Hi all,

Recapping and extending my remarks here from the JWP BoF:

It seems like the two problems people are proposing to address relative to base JWT are (1) selective disclosure of claims and (2) unlinkability, in the sense of being able to derive unlinkable "presentations" from an issued "credential" (using those terms in the sense of W3C VC).

On the selective disclosure side: The objective here seems clear and uncontroversial to me, but it also seems like it doesn't require any changes to JWS/JWT. The SD-JWT work [1] seems to validate this. What selective disclosure property is not provided by SD-JWT that JWP would provide?

On the unlinkability side: I assume the underlying presumption here is that the credential from which presentations are being generated is a JWT, and that the JWP is something that someone other than the issuer would generate from that JWT such that different JWPs derived from the same JWT are not linkable with each other or with the source JWT. It seems like there are a few threshold questions to be addressed before chartering work here:

1. What transformations are necessary for unlinkability? Clearly the Issuer's signature has to change. In cases where the credential is associated with a public key for the Holder (e.g., a "did:jwk" identifier), it would be necessary for different presentations to have different associated public keys.

2. What transformations can the Holder make? The Holder is creating statements that the Issuer has never seen, which the Verifier will trust as if they came from the Issuer. The framework here needs to assure that any statement the Holder can generate is one that the Issuer would have made themselves.

3. In what sense is the Holder a privileged role? For example, if a credential were to leak to a third party, could that third party perform the same transformations as the intended Holder? If there is a separation between the Holder and any other party, how is it enforced?

4. To what extent are those constraints dependent on the ciphers used? It would not be good to create a generic container format that requires deep analysis to determine whether an algorithm is safe to use. JWS has "alg: none" vulnerabilities, but if you use a real signature algorithm, you get the properties you expect.

5. Why are these transformations not possible within the bounds of JWS/JWT?

I can understand the appeal of unlinkability -- I was involved in the WebAuthn work to create unlinkable public-key credentials. But when you're talking about deriving unlinkable things that tie back to an Issuer, there's a lot more danger, and I'm not seeing the security analysis here that would support the idea that we could build a thing here that doesn't have massive security problems from the start.

Thanks,
--Richard

[1] https://datatracker.ietf.org/doc/draft-fett-oauth-selective-disclosure-jwt/
_______________________________________________ jose mailing list [email protected] https://www.ietf.org/mailman/listinfo/jose
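An added illustration, not code from the post or from the SD-JWT draft, of the salted-hash selective disclosure scheme SD-JWT layers on an ordinary signed payload, which is why it needs no change to JWS: the issuer signs only digests, the holder forwards a subset of the disclosures, and the verifier recomputes each digest against the signed list. The issuer's JWS signature is stood in for by an HMAC over the payload (an assumption made to keep the example self-contained); a real deployment uses a JWS signature algorithm.

```python
"""SD-JWT-style selective disclosure with only the Python standard library.

Added example: follows the salted-hash scheme of the SD-JWT draft but is not the
draft's reference code. The issuer signature is stood in for by an HMAC tag
(assumption; a real issuer produces a JWS with a real signature algorithm).
"""
import base64, hashlib, hmac, json, secrets

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_disclosure(name, value):
    # Disclosure = base64url(JSON([salt, name, value])). The random salt stops a
    # verifier (or anyone holding the payload) from guessing low-entropy claim
    # values by brute-forcing the digest.
    salt = b64url(secrets.token_bytes(16))
    return b64url(json.dumps([salt, name, value]).encode())

def digest(disclosure: str) -> str:
    return b64url(hashlib.sha256(disclosure.encode()).digest())

def issue(claims: dict, sd_names: set, key: bytes):
    """Return (payload, tag, disclosures). Only the digests of selectively
    disclosable claims enter the signed payload, under "_sd"."""
    disclosures = {n: make_disclosure(n, v) for n, v in claims.items() if n in sd_names}
    payload = {n: v for n, v in claims.items() if n not in sd_names}
    payload["_sd"] = sorted(digest(d) for d in disclosures.values())
    payload["_sd_alg"] = "sha-256"
    tag = hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()
    return payload, tag, disclosures

def present(disclosures: dict, reveal: set):
    # The holder forwards only the disclosures it chooses to reveal.
    return [d for n, d in disclosures.items() if n in reveal]

def verify(payload, tag, revealed, key: bytes):
    """Check the issuer tag, then accept a revealed claim only if its digest is
    in the signed "_sd" list; a modified or invented disclosure is rejected."""
    expected = hmac.new(key, json.dumps(payload, sort_keys=True).encode(), "sha256").hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("issuer tag does not verify")
    claims = {k: v for k, v in payload.items() if k not in ("_sd", "_sd_alg")}
    for d in revealed:
        if digest(d) not in payload["_sd"]:
            raise ValueError("disclosure not committed to by the issuer")
        _salt, name, value = json.loads(base64.urlsafe_b64decode(d + "=" * (-len(d) % 4)))
        claims[name] = value
    return claims
```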
