undefined | Better HN

0 pointshirsin23d ago0 comments

It can't be quite that simple because you have a couple additional problems to solve - (effectively restating bits of the article poorly and partially)

1. You don't want these to be replayable (give your JWT to someone else to use) so they need to be bounded in some ways (eg intended website, time, proof it came from you and not someone else).

2. You don't want the government to know which website you're going to, nor allow the government and the website to collaborate to deanonymize you (or have the government force a website to turn over the list of tokens they got). So the government can't just hand you a uuid that the website could hand back to them to deanonymize.

The SD JWT and related specs solve for these, which is how mDL and other digital IDs can preserve privacy in this situation.

0 comments

AnthonyMouse23d ago

> You don't want these to be replayable (give your JWT to someone else to use) so they need to be bounded in some ways (eg intended website, time, proof it came from you and not someone else).

But these are the things that make it non-anonymous, because then instead of one token that says "is over 18" that you get once and keep forever, everyone constantly has to request zillions of tokens. Which opens up a timing attack, because then the issuer and site can collude to see that every time notbob69 signs into the website, Bob Smith requested a token, and over really quite a small number of logins to the site, that correlation becomes uniquely identifying.

Meanwhile we don't need to solve it this way, because the much better solution is to have the site provide a header that says "this content is only for adults" than to have the user provide the site with anything, and then let the user's device do what it will with that information, i.e. not show the content if the user is a minor.

hirsinOP23d ago

Which is why you separate the credential issuance from the credential use, per the standard mentioned.

AnthonyMouse23d ago

The cryptography provides nothing to establish that this separation is actually being maintained and there is plenty of evidence (e.g. Snowden) of governments doing exactly the opposite while publicly claiming the contrary.

On top of that, it's a timing attack, so all you need is the logs from both of them. Government gets breached and the logs published, all the sites learn who you are. Government becomes corrupt/authoritarian, seizes logs from sites openly or in secret (and can use the ones from e.g. Cloudflare without the site itself even knowing about it), retroactively identifies people.

1 more reply

AuthAuth22d ago

The government can already do this with the ISP. I dont think government should be part of the average person's threat model.

AnthonyMouse22d ago

> The government can already do this with the ISP.

This is what VPNs or public libraries are for.

> I dont think government should be part of the average person's threat model.

Tell that to the people in places with governments that are a threat to the average person.

"It can't happen here" is a dangerous hubris.

On top of that, do notice that there is more than one government. What happens when Salt Typhoon comes for this stuff?

LorenPechtel22d ago

If the government can access it all too often bad actors can also access it. And all too often government and bad actors are one in the same.

nijave20d ago

Imo these are nice to haves. The physical system of ID cards already has these problems but works well enough.

People can loan their ID to someone else (ask college kids with an older sibling...)

When you use your physical ID, the government frequently can deanonymize you either through automated databases (especially when purchasing drugs) or subpoenaing for camera footage, visitor lists, etc

Izkata23d ago

But one overlooked advantage of manually copying JWTs is that the user doesn't have to blindly trust they're not hiding extra information. They can be decoded by the user to see there's only what should be there.

j / k navigate · click thread line to collapse

0 pointshirsin23d ago0 comments

It can't be quite that simple because you have a couple additional problems to solve - (effectively restating bits of the article poorly and partially)

1. You don't want these to be replayable (give your JWT to someone else to use) so they need to be bounded in some ways (eg intended website, time, proof it came from you and not someone else).

The SD JWT and related specs solve for these, which is how mDL and other digital IDs can preserve privacy in this situation.

0 comments

AnthonyMouse23d ago

> You don't want these to be replayable (give your JWT to someone else to use) so they need to be bounded in some ways (eg intended website, time, proof it came from you and not someone else).

hirsinOP23d ago

Which is why you separate the credential issuance from the credential use, per the standard mentioned.

AnthonyMouse23d ago

1 more reply

AuthAuth22d ago

The government can already do this with the ISP. I dont think government should be part of the average person's threat model.

AnthonyMouse22d ago

> The government can already do this with the ISP.

This is what VPNs or public libraries are for.

> I dont think government should be part of the average person's threat model.

Tell that to the people in places with governments that are a threat to the average person.

"It can't happen here" is a dangerous hubris.

On top of that, do notice that there is more than one government. What happens when Salt Typhoon comes for this stuff?

LorenPechtel22d ago

If the government can access it all too often bad actors can also access it. And all too often government and bad actors are one in the same.

nijave20d ago

Imo these are nice to haves. The physical system of ID cards already has these problems but works well enough.

People can loan their ID to someone else (ask college kids with an older sibling...)

Izkata23d ago

j / k navigate · click thread line to collapse