Hi David,

Thank you for the feedback. Blinding claim names has been considered. Here is the issue: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues/3

We made a choice not to hash claim names because SD-JWT already reveals information about the issuer and the schema, and revealing the claim names does not provide any additional information. The more comprehensive explanation is in this section in the draft: https://datatracker.ietf.org/doc/html/draft-fett-oauth-selective-disclosure-jwt-01#section-8.1

Best,
Kristina
From: OAuth <oauth-boun...@ietf.org> On Behalf Of David Chadwick
Sent: Thursday, June 23, 2022 10:20 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

Hi Daniel

Whilst I commend your initial efforts at SD, I find that the current draft is too privacy invasive since it reveals to the RP every property type that the user possesses, even though it does not reveal the property values. Revealing property types might be too privacy invasive in many cases. Some users may not wish to reveal that they have these properties to every RP. Can you investigate blinding the property types in the next version please?

Kind regards
David

On 23/06/2022 17:32, Daniel Fett wrote:

All,

Kristina and I would like to bring to your attention a new draft that we have been working on with many others over the past weeks. "Selective Disclosure JWT (SD-JWT)" describes a format for signed JWTs that support selective disclosure (SD-JWT), enabling sharing only a subset of the claims included in the original signed JWT instead of releasing all the claims to every verifier.

https://www.ietf.org/archive/id/draft-fett-oauth-selective-disclosure-jwt-01.html

Initial feedback we got was positive and we now would like to hear from the working group with the eventual goal of asking for working group adoption.

Issues are tracked in our GitHub repository: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues

The approach to selective disclosure described in the document is based on salted hashes. We have discussed and explored other approaches based on encryption as well. If you are interested in following this discussion, we would like to invite you to read this issue: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues/30

One main goal with this work is that the format should be easy to implement, requiring little more than a regular JWT library.

Three working implementations show that this goal has been achieved: https://github.com/oauthstuff/draft-selective-disclosure-jwt#implementations

We are looking forward to your feedback!

-Daniel

_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
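To make the salted-hash mechanism and the claim-name visibility discussed in this thread concrete, here is an added, simplified illustration in Python. It is not code from the draft or from any of its implementations, and its digest encoding (canonical JSON of `[salt, value]`, unpadded base64url of SHA-256) is an assumption chosen for clarity, not the draft's wire format; JWT signing is left out so the three roles stay visible.

```python
import base64
import hashlib
import json
import secrets


def b64url(data: bytes) -> str:
    """Unpadded base64url, as used throughout the JWT/JOSE family."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def claim_digest(salt: str, value) -> str:
    """Digest over the salt and the claim value. Canonical JSON of
    [salt, value] makes issuer and verifier hash identical bytes.
    (Illustrative encoding chosen here, not the draft's exact format.)"""
    data = json.dumps([salt, value], separators=(",", ":"), sort_keys=True)
    return b64url(hashlib.sha256(data.encode("utf-8")).digest())


def issue(claims: dict):
    """Issuer side. Returns the claim-name -> digest map that would be
    signed inside the JWT, plus the salts and values handed to the holder."""
    digests, holder_secrets = {}, {}
    for name, value in claims.items():
        salt = b64url(secrets.token_bytes(16))  # fresh 128-bit salt per claim
        digests[name] = claim_digest(salt, value)
        holder_secrets[name] = (salt, value)
    return digests, holder_secrets


def release(holder_secrets: dict, disclose) -> dict:
    """Holder side: reveal salt and value only for the chosen claims."""
    return {name: holder_secrets[name] for name in disclose}


def verify(digests: dict, released: dict):
    """Verifier side (after checking the JWT signature, omitted here):
    recompute each released digest and compare with the signed one.
    Returns the disclosed claims, or None if any disclosure does not match."""
    disclosed = {}
    for name, (salt, value) in released.items():
        if name not in digests or claim_digest(salt, value) != digests[name]:
            return None
        disclosed[name] = value
    return disclosed


def names_visible_to_verifier(digests: dict) -> list:
    """What the verifier learns from the signed digests alone, before any
    release: the full set of claim names, which is the point raised above."""
    return sorted(digests)
```

Because each salt is random and per claim, an undisclosed digest reveals nothing about its value even when the value comes from a small set, while `names_visible_to_verifier` shows exactly what remains visible without blinding the names.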