Hey all,

What JWP allows that I find very useful is the following: the Verifier will learn nothing more than what the user reveals, even if they (the Verifier) cooperate with the Issuer (or anyone else).

The above is essentially unlinkability, but it also says something stronger, which makes the protocols using it more robust. It also makes it easier to use JWP in other protocols (instead of having to claim unlinkability under only certain circumstances, for example). Also, even if we remove the possibility of a Verifier/Issuer coalition, it is not straightforward to achieve the above property using (N) SD-JWT tokens. As an example, the Issuer could potentially measure the amount of time it takes for a user to request a new set of tokens and derive behavior statistics.

Another thing worth considering is efficiency. Even if you could achieve a subset of the properties listed here by other “traditional” means, the proposed solutions are simpler, more flexible, and efficient.

> That seems like a pretty exotic property compared to how current
> authentication systems work. Even in the good old Web PKI, with 2-year
> certificates, the issuer had to stay alive to serve OCSP responses or CRLs.
> Even driver's licenses and passports have revocation!

Yes, however, the token issuance protocol itself should not make that a requirement IMO since there are better (again MO) alternatives. Each use case is then free to utilize the Issuer to the extent it needs.

> I'm having trouble imagining how you achieve that along with other properties, so an intro to the relevant crypto would be helpful.

I will take BBS as an example. BBS is based on the extremely well studied and widely used Schnorr-proofs (or rather generalized Schnorr-proofs [1]). The BBS proof can be mathematically proven to be a zero-knowledge proof-of-knowledge, i.e., that it does not reveal any information beyond the disclosed claims while proving knowledge of a signature [2]. Those properties may seem like “magic”, but they are based on very well studied and understood cryptographic schemes and techniques. Of course, I would be more than happy to go over the crypto in more detail!

All the best!
Vasilis

[1] https://link.springer.com/content/pdf/10.1007/978-3-642-01001-9_25.pdf
[2] https://eprint.iacr.org/2016/663.pdf
_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
