Hi Daniel
Whilst I commend your initial efforts at SD, I find that the current draft is too privacy invasive since it reveals to the RP every property type that the user possesses, even though it does not reveal the property values. Revealing property types might be too privacy invasive in many cases. Some users may not wish to reveal that they have these properties to every RP.
Can you investigate blinding the property types in the next version please?
Kind regards
David
All,
Kristina and I would like to bring to your attention a new draft that we have been working on with many others over the past weeks. "Selective Disclosure JWT (SD-JWT)" describes a format for signed JWTs that support selective disclosure (SD-JWT), enabling sharing only a subset of the claims included in the original signed JWT instead of releasing all the claims to every verifier.
https://www.ietf.org/archive/id/draft-fett-oauth-selective-disclosure-jwt-01.html
Initial feedback we got was positive and we now would like to hear from the working group with the eventual goal of asking for working group adoption.
Issues are tracked in our GitHub repository: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues
The approach to selective disclosure described in the document is based on salted hashes. We have discussed and explored other approaches based on encryption as well. If you are interested in following this discussion, we would like to invite you to read this issue: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues/30
One main goal with this work is that the format should be easy to implement, requiring little more than a regular JWT library. Three working implementations show that this goal has been achieved: https://github.com/oauthstuff/draft-selective-disclosure-jwt#implementations
We are looking forward to your feedback!
-Daniel
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
_______________________________________________ OAuth mailing list OAuth@ietf.org https://www.ietf.org/mailman/listinfo/oauth
