Nick Doty

I did re-read the OpenID4VP Editor's Draft and RFC 7591 again before opening this issue to confirm that while it might be possible to use those to communicate some of...

It sounds like one option is for us to punt this question to the protocol and then for the protocol to punt this question to some vague set of trust...

@marcoscaceres this is _not_ usually what web or native apps do for permission requests. Usually, sites provide no context and inundate users with permission requests and hope they just shrug...

Boolean testing is often preferred to providing a set for privacy reasons. Also a privacy risk though if the test/set reveals any configuration-specific information (whether you have installed a particular...

Is this intended to use the pre-authorized code flow? Has the user already authenticated with the issuer via their website and provided all the info necessary to determine that they...

Part of the reasoning is that this is unlike normative references generally because registry inclusion requires privacy and security review of the registered protocols. We cannot meaningfully conduct privacy and...

Is this intended to only reveal information on what the browser version supports passing through and specifically not to reveal any details of what wallets are available, what the user...

Browsers could modify the response based on some knowledge of wallet availability or configuration. I think we should just specify that the UA shouldn't use that kind of knowledge for...

As in, a browser vendor trying to implement this section could try to use their knowledge of system/app/wallet/user-configuration properties to modify the return value, and I think this API should...

I can try to propose something (tomorrow, likely) that would set some SHOULD NOT/MUST NOT conditions to try to capture what I think is the agreement.