US: User having attestations whose subject is someone else than the user

[joelposti]

Description

Section 7.7.3 of the ARF has the following two sentences:

This means that the Wallet Instance SHALL verify that the person handling the Wallet Instance and approves the request is the User, i.e., the person to whom the attributes in the attestation apply. If this is not the case, then the person handling the Wallet Instance is legally not allowed to approve to release the attributes.

Additionally:

Note that use cases in which the User and the subject of the attributes are two different persons, such as when somebody has power of attorney or custodianship, are out of scope of this version of this document.

The user is not necessarily the subject of an attestation. For example, there are guardianship use cases where a user has attestations in their wallet whose subject is someone else than the user. Another example: an adult of a family has attestations of the family's children in the adult's wallet. These use cases should come into scope.

User Story

User: Guardian or person in custody of another person
Goal: EUDI Wallet supports guardianship use cases
Reason: User should be allowed to release attributes whose subject is another person. Guardianship use cases should be supported.

Acceptance Criteria

The following scenarios shall be covered.

Scenario 1: User can release attributes whose subject is a person over whom the user has guardianship or custody

1. User is a guardian of person X.
2. Provider issues to the user's wallet an attestation which contains attributes about person X.
3. User can release said attributes to a relying party.