[{"author": "Christopher Patton", "text": "<p>Hi everyone!</p>", "time": "2023-11-09T14:02:29Z"}, {"author": "Renzo Navas", "text": "<p>Hello</p>", "time": "2023-11-09T14:04:20Z"}, {"author": "Christopher Patton", "text": "<p>What are our use cases for BBS signatures?</p>", "time": "2023-11-09T14:25:39Z"}, {"author": "David Waite", "text": "<p>Representing rich credentials with identity attributes which may be redacted, and presented without correlation</p>", "time": "2023-11-09T14:28:44Z"}, {"author": "Christopher Wood", "text": "<p>@ChrisP: Privacy Pass is one use case</p>", "time": "2023-11-09T14:30:43Z"}, {"author": "David Waite", "text": "<p>There Jose-json-web-proofs is attempting to describe a container format for these sorts of signatures/proofs</p>", "time": "2023-11-09T14:30:47Z"}, {"author": "Christopher Patton", "text": "<p>I'm a bit worried of having two non-PQ secure tools for the same purpose, but it sounds like this gets us something that RSA blind signatures don't get us.</p>", "time": "2023-11-09T14:34:02Z"}, {"author": "Richard Barnes", "text": "<p>meetecho camera is not capturing the speaker</p>", "time": "2023-11-09T14:35:02Z"}, {"author": "Christopher Patton", "text": "<p>^ <span class=\"user-mention\" data-user-id=\"3062\">@Nick Sullivan</span></p>", "time": "2023-11-09T14:35:44Z"}, {"author": "Lorenzo Miniero", "text": "<p>Richard: there doesn't seem to be one?</p>", "time": "2023-11-09T14:35:48Z"}, {"author": "Hubert Kario", "text": "<p>there a 3 microphones and 2 cameras, so I'm guessing that's why</p>", "time": "2023-11-09T14:35:49Z"}, {"author": "Lorenzo Miniero", "text": "<p>Or are they in a different spot?</p>", "time": "2023-11-09T14:35:54Z"}, {"author": "Richard Barnes", "text": "<p>not sure.  sounded like they were in the room</p>", "time": "2023-11-09T14:36:36Z"}, {"author": "Lorenzo Miniero", "text": "<p>Hubert: that may be it, we have two cameras that are pointing at the mic lines in the corridor</p>", "time": "2023-11-09T14:37:21Z"}, {"author": "Kristina Yasuda", "text": "<p>To be very clear, EU eIDAS digital identity wallet work cannot use BBS signatures without JWP work (credentials/payload layer) in JOSE WG</p>", "time": "2023-11-09T14:38:14Z"}, {"author": "Nick Sullivan", "text": "<p>There are three mic lines, but I think only cameras on two of the three.</p>", "time": "2023-11-09T14:38:54Z"}, {"author": "Richard Barnes", "text": "<p>Also, it's not clear that \"issuing credentials frequently\" is a non-starter.  There is also work on automating credential issuance that could support a fair degree of unlinkability without needing BBS</p>", "time": "2023-11-09T14:44:19Z"}, {"author": "Phillip Hallam-Baker", "text": "<p>We might be seeing a case here for moving from GCM to OCB for authenticated encryption - the Tamrin models will cost so much less to run.</p>", "time": "2023-11-09T14:54:03Z"}, {"author": "Christopher Patton", "text": "<p>This is very cool work.</p>", "time": "2023-11-09T14:56:11Z"}, {"author": "Phillip Hallam-Baker", "text": "<p>This might actually be a serious point, the state space required to verify will expand when using AEADs that are non nonce reuse resistant.</p>\n<p>Composing one protocol on another is going to cause things to grow expopnentially.</p>", "time": "2023-11-09T14:56:50Z"}, {"author": "Justus Winter", "text": "<p>(s/GPG/OpenPGP/g please)</p>", "time": "2023-11-09T14:57:21Z"}, {"author": "Alison Becker", "text": "<p>this would be great work to present/discuss to the UFMRG group as well!</p>", "time": "2023-11-09T14:57:56Z"}, {"author": "Richard Barnes", "text": "<p>tbh when i was reading the agenda, i read this as \"The Majestic VDAF\" on first pass, and was like \"awww yeah it is\"</p>", "time": "2023-11-09T14:58:23Z"}, {"author": "Christopher Patton", "text": "<p>lol</p>", "time": "2023-11-09T14:58:48Z"}, {"author": "Christopher Patton", "text": "<p>We can call it that if you want, Ricahrd</p>", "time": "2023-11-09T15:00:15Z"}, {"author": "Vasilis Kalos", "text": "<p><span class=\"user-mention silent\" data-user-id=\"526\">Richard Barnes</span> <a href=\"#narrow/stream/267-cfrg/topic/ietf-118/near/100298\">said</a>:</p>\n<blockquote>\n<p>Also, it's not clear that \"issuing credentials frequently\" is a non-starter.  