Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add suggestion to use Oblivious HTTP when fetching resources. #1322

Merged
merged 4 commits into from
Oct 29, 2023
Merged

Add suggestion to use Oblivious HTTP when fetching resources. #1322

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
668a581
Add suggestion to use Oblivious HTTP when fetching resources.
msporny Oct 21, 2023
30de700
Fix grammar in OHTTP section.
msporny Oct 24, 2023
0c37885
Update link to OHTTP draft at IETF.
msporny Oct 24, 2023
0234a2b
Add concrete examples of when OHTTP is useful.
msporny Oct 29, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
7 changes: 7 additions & 0 deletions common.js
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,13 @@ var vcwg = {
authors: ['Daniel Buchner', 'Brent Zundel', 'Martin Riedel', 'Kim Hamilton Duffy'],
status: 'DIF Ratified Specification',
publisher: 'Decentralized Identity Foundation'
},
'OHTTP': {
title: 'Oblivious HTTP ',
href: 'https://datatracker.ietf.org/doc/html/draft-ietf-ohai-ohttp',
authors: ['Martin Thomson', 'Christopher A. Wood'],
status: 'Working Group Draft',
publisher: 'IETF Oblivious HTTP Application Intermediation'
}
}
};
Expand Down
32 changes: 31 additions & 1 deletion index.html
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4385,7 +4385,7 @@ <h3>Long-Lived Identifier-Based Correlation</h3>
</section>

<section class="informative">
<h3>Device Fingerprinting</h3>
<h3>Device Tracking and Fingerprinting</h3>

<p>
There are mechanisms external to <a>verifiable credentials</a> that are used to
Expand All @@ -4406,6 +4406,36 @@ <h3>Device Fingerprinting</h3>
In some cases, tracking technologies might need to be disabled on devices that
transmit <a>verifiable credentials</a> on behalf of a <a>holder</a>.
</p>

<p>
The Oblivious HTTP protocol [[?OHTTP]] is one mechanism that implementers might
consider using when fetching external resources that are associated with a
<a>verifiable credential</a> or a <a>verifiable presentation</a>.
Oblivious HTTP allows a client to make multiple requests to an origin server
without that server being able to link those requests to that client or even to
identify those requests as having come from a single client, while placing only
limited trust in the nodes used to forward the messages. Hence, Oblivious HTTP
is one privacy-preserving mechanism that can be used to reduce the possibility
of device tracking and fingerprinting. Concrete examples for how Oblivious HTTP
can benefit ecosystem participants are included below.
Comment on lines +4419 to +4420
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
of device tracking and fingerprinting. Concrete examples for how Oblivious HTTP
can benefit ecosystem participants are included below.
of device tracking and fingerprinting. Concrete examples of ways that Oblivious
HTTP can benefit ecosystem participants are described below.

</p>

<ul>
<li>
A <a>holder</a> using a digital wallet can reduce the chances that they
will be tracked by a 3rd party when accessing external links within a
Comment on lines +4425 to +4426
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
A <a>holder</a> using a digital wallet can reduce the chances that they
will be tracked by a 3rd party when accessing external links within a
A <a>holder</a> using a digital wallet can reduce their chances of being
tracked by a third party when accessing external links within a

<a>verifiable credential</a> stored in their digital wallet.
For example, a digital wallet might fetch and render linked images, or
check the validity of a <a>verifiable credential</a> by fetching an
externally linked revocation list.
Comment on lines +4428 to +4430
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For example, a digital wallet might fetch and render linked images, or
check the validity of a <a>verifiable credential</a> by fetching an
externally linked revocation list.
For example, a digital wallet might use Oblivious HTTP to fetch linked
images for rendering, or to fetch an externally linked revocation list
for use in checking the validity of a <a>verifiable credential</a>.

</li>
<li>
A <a>verifier</a> can reduce signalling to an <a>issuer</a> that the
<a>verifier</a> has received a specific <a>verifiable credential</a>.
For example, a <a>verifier</a> might fetch an externally linked revocation
list while performing status checks on a <a>verifiable credential</a>.
Comment on lines +4435 to +4436
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
For example, a <a>verifier</a> might fetch an externally linked revocation
list while performing status checks on a <a>verifiable credential</a>.
For example, a <a>verifier</a> might use Oblivious HTTP to fetch an
externally linked revocation list while performing status checks on a
<a>verifiable credential</a>.

</li>
</ul>
</section>

<section class="informative">
Expand Down