JWT linkability

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Steffen Schwalm
Steffen Schwalm Cc: Tom Jones; Pierce Gorman; IETF oauth WG Subject: Re: [OAUTH-WG] Re: SD-JWT linkability

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Carsten Bormann
On 17. Dec 2024, at 21:04, Paul Bastian wrote: > > RFC7049 doesn't even have a privacy consideration section although it > contains linkable data structures that may be utilized to track users. I’m not sure why you pick an RFC that has been superseded a while ago by an Internet Standard, but l

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Joseph Heenan
Hi Watson Just to respond to the suggested text: > > "When disclosures include information easily understood to be > identifying, users intuitive view of what they are revealing largely > matches the underlying technical reality. In cases where the > information being disclosed is not identifyin

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Tom Jones
I don't disagree with Paul - my comments addressed the text of the change. Will "Disclosures" be a part of the standard (even security concerns?) If that is the case, then the means to address the disclosures will need to be realistic. AFAIK the only proposed use of the SD-JWT is in OID4VP. In th

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Paul Bastian
I think people on this list are overly critical towards SD-JWT and I don't understand it. I'm not aware that these kinds of statements have been done in other IETF standards in a comparable context. Please correct me why neither JWT, CWT, JOSE, COSE, CBOR nor X.509 have specific text about thes

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Paul Bastian
in the SIP Identity JWT or could be passed via a DID document reference (in theory). Pierce CONFIDENTIAL *From:*Tom Jones *Sent:* Monday, December 16, 2024 12:50 PM *To:* Watson Ladd *Cc:* IETF oauth WG *Subject:* [OAUTH-WG] Re

[OAUTH-WG] Re: SD-JWT linkability

2024-12-17 Thread Tom Jones
> for one purpose to the police for another? This would legally not work > > > > *From:* Tom Jones > *Sent:* Tuesday, 17 December 2024 02:26 > *To:* Pierce Gorman > *Cc:* pe...@acm.org; IETF oauth WG > *Subject:* [OAUTH-WG] Re: SD-JWT linkability > > >

[OAUTH-WG] Re: SD-JWT linkability

2024-12-16 Thread Steffen Schwalm
n collected for one purpose to the police for another? This would legally not work From: Tom Jones Sent: Tuesday, 17 December 2024 02:26 To: Pierce Gorman Cc: pe...@acm.org; IETF oauth WG Subject: [OAUTH-WG] Re: SD-JWT linkability

[OAUTH-WG] Re: SD-JWT linkability

2024-12-16 Thread Watson Ladd
t; I assume the VP could be encoded by value in the SIP Identity JWT or >> could be passed via a DID document reference (in theory). >> >> >> >> Pierce >> >> >> >> CONFIDENTIAL >> >> *From:* Tom Jones >> *Sent:* Monday, De

[OAUTH-WG] Re: SD-JWT linkability

2024-12-16 Thread Tom Jones
ID document reference (in theory). > > > > Pierce > > > > CONFIDENTIAL > > *From:* Tom Jones > *Sent:* Monday, December 16, 2024 12:50 PM > *To:* Watson Ladd > *Cc:* IETF oauth WG > *Subject:* [OAUTH-WG] Re: SD-JWT linkability > > > > You don't o

[OAUTH-WG] Re: SD-JWT linkability

2024-12-16 Thread Pierce Gorman
CONFIDENTIAL From: Tom Jones Sent: Monday, December 16, 2024 12:50 PM To: Watson Ladd Cc: IETF oauth WG Subject: [OAUTH-WG] Re: SD-JWT linkability

[OAUTH-WG] Re: SD-JWT linkability

2024-12-16 Thread Tom Jones
The entire premise of SD-JWT in a VP transaction is basically fraudulent as there is not sufficient information in the VP to allow the user to make an informed consent decision. It gives the illusion of user control without the ability to deliver on the promise. For this proposal to have any value

[OAUTH-WG] Re: SD-JWT linkability

2024-12-13 Thread Watson Ladd
On Fri, Dec 13, 2024, 5:45 AM Daniel Fett wrote: > > Hi Watson, > > Thanks for proposing text for SD-JWT. While I agree on the underlying > problem, I would propose a different wording drawing a slightly different > conclusion. > > Your text implies that when identifying information is being sen

[OAUTH-WG] Re: SD-JWT linkability

2024-12-13 Thread Carsten Bormann
This is all great, but it is informative text except for a few sprinkled interoperability keywords “for the implementer” (when, apparently, it already has been decided to use this mechanism). The point, however, is that this specification has a limited area of applicability. Outsourcing secur

[OAUTH-WG] Re: SD-JWT linkability

2024-12-13 Thread Daniel Fett
Hi Watson, Thanks for proposing text for SD-JWT. While I agree on the underlying problem, I would propose a different wording drawing a slightly different conclusion. Your text implies that when identifying information is being sent, this is clear to the user and there will not be an assumpt