On 2022-07-28 9:30, Torsten Lodderstedt wrote:


On 28.07.2022 at 08:57, Neil Madden <[email protected]> wrote:

{
  "iss": "gov.uk",
  "over_18": true
}

If this is signed using a deterministic signature algorithm (e.g. EdDSA) then the 
token will be identical for everyone that is over 18 and so naturally 
unlinkable.

Such a credential needs to be bound to the legit holder, which is typically 
achieved by adding a public key (reference) to it (which is missing in your 
example). The holder must then create a presentation signed with the 
corresponding private key to prove possession and, with that, legitimate 
holdership. That key results in linkability.

Indeed.

A challenge-response solution may be a more logical way of dealing with this kind 
of application.

That is,
- the RP creates a challenge and sends it to the Holder
- the Holder authenticates to the Issuer and includes the challenge
- the Issuer returns an assertion including the challenge
- the Holder shows the assertion to the RP

Some 10Y+ back MSFT launched the U-Prove system.  I know very little about it but 
it would be interesting to know the pros and cons of that compared to JWP.

Cheers,
Anders

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
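
The four-step challenge-response flow listed in the message above, as an added Go example that is not part of the original thread. Ed25519, the `challenge` claim name, the 16-byte challenge size and all type and function names are assumptions, and the Holder's authentication to the Issuer is not modelled.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
)

// Assertion is what the Issuer signs: the claim plus the RP's challenge, no holder key.
type Assertion struct {
	Iss       string `json:"iss"`
	Over18    bool   `json:"over_18"`
	Challenge string `json:"challenge"` // claim name is an assumption
}

type RP map[string]bool // challenges this RP has issued and not yet seen redeemed

// NewChallenge is step 1: the RP creates a fresh random challenge for the Holder.
func (r RP) NewChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	r[hex.EncodeToString(b)] = true
	return hex.EncodeToString(b)
}

// Issue is steps 2-3: the Issuer signs an assertion that includes the challenge.
func Issue(priv ed25519.PrivateKey, challenge string) (payload, sig []byte) {
	payload, _ = json.Marshal(Assertion{"gov.uk", true, challenge})
	return payload, ed25519.Sign(priv, payload)
}

// Verify is step 4: signature must be the Issuer's and the challenge must be pending.
func (r RP) Verify(issuer ed25519.PublicKey, payload, sig []byte) bool {
	var a Assertion
	if !ed25519.Verify(issuer, payload, sig) || json.Unmarshal(payload, &a) != nil || !r[a.Challenge] {
		return false
	}
	delete(r, a.Challenge) // single use: a replayed assertion no longer matches
	return a.Over18
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	rp := RP{}
	p, s := Issue(priv, rp.NewChallenge())
	println(rp.Verify(pub, p, s), rp.Verify(pub, p, s)) // first presentation accepted, replay rejected
}
```

In this flow the Issuer signs every challenge, so it takes part in each presentation.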
