- From: Steven Rowat <steven_rowat@sunshine.net>
- Date: Tue, 26 Aug 2014 16:50:42 -0700
- To: public-credentials@w3.org
On 8/24/14 1:08 PM, Manu Sporny wrote: > Use Case: Given the permission of the participants (payer, payee, buyer, > merchant) of a transaction, the transaction metadata can be used to > discover additional attributes associated with those participants. For > example, given the buyer's authorization, a merchant could query the > identity URL for the buyer contained in a digital receipt and obtain an > up-to-date email address. IMO, it would be best to add "opt-in" before "permission" in the first sentence. If this isn't written into the spec then I believe someone will abuse it and begin harvesting data about unsuspecting users merely on the basis that they haven't opted-out, and explain it as 'assumed permission'. "Discover additional attributes", later in that sentence, is, after all, the Web's current honeypot. I think there needs to be clarity about who the owner of this honeypot is, and 'opt-in' might help nail that down. > Use Case: Use an existing, widely deployed identity provider mechanism > (i.e. OpenID Connect) to integrate with the digital credentials sharing > and payments initiation process. As written, this could be interpreted as using *only* OpenID Connect. Isn't that against the spirit of the open standard and W3C expectations? (Or do I misinterpret all those corporate logos at the OpenID site?) But is this actually what is intended? (And if so, is there a technical reason why OpenID Connect must be used?) --Or is it an option, ie., there will be a socket for it but there could be sockets for other things written as well? If the latter I think the wording needs to change. If the former I think that technical reason needs to be put in, or available by a link, to explain why. Steve Rowat
Received on Tuesday, 26 August 2014 23:51:05 UTC