Privacy Considerations: User permission and transparency

[johannhof]

trafficstars

Related to (but not fully overlapping with) #243, the spec and its Privacy considerations should make recommendations about how a credential exchange should be communicated to users, in particular at time of request. This could potentially leverage both regulatory trust mechanisms such as EUDI access certificates as well as more generic labels. We should also define which properties of a request would be important for users to understand, e.g. the legitimacy of the verifier, the purpose of the request, the data being requested, etc.

Traditionally, Web Platform specs have avoided normatively mandating specific user experiences, even in Privacy / Security areas. There are a variety of different user agents for different user bases and there are no one-size fits all solutions. We should continue honoring this principle and avoiding normative requirements around the user experience.