tlodderstedt
commented
7 months ago @tplooker thanks for filing this issue. My biggest concern is that implementers of a credential exchange protocol need to wait for browser vendors to adjust their software before they can rollout extensions/modifications to the credential exchange protocol. That's not just a technical and timing but essentially also a governance question.
We need to find the right balance between robustness and flexibility for implementers.
RByers
hlflanagan
For those unfamiliar with this principle, it boils down to
With regard to this API I would suggest the user agent / browser apply this philosophy when considering whether to, or how to perform request validation, to the extent it makes sense.
For example it may make sense for the browser to validate parts of a request to ensure it is well formed syntax wise, which might have certain developer ergonomic benefits and or security benefits, I do think this needs to be carefully analysed though and not just assumed the whole request must be strictly validated. Furthermore, I think it would be a mistake and would severely limit future extensibility if the user agent were to strictly validate the request, that is, in the event the browser receives a request which contains elements it doesn't understand, it shouldn't error, fail to forward the request to a wallet or only forward the request to the wallet with known request elements.