<div dir="ltr">Tom, I am in complete agreement that informed consent MUST be gathered from the Subject by the Holder. I'm not sure where the best forum for this topic is either, but at the point we're detailing any Presentation Exchange protocols here it is definitely relevant.<div><br></div><div>I did bring up an aspect of this on the DIF repo back in March, on the working group call it was deferred to a future revision: <a href="https://github.com/decentralized-identity/presentation-exchange/issues/204">https://github.com/decentralized-identity/presentation-exchange/issues/204</a></div><div><br></div><div>Jer</div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 8, 2021 at 12:05 PM Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr">well, for starters the consent needs to come from the subject, not the holder.<div><br clear="all"><div><div dir="ltr"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,"Segoe UI",Roboto,"Helvetica Neue","Fira Sans",Ubuntu,Oxygen,"Oxygen Sans",Cantarell,"Droid Sans","Apple Color Emoji","Segoe UI Emoji","Segoe UI Symbol","Lucida Grande",Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap">Be the change you want to see in the world </span>..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Apr 8, 2021 at 10:58 AM Tim Cappalli <<a href="mailto:Tim.Cappalli@microsoft.com" target="_blank">Tim.Cappalli@microsoft.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
Not sure I understand how that disagrees with what I said.</div>
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
<br>
</div>
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
>> <span style="background-color:rgb(255,255,255);display:inline">The wallet and/or holder governs which claims are disclosed in the VP/VC.</span></div>
<div id="gmail-m_-5154810693345376601gmail-m_-675540688187391201appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-5154810693345376601gmail-m_-675540688187391201divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" style="font-size:11pt" color="#000000"><b>From:</b> Tom Jones <<a href="mailto:thomasclinganjones@gmail.com" target="_blank">thomasclinganjones@gmail.com</a>><br>
<b>Sent:</b> Thursday, April 8, 2021 13:53<br>
<b>To:</b> Tim Cappalli <<a href="mailto:Tim.Cappalli@microsoft.com" target="_blank">Tim.Cappalli@microsoft.com</a>><br>
<b>Cc:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a> <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] user consent</font>
<div> </div>
</div>
<div>
<div dir="ltr">well that's definitely a point of major disagreement then. If the rp asks the wallet for some details in a pe, the wallet MUST NOT respond to the request without user consent.
<div><br clear="all">
<div>
<div dir="ltr">
<div dir="ltr">
<div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-size:14px;white-space:pre-wrap">Be the change you want to see in the world
</span>..tom</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div>
<div dir="ltr">On Thu, Apr 8, 2021 at 10:43 AM Tim Cappalli <<a href="mailto:Tim.Cappalli@microsoft.com" target="_blank">Tim.Cappalli@microsoft.com</a>> wrote:<br>
</div>
<blockquote style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="ltr">
<div style="font-family:Arial,Helvetica,sans-serif;font-size:12pt;color:rgb(0,0,0)">
The wallet and/or holder governs which claims are disclosed in the VP/VC. I don't see why any consent would apply at the ID token layer when carrying a VP.</div>
<div id="gmail-m_-5154810693345376601gmail-m_-675540688187391201x_gmail-m_-7274599062385067212appendonsend"></div>
<hr style="display:inline-block;width:98%">
<div id="gmail-m_-5154810693345376601gmail-m_-675540688187391201x_gmail-m_-7274599062385067212divRplyFwdMsg" dir="ltr"><font face="Calibri, sans-serif" color="#000000" style="font-size:11pt"><b>From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>>
on behalf of Tom Jones via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Sent:</b> Thursday, April 8, 2021 12:32<br>
<b>To:</b> Artifact Binding/Connect Working Group <<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>><br>
<b>Cc:</b> Tom Jones <<a href="mailto:thomasclinganjones@gmail.com" target="_blank">thomasclinganjones@gmail.com</a>><br>
<b>Subject:</b> [Openid-specs-ab] user consent</font>
<div> </div>
</div>
<div>
<div dir="ltr">Before we talk any more about opaque blobs being added to the id token, I would like to talk about user consent. What little i have heard from the PE group the RP gets to ask for whatever info he wants and consent magically happens at some other
level. Since the creds group of DIF is not discussing the problem I guess it must come up here. If the request/response of the VC/VP protocol is not known to the open id protocol, how can anybody know if the user has given informed consent to the release of
the claims? As far as I can tell DIF is punting the issue altogether. (That comes from Daniel @ MSFT)
<div><br>
</div>
<div>First - in SIOP user explicit consent MUST be obtained.</div>
<div>Second - in SIOP the data request from the RP (claims) must be presented to the user in a form they can understand before the id token (etc.) is created.<br>
<div><br>
</div>
<div>When we understand that we can talk about vc-xyz.</div>
<div><br>
<div>
<div>
<div dir="ltr">
<div dir="ltr">
<div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-size:14px;white-space:pre-wrap">Be the change you want to see in the world
</span>..tom</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
</blockquote>
</div>
</div>
</div>
</blockquote></div>
_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="http://lists.openid.net/mailman/listinfo/openid-specs-ab" rel="noreferrer" target="_blank">http://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br>
</blockquote></div>
<br>
<i style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:rgb(255,255,255);font-family:proxima-nova-zendesk,system-ui,-apple-system,system-ui,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;color:rgb(85,85,85)"><span style="margin:0px;padding:0px;border:0px;outline:0px;vertical-align:baseline;background:transparent;font-family:proxima-nova-zendesk,system-ui,-apple-system,BlinkMacSystemFont,"Segoe UI",Roboto,Oxygen-Sans,Ubuntu,Cantarell,"Helvetica Neue",Arial,sans-serif;font-weight:600"><font size="2">CONFIDENTIALITY NOTICE: This email may contain confidential and privileged material for the sole use of the intended recipient(s). Any review, use, distribution or disclosure by others is strictly prohibited. If you have received this communication in error, please notify the sender immediately by e-mail and delete the message and any file attachments from your computer. Thank you.</font></span></i>