Nick Doty
> Thanks for the feedback! Quick clarifying questions! > > > strong identification/authentication of who's requesting the credential > > Is requiring HTTPS for the requesting site sufficient for strongly...
> > But given the likelihood for abuse, accountability mechanisms (either pre-registration and approval, or an effective regime for reporting and disabling abusive requests) would seem to be necessary. >...
> > Requestors would need to provide the detail of the purpose, because it would be in the context that they are requesting it (surrounding site documentation, etc.). > >...
Definitely a question that PING should discuss, and I've opened a corresponding issue for the w3cping credentials considerations doc. But also good for the identity-credential group to consider in API...
My understanding has been that meaningful selective disclosure depends on unlinkable presentation (at least, unlinkable between presentations of claims to different origins). If selective disclosure of age or country or...
I'm not as confident as you are that, at least in practice, verifier-verifier unlinkability will be trivially achieved. Basic verifier-verifier unlinkability should be considered a pre-requisite for selective disclosure, but...
This is a novel use of privacy and security reviews for Registry updates, so I don't know that we have settled guidance yet. Please bear with us / let's do...
If a specification is not freely and publicly available, I'm skeptical that we could effectively conduct privacy and security reviews. Individual W3C participants could pay the cost to access a...
Would mitigating script injection attacks through CSPs be more challenging for implementer adoption than handling a separate key for signing requests and server-side decryption of credential responses? (As a not-very-advanced...
It does seem like a promising setting for an interaction model where the user indicates their interest by taking action on an element in the page. Especially so because this...