Prioritization of credential providers

[timcappalli]

2023-11-01 meeting: add some text about precedence for multiple elements of the request array.

https://github.com/WICG/identity-credential/blob/main/digital-credentials-2-proposal.md

[tplooker]

Just adding to this one, a couple of things that were discussed which is probably worth elaborating on

• The providers array or set is expected to be interpreted as a logical XOR. That is, a request to this API which features more then one provider is to be interpreted as "please respond with one response matching one of the provider requests".
• This raises a side question on the above which wasn't discussed, can you have a request with multiple providers of the same protocol? I'd assume so.
• When a relying party (website) makes a multi-party request any prioritisation of the providers downstream in handling the request should be user driven through preferences.

[marcoscaceres]

Very similar issue came up in Payment Request with respect to the ordering of payment instruments. In practice, it's really the user's preference (in as far as they are able to set a preference and that may be outside the control of the browser, specially if the wallet or wallets are provided by the OS or as native apps)... we should be mindful of the language we use though, as it starts to encroach on UI decisions.

[timcappalli]

Thinking about this a bit more, I'm not sure this is something that the web platform API should address. It is ultimately up to the credential selector provided by the app platform to decide the ordering.

For presentation, this selector should be driven by context from the matcher logic based on the request and available credentials.

For issuance, still needs discussion (ex: is there any capability negotiation or is it fire and wait)

[timcappalli]

2024-06-26: this would be addressed by the OID4VP layer, and is being discussed in that WG in the context of the new query language