[Openid-specs-ab] user consent
thomasclinganjones at gmail.com
Thu Apr 8 17:53:56 UTC 2021
Well, that's definitely a point of major disagreement then. If the RP asks
the wallet for some details in a PE, the wallet MUST NOT respond to the
request without user consent.
Be the change you want to see in the world ..tom
On Thu, Apr 8, 2021 at 10:43 AM Tim Cappalli <Tim.Cappalli at microsoft.com> wrote:
> The wallet and/or holder governs which claims are disclosed in the VP/VC.
> I don't see why any consent would apply at the ID token layer when carrying
> a VP.
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on
> behalf of Tom Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net>
> *Sent:* Thursday, April 8, 2021 12:32
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Tom Jones <thomasclinganjones at gmail.com>
> *Subject:* [Openid-specs-ab] user consent
> Before we talk any more about opaque blobs being added to the id token, I
> would like to talk about user consent. What little I have heard from the PE
> group the RP gets to ask for whatever info he wants and consent magically
> happens at some other level. Since the creds group of DIF is not discussing
> the problem I guess it must come up here. If the request/response of the
> VC/VP protocol is not known to the OpenID protocol, how can anybody know
> if the user has given informed consent to the release of the claims? As far
> as I can tell DIF is punting the issue altogether. (That comes from Daniel
> @ MSFT)
> First - in SIOP user explicit consent MUST be obtained.
> Second - in SIOP the data request from the RP (claims) must be presented
> to the user in a form they can understand before the id token (etc.) is
> When we understand that we can talk about vc-xyz.
> Be the change you want to see in the world ..tom