Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

Fri, 24 Jun 2022 02:16:31 -0700

Hi Kristina

Yes I realise that if the RP knows the schema then it will know the structure of the VC. In cases where an Issuer issues more than one type of VC then hiding the claims names (using your terminology) does add value. Remember also that the schema will say which claim names are mandatory and which are optional, so in cases where a VC has a lot of optional claims then hiding the claim names is even more valuable.

The only case where hiding claim names has no value is when an issuer only issues one type of VC, and the schema makes all the claims mandatory.

I think for the above reasons, then hiding claim names should be an option.

Section 8.1 is only correct if claim names are revealed. If SD-JWT hid the claim names then it would not be revealing the schema of the JWT. (That is not to say that an RP might have alternate ways of discovering the schema, but SD-JWT would not be revealing it).

Kind regards

David

On 23/06/2022 20:57, Kristina Yasuda wrote:

Hi David,

Thank you for the feedback.

Blinding claim names has been considered.

Here is the issue: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues/3

We made a choice not to hash claim names because SD-JWT already reveals information about the issuer and the schema, and revealing the claim names does not provide any additional information.

The more comprehensive explanation is in this section in the draft: https://datatracker.ietf.org/doc/html/draft-fett-oauth-selective-disclosure-jwt-01#section-8.1

Best,

Kristina

 

From: OAuth <oauth-boun...@ietf.org> On Behalf Of David Chadwick
Sent: Thursday, June 23, 2022 10:20 AM
To: oauth@ietf.org
Subject: Re: [OAUTH-WG] Presenting Selective Disclosure JWT (SD-JWT)

 

Hi Daniel

Whilst I commend your initial efforts at SD, I find that the current draft is too privacy invasive since it reveals to the RP every property type that the user possesses, even though it does not reveal the property values. Revealing property types might be too privacy invasive in many cases. Some users may not wish to reveal that they have these properties to every RP.

Can you investigate blinding the property types in the next version please?

Kind regards

David

On 23/06/2022 17:32, Daniel Fett wrote:

All,

Kristina and I would like to bring to your attention a new draft that we have been working on with many others over the past weeks. "Selective Disclosure JWT (SD-JWT)" describes a format for signed JWTs that support selective disclosure (SD-JWT), enabling sharing only a subset of the claims included in the original signed JWT instead of releasing all the claims to every verifier.

https://www.ietf.org/archive/id/draft-fett-oauth-selective-disclosure-jwt-01.html

Initial feedback we got was positive and we now would like to hear from the working group with the eventual goal of asking for working group adoption.

Issues are tracked in our GitHub repository: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues

The approach to selective disclosure described in the document is based on salted hashes. We have discussed and explored other approaches based on encryption as well. If you are interested in following this discussion, we would like to invite you to read this issue: https://github.com/oauthstuff/draft-selective-disclosure-jwt/issues/30

One main goal with this work is that the format should be easy to implement, requiring little more than a regular JWT library. Three working implementations show that this goal has been achieved: https://github.com/oauthstuff/draft-selective-disclosure-jwt#implementations

We are looking forward to your feedback!

-Daniel



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth



_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth

Reply via email to