openid / OpenID4VP


Verifiable Presentation does not meet the minimum requirements for holder informed consent #333

Open TomCJones opened 3 days ago

TomCJones commented 3 days ago

Several governments have legislation requiring that data is not provided without obtaining informed consent from users. This requirement is not met by the VC or the OID4VC. It is proposed that the query be moved either to the front or altogether outside of the OID4VP document. A detail for this proposal is being developed as a report from Kantara. The current draft is contained in this doc: https://docs.google.com/document/d/1n7HobJ6QTsNld5rn1uuIiNw0A__L44ug/edit?usp=sharing&ouid=109794657323597753486&rtpof=true&sd=true

c2bo commented 2 days ago

How exactly is data being provided without informed user consent in OpenID4VP? The Wallet receives an Authorization Request (which might also be signed and linked to a trust ecosystem to identify the RP within that ecosystem and allow a better informed decision by the user), gets user consent for the requested data and only then sends a response. Maybe I am misunderstanding your question, but I don't see a problem?

jogu commented 2 days ago

The EU is one of the jurisdictions where informed consent is required, and their recent letter to OIDF (which identified various gaps between legislation and the OID4VC/HAIP specs) did not identify any gaps in OID4VP in this area.

If you believe there is a gap, please be very specific about where it is and exactly what part is happening without user consent, ideally using specific example OID4VP queries and responses; I agree with Christian's above description of how user consent is obtained.

TomCJones commented 2 days ago

We tried to document the problem - here is part of the text from the EU - The purpose is designed to meet the desires of the verifier, which includes compliance with local privacy requirements. The following wording is taken from the EU GDPR but should satisfy most jurisdictions. The EU website describes when data processing is allowed: “Data Protection under the GDPR” https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_en.htm EU data protection rules mean the data controller (aka verifier) should process data fairly and lawfully, for a “specified and legitimate purpose” and only process “the data necessary to fulfill this purpose”.

We just talked to someone that participated in the California hack-a-thon using VP - the user gets a URL on their phone and must make a trust decision based on that - the phone does get a signature evaluation, but that just says that the sender owned the URL. I have heard that the EU states will replace the CA system used in the CA/B browser TLS support. But experience does not indicate that will be even as good as the CA/B system. And there does not appear to be any redress POC as required.

TomCJones commented 2 days ago

The inclusion problem is separate - perhaps this should be a separate issue? I added this as #335

  1. Comatose, severely impaired or young child (cognitively unable to consent)
  2. Language issues (communication limitations to give informed consent)
  3. Elderly parent that needs assistance (has become dependent; can delegate consent)
  4. Other emergency use cases like natural disasters like the North Carolina hurricane.

TomCJones commented 2 days ago

For those in other parts of the world, the ACM 2018 Code of Ethics and Professional Conduct would always apply: "Only the minimum amount of personal information necessary should be collected in a system. The retention and disposal periods for that information should be clearly defined, enforced, and communicated to data subjects. Personal information gathered for a specific purpose should not be used for other purposes without the person's consent. Merged data collections can compromise privacy features present in the original collections. Therefore, computing professionals should take special care for privacy when merging data collections" https://www.acm.org/code-of-ethics. If the spec is released as is, I intend to report it to the ACM for action under the above statement.

jogu commented 2 days ago

Hi Tom

I am finding this very difficult to follow.

To try and clarify: you agree that user consent is happening; your doubt is as to whether the consent is sufficiently informed?

How does moving text around in the standard or removing text from the standard ("It is proposed that the query be moved either to the front or altogether outside of the OID4VP document") solve any of the above issues?

c2bo commented 8 hours ago

> We tried to document the problem - here is part of the text from the EU - The purpose is designed to meet the desires of the verifier, which includes compliance with local privacy requirements. The following wording is taken from the EU GDPR but should satisfy most jurisdictions. The EU website describes when data processing is allowed: “Data Protection under the GDPR” https://europa.eu/youreurope/business/dealing-with-customers/data-protection/data-protection-gdpr/index_en.htm EU data protection rules mean the data controller (aka verifier) should process data fairly and lawfully, for a “specified and legitimate purpose” and only process “the data necessary to fulfill this purpose”.
>
> We just talked to someone that participated in the California hack-a-thon using VP - the user gets a URL on their phone and must make a trust decision based on that - the phone does get a signature evaluation, but that just says that the sender owned the URL. I have heard that the EU states will replace the CA system used in the CA/B browser TLS support. But experience does not indicate that will be even as good as the CA/B system. And there does not appear to be any redress POC as required.

I would not mix how parts of a spec (basically a profile) were used in a hackathon with what options the spec provides. OpenID4VP supports different schemes for RP authentication which can go way beyond just proving ownership of a URL etc.

OpenID4VP provides a lot of different options and needs to be profiled depending on the requirements of the ecosystem (use-cases) that people are trying to build - the capabilities exist in the protocol, people just need to use them according to their requirements.