The entire idea of state-issued digital identifiers seems to be falling apart in the EU.
The issue is that some values, like vehicle ID, need to be viewed, or accessed, even when the rest of the user's private data is not.
The point is that data release permissions may be different for different data elements.
The state of Washington has 200 different ways to grant privileges to subjects.
Some states, BC, MD, Indonesia are using the wallet for multiple creds/purposes.
This gets back to purpose, which the EU spec (OID4VP), does not require.
If the purpose is not stated, the user must understand the purpose from the context, which may be very misleading as the state officer might be a traffic cop or wildlife enforcement.
This gets us back to the Collingridge dilemma which describes the challenge of regulating new technologies.
- Early stage: When a technology is new, its future impact is unclear, making regulation difficult.
- Later stage: Once the technology is widely adopted, it becomes harder to control or modify.
The one big flaw I see in ISO 18013-5 is that the wallet is not assumed to be trusted. The EU does require the wallet to be trusted. Perhaps PEMC needs a position on the wallet?
1. should it be trusted? (by issuer, holder, or verifier)
2. should it be considered to be the subject's agent?
My recollection is that ISO assumes the issuer is responsible for the wallet