digital-credentials
What is the defined trust boundary between the user, wallet, and browser?
I think something that's leading to a common point of disagreement here is how the user is represented by these two points of software. Under the traditional definition of "user agent" a browser is acting on behalf of the user in a way that couples trust. Now, we've seen in recent times that this may not always be the case.
For example, there have been malicious builds of browsers I've seen that are attempting to steal user data (such as credit cards and cryptocurrency seed phrases) under the guise of being a well-known browser, but it's actually a malicious copy. There are other instances where the browser may be gathering data that the user doesn't expect, which is not as direct of an example, but does seem pertinent to the privacy model here. We will likely face similar issues with wallets, even though they too are meant to be representing the user's interests as a "user agent".
So this brings into question how we should establish the internal trust boundaries between the different components that establish the role of the "holder". Here are a few different ways I could see it being represented:
- User trusts wallet and browser equally to act on its interests
- User trusts browser, but not wallet, to act on its interests
- User trusts wallet, but not browser, to act on its interests
- User does not trust browser or wallet to act on its interests

There's also a fifth option that presents some weird edge cases:

- User trusts wallet and browser equally to act on its interests in isolation, but wallet and browser don't trust each other to work together
Given that these scenarios can each lead to different trust boundaries, I think it would be useful to figure out whether we have consensus on this, or whether there are presumed assumptions here that we need to work through first, before resolving some of the other issues like https://github.com/WICG/digital-credentials/issues/161.