There is also work on automating credential issuance that could support a fair degree of unlinkability without needing BBS</p>\n</blockquote>\n<p>Agreed that it is not a \"non starter\". I think it depends on the use case. BBS seem better suited when unlinkability against the Issuer is desirable, (and also maybe cases that credentials will be used at a high rate).</p>", "time": "2023-11-09T15:01:17Z"}, {"author": "Richard Barnes", "text": "<p><span class=\"user-mention\" data-user-id=\"1102\">@Vasilis Kalos</span> What do you mean \"unlinkability agains the issuer\"?  The point of a credential is to encode information the issuer associates with the subject, so presumably the verifier / relying party needs to know at least that the issuer is a party that the verifier trusts.</p>", "time": "2023-11-09T15:04:05Z"}, {"author": "Christopher Patton", "text": "<p><span class=\"user-mention\" data-user-id=\"128\">@Christopher Wood</span> We don't yet have an apples-to-apples comparison. Probably the CPU time will be higher and the communication cost slightly higher.</p>", "time": "2023-11-09T15:09:20Z"}, {"author": "Christopher Wood", "text": "<p>As I said at the mic, I think performance is the least interesting aspect right now :)</p>", "time": "2023-11-09T15:12:10Z"}, {"author": "Vasilis Kalos", "text": "<p><span class=\"user-mention silent\" data-user-id=\"526\">Richard Barnes</span> <a href=\"#narrow/stream/267-cfrg/topic/ietf-118/near/100363\">said</a>:</p>\n<blockquote>\n<p><span class=\"user-mention silent\" data-user-id=\"1102\">Vasilis Kalos</span> What do you mean \"unlinkability agains the issuer\"?  The point of a credential is to encode information the issuer associates with the subject, so presumably the verifier / relying party needs to know at least that the issuer is a party that the verifier trusts.</p>\n</blockquote>\n<p>That's correct. Sorry, should have clarified. I meant that the Issuer will not be able to \"track\" the credential. So if the Verifiers work together with the Issuer (or if they are the same entity), the Issuer will not be able to link a BBS proof presentation to the user that created it (or rather the signature/signed-messages that where used to generate it).</p>", "time": "2023-11-09T15:14:49Z"}, {"author": "Richard Barnes", "text": "<p>I see, thanks!</p>", "time": "2023-11-09T15:18:25Z"}, {"author": "Richard Barnes", "text": "<p>I agree that that's a property you can't get from simply issuing multiple credentials with standard signatures.  though you might not need full BBS; a blinded signature seems like it could suffice</p>", "time": "2023-11-09T15:19:13Z"}, {"author": "Phillip Hallam-Baker", "text": "<p>I can't see any point in trying to move away from RSA 1.5, I am only supporting RSA for compatibility at this point.<br>\n(EC) Diffie Hellman based approaches do appear to be a lot more robust as a matter of structure.</p>", "time": "2023-11-09T15:24:08Z"}, {"author": "Hubert Kario", "text": "<p>as long as you have support for it, you will be vulnerable, even if it's just the compatibility API</p>", "time": "2023-11-09T15:28:02Z"}, {"author": "Vasilis Kalos", "text": "<p><span class=\"user-mention silent\" data-user-id=\"526\">Richard Barnes</span> <a href=\"#narrow/stream/267-cfrg/topic/ietf-118/near/100456\">said</a>:</p>\n<blockquote>\n<p>I agree that that's a property you can't get from simply issuing multiple credentials with standard signatures.  though you might not need full BBS; a blinded signature seems like it could suffice</p>\n</blockquote>\n<p>Yes that's true. The hope is that BBS will provide an easier (and more efficient) way to provide the combination of those features (note unlinkability against the Issuer does not need blinding in BBS), together with the ability to be easily combined with other zk-protocols as well.</p>", "time": "2023-11-09T15:30:22Z"}]