[Openid-specs-digital-credentials-protocols] Second WGLC for OID4VP
Tom Jones
thomasclinganjones at gmail.com
Thu Apr 24 14:18:47 UTC 2025
The problem is that it is entirely left up to the Verifier to ask for what
information it wants.
There is no way to determine the scope or "actual purpose" of the current
transaction.
Peace ..tom jones
On Wed, Apr 23, 2025 at 11:36 PM Eric Drury <eric at forthco.io> wrote:
> I’d like to better understand the risk in the scenario you lay out Tom.
>
> Is the permission connected to the convenience store, or to the specific
> transaction?
>
> I.e. just because the convenience store has permission to request
> information that applies to purchasing liquor or sim cards, wouldn’t that
> permission only be granted for the specific transaction of purchasing the
> liquor or sim cards?
>
> *From: *Openid-specs-digital-credentials-protocols <
> openid-specs-digital-credentials-protocols-bounces at lists.openid.net> on
> behalf of steffen schwalm via Openid-specs-digital-credentials-protocols <
> openid-specs-digital-credentials-protocols at lists.openid.net>
> *Date: *Wednesday, 23 April 2025 at 20:27
> *To: *peace at acm.org <peace at acm.org>, Digital Credentials Protocols List <
> openid-specs-digital-credentials-protocols at lists.openid.net>
> *Cc: *steffen schwalm <schwalm.steffen at googlemail.com>, pemc kantara <
> Wg-pemc at kantarainitiative.org>
> *Subject: *Re: [Openid-specs-digital-credentials-protocols] Second WGLC
> for OID4VP
>
> Fully agree with Tom.
>
> Tom Jones via Openid-specs-digital-credentials-protocols <
> openid-specs-digital-credentials-protocols at lists.openid.net> wrote on
> Wed, 23 Apr 2025, 18:21:
>
> Here is a Dark Pattern of Verifier requests that was actually seen in the
> California mDL trials run lately.
>
> The Verifier will get permission (or whatever it might be called) to ask
> for a collection of purposes, for example a convenience store could be
> selling chewing gum, hard liquor and sim cards for smartphones. This is
> what the ecosystem allows it to ask for, along with payments. So if I buy a
> stick of chewing gum and decide to pay with my EUDIW, it is within the
> approved permissions for this store to ask intrusive questions that apply
> to purchasing liquor or sim cards, which are very intrusive in some
> countries.
>
> Peace ..tom jones
>
> On Tue, Apr 22, 2025 at 3:53 PM Joseph Heenan via
> Openid-specs-digital-credentials-protocols <
> openid-specs-digital-credentials-protocols at lists.openid.net> wrote:
>
> Dear DCP Working Group Members,
>
> As discussed on today’s (yesterday now for some of you!) working group
> call (and as per my email) we would like to start to get WG consensus that
> the current OpenID4VP draft is ready to start the final specification
> approval process.
>
> Please respond to this email within the next 2 days, by end of Thursday
> 22nd April, whether you believe the current draft should proceed to the
> public review or not.
>
> The OpenID4VP document to be reviewed can be found here:
> https://openid.net/specs/openid-4-verifiable-presentations-1_0-27.html
>
> There is one normative PR that we agreed during the working group meeting
> to work on during working group last call (just waiting for final reviews
> please!):
>
> Rename authorization_encrypted_response_enc parameter
> https://github.com/openid/OpenID4VP/pulls
>
> The above should resolve the point Mike Jones raised during WGLC.
>
> There’s an ongoing attempt to understand Tom Jones’s issue raised during
> WGLC.
>
> There are also a few non-breaking improvements in PRs that may be merged
> before public review.
>
> If there are other topics working group members think need to be handled
> before the specification moves to final please reply to this email with
> details.
>
> This is very much just a step on the journey, and it is likely that
> comments will arrive during the 60 day review period that the working group
> chooses to fix before the voting period starts.
>
> The details of the specification approval process can be found here:
> https://openid.net/wg/resources/approving-specifications/.
>
> This email is about the first bullet point on this list "Obtain working
> group consensus to propose foundation-wide approval of the draft
> specification", which is often called Working Group Last Call (WGLC).
>
> The following steps are to start a 60-day Foundation-wide review, followed
> by the 7 day voting period (the poll itself will open 7 days before the
> Foundation-wide review ends).
>
> Kindest Regards,
>
> Editors & Chairs
>
> --
> Openid-specs-digital-credentials-protocols mailing list
> Openid-specs-digital-credentials-protocols at lists.openid.net
>
> https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols