re-consider allowing to "dynamically" obtain further data #6
Comments
|
The "dynamic" way of requesting required credentials is flexible, supports the data minimization principle, and will result in an optimized UX. In the "static" approach, the wallet is supposed all credentials that might be required to the issuer in the initial request. I state "might" since the issuer does not know anything about the user when providing the wallet with the list of required credentials, so it must be the set of all credentials potentially required. Let's assume the wallet is supposed to send a couple of credentials to the issuer. If the issuer then authenticates the user in the authentication process (step 3), it determines "well, I know you, you have already been onboarded and verified". And suddenly there is no longer a need for the additional credentials! But the user had to select the credentials. the wallet had to create the presentations (which can be a really time consuming process) and so on. |
|
added text in PR #7 to better describe and clarify both approaches |
If an issuer can dynamically obtain additional data from the user at their discretion, issuer can keep asking for more and more credentials. If the issuer's requirements could be documented in a "manifest" backed up by a trust framework, there is no such threat, and minimizes the complexity of dynamic negotiations.
Suggestion to reconsider allowing to "dynamically" obtain further data.
The text was updated successfully, but these errors were encountered: