<html><head><meta http-equiv="Content-Type" content="text/html; charset=utf-8"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;" class=""><br class=""><div><br class=""><blockquote type="cite" class=""><div class="">On 10.06.2022 at 11:36, David Chadwick <<a href="mailto:d.w.chadwick@verifiablecredentials.info" class="">d.w.chadwick@verifiablecredentials.info</a>> wrote:</div><br class="Apple-interchange-newline"><div class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<div class=""><p class=""><br class="">
</p>
<div class="moz-cite-prefix">On 10/06/2022 10:02, Torsten
Lodderstedt wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:960A77C2-F54E-48F1-A39C-F88BC60E07CE@lodderstedt.net" class="">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" class="">
<br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 10.06.2022 at 10:38, David Chadwick
via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="moz-txt-link-freetext" moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class=""><p class="">I think the latter included the former.</p>
</div>
</div>
</blockquote>
Please explain the privacy implications of the fact that the RP
knows that a user uses a wallet provided by provider a.<br class="">
</div>
</blockquote><p class="">Because then it can differentiate between requests coming from
different wallet providers, and, depending upon how the wallet
provider is indicated, could have a correlating handle between
requests.</p><div class=""><br class=""></div></div></div></blockquote><br class="">But why is that a privacy issue?</div><div><blockquote type="cite" class=""><div class=""><div class=""><p class=""><br class="">
</p>
<blockquote type="cite" cite="mid:960A77C2-F54E-48F1-A39C-F88BC60E07CE@lodderstedt.net" class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class=""><p class=""> If the RP can differentiate between user1
with wallet1 and user2 with wallet2 from a different
provider, then the requirement has not been fulfilled.
That is my interpretation. So the RP should not be able
to distinguish between requests from<br class="">
</p><p class="">user1 with wallet1</p><p class="">user1 with wallet2</p><p class="">user2 with wallet1</p><p class="">user2 with wallet2</p><p class="">They should all look like different requests
from different users to the RP. This is how the original
SAML worked before persistent IDs were introduced.
Personally I think it is a superb privacy protecting
feature, and it's what we have implemented in our
product.<br class="">
</p>
</div>
</div>
</blockquote>
<div class="">Please explain how this can be implemented. As soon as the
RP needs to check the compliance of the wallet using a cert,
there is an identifier to identify and distinguish wallet
services. <br class="">
</div>
</div>
</blockquote><p class="">I already explained this in my original message. Please re-read
it again<br class=""></p></div></div></blockquote><div>I read it and I think the public key id in the cert is a correlation handle. </div><br class=""><blockquote type="cite" class=""><div class=""><div class=""><p class="">
</p><p class="">Kind regards</p><p class="">David<br class="">
</p>
<blockquote type="cite" cite="mid:960A77C2-F54E-48F1-A39C-F88BC60E07CE@lodderstedt.net" class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class=""><div class=""> <br class="webkit-block-placeholder"></div><p class="">Kind regards</p><p class="">David<br class="">
</p>
<div class="moz-cite-prefix">On 10/06/2022 07:53, Kristina
Yasuda via Openid-specs-ab wrote:<br class="">
</div>
<blockquote type="cite" cite="mid:BYAPR00MB088712E3E8D0CB25CDDEC455E5A69@BYAPR00MB0887.namprd00.prod.outlook.com" class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">Thank you, David.</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">+1 to Torsten’s question and
interpretation that the text refers to verifier
not being able to differentiate two different
wallet instances and use that to identify a unique<span style="font-size: inherit;" class=""> user.</span></div>
<div dir="ltr" class=""><br class="">
</div>
</div>
<div id="mail-editor-reference-message-container" class="ms-outlook-mobile-reference-message">
<hr style="display:inline-block;width:98%" tabindex="-1" class="">
<div id="divRplyFwdMsg" dir="ltr" class=""><font class="" face="Calibri, sans-serif"><b class="">From:</b>
Openid-specs-ab <a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab-bounces@lists.openid.net" moz-do-not-send="true"><openid-specs-ab-bounces@lists.openid.net></a>
on behalf of Torsten Lodderstedt via
Openid-specs-ab <a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-ab@lists.openid.net" moz-do-not-send="true"><openid-specs-ab@lists.openid.net></a><br class="">
<b class="">Sent:</b> Thursday, June 9, 2022
12:06 PM<br class="">
<b class="">To:</b> Artifact Binding/Connect
Working Group<br class="">
<b class="">Cc:</b> Torsten Lodderstedt<br class="">
<b class="">Subject:</b> Re: [Openid-specs-ab]
SIOP call 2022-June-9
<div class=""> </div>
</font></div>
Thanks for sharing.
<div class=""><br class="">
</div>
<div class="">I would like to understand whether
"two certified EUDI Wallets" in this statement
refer to two different implementations/service
providers or just two different instances for
different users. I assume the latter since the
former does not have privacy implications.</div>
<div class=""><br class="">
</div>
<div class="">best regards,</div>
<div class="">Torsten. <br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 09.06.2022 at 20:36,
David Chadwick via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net" class="moz-txt-link-freetext" moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<div class=""><p class="">During today's call I asserted
that the EU Digital Identity Wallet
should be able to prove to an RP that it
is certified without revealing its
identity or who the software provider
is. I was asked to find a reference to
this. It is on page 26 of "European
Digital Identity Architecture and
Reference Framework" available here: <br class="">
</p><p class=""><a class="moz-txt-link-freetext" href="https://cloud.eid.as/index.php/s/DQ5aRjyzJDNKXpW" moz-do-not-send="true">https://cloud.eid.as/index.php/s/DQ5aRjyzJDNKXpW</a><br class="">
</p><p class="">Here is the relevant text</p><p class="">"In addition, the mechanism
for relying parties to verify whether a
EUDI Wallet used is genuine and
certified, shall not enable the relying
party to distinguish between two
certified EUDI Wallets, in order to
preserve the privacy of the user when
performing pseudonymous authentication."
<br class="">
</p><p class="">This could be implemented
using traditional asymmetric crypto, in
which each EUDI wallet is issued its own
VC, stating that it is a certified
wallet, issued by the EUDI certification
authority, in which the subject ID is
the public key of the wallet. There
would be no information to indicate who
the wallet provider is, or who the
wallet holder is. However, this
certificate, if long lived, would then
be a correlating handle, so by issuing
transient short lived VCs to the wallet
each time an RP requires assurance, the
public key would change every time
thereby removing the ability to
correlate the certifying VCs.<br class="">
</p><p class="">Kind regards</p><p class="">David<br class="">
</p>
</div>
_______________________________________________<br class="">
Openid-specs-ab mailing list<br class="">
<a href="mailto:Openid-specs-ab@lists.openid.net" class="moz-txt-link-freetext" moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a><br class="">
<a class="moz-txt-link-freetext" href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" moz-do-not-send="true">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
<br class="">
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
</div>
</div></blockquote></div><br class=""></body></html>
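The scheme David sketches (a certification VC whose subject is the wallet's public key, re-issued with a fresh key each time an RP needs assurance) and Torsten's objection (the key in that VC is itself a correlation handle) can both be made concrete in code. The following is an added example written for this page; it is not code from the thread, from any EUDI wallet, or from an OpenID specification. It models the attestation as a signed JSON claim set rather than a real VC, uses a toy Schnorr signature over a Schnorr group built from the Python standard library (not production cryptography), and the issuer name, timestamps, nonces and RP names are constructed. An RP verifies only the CA signature, the validity window and a proof of possession over its nonce, so it never learns the provider; the scenario then checks whether two RPs end up holding a common handle when the wallet reuses its key versus when it takes a fresh key per presentation.

```python
"""Toy model of a short-lived 'certified wallet' attestation keyed to a wallet
public key, and of the cross-RP correlation that key reuse creates.
Added illustration, not from the thread or any EUDI specification."""
import hashlib
import json
import random

rng = random.Random(2022)                 # deterministic toy randomness (constructed)
CA_NAME = "EUDI-certification-authority"  # assumed issuer name
NOW = 1654855200                          # constructed timestamp, seconds

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test; adequate for a toy group."""
    if n < 4:
        return n in (2, 3)
    if any(n % s == 0 for s in (2, 3, 5, 7, 11, 13)):
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def make_group(qbits=160):
    """Return (p, q, g) with q prime, q | p-1, and g of order q modulo p."""
    while True:
        q = rng.getrandbits(qbits) | (1 << (qbits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for k in range(2, 100000, 2):
            p = k * q + 1
            if is_probable_prime(p):
                g = pow(2, k, p)          # order divides q, so order q unless g == 1
                if g != 1:
                    return p, q, g

P, Q, G = make_group()

def keygen():
    x = rng.randrange(1, Q)
    return x, pow(G, x, P)                # (private, public)

def _h(*parts):
    data = b"|".join(str(s).encode() for s in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def sign(sk, msg):
    """Schnorr: e = H(g^k, m), s = k - x*e mod q."""
    k = rng.randrange(1, Q)
    e = _h(pow(G, k, P), msg) % Q
    return e, (k - sk * e) % Q

def verify(pk, msg, sig):
    e, s = sig
    r = (pow(G, s, P) * pow(pk, e, P)) % P   # equals g^k for a valid signature
    return _h(r, msg) % Q == e

def make_presentation(ca_sk, wallet_sk, wallet_pk, rp_id, nonce, now, ttl=60):
    """CA issues a short-lived attestation whose subject is wallet_pk; the wallet
    adds a proof of possession over the RP's nonce. No provider, no holder."""
    claims = {"iss": CA_NAME, "sub": wallet_pk, "claim": "certified-wallet",
              "iat": now, "exp": now + ttl}
    attestation = json.dumps(claims, sort_keys=True)
    return {"attestation": attestation,
            "ca_sig": sign(ca_sk, attestation),
            "pop": sign(wallet_sk, f"{rp_id}|{nonce}")}

def rp_verify(ca_pk, pres, rp_id, nonce, now):
    """Everything the RP can check: CA signature, claim, window, possession."""
    if not verify(ca_pk, pres["attestation"], pres["ca_sig"]):
        return False
    c = json.loads(pres["attestation"])
    if c["iss"] != CA_NAME or c["claim"] != "certified-wallet":
        return False
    if not c["iat"] <= now < c["exp"]:
        return False
    return verify(c["sub"], f"{rp_id}|{nonce}", pres["pop"])

def run_scenario(transient):
    """Two wallets from different (unnamed) providers each present to RP1 and RP2.
    Reports whether all presentations verified and whether RP1 and RP2 share a
    subject key, i.e. whether the attestation key acts as a correlation handle."""
    ca_sk, ca_pk = keygen()
    wallets = [keygen(), keygen()]
    seen = {"rp1": set(), "rp2": set()}
    all_ok = True
    for rp_id in seen:
        nonce = rng.getrandbits(128)
        for wallet_sk, wallet_pk in wallets:
            if transient:                 # fresh key pair for every presentation
                wallet_sk, wallet_pk = keygen()
            pres = make_presentation(ca_sk, wallet_sk, wallet_pk, rp_id, nonce, NOW)
            all_ok &= rp_verify(ca_pk, pres, rp_id, nonce, NOW)
            seen[rp_id].add(json.loads(pres["attestation"])["sub"])
    return {"all_verified": all_ok,
            "linkable_across_rps": bool(seen["rp1"] & seen["rp2"])}
```

With `transient=False` both RPs record the same two subject keys and can link the users; with `transient=True` the keys never repeat, which is the property the quoted framework text asks for. Note what the example does not solve: the CA sees every fresh key it certifies, so unlinkability toward RPs is bought with a per-presentation round trip to, and a correlation point at, the certification authority.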