It seems that a wallet is any mobile app that is not a browser but has access to some level of security. It appears that it securely stores creds as well.
Term "Wallet" is used without being defined
Both the OIDC4VP and OIDC4VCI specifications use the term “Wallet” without defining the abstraction or saying how it relates to other abstractions used in the specifications. I understand that the term is in common usage in some communities but if we use it in our specifications, we owe it to implementers to say what it is (and possibly what it is not), so that whatever it refers to is clearly defined and actionable by implementers and End-Users.
(Note that we chose to avoid the term entirely in the SIOPv2 spec exactly because the term “Wallet” appears to mean many different things to different people.)
I’m OK with us fixing this after the Implementer’s Draft is approved, but we should work on the fix in the meantime and be ready to update the specs at that point.
Comments (11)
-
-
- changed status to open
Discussed in 2022-01-06 SIOP call
-
If we are to define a term wallet, I think we may want to avoid defining the specific form of implementing a wallet (native app, PWA, local, in the cloud, etc.) and instead describe the functionality - storing, and presenting user claims, etc.
-
In the VC/VP specification the term wallet is not used. The term is Holder. Perhaps OIDC4VP should use this term instead of wallet.
-
David might be right as defining wallet requires a description of how it operates internally. That sort of definition is not a black-box or external protocol definition, but rather an internal description of how the wallet handles the credentials, including the private key. OIDF has traditionally avoided talking about that, although I will point out that FAPI has moved more into that space. There is a DIF wg on wallet, but they seem to be floundering.
-
A holder is not necessarily a wallet. Usually, the former refers to an entity, which may or may not be the subject of a set of claims, while a wallet refers to the storage solution of sets of claims.
"OIDF has traditionally avoided talking about that"
I agree. Even the term OpenID Provider is vague enough to refer to either an entity like Google or a piece of software implementing the specs.
I am in favor of using holder, as it continues that trend.
-
-
assigned issue to
Mike to do a PR (2022-01-10 Connect call)
-
assigned issue to
-
Definition below has been introduced to the Issuance spec per Whitepaper conversation. Could we agree to use the same definition in SIOPv2 and OpenID4VP specs?
Wallet
Entity that receives, stores, presents, and manages Credentials and key material of the End-User. There is no single deployment model of a Wallet: Credentials and keys can both be stored/managed locally by the end-user, or by using a remote self-hosted service, or a remote third party service. In the context of this specification, the Wallet acts as an OAuth 2.0 Client (see [@!RFC6749]) towards the Credential Issuer.
-
-
- changed milestone to Implementer's Draft
-
assigned issue to
-
- changed status to resolved