[Openid-specs-ab] user consent

Tom Jones thomasclinganjones at gmail.com
Thu Apr 8 18:05:01 UTC 2021


Well, for starters, the consent needs to come from the subject, not the
holder.

Be the change you want to see in the world ..tom


On Thu, Apr 8, 2021 at 10:58 AM Tim Cappalli <Tim.Cappalli at microsoft.com>
wrote:

> Not sure I understand how that disagrees with what I said.
>
> >> The wallet and/or holder governs which claims are disclosed in the
> VP/VC.
> ------------------------------
> *From:* Tom Jones <thomasclinganjones at gmail.com>
> *Sent:* Thursday, April 8, 2021 13:53
> *To:* Tim Cappalli <Tim.Cappalli at microsoft.com>
> *Cc:* openid-specs-ab at lists.openid.net <openid-specs-ab at lists.openid.net>
> *Subject:* Re: [Openid-specs-ab] user consent
>
> Well, that's definitely a point of major disagreement then. If the RP asks
> the wallet for some details in a PE, the wallet MUST NOT respond to the
> request without user consent.
>
> Be the change you want to see in the world ..tom
>
>
> On Thu, Apr 8, 2021 at 10:43 AM Tim Cappalli <Tim.Cappalli at microsoft.com>
> wrote:
>
> The wallet and/or holder governs which claims are disclosed in the VP/VC.
> I don't see why any consent would apply at the ID token layer when carrying
> a VP.
> ------------------------------
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on
> behalf of Tom Jones via Openid-specs-ab <openid-specs-ab at lists.openid.net>
> *Sent:* Thursday, April 8, 2021 12:32
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Tom Jones <thomasclinganjones at gmail.com>
> *Subject:* [Openid-specs-ab] user consent
>
> Before we talk any more about opaque blobs being added to the id token, I
> would like to talk about user consent. From what little I have heard from the
> PE group, the RP gets to ask for whatever info he wants and consent magically
> happens at some other level. Since the creds group of DIF is not discussing
> the problem, I guess it must come up here. If the request/response of the
> VC/VP protocol is not known to the OpenID protocol, how can anybody know
> if the user has given informed consent to the release of the claims? As far
> as I can tell DIF is punting the issue altogether. (That comes from Daniel
> @ MSFT)
>
> First - in SIOP user explicit consent MUST be obtained.
> Second - in SIOP the data request from the RP (claims) must be presented
> to the user in a form they can understand before the id token (etc.) is
> created.
>
> When we understand that we can talk about vc-xyz.
>
> Be the change you want to see in the world ..tom
>
>