Description
The introduction states:
Traditional OAuth security concepts perform client authentication
through a backend channel. In ecosystems such as the Issuer-Holder-
Verifier model used in [SD-JWT], this model raises privacy concerns,
as it would enable the backend to recognize which Holder (i.e.
client) interacts with which Issuer (i.e. Authorization Server) and
potentially furthermore see the credentials being issued.
I have a problem with the wording "backend channel", "the backend", and "frontend channel".
Is a "client backend" identical to a "backend channel"? I don't think so.
In the document history, there is:
-05
(...)
- rename client backend to client attester
Apparently, this renaming has not been fully done.
If "the backend" means "Client Attester", then the second sentence would become:
In ecosystems such as the Issuer-Holder-Verifier model used in [SD-JWT], this model raises privacy concerns,
as it would enable the Client Attester to recognize which Holder (i.e. client) interacts with which Issuer (i.e. Authorization Server)
and potentially furthermore see the credentials being issued.
However, it is doubtful that it is what was intended to be said.
I would believe that the whole paragraph should rather be changed into:
In ecosystems such as the Issuer-Holder-Verifier model used in [SD-JWT], this model raises privacy concerns,
as it can enable Authorization Servers to recognize which Holder (i.e. client) interacts with other Authorization Servers (i.e., Issuers).
The text continues with:
This primary purpose of this specification is the authentication of a
client instance enabled through the client backend attesting to it.
The client backend may also attest further technical properties about
the hardware and software of the client instance.
As already mentioned in an earlier issue (see issue #155), the Remote ATtestation procedureS (RATS) Architecture, RFC 9334, states in Section 11:
- Privacy Considerations
(...)
In many cases, the whole point of attestation procedures is to
provide reliable information about the type of the device and the
firmware/software that the device is running.
I would believe that the whole paragraph should be changed into:
The primary purpose of this specification is the authentication of a
client instance to an Authorisation Server, through the use of a
Client Attester, allowing attestation of technical characteristics about the
type of the device and the firmware/software on which the client
instance is running.