<div dir="ltr">Thanks for the response - I remain unconvinced that the privacy of the user can be protected with what I have seen. No PII can be released before the holder is aware of the entity receiving the PII and has consented to the release. ANY ID, including the ID of the wallet, is PII as it can be used to track the user.<div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,'Segoe UI',Roboto,'Helvetica Neue','Fira Sans',Ubuntu,Oxygen,'Oxygen Sans',Cantarell,'Droid Sans','Apple Color Emoji','Segoe UI Emoji','Segoe UI Symbol','Lucida Grande',Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Sat, Jul 29, 2023 at 2:53 AM &lt;<a href="mailto:torsten@lodderstedt.net">torsten@lodderstedt.net</a>&gt; wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<div name="messageBodySection">
<div dir="auto">Hi Tom,</div>
</div>
<div name="messageReplySection">
<div dir="auto">On 28 July 2023, 20:51 +0200, Tom Jones &lt;<a href="mailto:thomasclinganjones@gmail.com" target="_blank">thomasclinganjones@gmail.com</a>&gt; wrote:</div>
<blockquote style="border-left:thin solid rgb(26,188,156);margin:5px;padding-left:10px"><span style="color:rgba(0,0,0,0.9);background-color:rgb(242,242,242);font-family:-apple-system,system-ui,system-ui,'Segoe UI',Roboto,'Helvetica Neue','Fira Sans',Ubuntu,Oxygen,'Oxygen Sans',Cantarell,'Droid Sans','Apple Color Emoji','Segoe UI Emoji','Segoe UI Symbol','Lucida Grande',Helvetica,Arial,sans-serif;font-size:14px">I have a fundamental problem with</span> <span style="font-family:'Noto Sans',Arial,Helvetica,sans-serif">OpenID for Verifiable Presentations over BLE flow diagrams.</span> It seems that the user wallet identifies itself to the verifier before the user knows the identifier of the verifier.<br>
There is a statement about the advertisement "5.2 <span style="font-family:'Noto Sans',Arial,Helvetica,sans-serif;font-size:14px">The QR Code contains the name and the ephemeral public key of the Verifier."</span> Is the presumption that the physical context of the QR code is sufficient?<br>
It seems that anyone could go about pasting QR codes in any place that lead to attack sites.</blockquote>
<div dir="auto">The text in section 5 is still a bit misleading (esp. re encrypted:wallet provider clientid and encrypted:authentication context) and the information about verifier authentication is missing in the current revision. <br>
<br>
The fundamental idea of the draft is to use the messages defined in the OID4VP base spec and send them over a secure BLE connection. The description of the actual OID4VP message exchange starts at Section 7. <br>
<br>
<span>Section 7.2 states "</span>The Request contains a signed request object containing the parameters as defined in [OpenID4VP]." but<span> does not </span><span>explain</span><span> the rest.</span><br>
<br>
<span>The wallet can authenticate the verifier using this signed OID4VP request object, which is sent through the BLE connection. </span><br>
<br>
<span>It is still an early draft, we will improve the text. So thanks for raising that issue. </span><br>
<br>
<span>best</span><span> regards,</span><br>
<span>Torsten. </span><br></div>
<blockquote style="border-left:thin solid rgb(26,188,156);margin:5px;padding-left:10px"><br>
I am creating some BLE code to see if section 5.1 is any better. It is not clear from the docs that I have what information is in the ad.<br>
..tomj<br>
<br>
<br>
On Tue, Apr 25, 2023 at 4:37 AM Torsten Lodderstedt via Openid-specs-ab &lt;<a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a>&gt; wrote:<br>
<blockquote style="border-left:thin solid rgb(230,126,34);margin:5px;padding-left:10px">Hi all, <br>
<br>
the initial revision of the OpenID for Verifiable Presentations over BLE draft is now available <a href="https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-over-ble-1_0.html" target="_blank">https://openid.bitbucket.io/connect/openid-4-verifiable-presentations-over-ble-1_0.html</a>.<br>
<br>
Please review the specification and give feedback either here on the list or through issues at <a href="https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam" target="_blank">https://bitbucket.org/openid/connect/issues?status=new&status=open&status=submitted&is_spam=!spam</a>. <br>
<br>
Thanks in advance, <br>
Torsten. <br>
</blockquote>
</blockquote>
</div>
</div>
</blockquote></div>
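<div dir="ltr">The ordering discussed in this thread (the wallet authenticates the verifier through the signed OID4VP request object before anything that identifies the wallet or holder is released) is sketched below as an added example; it is not part of the thread or of the draft. The trust list keyed by <code>client_id</code>, the ES256 compact-JWS encoding, the function names and the <code>verifier.example</code> identifier are assumptions, since the draft revision discussed does not yet describe verifier authentication.</div>

```javascript
// Added example (not from the draft): verify the signed request object first, disclose later.
const nodeCrypto = require('node:crypto');
const b64u = (data) => Buffer.from(data).toString('base64url');

// Constructed fixture: a verifier key pair and the wallet's trust list.
// Assumption: the wallet already knows which public key belongs to which client_id.
const verifierKeys = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const trustList = new Map([['https://verifier.example', verifierKeys.publicKey]]);

// Verifier side (demo only): sign the request object as a compact JWS with ES256.
function signRequestObject(claims, privateKey) {
  const input = b64u(JSON.stringify({ alg: 'ES256', typ: 'JWT' })) + '.' + b64u(JSON.stringify(claims));
  const sig = nodeCrypto.sign('sha256', Buffer.from(input), { key: privateKey, dsaEncoding: 'ieee-p1363' });
  return input + '.' + b64u(sig);
}

// Wallet side: return the verified claims, or throw before anything is disclosed.
function authenticateVerifier(jws, trusted) {
  const parts = jws.split('.');
  if (parts.length !== 3) throw new Error('malformed request object');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString());
  if (header.alg !== 'ES256') throw new Error('unexpected alg'); // rejects "none" and other algs
  const claims = JSON.parse(Buffer.from(parts[1], 'base64url').toString());
  const key = trusted.get(claims.client_id); // claimed identity selects the key, signature proves it
  if (!key) throw new Error('unknown verifier');
  const ok = nodeCrypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
    { key, dsaEncoding: 'ieee-p1363' }, Buffer.from(parts[2], 'base64url'));
  if (!ok) throw new Error('bad signature');
  return claims;
}

// Gate: the holder is asked for consent only after the verifier is authenticated;
// on any failure the wallet returns nothing that identifies itself or the holder.
function handleRequest(jws, trusted, holderConsents) {
  let claims;
  try { claims = authenticateVerifier(jws, trusted); }
  catch (e) { return { disclosed: false, reason: e.message }; }
  if (!holderConsents(claims.client_id)) return { disclosed: false, reason: 'holder declined' };
  return { disclosed: true, to: claims.client_id, nonce: claims.nonce };
}
```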