Scope of Privacy Considerations

[johannhof]

trafficstars

I discussed this with @npdoty - I think there could be a tendency to want to explore the entire credentials space when writing Privacy Considerations, I.e. write a comprehensive guide for all end-to-end participants. In my view we should not do that, and instead focus on giving practical guidance on the areas that the API has direct influence over - e.g. presentation of data shared and data purpose, excessive requests for data, exclusion risks, etc.

Conversely we should not focus on responsibilities of verifiers, holders, issuers that go beyond the influence of the API - e.g. data retention, revocation (again, unless we see a way to actively influence this through API design).

I have a draft for a section introduction that would clarify this. I wanted to file this issue to see if there are particularly strong feelings about this.

cc @martinthomson