openid / OpenID4VP


query language requirements discussion: purpose of the request? #160

Open Sakurann opened 2 months ago

Sakurann commented 2 months ago

Should a verifier be able to specify a purpose why it is requesting a specific credential? (multiple comments, not sure what is the direction)

bc-pi commented 2 months ago

From @dwaite over at https://github.com/openid/OpenID4VP/issues/144#issuecomment-2070732758: " ... - the purpose string has issues around user presentation (such as the lack of any localization) as well as concerns about abuse (such as providing conflicting messaging to the wallet to socially engineer the user to release sensitive PII).

As such, I would suggest that a query syntax allow for other mechanisms to indicate purpose, such as (for example) an index into issuer-provided purposes, generic localized handles for common purposes, or information gathered during determination of a verifier's authorization to request a credential and any restrictions on scope of usage."

David-Chadwick commented 2 months ago

It's not an essential feature because the user will usually be aware of the transaction they are undertaking with the RP, and will therefore be aware of the likely credentials that are being requested. The only time I can see value in it is if the RP is asking for a credential that is not intuitively needed (from the perspective of the user).

awoie commented 2 months ago

I think free text without localization is not a good direction for defining purpose. Something like this https://kantara.atlassian.net/wiki/spaces/archive/pages/3508305/Appendix+CR+-+V.9.3+-+Example+Purpose+Categories might be more appropriate, to second what @bc-pi said above.

jogu commented 2 months ago

Just to clarify: this issue is about whether the query language should support this feature at all (and to clarify what the feature is), not about whether it is mandatory to implement or optional.

So for example in that context I read David Chadwick's comment above as being supportive of the query language having this feature, and he may wish to clarify if that was not the intention :)

David-Chadwick commented 2 months ago

To clarify, given that it is not an essential feature, I do not mind it being removed in the interests of simplification. In my opinion this feature is bells and whistles rather than definitely needed.

selfissued commented 2 months ago

The purpose of the request seems fairly orthogonal to the rest of the query. If present, I would assert that it shouldn't affect the query result, and like intent-to-retain, it is at best ecosystem-specific. We should start without this.

That said, I do support the query language being extensible, using the standard "must ignore if not understood" treatment of parameters by recipients. This purpose could be expressed via such an extension parameter, when desired, as could intent-to-retain.

Sakurann commented 1 month ago

WG: need clearer requirements (informed consent etc.) to decide if this is a requirement (to decide if obstacles like multilingual/free string need to be solved at all or not)