<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p><br>
</p>
<div class="moz-cite-prefix">On 10/06/2022 10:43, Torsten
Lodderstedt wrote:<br>
</div>
<blockquote type="cite"
cite="mid:2FF99EC7-11D7-44B9-8022-A454AC7C395D@lodderstedt.net">
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<br class="">
<div><br class="">
<blockquote type="cite" class="">
<div class="">On 10.06.2022 at 11:36, David Chadwick
<<a href="mailto:d.w.chadwick@verifiablecredentials.info"
class="moz-txt-link-freetext" moz-do-not-send="true">d.w.chadwick@verifiablecredentials.info</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<div class="">
<p class=""><br class="">
</p>
<div class="moz-cite-prefix">On 10/06/2022 10:02, Torsten
Lodderstedt wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:960A77C2-F54E-48F1-A39C-F88BC60E07CE@lodderstedt.net"
class="">
<meta http-equiv="Content-Type" content="text/html;
charset=UTF-8" class="">
<br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 10.06.2022 at 10:38, David
Chadwick via Openid-specs-ab <<a
href="mailto:openid-specs-ab@lists.openid.net"
class="moz-txt-link-freetext"
moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br class="Apple-interchange-newline">
<div class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" class="">
<div class="">
<p class="">I think the latter included the
former.</p>
</div>
</div>
</blockquote>
Please explain the privacy implications of the fact
that the RP knows that a user uses a wallet provided
by provider a.<br class="">
</div>
</blockquote>
<p class="">Because then it can differentiate between
requests coming from different wallet providers, and,
depending upon how the wallet provider is indicated,
could have a correlating handle between requests.</p>
<div class=""><br class="">
</div>
</div>
</div>
</blockquote>
<br class="">
But why is that a privacy issue?</div>
</blockquote>
<p>Because if an RP can tell that the same user is continually
returning, when the user does not want this to occur (e.g. say it's
an adult web site) then it's violating the user's privacy and the
RP can build a profile of the user.</p>
<p>Kind regards</p>
<p>David<br>
</p>
<blockquote type="cite"
cite="mid:2FF99EC7-11D7-44B9-8022-A454AC7C395D@lodderstedt.net">
<div>
<blockquote type="cite" class="">
<div class="">
<div class="">
<p class=""><br class="">
</p>
<blockquote type="cite"
cite="mid:960A77C2-F54E-48F1-A39C-F88BC60E07CE@lodderstedt.net"
class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class="">
<p class=""> If the RP can differentiate between
user1 with wallet1 and user2 with wallet2 from
a different provider, then the requirement has
not been fulfilled. That is my interpretation.
So the RP should not be able to distinguish
between requests from<br class="">
</p>
<p class="">user1 with wallet1</p>
<p class="">user1 with wallet2</p>
<p class="">user2 with wallet1</p>
<p class="">user2 with wallet2</p>
<p class="">They should all look like different
requests from different users to the RP. This
is how the original SAML worked before
persistent IDs were introduced. Personally I
think it is a superb privacy protecting
feature, and it's what we have implemented in
our product.<br class="">
</p>
</div>
</div>
</blockquote>
<div class="">Please explain how this can be
implemented. As soon as the RP needs to check the
compliance of the wallet using a cert, there is an
identifier to identify and distinguish wallet
services. <br class="">
</div>
</div>
</blockquote>
<p class="">I already explained this in my original
message. Please re-read it again<br class="">
</p>
</div>
</div>
</blockquote>
<div>I read it and I think the public key id in the cert is a
correlation handle. </div>
<br class="">
<blockquote type="cite" class="">
<div class="">
<div class="">
<p class=""> </p>
<p class="">Kind regards</p>
<p class="">David<br class="">
</p>
<blockquote type="cite"
cite="mid:960A77C2-F54E-48F1-A39C-F88BC60E07CE@lodderstedt.net"
class="">
<div class="">
<blockquote type="cite" class="">
<div class="">
<div class="">
<div class=""> <br
class="webkit-block-placeholder">
</div>
<p class="">Kind regards</p>
<p class="">David<br class="">
</p>
<div class="moz-cite-prefix">On 10/06/2022
07:53, Kristina Yasuda via Openid-specs-ab
wrote:<br class="">
</div>
<blockquote type="cite"
cite="mid:BYAPR00MB088712E3E8D0CB25CDDEC455E5A69@BYAPR00MB0887.namprd00.prod.outlook.com"
class="">
<meta http-equiv="Content-Type"
content="text/html; charset=UTF-8" class="">
<div dir="ltr" class="">
<div class="">
<div dir="ltr" class="">Thank you, David.</div>
<div dir="ltr" class=""><br class="">
</div>
<div dir="ltr" class="">+1 to Torsten’s
question and interpretation that the
text refers to verifier not being able
to differentiate two different wallet
instances and use that to identify a
unique<span style="font-size: inherit;"
class=""> user.</span></div>
<div dir="ltr" class=""><br class="">
</div>
</div>
<div
id="mail-editor-reference-message-container"
class="ms-outlook-mobile-reference-message">
<hr style="display:inline-block;width:98%"
tabindex="-1" class="">
<div id="divRplyFwdMsg" dir="ltr" class=""><font
class="" face="Calibri, sans-serif"><b
class="">From:</b> Openid-specs-ab <a
class="moz-txt-link-rfc2396E"
href="mailto:openid-specs-ab-bounces@lists.openid.net"
moz-do-not-send="true"><openid-specs-ab-bounces@lists.openid.net></a>
on behalf of Torsten Lodderstedt via
Openid-specs-ab <a
class="moz-txt-link-rfc2396E"
href="mailto:openid-specs-ab@lists.openid.net"
moz-do-not-send="true"><openid-specs-ab@lists.openid.net></a><br
class="">
<b class="">Sent:</b> Thursday, June
9, 2022 12:06 PM<br class="">
<b class="">To:</b> Artifact
Binding/Connect Working Group<br
class="">
<b class="">Cc:</b> Torsten
Lodderstedt<br class="">
<b class="">Subject:</b> Re:
[Openid-specs-ab] SIOP call
2022-June-9
<div class=""> </div>
</font></div>
Thanks for sharing.
<div class=""><br class="">
</div>
<div class="">I would like to understand
whether "two certified EUDI Wallets" in
this statement refer to two different
implementations/service providers or
just two different instances for
different users. I assume the latter
since the former does not have privacy
implications.</div>
<div class=""><br class="">
</div>
<div class="">best regards,</div>
<div class="">Torsten. <br class="">
<div class=""><br class="">
<blockquote type="cite" class="">
<div class="">On 09.06.2022 at 20:36,
David Chadwick via
Openid-specs-ab <<a
href="mailto:openid-specs-ab@lists.openid.net"
class="moz-txt-link-freetext"
moz-do-not-send="true">openid-specs-ab@lists.openid.net</a>> wrote:</div>
<br
class="Apple-interchange-newline">
<div class="">
<div class="">
<p class="">During today's call
I asserted that the EU Digital
Identity Wallet should be able
to prove to an RP that it is
certified without revealing
its identity or who the
software provider is. I was
asked to find a reference to
this. It is on page 26 of
"European Digital Identity
Architecture and Reference
Framework" available here: <br
class="">
</p>
<p class=""><a
class="moz-txt-link-freetext"
href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fcloud.eid.as%2Findex.php%2Fs%2FDQ5aRjyzJDNKXpW&data=05%7C01%7CKristina.Yasuda%40microsoft.com%7Cdde2e2735d554c67888308da4a4af495%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637903984091677249%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C2000%7C%7C%7C&sdata=AXMbHKj5%2FQ1fHgTGQIhlzNuwaqUTdHxyYNad%2BMHlp2o%3D&reserved=0"
originalsrc="https://cloud.eid.as/index.php/s/DQ5aRjyzJDNKXpW"
shash="E53rDx/Yn3rFWDcmKW/GwvdQ2oGP0eiBuStjRDCOjMD34a1vdDDZ+msQqL3SjKbAjlaN/u65RaDWdoWcSjI2NkjqTJTgwma3C3HKLvoKII/xqr7Ri9BEs74q2XPmMeFsWA0XGezo87mcVgt8jHBSpK5dV7WZPW/f+6t1d8ZYo7s="
moz-do-not-send="true">https://cloud.eid.as/index.php/s/DQ5aRjyzJDNKXpW</a><br
class="">
</p>
<p class="">Here is the relevant
text</p>
<p class="">"In addition, the
mechanism for relying parties
to verify whether a EUDI
Wallet used is genuine and
certified, shall not enable
the relying party to
distinguish between two
certified EUDI Wallets, in
order to preserve the privacy
of the user when performing
pseudonymous authentication."
<br class="">
</p>
<p class="">This could be
implemented using traditional
asymmetric crypto, in which
each EUDI wallet is issued its
own VC, stating that it is a
certified wallet, issued by
the EUDI certification
authority, in which the
subject ID is the public key
of the wallet. There would be
no information to indicate who
the wallet provider is, or who
the wallet holder is. However,
this certificate, if long
lived, would then be a
correlating handle, so by
issuing transient short lived
VCs to the wallet each time an
RP requires assurance, the
public key would change every
time thereby removing the
ability to correlate the
certifying VCs.<br class="">
</p>
<p class="">Kind regards</p>
<p class="">David<br class="">
</p>
</div>
_______________________________________________<br class="">
Openid-specs-ab mailing list<br
class="">
<a
href="mailto:Openid-specs-ab@lists.openid.net"
class="moz-txt-link-freetext"
moz-do-not-send="true">Openid-specs-ab@lists.openid.net</a><br
class="">
<a class="moz-txt-link-freetext"
href="https://lists.openid.net/mailman/listinfo/openid-specs-ab"
moz-do-not-send="true">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><br
class="">
</div>
</blockquote>
</div>
<br class="">
</div>
</div>
</div>
<br class="">
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
</div>
</div>
</blockquote>
</div>
<br class="">
</blockquote>
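<p>An added illustration of the scheme David sketches in the quoted thread and of the objection Torsten raises to it; this is example code written for this page, not code from the thread, from any EUDI wallet project, or from the cited framework document. It models the certification VC as an Ed25519-signed attestation whose only subject identifier is the wallet's public key (the names Issue, Verify and Visit, the 16-byte RP nonce and the key-plus-expiry encoding are assumptions), and shows that the handle the RP is left with is identical across visits when one attestation is reused and differs when a fresh key and short-lived attestation are obtained for each visit.</p>

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Attestation stands in for the "certified wallet" VC: its only subject
// identifier is the wallet's public key; no provider or holder data at all.
type Attestation struct {
	WalletKey ed25519.PublicKey
	NotAfter  int64  // expiry, Unix seconds
	Sig       []byte // certification authority's signature over key || expiry
}
func body(key ed25519.PublicKey, notAfter int64) []byte {
	b := make([]byte, ed25519.PublicKeySize+8)
	copy(b, key)
	binary.BigEndian.PutUint64(b[ed25519.PublicKeySize:], uint64(notAfter))
	return b
}
// Issue is the certification authority's step: vouch for a wallet key for ttl.
func Issue(caPriv ed25519.PrivateKey, key ed25519.PublicKey, ttl time.Duration, now time.Time) Attestation {
	exp := now.Add(ttl).Unix()
	return Attestation{key, exp, ed25519.Sign(caPriv, body(key, exp))}
}

// Verify is the RP's check: CA signature, expiry, and proof of possession over the
// RP's nonce. The returned hex key is the only correlation handle the RP obtains.
func Verify(caPub ed25519.PublicKey, att Attestation, pop, nonce []byte, now time.Time) (string, error) {
	if len(att.WalletKey) != ed25519.PublicKeySize || now.Unix() > att.NotAfter ||
		!ed25519.Verify(caPub, body(att.WalletKey, att.NotAfter), att.Sig) {
		return "", errors.New("attestation malformed, expired, or not signed by the CA")
	}
	if !ed25519.Verify(att.WalletKey, nonce, pop) {
		return "", errors.New("proof of possession failed")
	}
	return hex.EncodeToString(att.WalletKey), nil
}
// Visit runs one RP interaction: fresh RP nonce, wallet signs it, RP verifies.
func Visit(caPub ed25519.PublicKey, att Attestation, walletPriv ed25519.PrivateKey, now time.Time) (string, error) {
	nonce := make([]byte, 16)
	rand.Read(nonce)
	return Verify(caPub, att, ed25519.Sign(walletPriv, nonce), nonce, now)
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	wPub, wPriv, _ := ed25519.GenerateKey(rand.Reader)
	long := Issue(caPriv, wPub, 365*24*time.Hour, now) // one attestation, reused
	h1, _ := Visit(caPub, long, wPriv, now)
	h2, _ := Visit(caPub, long, wPriv, now)
	fmt.Println("long-lived attestation reused, RP sees same handle:", h1 == h2)
	aPub, aPriv, _ := ed25519.GenerateKey(rand.Reader) // fresh key per visit
	bPub, bPriv, _ := ed25519.GenerateKey(rand.Reader)
	h3, _ := Visit(caPub, Issue(caPriv, aPub, time.Minute, now), aPriv, now)
	h4, _ := Visit(caPub, Issue(caPriv, bPub, time.Minute, now), bPriv, now)
	fmt.Println("short-lived attestation per visit, RP sees same handle:", h3 == h4)
}
```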
</body>
</html>