Drivers' licenses / passports / etc. are a terrible analogy for JWP.  They
provide neither selective disclosure nor unlinkability.  They are highly
linkable by design, and as far as doing selective disclosure by covering up
certain fields ... well, I wouldn't recommend trying this at Passport
Control.

If you want something holder bound (cf. picture on a DL/passport), all you
need is a subject public key, e.g., via a "cnf" claim in a JWT.  A
DL/passport is a JWT+cnf.

I'm not pushing back on the work here, I'm asking whether we need a whole
new struct for it.  As SD-JWT shows, selective disclosure can be done
within the bounds of JWT.  I haven't caught up on the other thread yet, but
it seems like it remains to be proven whether unlinkability cannot be done
with JWTs.

If we want to make a charter that says "define a structure that provides
(a) holder binding (b) selective disclosure and (c) unlinkability" and then
fight out in the working group whether it's a usage of JWT or something
different, that's OK with me if it's OK with the AD.

--RLB

On Thu, Jul 28, 2022 at 3:20 PM Mike Jones <Michael.Jones=[email protected]> wrote:

> *Three parties* are involved when using your physical driver’s license:
>
>    - The Issuer – such as the Washington State Department of Motor
>    Vehicles
>    - The Holder – the person to whom the license was issued (you)
>    - The Verifier – the party you’re showing the license to, such as a
>    grocery store or policeman
>
> A key point is that you don’t have to (and don’t want to) involve the
> issuer every time you use the license.  The DMV doesn’t need to know where
> and when I’m making age-restricted purchases.  *You don’t “call home”.*
>
> Finally, *the license is holder-bound*; it is not a bearer token.  Even
> if you’re in possession of my license, you’re unable to use it (unless you
> look just like me!).
>
> JWP enables these same properties in the online world.  It uses the three
> roles.  Presentation to a verifier doesn’t involve the issuer.  Issued
> tokens are holder-bound.
>
> And unlike my physical driver’s license, where everyone I show it to can
> see all the information – including my home address, JWPs enable selective
> disclosure, so that only necessary claims are released.
>
> Many parties, both during the BoF
> <https://datatracker.ietf.org/doc/bofreq-miller-json-web-proofs/> and on
> this list, have expressed needs for this functionality backed by real-world
> business use cases.  I urge you to talk to them, understand their needs,
> and understand how JWP will meet them.
>
> Let’s (re)create the working group and get going on the needed standards
> work!
>
> -- Mike
>
> _______________________________________________
> jose mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/jose
>
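The holder-binding construction Richard points at above (a JWT whose "cnf" claim carries the subject's public key, the RFC 7800 proof-of-possession pattern), worked through as an added example. This is not code from the thread, from any participant, or from the JWP drafts. It assumes Ed25519/EdDSA (RFC 8037) for both issuer and holder keys, a minimal hand-rolled compact JWS rather than a JOSE library, and constructed claim values and placeholder issuer/subject identifiers. It shows the three-party flow Mike describes (issue, present without calling home, verify) and why a JWT+cnf is not a bearer token: a party holding the token but not the holder's private key is rejected. It also makes the gap Richard is asking about visible: the verifier sees every claim in the token, and the same signed token is shown to every verifier.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JOSE uses base64url without padding.
var b64 = base64.RawURLEncoding

// signJWT builds a compact JWS over the claims with the issuer's Ed25519 key
// (alg "EdDSA"). Header and payload are base64url-encoded JSON.
func signJWT(claims map[string]any, issuer ed25519.PrivateKey) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	pl, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	in := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	return in + "." + b64.EncodeToString(ed25519.Sign(issuer, []byte(in))), nil
}

// verifyJWT checks the issuer signature (alg pinned to EdDSA) and returns the claims.
func verifyJWT(token string, issuerPub ed25519.PublicKey) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed compact JWS")
	}
	var hdr map[string]string
	if hb, err := b64.DecodeString(parts[0]); err != nil || json.Unmarshal(hb, &hdr) != nil || hdr["alg"] != "EdDSA" {
		return nil, errors.New("bad header or unexpected alg")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(issuerPub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("issuer signature invalid")
	}
	pb, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]any
	if err := json.Unmarshal(pb, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// issueCredential: the issuer signs the holder's claims plus a "cnf" claim
// (RFC 7800) carrying the holder's public key as an OKP JWK.
func issueCredential(issuer ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]any) (string, error) {
	claims["cnf"] = map[string]any{
		"jwk": map[string]string{"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(holderPub)},
	}
	return signJWT(claims, issuer)
}

// presentCredential: the holder proves possession of the cnf key by signing the
// verifier's fresh nonce bound to the token. The issuer is never contacted.
func presentCredential(token, nonce string, holder ed25519.PrivateKey) []byte {
	return ed25519.Sign(holder, []byte(nonce+"."+token))
}

// verifyPresentation: check the issuer signature, pull the holder key out of
// cnf.jwk, and check the proof over the nonce. Returns every claim in the token:
// cnf gives holder binding, not selective disclosure.
func verifyPresentation(token, nonce string, proof []byte, issuerPub ed25519.PublicKey) (map[string]any, error) {
	claims, err := verifyJWT(token, issuerPub)
	if err != nil {
		return nil, err
	}
	cnf, _ := claims["cnf"].(map[string]any)
	jwk, _ := cnf["jwk"].(map[string]any)
	x, _ := jwk["x"].(string)
	pub, err := b64.DecodeString(x)
	if err != nil || jwk["kty"] != "OKP" || jwk["crv"] != "Ed25519" || len(pub) != ed25519.PublicKeySize {
		return nil, errors.New("missing or unusable cnf key")
	}
	if !ed25519.Verify(ed25519.PublicKey(pub), []byte(nonce+"."+token), proof) {
		return nil, errors.New("holder proof invalid: presenter does not hold the cnf key")
	}
	return claims, nil
}

// Demo runs the three-party flow with fresh keys and a constructed claim set.
// It reports whether the real holder's presentation verified and whether a
// thief presenting the same token with their own key was rejected.
func Demo() (holderOK, thiefRejected bool, err error) {
	issuerPub, issuerPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	_, thiefPriv, _ := ed25519.GenerateKey(rand.Reader)
	// Constructed claims standing in for a licence; iss/sub are placeholders.
	token, err := issueCredential(issuerPriv, holderPub, map[string]any{
		"iss": "https://dmv.example", "sub": "holder-42", "age_over_21": true, "address": "1 Example St",
	})
	if err != nil {
		return false, false, err
	}
	nonce := "verifier-nonce-0001" // constructed; a real verifier draws it at random per presentation
	_, err = verifyPresentation(token, nonce, presentCredential(token, nonce, holderPriv), issuerPub)
	holderOK = err == nil
	_, err = verifyPresentation(token, nonce, presentCredential(token, nonce, thiefPriv), issuerPub)
	thiefRejected = err != nil
	return holderOK, thiefRejected, nil
}

func main() {
	ok, rejected, err := Demo()
	fmt.Println("holder verified:", ok, "thief rejected:", rejected, "err:", err)
}
```

The nonce is what keeps a recorded presentation from being replayed to the same verifier; the issuer signature is what the verifier trusts, and it is checked before the cnf key is even looked at, so an attacker cannot substitute their own key into an unsigned token. Nothing here hides the "address" claim from a verifier that only needs "age_over_21", and the token string itself is a stable correlator across verifiers, which is exactly the selective-disclosure and unlinkability question the thread is debating.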