[Openid-specs-digital-credentials-protocols] [SIOP/DCP WG] special topic call on OID4VP advanced flow PR #52

Tom Jones thomasclinganjones at gmail.com
Tue Oct 24 21:30:56 UTC 2023


I very much doubt that the wallet configurations will not be settable by
the user.
I very much doubt that a secure wallet attestation can be made without an
instance id.
I very much doubt that the collection of creds in a wallet will not
identify the user to a high level of assurance.
As I said, you are free to build to these specifications.
I very much doubt that they would be acceptable to users.

..tom


On Tue, Oct 24, 2023 at 2:25 PM Giuseppe De Marco <demarcog83 at gmail.com>
wrote:

> Wallet capabilities are not configured by the user; they show information
> about the wallet solution, with some delta where devices need it (rare cases,
> hopefully never)
>
> Wallet instance attestations are ephemeral
>
> Subject is opaque or meaningless, cnf.jwk is ephemeral, iat and exp too
>
> Me, a rogue RP, how may I track a user by the WIA it presents?
>
> The hkb in the Digital credential must be different from the key used for
> WIA hkb, different keys for different purposes
>
>
>
> On Tue, 24 Oct 2023, 23:18 Tom Jones <thomasclinganjones at gmail.com>
> wrote:
>
>> You are conflating user information with user tracking. It has been shown
>> that tracking a user device is all that is needed to track the user. You
>> can listen now before you commit to these formats, or you can build the
>> solutions and then have them rejected. Your call.
>>
>> thx ..Tom (mobile)
>>
>> On Tue, Oct 24, 2023, 2:07 PM Giuseppe De Marco <demarcog83 at gmail.com>
>> wrote:
>>
>>> Hey Tom
>>>
>>> An ordinary web browser discloses more information than we may ever
>>> imagine
>>>
>>> From my perspective an RP may know the wallet capabilities and should
>>> know the wallet reliability. The first helps the interoperability when the
>>> wallet ecosystem will grow, with future technologies and approaches.
>>>
>>> This information doesn't bring information about the user.
>>>
>>> I think that attributes like key_type and user_authentication should not
>>> be exposed, while an AAL value, properly defined in a security assurance
>>> profile, is the way to go for a good privacy
>>>
>>>
>>>
>>> On Tue, 24 Oct 2023, 22:49 Tom Jones via
>>> Openid-specs-digital-credentials-protocols <
>>> openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
>>>
>>>> I am completely opposed to the very idea that the verifier can ask for
>>>> any data about the configuration of an app installed by the user. It is an
>>>> extremely useful means to track the user.
>>>>
>>>> The verifier should be limited to expressing a purpose and authority.
>>>> No requests for anything that the user cannot understand!!
>>>>
>>>> thx ..Tom (mobile)
>>>>
>>>> On Tue, Oct 24, 2023, 1:30 PM Kristina Yasuda via
>>>> Openid-specs-digital-credentials-protocols <
>>>> openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
>>>>
>>>>> Hi SIOP/DCP WG!
>>>>>
>>>>> Setting up a special topic call this week to discuss this PR:
>>>>> https://github.com/openid/OpenID4VP/pull/52.
>>>>>
>>>>> Sorry it is a little last minute – we have been coordinating with
>>>>> those who reviewed/requested changes to the PR (DavidC, Giuseppe, DanielF,
>>>>> Gabe and Torsten).
>>>>>
>>>>> No pressure to join, we will report back in the main WG call.
>>>>>
>>>>> Thank you!
>>>>>
>>>>> Kristina
>>>>>
>>>>>
>>>>>
>>>>> ---
>>>>>
>>>>>  Kristina Yasuda (OIDF) is inviting you to a scheduled Zoom meeting.
>>>>>
>>>>> Join Zoom Meeting
>>>>>
>>>>> https://zoom.us/j/98883940545?pwd=KzlmYVdCanFmNEY3SExNOEI0Vng1UT09&from=addon
>>>>>
>>>>> Meeting ID: 988 8394 0545
>>>>> Passcode: 114060
>>>>>
>>>>> --
>>>>> Openid-specs-digital-credentials-protocols mailing list
>>>>> Openid-specs-digital-credentials-protocols at lists.openid.net
>>>>>
>>>>> https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols
>>>>>
>>>
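
An added example, not part of any message in this thread or of the OID4VP text: a linkability check a wallet implementer could run over decoded wallet instance attestation payloads, listing the claims that stay identical from one presentation to the next. The names `sub`, `cnf.jwk`, `iat`, `exp`, `key_type` and `user_authentication` come from the thread; the `wallet_capabilities` container, the payload layout and every value are constructed assumptions.

```python
import base64
import hashlib
import json

# RFC 7638: members that enter the thumbprint, per key type.
REQUIRED = {"EC": ("crv", "kty", "x", "y"), "OKP": ("crv", "kty", "x"),
            "RSA": ("e", "kty", "n")}

def jwk_thumbprint(jwk):
    """SHA-256 JWK thumbprint (RFC 7638), base64url without padding."""
    members = {k: jwk[k] for k in REQUIRED[jwk["kty"]]}
    canonical = json.dumps(members, separators=(",", ":"), sort_keys=True)
    digest = hashlib.sha256(canonical.encode()).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

def flatten(claims, prefix=""):
    """Map dotted claim paths to comparable strings; cnf.jwk becomes its thumbprint."""
    out = {}
    for key, value in claims.items():
        path = prefix + key
        if path == "cnf.jwk":
            out[path] = jwk_thumbprint(value)
        elif isinstance(value, dict):
            out.update(flatten(value, path + "."))
        else:
            out[path] = json.dumps(value, sort_keys=True)
    return out

def stable_claims(presentations):
    """Claim paths whose value is identical in every presentation."""
    flat = [flatten(p) for p in presentations]
    common = set(flat[0]).intersection(*flat[1:])
    return sorted(p for p in common if len({f[p] for f in flat}) == 1)

def sample_wia(sub, iat, x):
    """Constructed payload; x/y are placeholders, not real curve points."""
    return {"sub": sub, "iat": iat, "exp": iat + 300,
            "cnf": {"jwk": {"kty": "EC", "crv": "P-256", "x": x, "y": "y-" + x}},
            # Hypothetical container for the capability attributes named in the thread.
            "wallet_capabilities": {"key_type": "constructed-hw-backed",
                                    "user_authentication": "constructed-biometric"}}

WIA_FIRST = sample_wia("opaque-1", 1698181200, "key-one")
WIA_SECOND = sample_wia("opaque-2", 1698184800, "key-two")
WIA_KEY_REUSED = sample_wia("opaque-3", 1698188400, "key-one")

if __name__ == "__main__":
    print(stable_claims([WIA_FIRST, WIA_SECOND]))
    print(stable_claims([WIA_FIRST, WIA_KEY_REUSED]))
```

With fresh `sub`, `cnf.jwk`, `iat` and `exp` per presentation, only the capability attributes repeat; reusing the attestation key adds `cnf.jwk` to the list.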