OpenID4VCI

Wallet Consent

Open gffletch opened this issue 2 years ago • 1 comments

Should the specification be more explicit about what consent the wallet should collect from the user? During the working group meeting prior to IIW, two wallet consents were discussed.

  1. Does the user trust the issuer (of the credentials)?
  2. Does the user consent to storing the retrieved credentials from the issuance endpoint?

It may be possible to skip the first consent if the wallet and issuer are "first party" to each other.

Are there attacks that can be accomplished against the user if these consents are skipped?

gffletch Oct 09 '23 17:10

In the Italian impl:

  1. The wallet instance must establish trust with the issuer; the user trusts the wallet solution.
  2. Yes, since access to the secure storage must be protected with a local authentication that includes the consent given within the store action.

peppelinux Oct 10 '23 10:10