Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-08 Thread Neil Madden
> On 7 Nov 2023, at 15:50, Denis wrote: > > Hi Neil, > >> On 7 Nov 2023, at 13:13, Denis > > wrote: >>> >>> Hi Neil, >>> >>> You wrote: >>> "Note that unlinkability is explicitly already not a goal for SD-JWT >>> according to section 12.4". >>> This is untrue: >>>

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-07 Thread Denis
Hi Neil, On 7 Nov 2023, at 13:13, Denis wrote: Hi Neil, You wrote: "Note that unlinkability is explicitly already not a goal for SD-JWT according to section 12.4". This is untrue: 12.4.  Unlinkability Colluding Issuer/Verifier or Verifier/Verifier pairs could link issuan

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-07 Thread Neil Madden
On 7 Nov 2023, at 13:13, Denis wrote: > > Hi Neil, > > You wrote: > "Note that unlinkability is explicitly already not a goal for SD-JWT > according to section 12.4". > This is untrue: > 12.4. Unlinkability > > Colluding Issuer/Verifier or Verifier/Verifier pairs could link > issuance/presen

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-07 Thread Denis
Hi Neil, You wrote: "Note that unlinkability is explicitly already not a goal for SD-JWT according to section 12.4". This is untrue: 12.4.  Unlinkability Colluding Issuer/Verifier or Verifier/Verifier pairs could link issuance/presentation or two presentation sessions to the same

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-06 Thread Brian Campbell
Hi Neil. Thank you for suggesting text! I agree we’re closing in on some actionable changes here (I've added some issues in the github repo to keep track FWIW) and we'll work to incorporate the text you've suggested. I do see how the text you've cited in 11.8 11.6, and 8.3 (there is no 8.4 so maki

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-06 Thread Neil Madden
> On 6 Nov 2023, at 16:43, Watson Ladd wrote: > > On Mon, Nov 6, 2023 at 5:46 AM Neil Madden wrote: > >> >> How about the following: >> >> — >> An Issuer MUST NOT allow any security-critical claim to be selectively >> disclosable. The exact list of “security-critical” claims will depend on

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-06 Thread Watson Ladd
On Mon, Nov 6, 2023 at 5:46 AM Neil Madden wrote: > > How about the following: > > — > An Issuer MUST NOT allow any security-critical claim to be selectively > disclosable. The exact list of “security-critical” claims will depend on the > application, and SHOULD be listed by any application-spe

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-11-06 Thread Neil Madden
Hi Brian, Apologies for the late reply. I *think* we’re closing in on agreement here. Comments and some wording suggestions inline below. > On 27 Oct 2023, at 00:26, Brian Campbell wrote: > > Thanks Neil! Appreciate the productive discussion. Some more responses below > (while also attemptin

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier

2023-11-03 Thread Daniel Fett
Hi Denis, On 31.10.23 at 17:10, Denis wrote: Hi Daniel, Hi Denis, a discussion on claims-based/biometric binding, probably what you're hinting at, I am not hinting at a discussion "on claims-based/biometric binding". Ok. "Collaborative attacks against a Verifier" should be added to t

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier

2023-10-31 Thread Denis
Hi Daniel, Hi Denis, a discussion on claims-based/biometric binding, probably what you're hinting at, I am not hinting at a discussion "on claims-based/biometric binding". is out of the scope of this document, since we define neither mechanisms nor rules for that. This should be part of

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier

2023-10-31 Thread Daniel Fett
Hi Denis, a discussion on claims-based/biometric binding, probably what you're hinting at, is out of the scope of this document, since we define neither mechanisms nor rules for that. This should be part of a discussion with a larger scope, like the Security & Trust document in OIDF's DCP gro

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-26 Thread Brian Campbell
On Thu, Oct 26, 2023 at 5:26 PM Brian Campbell wrote: > > I think you might underestimate the difficulty in > creating/changing/establishing such a registry and overestimate its > effectiveness and usefulness. And I think the selective disclosability > treatment of many claims is ultimately cont

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-26 Thread Brian Campbell
Thanks Neil! Appreciate the productive discussion. Some more responses below (while also attempting to snip out and declutter the message). On Thu, Oct 26, 2023 at 7:03 AM Neil Madden wrote: On 25 Oct 2023, at 22:00, Brian Campbell wrote: > > The draft currently says that second-preimage r

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-26 Thread Neil Madden
On 25 Oct 2023, at 22:00, Brian Campbell wrote: Thanks for the comments and questions Neil. With the help of the draft co-authors, I've tried to reply (probably inadequately!) inline below. Thanks. Some responses below. On Tue, Oct 24, 2023 at 3:48 AM Neil Madden wrote: I

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt: Collaborative attacks against a Verifier

2023-10-26 Thread Denis
Hi All, Section 11.6. is about "Key Binding" which is indeed an important security feature. However, in the context of "selective disclosure" while this feature is essential, it is insufficient. Let us take an example: If a Token indicates that an individual has the nationality X, in case of

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-25 Thread Brian Campbell
Thanks for the comments and questions Neil. With the help of the draft co-authors, I've tried to reply (probably inadequately!) inline below. On Tue, Oct 24, 2023 at 3:48 AM Neil Madden wrote: > I’ve had a look through this new draft and I have some comments and > questions. Some of which are si

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-24 Thread Neil Madden
I’ve had a look through this new draft and I have some comments and questions. Some of which are similar to comments I already raised [1], but haven’t been addressed. Are we concerned about Holders and Issuers colluding? For example, now that claim names are blinded an Issuer can add the same c

Re: [OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-23 Thread Daniel Fett
Hi all, this release of SD-JWT includes one important normative change, which is a hash in the key binding JWT to ensure the integrity of presentations. The second biggest change is that we restructured some sections of the document to make it more readable. As always, we're looking forward
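The normative change announced above (a hash in the Key Binding JWT covering the presentation), worked through as an added Python example. This is not code from the draft, from anyone in the thread, or from any SD-JWT implementation; it follows the draft's construction as the editor of this page reads it: a disclosure is base64url(JSON [salt, name, value]), its SHA-256 digest goes into the `_sd` array of the Issuer-signed JWT, and the Holder's KB-JWT carries `sd_hash` over the exact `SD-JWT~D1~...~Dn~` string it accompanies. The claim names `_sd`, `_sd_alg`, `cnf` and `sd_hash`, the use of HS256 (HMAC) in place of the real asymmetric JWS signatures, the keys, the fixed `iat`, and the sample claims are all assumptions or constructed values. The verifier shows the two checks the thread's discussion turns on: a disclosure whose digest the Issuer never signed is rejected (the property that depends on second-preimage resistance of the digest), and a disclosure dropped or added after the Holder signed the KB-JWT is caught by `sd_hash`.

```python
"""SD-JWT-style issue / present / verify round trip (added demo, not the draft's code).

Assumptions, not taken from the thread: HS256 (HMAC) stands in for the real
asymmetric JWS signatures of Issuer and Holder so the demo runs on the standard
library; keys and sample claims are constructed; the claim names `_sd`,
`_sd_alg`, `cnf` and `sd_hash` follow the SD-JWT draft as this demo reads it.
"""
import base64
import hashlib
import hmac
import json
import secrets

ISSUER_KEY = b"issuer-demo-key"  # constructed; a real Issuer signs with an asymmetric key
HOLDER_KEY = b"holder-demo-key"  # constructed; a real Holder key is referenced via `cnf`


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def jws_sign(payload: dict, key: bytes, typ: str) -> str:
    head = b64url(json.dumps({"alg": "HS256", "typ": typ}).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(mac)}"


def jws_verify(token: str, key: bytes) -> dict:
    head, body, sig = token.split(".")
    mac = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("bad JWS signature")
    return json.loads(b64url_decode(body))


def make_disclosure(name: str, value) -> str:
    # A disclosure is base64url(JSON [salt, name, value]); the 128-bit random
    # salt blinds both name and value, so the digest in the SD-JWT leaks nothing.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value], separators=(",", ":")).encode())


def disclosure_digest(disclosure: str) -> str:
    # The digest is taken over the ASCII disclosure string exactly as transmitted.
    return b64url(hashlib.sha256(disclosure.encode("ascii")).digest())


def sd_hash(sd_jwt: str, disclosures: list) -> str:
    # KB-JWT `sd_hash` covers "<SD-JWT>~<D1>~...~<Dn>~": the presentation minus
    # the KB-JWT itself, trailing tilde included.
    data = ("~".join([sd_jwt, *disclosures]) + "~").encode("ascii")
    return b64url(hashlib.sha256(data).digest())


def issue(claims: dict, selective: set, holder_kid: str):
    """Issuer: blind the claims named in `selective`, keep the rest in the clear."""
    disclosures = [make_disclosure(n, v) for n, v in claims.items() if n in selective]
    payload = {n: v for n, v in claims.items() if n not in selective}
    payload["_sd"] = sorted(disclosure_digest(d) for d in disclosures)  # sorted: hide order
    payload["_sd_alg"] = "sha-256"
    payload["cnf"] = {"kid": holder_kid}  # key binding: names the Holder's key
    return jws_sign(payload, ISSUER_KEY, "vc+sd-jwt"), disclosures


def present(sd_jwt: str, disclosures: list, reveal: set, aud: str, nonce: str) -> str:
    """Holder: pick the disclosures to reveal, then sign a KB-JWT pinning that exact set."""
    chosen = [d for d in disclosures if json.loads(b64url_decode(d))[1] in reveal]
    kb = {"aud": aud, "nonce": nonce, "iat": 1700000000,  # constructed timestamp
          "sd_hash": sd_hash(sd_jwt, chosen)}
    return "~".join([sd_jwt, *chosen]) + "~" + jws_sign(kb, HOLDER_KEY, "kb+jwt")


def verify(presentation: str, aud: str, nonce: str) -> dict:
    """Verifier: check the Issuer signature, the key binding, and that every
    disclosure was actually issued. Raises ValueError on any failure."""
    parts = presentation.split("~")
    sd_jwt, disclosures, kb_jwt = parts[0], parts[1:-1], parts[-1]
    payload = jws_verify(sd_jwt, ISSUER_KEY)
    if payload.get("_sd_alg", "sha-256") != "sha-256":
        raise ValueError("unsupported _sd_alg")
    # Key binding: the KB-JWT must verify under the Holder key named in `cnf`
    # (the constant HOLDER_KEY here), be addressed to us with our nonce, and
    # pin exactly the disclosures we received.
    kb = jws_verify(kb_jwt, HOLDER_KEY)
    if kb.get("aud") != aud or kb.get("nonce") != nonce:
        raise ValueError("KB-JWT audience/nonce mismatch")
    if not hmac.compare_digest(kb.get("sd_hash", ""), sd_hash(sd_jwt, disclosures)):
        raise ValueError("sd_hash mismatch: disclosures changed after the Holder signed")
    # Each disclosure must hash to a digest the Issuer signed; anything else is forged.
    issued = set(payload.get("_sd", []))
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in disclosures:
        if disclosure_digest(d) not in issued:
            raise ValueError("disclosure not covered by any issued digest")
        _salt, name, value = json.loads(b64url_decode(d))
        if name in claims:
            raise ValueError(f"duplicate claim name: {name}")
        claims[name] = value
    return claims
```

Usage: `sd, ds = issue({...}, {"nationality", ...}, "holder-key-1")`, then `verify(present(sd, ds, {"nationality"}, aud, nonce), aud, nonce)` returns only the clear claims plus the revealed ones. Without `sd_hash`, a KB-JWT captured from one presentation could be reattached to a different subset of the same disclosures and still verify; with it, removing or adding even one disclosure changes the pinned string and the Verifier rejects. The membership check against `_sd` is what stops a Holder (or anyone holding the SD-JWT) from attaching a disclosure the Issuer never signed, which is why the draft's choice of digest must resist second preimages.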

[OAUTH-WG] I-D Action: draft-ietf-oauth-selective-disclosure-jwt-06.txt

2023-10-23 Thread internet-drafts
Internet-Draft draft-ietf-oauth-selective-disclosure-jwt-06.txt is now available. It is a work item of the Web Authorization Protocol (OAUTH) WG of the IETF. Title: Selective Disclosure for JWTs (SD-JWT) Authors: Daniel Fett Kristina Yasuda Brian Campbell Name: