Add scoping language related to matching and consent. #89
Conversation
msporny
requested review from
marcoscaceres,
samuelgoto,
RByers and
timcappalli
as code owners
| anything about the a holder's [=digital credentials=] or their software | ||
| unless the [=user agent=] has gained explicit user consent. | ||
| </li> | ||
| <li>Ensuring that any non-[=user agent=] software will not learn anything |
There was a problem hiding this comment.
This one is little ambiguous. Maybe @samuelgoto can help us make it more clear?
There was a problem hiding this comment.
I was trying to generalize @leecam's notion of "wallet software". I'm wondering if we should call these things "native apps"? ... but then that leaves out "web apps", which could also hold/provide digital credentials. I think we do mean "any software that is not the user agent", but agree that the language is a bit unwieldy.
There was a problem hiding this comment.
I would avoid the term native as a prefix, based on comments of I seen on inclusive language elsewhere.
Platform specific is probably a better term.
There was a problem hiding this comment.
What about this?
| <li>Ensuring that any non-[=user agent=] software will not learn anything | |
| <li>Ensuring that any platform-specific software will not learn anything |
OR
| <li>Ensuring that any non-[=user agent=] software will not learn anything | |
| <li>Ensuring that any installed application software will not learn anything |
/cc @samuelgoto
There was a problem hiding this comment.
What if it is a PWA or browser extension running in another browser?
There was a problem hiding this comment.
Hmm, what about "software that is not involved in the consent-seeking process"? (though that's an unfortunate mouthful).
What we're trying to say here is that "The request is supposed to start off super secret and is only to be exposed to the holder via the software that they use to signal consent (the browser). After that point, the software that they chose to receive the request, and only that piece of software, is supposed to receive the request."
There was a problem hiding this comment.
This might work —
| <li>Ensuring that any non-[=user agent=] software will not learn anything | |
| <li>Ensuring that any software external to the consent-seeking process will not learn anything |
If that's not sufficient, some broader rephrasing may be called for, perhaps including minting some terms-of-art for "the software that they use to signal consent (the browser)" and/or "the software that they chose to receive the request"
Co-authored-by: Marcos Cáceres <marcos@marcosc.com>
| anything about the a holder's [=digital credentials=] or their software | ||
| unless the [=user agent=] has gained explicit user consent. | ||
| </li> | ||
| <li>Ensuring that any non-[=user agent=] software will not learn anything |
There was a problem hiding this comment.
This might work —
| <li>Ensuring that any non-[=user agent=] software will not learn anything | |
| <li>Ensuring that any software external to the consent-seeking process will not learn anything |
If that's not sufficient, some broader rephrasing may be called for, perhaps including minting some terms-of-art for "the software that they use to signal consent (the browser)" and/or "the software that they chose to receive the request"
Co-authored-by: Ted Thibodeau Jr <tthibodeau@openlinksw.com>
Closes #86 by asserting scoping around matching, consent, and what is learned by a website and 3rd party software.
Preview | Diff