<html>
  <head>
    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
  </head>
  <body>
    <p><br>
    </p>
    <div class="moz-cite-prefix">On 12/09/2023 20:53, Joseph Heenan via
      Openid-specs-digital-credentials-protocols wrote:<br>
    </div>
    <blockquote type="cite"
      cite="mid:A4FA4D3E-29A2-40B2-BF39-04F02CC1055C@authlete.com">
      <meta http-equiv="content-type" content="text/html; charset=UTF-8">
      Hi Tom
      <div><br>
      </div>
      <div>Focussing on this particular document, is your concern
        resolved if sentences like this:</div>
      <div><br>
      </div>
      <div>"Identity of Holder: A Verifier can trust that the party
        presenting the claims in a session with the Verifier is
        (controlled by) the subject of the claims."</div>
      <div><br>
      </div>
      <div>(From <a
href="https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model"
          moz-do-not-send="true" class="moz-txt-link-freetext">https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model</a>)</div>
      <div><br>
      </div>
      <div>are replaced with something like this:</div>
      <div><br>
      </div>
      <div>
        <div style="caret-color: rgb(0, 0, 0); color: rgb(0, 0, 0);">"Identity
          of Holder: A Verifier can trust that the party presenting the
          claims in a session with the Verifier is (controlled by) the
          party that the credential was intended to be issued to."</div>
      </div>
    </blockquote>
    <p>I don't think the above is precise enough, since the credential
      could have been passed from the first holder to the second holder
      and then to the verifier. Therefore I propose</p>
    <p>"Identity of Holder: A Verifier can trust that the party
      presenting the claims in a session with the Verifier is the party
      who is authorised to hold the credential (from the Verifier's
      perspective)."</p>
    <p>The text in parentheses is important for at least the following
      reasons</p>
    <p>a) the credential could be a bearer credential<br>
    </p>
    <p>b) the verifier may be willing to completely ignore who the
      issuer intended the credential to be presented by and therefore
      will allow anyone to present it, e.g. because the verifier gains a
      benefit from entering into a session with the holder.</p>
    <p>We have real-life examples of the above in the physical world.<br>
    </p>
    <p>Kind regards</p>
    <p>David<br>
    </p>
    <blockquote type="cite"
      cite="mid:A4FA4D3E-29A2-40B2-BF39-04F02CC1055C@authlete.com">
      <div><br>
      </div>
      <div>?<br>
        <div><br>
        </div>
        <div>Thanks</div>
        <div><br>
        </div>
        <div>Joseph</div>
        <div><br>
          <blockquote type="cite">
            <div>On 12 Sep 2023, at 16:06, Tom Jones via
              Openid-specs-digital-credentials-protocols
              <a class="moz-txt-link-rfc2396E" href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net"><openid-specs-digital-credentials-protocols@lists.openid.net></a>
              wrote:</div>
            <br class="Apple-interchange-newline">
            <div>
              <div dir="ltr">
                <div>
                  <div dir="ltr" class="gmail_signature"
                    data-smartmail="gmail_signature">
                    <div dir="ltr">
                      <div>One major problem with the OAuth model and
                        this contribution is the conflation of the
                        subject and the holder.</div>
                      <div>To be inclusive these two roles may be
                        entirely different entities.</div>
                      <div>It seems to me that this conflation must be
                        excised if OAuth is to be accepted as the
                        digital credential model to be used for
                        government supplied rights and privileges.</div>
                      <div><br>
                      </div>
                      <div>..tom</div>
                    </div>
                  </div>
                </div>
                <br>
              </div>
              <br>
              <div class="gmail_quote">
                <div dir="ltr" class="gmail_attr">On Mon, Sep 11, 2023
                  at 8:14 AM Daniel Fett via
                  Openid-specs-digital-credentials-protocols <<a
href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net"
                    moz-do-not-send="true" class="moz-txt-link-freetext">openid-specs-digital-credentials-protocols@lists.openid.net</a>>
                  wrote:<br>
                </div>
                <blockquote class="gmail_quote" style="margin:0px 0px
                  0px 0.8ex;border-left:1px solid
                  rgb(204,204,204);padding-left:1ex">
                  <div>
                    <p>Hi all,</p>
                    <p>I'd like to contribute the "Security and Trust"
                      document to the DCP WG: <a
                        href="https://github.com/vcstuff/oid4vc-security-and-trust"
                        target="_blank" moz-do-not-send="true"
                        class="moz-txt-link-freetext">https://github.com/vcstuff/oid4vc-security-and-trust</a></p>
                    <p>It has been discussed earlier, but had no
                      official status so far. <br>
                    </p>
                    <p>-Daniel<br>
                    </p>
                  </div>
                  -- <br>
                  Openid-specs-digital-credentials-protocols mailing
                  list<br>
                  <a
href="mailto:Openid-specs-digital-credentials-protocols@lists.openid.net"
                    target="_blank" moz-do-not-send="true"
                    class="moz-txt-link-freetext">Openid-specs-digital-credentials-protocols@lists.openid.net</a><br>
                  <a
href="https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols"
                    rel="noreferrer" target="_blank"
                    moz-do-not-send="true" class="moz-txt-link-freetext">https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols</a><br>
                </blockquote>
              </div>
            </div>
          </blockquote>
        </div>
        <br>
      </div>
      <br>
    </blockquote>
  </body>
</html>