Hi all,

Unfortunately, I won't be able to make the BoF today due to some conflicts. So here are some comments ahead of the BoF.

tl;dr: There are still some serious issues.

My most significant concern is that it's still not clear to me that the scheme here actually achieves the unlinkability it claims. If the issued objects are not to be bearer tokens, they need to be sender constrained, which means there needs to be a notion of "sender" that is intelligible to both the issuer and the verifier. It is not obvious to me that there is any cryptographic scheme that both provides this critical security property and provides unlinkability. I admit that this might be because I don't understand the nuances of the cryptography being applied here, but in any case, there is a missing layer of description here that would outline the overall cryptographic approach in a way that a generally crypto-savvy person could understand. Without that, I can't support chartering a working group, since it's not clear that it can actually achieve its stated goals.

Speaking of goals, the proposed scope seems very specific to the Verifiable Credentials use case. This is very different from JWS and JWE, which are generic cryptographic functions applicable to many use cases. To some degree this is inherent, in that unlinkability doesn't make sense unless you have the multiple legs of the VC interaction pattern that you don't want linked. But the problem could be phrased more generally, in terms of the issuer, presenter, and verifier roles and their expected capabilities. Before chartering work here, the group needs to decide whether this work is VC-specific or not, reflect that in the charter, and if generic, provide the conceptual framework. The details of this framework can be worked out in the WG, but the charter needs to contain at least an outline.

As I think I said at the last BoF, this work would be more compelling if it could be focused solely on unlinkability, instead of both unlinkability and selective disclosure. As SD-JWT demonstrates, the two properties are not inherently linked, and unlinkability is complicated enough to merit its own mechanisms. Even if selective disclosure is baked into the signature scheme (as with BBS IIUC), you could define this in terms of how the inputs are provided in a JWS.

Hope this helps, and good luck with the BoF!

--Richard
