Re: Preliminary Credentials Use Cases

On 8/24/14 1:08 PM, Manu Sporny wrote:

> Use Case: Given the permission of the participants (payer, payee, buyer,
> merchant) of a transaction, the transaction metadata can be used to
> discover additional attributes associated with those participants. For
> example, given the buyer's authorization, a merchant could query the
> identity URL for the buyer contained in a digital receipt and obtain an
> up-to-date email address.

IMO, it would be best to add "opt-in" before "permission" in the first 
sentence. If this isn't written into the spec then I believe someone 
will abuse it and begin harvesting data about unsuspecting users 
merely on the basis that they haven't opted-out, and explain it as 
'assumed permission'.

"Discover additional attributes", later in that sentence, is, after 
all, the Web's current honeypot. I think there needs to be clarity 
about who the owner of this honeypot is, and 'opt-in' might help nail 
that down.


  > Use Case: Use an existing, widely deployed identity provider mechanism
> (i.e. OpenID Connect) to integrate with the digital credentials sharing
> and payments initiation process.

As written, this could be interpreted as using *only* OpenID Connect. 
Isn't that against the spirit of the open standard and W3C 
expectations? (Or do I misinterpret all those corporate logos at the 
OpenID site?) But is this actually what is intended? (And if so, is 
there a technical reason why OpenID Connect must be used?) --Or is it 
an option, ie., there will be a socket for it but there could be 
sockets for other things written as well? If the latter I think the 
wording needs to change. If the former I think that technical reason 
needs to be put in, or available by a link, to explain why.


Steve Rowat

Received on Tuesday, 26 August 2014 23:51:05 UTC