Closed peppelinux closed 4 months ago
IMO, neither the "Token Status List" nor the "OAuth Status Attestations" are the right way to address two privacy considerations: "Unlinkability between verifiers" and "Untrackability by digital credential issuers".
Here are my notes:
Unlinkability between verifiers: Status Attestations are designed to be privacy-preserving by not requiring verifiers to gather any additional information from third-party entities. This means that each verifier independently verifies the status of a digital credential, through the status attestation, without needing to interact with or reveal information to other verifiers or third-party status list providers. This approach ensures that actions performed by one verifier cannot be linked to actions performed by another verifier, maintaining unlinkability between them.
Untrackability by digital credential issuers: Since Status Attestations can be verified statically without further communication with the credential issuer or any other party, the issuer cannot track when or where the digital credential is being verified. This is in contrast to models where the verifier must query a central status list or the issuer directly, which would allow the issuer to track the usage of the digital credential. By providing all necessary information within the Status Attestation itself, it ensures that the issuer cannot track the verification activities related to a specific digital credential.
It is really required and also requested by ppl from the IETF ML.