[wbs] response to 'Call for Review: Federated Identity WG Charter - Adding Digital Credentials '

The following answers have been successfully submitted to 'Call for Review:
Federated Identity WG Charter - Adding Digital Credentials ' (Advisory
Committee) for SPRIND GmbH by Torsten Lodderstedt.


The reviewer's organization suggests changes to this Charter, but supports
the proposal whether or not the changes are adopted.

Additional comments about the proposal:
   Scope 1st and 2nd paragraph: it’s not clear to me whether digital
credential issuance is in scope for the WG. The 1st paragraph mentions
presentation only while the 2nd paragraph also mentions issuance. Suggest
clarification. 

Deliverables/ Digital Credentials API: the examples given in the 1st
sentence (e.g. W3C Verifiable Credentials …) are examples for credential
formats but they are listed after protocols. I also miss IETF credential
formats being mentioned. I suggest the following text to correct this and
an example protocol and an IETF credential format:

"This specification defines an API that enables user agents to mediate
access to and presentation of Digital Credentials in a format-agnostic
(e.g., W3C Verifiable Credentials, ISO mDoc, IETF SD-JWT VC etc.) and
protocol-agnostic fashion (e.g. OpenID4VP etc.) ..."

Success Criteria 7th paragraph: "a Privacy Consideration section - that
must contain an analysis of privacy aspects such as Unlinkability, Data
Minimization and Tracking" I’m a bit worried the expedition regarding
privacy considerations on the level of the DG API. The majority of privacy
implications are tied to credential formats and cryptography and the
concrete protocol run through the DG API. Is this differentiation accepted?
I’m asking since I assume the DG API’s security recommendations and its
actionability will be significantly limited by this factor. Suggest
clarification. 

External Organizations

IETF - I suggest to add coordination also on digital credential formats.

Here is my text proposal.

"Coordinate with the IETF research groups and working groups, such as
OAuth, for protocol components on which authentication and authorization
features depend and credential formats."

Participation

This section misses Wallet Providers. 



The reviewer's organization intends to participate in these groups:
   - Federated Identity Working Group

The reviewer's organization:
   - intends to review drafts as they are published and send comments.
   - intends to develop experimental implementations and send experience
reports.
   - intends to develop products based on this work.
   - intends to apply this technology in our operations.


Comments about the deliverables:
   The DG API could be a cornerstone of the EU Digital Identity Wallet
(EUDIW). We would like to use it in the German EUDIW.   



Comments about implementation schedule:
   as soon as possible


Answers to this questionnaire can be set and changed at
https://www.w3.org/2002/09/wbs/33280/fedid-digitalcredentials/ until
2024-09-10.

 Regards,

 The Automatic WBS Mailer

Received on Tuesday, 10 September 2024 07:18:03 UTC