Should the specification be more explicit about what consent the wallet should collect from the user? During the working group meeting prior to IIW, two wallet consents were discussed:
1. Does the user trust the issuer (of the credentials)?
2. Does the user consent to storing the retrieved credentials from the issuance endpoint?
It may be possible to skip the first consent if the wallet and issuer are "first party" to each other.
Are there attacks that can be accomplished against the user if these consents are skipped?