> On 28 Jul 2022, at 08:30, Torsten Lodderstedt <[email protected]> wrote:
>
>> Am 28.07.2022 um 08:57 schrieb Neil Madden <[email protected]>:
>>
>> {
>>   "iss": "gov.uk",
>>   "over_18": true
>> }
>>
>> If this is signed using a deterministic signature algorithm (eg EdDSA) then
>> the token will be identical for everyone that is over 18 and so naturally
>> unlinkable.
>
> Such a credential needs to be bound to the legit holder, which is typically
> achieved by adding a public key (reference) to it (which is missing in your
> example). The holder must then create a presentation signed with the
> corresponding private key to prove possession and with that legitimate
> holdership. That key results in linkability.
Well, it doesn’t *need* to be bound to such a key. Bearer credentials are still
widely used, after all.
But even if it does, the problem then seems to be one of defining unlinkable
proof of possession (PoP) schemes, not a JWT alternative. Indeed, this would
seem to be a problem in JWP too - if an issuer adds a PoP constraint via a
“cnf” claim (RFC 7800) then that PoP scheme needs to be unlinkable regardless
of the use of JWP. (Can the holder choose to selectively not disclose that
“cnf” claim? If so, yikes).
In current usage, PoP is usually applied and linked to clients (apps) not
individual users, so one simple approach would be to take the FIDO/WebAuthn
approach and require the client to reuse the same key for at least 10,000 users
to prevent linkability. That’s obviously not a universally applicable approach,
and I would be in favour of new privacy-preserving PoP schemes.
— Neil
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
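The two positions in this exchange can be checked directly. The following is an added Go example, not code from either poster or from any JOSE library: it signs the credential above with Ed25519 (EdDSA) and with ECDSA P-256 (ES256) in a JWS-like payload.signature form, then adds a per-holder "cnf" key reference (the kid values "alice-key" and "bob-key" are made up) to show where linkability comes back in.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/ed25519"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// Claims is the credential from the thread plus an optional "cnf" (RFC 7800) key reference.
type Claims struct {
	Iss    string            `json:"iss"`
	Over18 bool              `json:"over_18"`
	Cnf    map[string]string `json:"cnf,omitempty"`
}

// b64 is base64url without padding, as in JWS compact serialization.
func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// EdDSAToken signs the claims with Ed25519: same key and same bytes always give the same signature.
func EdDSAToken(priv ed25519.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c) // map keys are sorted, so the encoding is stable
	return b64(payload) + "." + b64(ed25519.Sign(priv, payload))
}

// ES256Token signs the same claims with ECDSA P-256, which draws a fresh random nonce per signature.
func ES256Token(priv *ecdsa.PrivateKey, c Claims) string {
	payload, _ := json.Marshal(c)
	h := sha256.Sum256(payload)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, h[:])
	return b64(payload) + "." + b64(sig)
}

// Keys generates one throwaway issuer key per algorithm (constructed here, not a real issuer's keys).
func Keys() (ed25519.PrivateKey, *ecdsa.PrivateKey) {
	_, ed, _ := ed25519.GenerateKey(rand.Reader)
	ec, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return ed, ec
}

func main() {
	ed, ec := Keys()
	bare := Claims{Iss: "gov.uk", Over18: true}
	// Two holders issued the bare credential: identical token under EdDSA, distinct under ES256.
	fmt.Println("EdDSA bare tokens identical:", EdDSAToken(ed, bare) == EdDSAToken(ed, bare))
	fmt.Println("ES256 bare tokens identical:", ES256Token(ec, bare) == ES256Token(ec, bare))
	// Binding each holder to their own key via "cnf" makes even the EdDSA token per-holder.
	alice := Claims{Iss: "gov.uk", Over18: true, Cnf: map[string]string{"kid": "alice-key"}}
	bob := Claims{Iss: "gov.uk", Over18: true, Cnf: map[string]string{"kid": "bob-key"}}
	fmt.Println("EdDSA cnf-bound tokens identical:", EdDSAToken(ed, alice) == EdDSAToken(ed, bob))
}
```

Run it and the first line prints true, the other two false: the deterministic signature alone gives the "identical for everyone over 18" property, and a randomized algorithm or a per-holder cnf claim removes it.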