Re: Proposed W3C Charter: Federated Identity Working Group (until 2024-09-10/11)

Hi all,

here are my comments on the proposed charter.

Scope 1st and 2nd paragraph: it’s not clear to me whether digital credential issuance is in scope for the WG. The 1st paragraph mentions presentation only while the 2nd paragraph also mentions issuance.

Deliverables / Digital Credentials API: the examples given in the 1st sentence (e.g. W3C Verifiable Credentials …) are examples for credential formats but they are listed after protocols. I also miss IETF credential formats being mentioned. I suggest the following text to correct this and add an example protocol and an IETF credential format.

This specification defines an API that enables user agents to mediate access to and presentation of Digital Credentials in a format-agnostic (e.g., W3C Verifiable Credentials, ISO mDoc, IETF SD-JWT VC etc.) and protocol-agnostic fashion (e.g. OpenID4VP etc.) ...

Success Criteria 7th paragraph: "a Privacy Consideration section - that must contain an analysis of privacy aspects such as Unlinkability, Data Minimization and Tracking" I’m a bit worried about the expectation regarding privacy considerations on the level of the DG API. The majority of privacy implications are tied to credential formats and cryptography and the concrete protocol run through the DG API. Is this differentiation accepted? I’m asking since I assume the DG API’s security recommendations and its actionability will be significantly limited by this factor.

External Organizations

IETF - I suggest to add coordination also on digital credential formats.

Here is my text proposal.

Coordinate with the IETF research groups and working groups, such as OAuth, for protocol components on which authentication and authorization features depend and credential formats.

best regards,
Torsten.

Received on Friday, 30 August 2024 15:41:17 UTC