> On 28 Jul 2022, at 00:08, Tobias Looker <[email protected]> wrote:
> 
> 
> > If you’re going to do this, why not just ask the issuer to give you 
> > multiple tokens in the first place, each containing some subset of claims 
> > you want to disclose? In the limit you could issue a separate JWT for each 
> > claim. Is there a fundamental reason this doesn’t work?
> 
> If I understand you correctly, the biggest limitation with that approach is 
> that it requires the holder/prover to be online and able to contact the 
> issuer in realtime to get what it requires for presentation. That might be an 
> acceptable constraint for some use-cases but not all.

No more so than JWP does. To clarify what I’m suggesting here:

In JWP the prover at some point gets a credential from an issuer containing 
claims {a, …, z}. They later on can selectively disclose some subset of those 
claims to another party. 

I am suggesting that you can do the same by asking the issuer to instead issue 
you separate JWTs each with an individual claim (or minimal subset of claims): 
{a}, …, {z}. At a later time, the holder of these JWTs can send a subset of 
them to the other party to selectively disclose just those claims. There’s no 
need to go back to the issuer in either case. 

(As an aside, issuers are often required to be online anyway to check 
revocation status.)

If the idea of going back to the issuer is to support unlinkability by ensuring 
that the token is randomized, then I’m not convinced this is needed. For 
example, to use the commonly cited scenario of proving that you are over 18 (or 
21), assume I have a minimal JWT with the claimset:

{
    "iss": "gov.uk",
    "over_18": true
}

If this is signed using a deterministic signature algorithm (eg EdDSA) then the 
token will be identical for everyone that is over 18 and so naturally 
unlinkable. 

Such tokens only become linkable if they contain PII (eg email address), which 
obviously is inherently linkable, or contain a unique combination of other 
constraints (eg unique expiry time) - which is something that an issuer would 
need to be mindful of in any case. 

> Issuing each claim as a JWT as an approach to selective disclosure makes the 
> representation of every claim pretty large too (e.g. claim name + value + a 
> base64 header + base64 signature).

Sure, but I just want to clarify whether what JWP is proposing is “just” an 
optimisation of this naive approach, or actually is fundamentally different. 

My suspicion also is that in many use-cases there will only be a few natural 
subsets of claims that make sense to selectively disclose, so the issuer can 
probably just issue the 2 or 3 JWTs with those subsets of claims that make 
sense.

Another question that arises is how to handle constraints like “exp” or “aud” 
that an issuer might impose on the tokens it issues. In JWP it seems that the 
holder can also choose to selectively (not) disclose these, which seems like a 
security flaw to me. Issuing separate JWTs allows the issuer to include these 
in each one (and even to vary them based on the particular subset of claims). 

> You'd probably want to wrap all of these in another JWT also to establish 
> their relationship to one another which further bloats the overall 
> credentials representation.

I’m not sure why? eg a JWT with my address and a JWT with a claim that I am 
over 18 both stand up on their own and don’t need to be linked to each other. 
If some subset of claims only make sense when taken as a group then the issuer 
can issue them as a single JWT. 

— Neil

_______________________________________________
jose mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/jose
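
The per-claim JWT approach discussed in the message above, as an added example that is not part of the original thread: it shows that two holders receive byte-identical EdDSA tokens for the same minimal claim set, that a per-holder "exp" makes the token linkable, and that "exp" and "aud" are enforced inside each separately issued token. It assumes Node.js and its built-in crypto module; the key pair, audience names, address and timestamps are constructed, and issue, verify and demo are hypothetical helper names.

```javascript
// Added illustration; key, audience names and timestamps are constructed.
const crypto = require("node:crypto");
const { privateKey, publicKey } = crypto.generateKeyPairSync("ed25519");
const b64u = (s) => Buffer.from(s).toString("base64url");

// Issuer: sign one minimal claim set as a compact JWS with alg EdDSA.
// Ed25519 is deterministic, so equal header+claims bytes give equal tokens.
function issue(claims) {
  const input = b64u(JSON.stringify({ alg: "EdDSA" })) + "." + b64u(JSON.stringify(claims));
  return input + "." + crypto.sign(null, Buffer.from(input), privateKey).toString("base64url");
}

// Verifier: check the signature first so only authenticated bytes are parsed,
// then apply the issuer's exp/aud constraints carried inside the signed claims.
function verify(token, now, audience) {
  const [h, p, s] = token.split(".");
  if (!h || !p || !s) return null;
  const sig = Buffer.from(s, "base64url");
  if (!crypto.verify(null, Buffer.from(h + "." + p), publicKey, sig)) return null;
  if (JSON.parse(Buffer.from(h, "base64url").toString()).alg !== "EdDSA") return null;
  const claims = JSON.parse(Buffer.from(p, "base64url").toString());
  if (claims.exp !== undefined && now >= claims.exp) return null;
  if (claims.aud !== undefined && claims.aud !== audience) return null;
  return claims;
}

function demo() {
  const exp = 1700000000; // coarse expiry shared by every holder
  const alice = issue({ iss: "gov.uk", over_18: true, exp });
  const bob = issue({ iss: "gov.uk", over_18: true, exp });
  // A per-holder expiry turns the same claim into a unique, linkable token.
  const aliceUnique = issue({ iss: "gov.uk", over_18: true, exp: exp + 17 });
  // A second, separate token that Alice holds but chooses not to present.
  const address = issue({ iss: "gov.uk", address: "1 Example Street", aud: "bank.example", exp });
  return {
    identical: alice === bob,
    uniqueExpLinkable: aliceUnique !== bob,
    disclosed: verify(alice, exp - 60, "pub.example"),
    expired: verify(alice, exp, "pub.example"),
    wrongAudience: verify(address, exp - 60, "pub.example"),
  };
}

console.log(demo());
```

Identical tokens depend on the issuer serializing the header and claims to the same bytes every time; a different key order or whitespace would produce a different signature.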
