
The problem is that it is entirely left up to the Verifier to ask for what information it wants. There is no way to determine the scope or "actual purpose" of the current transaction.
Peace ..tom jones
On Wed, Apr 23, 2025 at 11:36 PM Eric Drury <eric@forthco.io> wrote:
I’d like to better understand the risk in the scenario you lay out, Tom.
Is the permission connected to the convenience store, or to the specific transaction?
I.e. just because the convenience store has permission to request information that applies to purchasing liquor or sim cards, wouldn’t that permission only be granted for the specific transaction of purchasing the liquor or sim cards?
From: Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols-bounces@lists.openid.net> on behalf of steffen schwalm via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols@lists.openid.net>
Date: Wednesday, 23 April 2025 at 20:27
To: peace@acm.org <peace@acm.org>, Digital Credentials Protocols List <openid-specs-digital-credentials-protocols@lists.openid.net>
Cc: steffen schwalm <schwalm.steffen@googlemail.com>, pemc kantara <Wg-pemc@kantarainitiative.org>
Subject: Re: [Openid-specs-digital-credentials-protocols] Second WGLC for OID4VP
Fully agree with Tom.
Tom Jones via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols@lists.openid.net> wrote on Wed, 23 Apr 2025, 18:21:
Here is a Dark Pattern of Verifier requests that was actually seen in the California mDL trials run lately.
The Verifier will get permission (or whatever it might be called) to ask for a collection of purposes, for example a convenience store could be selling chewing gum, hard liquor and sim cards for smartphones. This is what the ecosystem allows it to ask for, along with payments. So if I buy a stick of chewing gum and decide to pay with my EUDIW, it is within the approved permissions for this store to ask intrusive questions that apply to purchasing liquor or sim cards, which are very intrusive in some countries.
Peace ..tom jones
On Tue, Apr 22, 2025 at 3:53 PM Joseph Heenan via Openid-specs-digital-credentials-protocols <openid-specs-digital-credentials-protocols@lists.openid.net> wrote:
Dear DCP Working Group Members,
As discussed on today’s (yesterday now for some of you!) working group call (and as per my email), we would like to start getting WG consensus that the current OpenID4VP draft is ready to start the final specification approval process.
Please respond to this email within the next 2 days, by end of Thursday 22nd April, whether you believe the current draft should proceed to the public review or not.
The OpenID4VP document to be reviewed can be found here: https://openid.net/specs/openid-4-verifiable-presentations-1_0-27.html
There is one normative PR that we agreed during the working group meeting to work on during working group last call (just waiting for final reviews please!):
Rename authorization_encrypted_response_enc parameter https://github.com/openid/OpenID4VP/pulls
The above should resolve the point Mike Jones raised during WGLC.
There’s an ongoing attempt to understand Tom Jones’s issue raised during WGLC.
There are also a few non-breaking improvements in PRs that may be merged before public review.
If there are other topics working group members think need to be handled before the specification moves to final, please reply to this email with details.
This is very much just a step on the journey, and it is likely that comments will arrive during the 60 day review period that the working group chooses to fix before the voting period starts.
The details of the specification approval process can be found here: https://openid.net/wg/resources/approving-specifications/.
This email is about the first bullet point on this list "Obtain working group consensus to propose foundation-wide approval of the draft specification", which is often called Working Group Last Call (WGLC).
The following steps are to start a 60-day Foundation-wide review, followed by the 7-day voting period (the poll itself will open 7 days before the Foundation-wide review ends).
Kindest Regards,
Editors & Chairs
-- Openid-specs-digital-credentials-protocols mailing list Openid-specs-digital-credentials-protocols@lists.openid.net
https://lists.openid.net/mailman/listinfo/openid-specs-digital-credentials-p...