[Openid-specs-digital-credentials-protocols] Contribution: query syntax proposal
Tom Jones
thomasclinganjones at gmail.com
Tue Mar 5 22:22:32 UTC 2024
Please give me a pointer to a working smartphone/smartphone implementation
so that I can test your assertion.
What I hope the paper I sent made clear is that the user needs to see: (It
is still a work in progress)
  - Who is asking in a form that the user can understand
  - What authority/reason is the request made (I call it the purpose)
  - If necessary details about the data required.
  - etc.
What GDPR requires is
  - who is the legal entity storing the data (this could be redundant.)
  - How the user can contact the entity storing their data.
  - etc.
I have grown tired of explaining this - I told Daniel nearly two years ago
and got comments from him much worse than anything I said here.
Be the change you want to see in the world ..tom
On Tue, Mar 5, 2024 at 2:07 PM Joseph Heenan <joseph at authlete.com> wrote:
> Hi Tom
>
> Can you please explain which parts you disagree with and why you disagree?
>
> As far as I know, people have this working for smartphone to smartphone
> exchanges (certainly desktop <-> smartphone). It uses/will use the same
> technology that is used for cross device passkeys sign in so provides
> better security than the purely QR code based flows.
>
> On your comment: "You guys really don't seem to care about users at all.
> Nor about existing privacy regulations."
>
> I ask that you please withdraw that remark, and replace it with one that
> explains in detail what you think we, the browser vendors and people like
> the EFF etc may have missed. I do not consider it acceptable to make vague
> and baseless statements like that, particularly not when I am giving you
> detailed responses that explain why your assumptions differ from the actual
> situation we see.
>
> Thanks
>
> Joseph
>
>
> On 5 Mar 2024, at 20:53, Tom Jones <thomasclinganjones at gmail.com> wrote:
>
> I disagree with most of what you said. You guys have built something that
> might work on an Internet interchange, but frankly I doubt even that. It
> certainly fails for a smart phone interchange with another smartphone.
>
> You guys really don't seem to care about users at all. Nor about existing
> privacy regulations.
>
> thx ..Tom (mobile)
>
> On Tue, Mar 5, 2024, 10:58 AM Joseph Heenan <joseph at authlete.com> wrote:
>
>> Hi Tom
>>
>>
>> On 5 Mar 2024, at 17:39, Tom Jones via
>> Openid-specs-digital-credentials-protocols <
>> openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
>>
>> I really don't know how we got to the point of using OAuth syntax to
>> create a message that must be displayed and accepted by users.
>>
>>
>> We are not doing that. My expectation is that wallets will be asking the
>> user to consent to the data that is to be shared. There is no need to share
>> with users what was requested, the user only needs to know what will be
>> released to the verifier as far as I can see. This is consistent with how I
>> have seen OpenID Connect work; the user consents to the information that
>> will be sent to the relying party. So for example, an OpenID provider does
>> not tell the user that the relying party requested their address if the
>> OpenID provider does not have the user’s address to share.
>>
>> Equally there is no need for a wallet to tell a user that the verifier
>> requested the user’s name from passport or a mobile driving license or an EU
>> identity card or a Japanese residence card if the wallet only has a
>> passport to share. It is far user friendlier to ask the user if they want
>> to share the name from their passport.
>>
>> The proposed UI from the browser/OS vendors (which is being discussed in
>> https://github.com/WICG/digital-identities?tab=readme-ov-file ) is that
>> the OS will present to the user a choice of credentials that could satisfy
>> the request (possibly with an indication of which wallet the credential is
>> in), and the wallet will then be given control to collect any necessary
>> consent to the data sharing.
>> https://github.com/WICG/digital-identities?tab=readme-ov-file is really
>> the only sensible place to discuss the OS provided credential selector as
>> that is where the OS & Browser providers are participating. If that group
>> has made a mistake in what they are developing the best approach seems to
>> me to be to engage with that group, and only explore alternatives if that
>> engagement fails - but I think first it is important to understand what
>> that group has developed. They even have instructions on how to access the
>> experimental API on Android, which they would love implementers to try and
>> give feedback on.
>>
>> Thanks
>>
>> Joseph
>>
>>
>