<div dir="auto"><br><span style="color:rgb(240,246,252);font-family:-apple-system,blinkmacsystemfont,'segoe ui','noto sans',helvetica,arial,sans-serif,'apple color emoji','segoe ui emoji';font-size:16px;background-color:rgb(22,27,34)">All parties communicate with each other using a set of protocols, or just "protocol" in the following. In the case of OpenID4VP, the protocols are OpenID for Verifiable Credential Issuance [@!OpenID.VCI] and OpenID for Verifiable Presentations [@!OpenID.VP], with an optional use of SIOP v2 [@!OpenID.SIOPv2].</span><br><div data-smartmail="gmail_signature">thx ..Tom (mobile)</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, Sep 14, 2023, 4:17 AM David Chadwick <<a href="mailto:d.w.chadwick@truetrust.co.uk">d.w.chadwick@truetrust.co.uk</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div>
<p>Hi Tom</p>
<p>If you read my proposed text I think it caters for the use cases
you are suggesting. If it does not, can you say why not, please?<br>
</p>
<p>thanks</p>
<p>David<br>
</p>
<div>On 14/09/2023 05:35, Tom Jones wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">You guys are missing the point - I guess I was not
clear.
<div><br>
</div>
<div>The current CBP-ONE app is used at the border of the US to
schedule sessions to acquire asylum. Similarly, the child
trying to get access to the US may need creds. These children
are the subjects of the credential. They do not hold
smartphones, which are held by (for example) their father as
guardian. In the US 51 million people do not have smart phones
but may need digital creds for one reason or another. I
suspect that in many countries the numbers are even more dire.</div>
<div><br>
</div>
<div>If the wallet cannot handle the case where the subject is
not the holder, then it should not be considered adequate to
hold government creds because of the many eligible people who
cannot be accommodated.</div>
<div><br>
</div>
<div>Somehow this spec (and the rest of the VC specs) needs to
address the problem where the holder and the subject are not
the same person.</div>
<div><br clear="all">
<div>
<div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature">
<div dir="ltr">
<div><span style="background-color:rgb(242,242,242);color:rgba(0,0,0,0.9);font-family:-apple-system,system-ui,system-ui,'Segoe UI',Roboto,'Helvetica Neue','Fira Sans',Ubuntu,Oxygen,'Oxygen Sans',Cantarell,'Droid Sans','Apple Color Emoji','Segoe UI Emoji','Segoe UI Symbol','Lucida Grande',Helvetica,Arial,sans-serif;font-size:14px;white-space:pre-wrap"> </span>..tom</div>
</div>
</div>
</div>
<br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Wed, Sep 13, 2023 at
3:32 AM David Chadwick via
Openid-specs-digital-credentials-protocols <<a href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-digital-credentials-protocols@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p><br>
</p>
<div>On 12/09/2023 20:53, Joseph Heenan via
Openid-specs-digital-credentials-protocols wrote:<br>
</div>
<blockquote type="cite"> Hi Tom
<div><br>
</div>
<div>Focussing on this particular document, is your
concern resolved if sentences like this:</div>
<div><br>
</div>
<div>"Identity of Holder: A Verifier can trust that the
party presenting the claims in a session with the
Verifier is (controlled by) the subject of the claims.”</div>
<div><br>
</div>
<div>(From <a href="https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model" target="_blank" rel="noreferrer">https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model</a>)</div>
<div><br>
</div>
<div>are replaced with something like this:</div>
<div><br>
</div>
<div>
<div style="color:rgb(0,0,0)">"Identity of Holder: A
Verifier can trust that the party presenting the
claims in a session with the Verifier is (controlled
by) the party that the credential was intended to be
issued to."</div>
</div>
</blockquote>
<p>I don't think the above is precise enough, since the
credential could have been passed from the first holder to
the second holder and then to the verifier. Therefore I
propose</p>
<p>"Identity of Holder: A Verifier can trust that the party
presenting the claims in a session with the Verifier is
the party who is authorised to hold the credential (from
the Verifier's perspective).”</p>
<p>The text in parentheses is important for at least the
following reasons</p>
<p>a) the credential could be a bearer credential<br>
</p>
<p>b) the verifier may be willing to completely ignore who
the issuer intended the credential to be presented by and
therefore will allow anyone to present it, e.g. because
the verifier gains a benefit from entering into a session
with the holder.</p>
<p>We have real-life examples of the above in the physical
world.<br>
</p>
<p>Kind regards</p>
<p>David<br>
</p>
<blockquote type="cite">
<div><br>
</div>
<div>?<br>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Joseph</div>
<div><br>
<blockquote type="cite">
<div>On 12 Sep 2023, at 16:06, Tom Jones via
Openid-specs-digital-credentials-protocols <a href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank" rel="noreferrer"><openid-specs-digital-credentials-protocols@lists.openid.net></a>
wrote:</div>
<br>
<div>
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>One major problem with the OAuth
model and this contribution is the
conflation of the subject and the
holder.</div>
<div>To be inclusive these two roles may
be entirely different entities.</div>
<div>It seems to be that this conflation
must be excised if OAuth is to be
accepted as the digital credential
model to be used for government supplied
rights and privileges.</div>
<div><br>
</div>
<div>..tom</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Sep
11, 2023 at 8:14 AM Daniel Fett via
Openid-specs-digital-credentials-protocols
<<a href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank" rel="noreferrer">openid-specs-digital-credentials-protocols@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div>
<p>Hi all,</p>
<p>I'd like to contribute the "Security and
Trust" document to the DCP WG: <a href="https://github.com/vcstuff/oid4vc-security-and-trust" target="_blank" rel="noreferrer">https://github.com/vcstuff/oid4vc-security-and-trust</a></p>
<p>It has been discussed earlier, but had no
official status so far. <br>
</p>
<p>-Daniel<br>
</p>
</div>
-- <br>
Openid-specs-digital-credentials-protocols
mailing list<br>
<a href="mailto:Openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank" rel="noreferrer">Openid-specs-digital-credentials-protocols@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols" rel="noreferrer noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols</a><br>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote></div>