<!DOCTYPE html>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body>
<p>This example indicates to me that we have the design wrong. The
typical IETF design is that a minimum-to-support subset is
mandated for all implementations, so that interop is guaranteed.
Then additional nice-to-haves can be optionally built on top of
this. And as time progresses, the mandatory subset evolves. What
is wrong with this very successful model?</p>
<p>Kind regards</p>
<p>David<br>
</p>
<div class="moz-cite-prefix">On 25/10/2023 23:40, Giuseppe De Marco
via Openid-specs-digital-credentials-protocols wrote:<br>
</div>
<blockquote type="cite"
cite="mid:CAP_qYymeqCY=BH6VigAnLJmkuTnJp2M-K9F8GjkNMqsV79bmjA@mail.gmail.com">
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<div dir="auto">This is an example wallet instance with
wallet-protocol-specific capabilities in it
<div dir="auto"><br>
</div>
<div dir="auto">The sub value is a thumbprint of the
cnf.jwk, or it may be equal to iss</div>
<div dir="auto"><br>
</div>
<div dir="auto">There's nothing to be configured by users</div>
<div dir="auto"><br>
</div>
<div dir="auto">I'm not fond of my ideas; I develop solutions
and I see the potential and convenience of certain choices.
Let's do it together<br>
<div dir="auto"><br>
</div>
<pre>
{
  "alg": "ES256",
  "kid": "5t5YYpBhN-EgIEEI5iUzr6r0MR02LnVQ0OmekmNKcjY",
  "trust_chain": [
    "eyJhbGciOiJFUz...6S0A",
    "eyJhbGciOiJFUz...jJLA",
    "eyJhbGciOiJFUz...H9gw"
  ],
  "typ": "wallet-attestation+jwt"
}
.
{
  "iss": "https://wallet-provider.example.org",
  "sub": "vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
  "attested_security_context": "https://wallet-provider.example.org/LoA/basic",
  "cnf": {
    "jwk": {
      "crv": "P-256",
      "kty": "EC",
      "x": "4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44",
      "y": "LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg",
      "kid": "vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c"
    }
  },
  "authorization_endpoint": "eudiw:",
  "response_types_supported": [
    "vp_token"
  ],
  "response_modes_supported": [
    "form_post.jwt"
  ],
  "vp_formats_supported": {
    "jwt_vp_json": {
      "alg_values_supported": ["ES256"]
    },
    "jwt_vc_json": {
      "alg_values_supported": ["ES256"]
    }
  },
  "request_object_signing_alg_values_supported": [
    "ES256"
  ],
  "presentation_definition_uri_supported": false,
  "iat": 1687281195,
  "exp": 1687288395
}
</pre>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, 24 Oct 2023, 23:31 Tom
Jones <<a href="mailto:thomasclinganjones@gmail.com"
moz-do-not-send="true" class="moz-txt-link-freetext">thomasclinganjones@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div dir="ltr" class="gmail_signature"
data-smartmail="gmail_signature">
<div dir="ltr">
<div>I very much doubt that the wallet configurations will not be settable by the user.</div>
<div>I very much doubt that a secure wallet attestation can be made without an instance id.</div>
<div>I very much doubt that the collection of creds in a wallet will not identify the user to a high level of assurance.</div>
<div>As I said, you are free to build to these specifications.</div>
<div>I very much doubt that they would be acceptable to users.</div>
<div><br>
</div>
<div> ..tom</div>
</div>
</div>
</div>
<br>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Oct 24, 2023 at
2:25 PM Giuseppe De Marco <<a
href="mailto:demarcog83@gmail.com" target="_blank"
rel="noreferrer" moz-do-not-send="true"
class="moz-txt-link-freetext">demarcog83@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">Wallet capabilities are not configured by
the user; they show information about the wallet solution,
with some delta where the device needs it (rare cases,
hopefully never)
<div dir="auto"><br>
</div>
<div dir="auto">Wallet instance attestations are
ephemeral</div>
<div dir="auto"><br>
</div>
<div dir="auto">Subject is opaque or meaningless;
cnf.jwk is ephemeral, iat and exp too</div>
<div dir="auto"><br>
</div>
<div dir="auto">Me, a rogue RP, how may I track a user by
the WIA it presents?</div>
<div dir="auto"><br>
</div>
<div dir="auto">The HKB in the digital credential must
be different from the key used for the WIA HKB: different
keys for different purposes</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, 24 Oct 2023,
23:18 Tom Jones <<a
href="mailto:thomasclinganjones@gmail.com"
target="_blank" rel="noreferrer"
moz-do-not-send="true" class="moz-txt-link-freetext">thomasclinganjones@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">You are conflating user information
with user tracking. It has been shown that tracking
a user device is all that is needed to track the
user. You can listen now before you commit to these
formats, or you can build the solutions and then
have them rejected. Your call.
<div dir="auto"><br>
<div dir="auto">thx ..Tom (mobile)</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, Oct 24,
2023, 2:07 PM Giuseppe De Marco <<a
href="mailto:demarcog83@gmail.com"
rel="noreferrer noreferrer" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">demarcog83@gmail.com</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">Hey Tom
<div dir="auto"><br>
</div>
<div dir="auto">An ordinary web browser
discloses more information than we may ever
imagine</div>
<div dir="auto"><br>
</div>
<div dir="auto">From my perspective an RP may
know the wallet capabilities and should know
the wallet reliability. The first helps
interoperability when the wallet ecosystem
grows, with future technologies and
approaches.</div>
<div dir="auto"><br>
</div>
<div dir="auto">This information doesn't bring
information about the user. </div>
<div dir="auto"><br>
</div>
<div dir="auto">I think that attributes like
key_type and user_authentication should not be
exposed, while an AAL value, properly defined
in a security assurance profile, is the way to
go for good privacy</div>
<div dir="auto"><br>
</div>
<div dir="auto"><br>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue, 24 Oct
2023, 22:49 Tom Jones via
Openid-specs-digital-credentials-protocols
<<a
href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net"
rel="noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">openid-specs-digital-credentials-protocols@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div dir="auto">I am completely opposed to the
very idea that the verifier can ask for any
data about the configuration of an app
installed by the user. It is an extremely
useful means to track the user.
<div dir="auto"><br>
</div>
<div dir="auto">The verifier should be
limited to expressing a purpose and
authority. No requests for anything that
the user cannot understand!!<br>
<br>
<div dir="auto">thx ..Tom (mobile)</div>
</div>
</div>
<br>
<div class="gmail_quote">
<div dir="ltr" class="gmail_attr">On Tue,
Oct 24, 2023, 1:30 PM Kristina Yasuda via
Openid-specs-digital-credentials-protocols
<<a
href="mailto:openid-specs-digital-credentials-protocols@lists.openid.net"
rel="noreferrer noreferrer noreferrer noreferrer" target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">openid-specs-digital-credentials-protocols@lists.openid.net</a>>
wrote:<br>
</div>
<blockquote class="gmail_quote"
style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<div lang="EN-US">
<div>
<p class="MsoNormal">Hi SIOP/DCP WG!</p>
<p class="MsoNormal">Setting up a
special topic call this week to
discuss this PR:
<a
href="https://github.com/openid/OpenID4VP/pull/52"
rel="noreferrer noreferrer noreferrer noreferrer noreferrer"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://github.com/openid/OpenID4VP/pull/52</a>.</p>
<p class="MsoNormal">Sorry it is a
little last minute – we have been
coordinating with those who
reviewed/requested changes to the PR
(DavidC, Giuseppe, DanielF, Gabe and
Torsten).</p>
<p class="MsoNormal">No pressure to
join, we will report back in the
main WG call.</p>
<p class="MsoNormal">Thank you!</p>
<p class="MsoNormal">Kristina</p>
<p class="MsoNormal"> </p>
<p class="MsoNormal">---</p>
<p class="MsoNormal"
style="margin-bottom:12pt"><span>Kristina
Yasuda (OIDF) is inviting you to a
scheduled Zoom meeting.<br>
<br>
Join Zoom Meeting<br>
<a
href="https://zoom.us/j/98883940545?pwd=KzlmYVdCanFmNEY3SExNOEI0Vng1UT09&from=addon"
rel="noreferrer noreferrer noreferrer noreferrer noreferrer"
target="_blank"
moz-do-not-send="true">https://zoom.us/j/98883940545?pwd=KzlmYVdCanFmNEY3SExNOEI0Vng1UT09&from=addon</a><br>
<br>
Meeting ID: 988 8394 0545<br>
Passcode: 114060<br>
<br>
---<br>
<br>
One tap mobile<br>
+12532158782,,98883940545# US
(Tacoma)<br>
+12532050468,,98883940545# US<br>
<br>
---<br>
<br>
Dial by your location<br>
• +1 253 215 8782 US (Tacoma)<br>
• +1 253 205 0468 US<br>
• +1 719 359 4580 US<br>
• +1 346 248 7799 US (Houston)<br>
• +1 669 444 9171 US<br>
• +1 669 900 9128 US (San Jose)<br>
• +1 507 473 4847 US<br>
• +1 564 217 2000 US<br>
• +1 646 558 8656 US (New York)<br>
• +1 646 931 3860 US<br>
• +1 689 278 1000 US<br>
• +1 301 715 8592 US (Washington
DC)<br>
• +1 305 224 1968 US<br>
• +1 309 205 3325 US<br>
• +1 312 626 6799 US (Chicago)<br>
• +1 360 209 5623 US<br>
• +1 386 347 5053 US<br>
<br>
Meeting ID: 988 8394 0545<br>
<br>
Find your local number: <a
href="https://zoom.us/u/acC5SB3rp"
rel="noreferrer noreferrer noreferrer noreferrer noreferrer"
target="_blank"
moz-do-not-send="true"
class="moz-txt-link-freetext">https://zoom.us/u/acC5SB3rp</a></span></p>
</div>
</div>
-- <br>
Openid-specs-digital-credentials-protocols
mailing list<br>
<a
href="mailto:Openid-specs-digital-credentials-protocols@lists.openid.net"
rel="noreferrer noreferrer noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">Openid-specs-digital-credentials-protocols@lists.openid.net</a><br>
<a
href="https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols"
rel="noreferrer noreferrer noreferrer noreferrer noreferrer noreferrer"
target="_blank" moz-do-not-send="true"
class="moz-txt-link-freetext">https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-protocols</a><br>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
</blockquote>
</div>
<br>
</blockquote>
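<p>Added example, not code from the thread or from any of the participants: a verifier-side check of a wallet instance attestation payload as Giuseppe describes it in the quoted messages above, where sub is the RFC 7638 thumbprint of cnf.jwk (or equals iss), iat and exp bound an ephemeral attestation, and the credential's holder-binding key must differ from the WIA key. The EC public key is the one from the posted example; the sub value is computed by the block rather than copied from the thread, the second "credential" key is constructed for the comparison only (it is not a real curve point), and the maximum-lifetime policy parameter is an assumption, not something the thread specifies.</p>

```python
import base64
import hashlib
import json

# Public key taken from the cnf.jwk of the wallet attestation posted in the thread.
WIA_CNF_JWK = {
    "crv": "P-256",
    "kty": "EC",
    "x": "4HNptI-xr2pjyRJKGMnz4WmdnQD_uJSq4R95Nj98b44",
    "y": "LIZnSB39vFJhYgS3k7jXE4r3-CoGFQwZtPBIRqpNlrg",
    "kid": "vbeXJksM45xphtANnCiG6mCyuU4jfGNzopGuKvogg9c",
}

# Constructed stand-in for a credential's holder-binding key. Only its thumbprint
# is compared below, so it does not need to be a valid curve point.
CREDENTIAL_HKB_JWK = {
    "crv": "P-256",
    "kty": "EC",
    "x": "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA",
    "y": "BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB",
}

# RFC 7638 section 3.2 (and RFC 8037 for OKP): the members hashed per key type.
THUMBPRINT_MEMBERS = {
    "EC": ("crv", "kty", "x", "y"),
    "RSA": ("e", "kty", "n"),
    "OKP": ("crv", "kty", "x"),
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def thumbprint_input(jwk: dict) -> str:
    """Canonical JSON for RFC 7638: required members only, lexicographic order, no whitespace."""
    members = THUMBPRINT_MEMBERS[jwk["kty"]]
    return json.dumps({m: jwk[m] for m in members}, sort_keys=True, separators=(",", ":"))


def jwk_thumbprint(jwk: dict) -> str:
    """base64url(SHA-256(canonical JSON)); kid, alg and other extras are ignored by design."""
    return b64url(hashlib.sha256(thumbprint_input(jwk).encode("utf-8")).digest())


def sample_wia_payload() -> dict:
    """Payload modelled on the thread's example; sub is computed here, not copied from it."""
    return {
        "iss": "https://wallet-provider.example.org",
        "sub": jwk_thumbprint(WIA_CNF_JWK),
        "attested_security_context": "https://wallet-provider.example.org/LoA/basic",
        "cnf": {"jwk": WIA_CNF_JWK},
        "iat": 1687281195,
        "exp": 1687288395,
    }


def check_wia_payload(payload: dict, now: int, max_lifetime: int = 24 * 3600) -> list:
    """Return a list of problems; an empty list means the payload passes.

    Signature and trust_chain verification happen before this and are out of scope here.
    max_lifetime is an assumed verifier policy for "ephemeral", not a value from the thread.
    """
    problems = []
    jwk = payload.get("cnf", {}).get("jwk")
    if not isinstance(jwk, dict) or jwk.get("kty") not in THUMBPRINT_MEMBERS:
        return ["cnf.jwk missing or of unsupported key type"]
    if "d" in jwk:
        problems.append("cnf.jwk carries a private key parameter")
    sub = payload.get("sub")
    if sub != jwk_thumbprint(jwk) and sub != payload.get("iss"):
        problems.append("sub is neither the RFC 7638 thumbprint of cnf.jwk nor equal to iss")
    iat, exp = payload.get("iat"), payload.get("exp")
    if not (isinstance(iat, int) and isinstance(exp, int)):
        problems.append("iat and exp must be integer timestamps")
    else:
        if not iat <= now < exp:
            problems.append("attestation not valid at this time")
        if exp - iat > max_lifetime:
            problems.append("attestation lifetime exceeds policy for an ephemeral attestation")
    return problems


def keys_are_distinct(wia_jwk: dict, credential_hkb_jwk: dict) -> bool:
    """Different keys for different purposes: compare by thumbprint so kid/alg noise cannot fool it."""
    return jwk_thumbprint(wia_jwk) != jwk_thumbprint(credential_hkb_jwk)


if __name__ == "__main__":
    payload = sample_wia_payload()
    print("sub:", payload["sub"])
    print("problems:", check_wia_payload(payload, now=1687281200))
    print("WIA key distinct from credential HKB key:", keys_are_distinct(WIA_CNF_JWK, CREDENTIAL_HKB_JWK))
```

Comparing keys by thumbprint rather than by kid matters because kid is a free-form label that an issuer or wallet can set to anything; the thumbprint covers only the key material, so two JWKs with different kid values but the same coordinates are correctly treated as the same key.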
</body>
</html>