Wallet Consent

[gffletch]

Should the specification be more explicit about what consent the wallet should collect from the user. During the working group meeting prior to IIW, two wallet consents were discussed.

1. Does the user trust the issuer (of the credentials)
2. Does the user consent to storing the retrieved credentials from the issuance endpoint?

It may be possible to skip the first consent if the wallet and issuer are "first party" to each other.

Are there attacks that can be accomplished against the user if these consents are skipped?

[peppelinux]

in the italian impl:

1. the wallet instance must establish the trust with the issuer, the user trusts the wallet solution
2. yes, since the access to the secure storage must be protected with a local authentication that include the consent given within the store action