Hi Watson,
deploying technologies can be complex because the incentives need to align. Not everything that looks great on paper gets adopted in the time frame or manner we like. In this specific case U-Prove has not seen excitement in the industry. There are reasons but it is difficult to say what those exactly are. In the OAuth group we have been trying hard to rally the community around the use of specific technologies. I see SD-JWT as a stepping stone in the right direction. As time progresses we will see other technologies surface again and we have the JSON Web Proof work in our pipeline. In any case, we have to not just look at the list of features but also reach out to those who deploy the technologies in question and listen to them.

Ciao
Hannes

On 23.08.2023 at 07:32, Watson Ladd wrote:
Dear all,

I read with alarm that the EU Digital Wallet is mandating SD-JWT, perhaps under the illusion that it meets the standard, 22-year-old security definition for schemes of this type. It of course doesn't, as said quite clearly in the security considerations section 10.4 and 10.5. Why on earth are we pursuing this "solution" when actual solutions to the problems presented have existed for 19 years? There's been substantial research on this area, as seen in Microsoft's U-Prove system just to name one instance. This is apparently an article of discussion on the EU Digital Wallet project as well, but I think the IETF needs to have its own discussion of the issues here and not just say "well, it would be nice if we had an RFC for this" especially given the negative privacy impacts.

Sincerely,
Watson Ladd

PS: they appear quite aware, but apparently convening the right committee to approve the signature scheme is too hard. Anyway, not relevant to us in the IETF.
_______________________________________________
OAuth mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/oauth
