<html><head><meta http-equiv="content-type" content="text/html; charset=utf-8"></head><body style="overflow-wrap: break-word; -webkit-nbsp-mode: space; line-break: after-white-space;">Hi Tom<div><br></div><div>Can you point to one exact place in <a href="https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md">https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md</a> that prevents the situation you mention please?</div><div><br></div><div>Thanks</div><div><br></div><div>Joseph</div><div><br><div><br><blockquote type="cite"><div>On 14 Sep 2023, at 05:35, Tom Jones via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols@lists.openid.net> wrote:</div><br class="Apple-interchange-newline"><div><div dir="ltr">you guys are missing the point - i guess i was not clear.<div><br></div><div>The current CBP-ONE app is used at the border of the US to schedule sessions to acquire asylum. Similarly the child trying to get access to the US may need creds. These children are the subjects of credential. They do not hold smartphones which are held by (for example) their father as guardian. In the US 51 million people do not have smart phones but may need digital creds for one reason or another. 
I suspect that in many countries the numbers are even more dire.</div><div><br></div><div>If the wallet cannot handle the case where the subject is not the holder, then it should not be considered adequate to hold government creds because of the many eligible people who cannot be accommodated.</div><div><br></div><div>Somehow this spec (and the rest of the VC specs) needs to address the problem where the holder and the subject are not the same person.</div><div><br clear="all"><div><div dir="ltr" class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div>..tom</div></div></div></div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Wed, Sep 13, 2023 at 3:32 AM David Chadwick via Openid-specs-digital-credentials-protocols <<a href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net">openid-specs-digital-credentials-protocols@lists.openid.net</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><p><br>
</p>
<div>On 12/09/2023 20:53, Joseph Heenan via
Openid-specs-digital-credentials-protocols wrote:<br>
</div>
<blockquote type="cite">
Hi Tom
<div><br>
</div>
<div>Focussing on this particular document, is your concern
resolved if sentences like this:</div>
<div><br>
</div>
<div>"Identity of Holder: A Verifier can trust that the party
presenting the claims in a session with the Verifier is
(controlled by) the subject of the claims."</div>
<div><br>
</div>
<div>(From <a href="https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model" target="_blank">https://github.com/vcstuff/oid4vc-security-and-trust/blob/main/draft-oid4vc-security-and-trust.md#trust-in-the-issuer-holder-verifier-model</a>)</div>
<div><br>
</div>
<div>are replaced with something like this:</div>
<div><br>
</div>
<div>
<div style="">"Identity
of Holder: A Verifier can trust that the party presenting the
claims in a session with the Verifier is (controlled by) the
party that the credential was intended to be issued to."</div>
</div>
</blockquote><p>I don't think the above is precise enough, since the credential
could have been passed from the first holder to the second holder
and then to the verifier. Therefore I propose</p><p>"Identity of Holder: A Verifier can trust that the party
presenting the claims in a session with the Verifier is the party
who is authorised to hold the credential (from the Verifier's
perspective)."</p><p>The text in parentheses is important for at least the following
reasons</p><p>a) the credential could be a bearer credential<br>
</p><p>b) the verifier may be willing to completely ignore who the
issuer intended the credential to be presented by and therefore
will allow anyone to present it, e.g. because the verifier gains a
benefit from entering into a session with the holder.</p><p>We have real-life examples of the above in the physical world.<br>
</p><p>Kind regards</p><p>David<br>
</p>
<blockquote type="cite">
<div><br>
</div>
<div>?<br>
<div><br>
</div>
<div>Thanks</div>
<div><br>
</div>
<div>Joseph</div>
<div><br>
<blockquote type="cite">
<div>On 12 Sep 2023, at 16:06, Tom Jones via
Openid-specs-digital-credentials-protocols
<a href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank"><openid-specs-digital-credentials-protocols@lists.openid.net></a>
wrote:</div>
<br>
<div>
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature">
<div dir="ltr">
<div>One major problem with the OAuth model and
this contribution is the conflation of the
subject and the holder.</div>
<div>To be inclusive these two roles may be
entirely different entities.</div>
<div>It seems to me that this conflation must be
excised if OAuth is to be accepted as the
digital credential model to be used for
government supplied rights and privileges.</div>
<div><br>
</div>
<div>..tom</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Mon, Sep 11, 2023
at 8:14 AM Daniel Fett via
Openid-specs-digital-credentials-protocols <<a href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank">openid-specs-digital-credentials-protocols@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div><p>Hi all,</p><p>I'd like to contribute the "Security and Trust"
document to the DCP WG: <a href="https://github.com/vcstuff/oid4vc-security-and-trust" target="_blank">https://github.com/vcstuff/oid4vc-security-and-trust</a></p><p>It has been discussed earlier, but had no
official status so far. <br>
</p><p>-Daniel<br>
</p>
</div>
-- <br>
Openid-specs-digital-credentials-protocols mailing
list<br>
<a href="mailto:Openid-specs-digital-credentials-protocols@lists.openid.net" target="_blank">Openid-specs-digital-credentials-protocols@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols" rel="noreferrer" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols</a><br>
</blockquote>
</div>
</div>
</blockquote>
</div>
<br>
</div>
<br>
</blockquote>
</div>
</blockquote></div>
</div></blockquote></div><br></div></body></html>