Review by Swati Goel

[swatigoel]

Opening questions

• I have read the document for Wallet Building Block v1.0.0-rc
• I have read the Release Notes for Wallet Building Block v1.0.0-rc
• I agree to follow the GovStack Code of Conduct

Are these features and the model conceptually complete?

It summarises the Holder-Issuer-Verifier triangle, outlining the role of each participant. This provides a solid foundation for building the complete stack.

In the triangle diagram, Trust is indicated between the Issuer and the Verifier. We should provide more details on how that trust is established and maintained.

Below are my observations on the content:

• https://govstack.gitbook.io/bb-wallet/2-description - The Wallet Abstraction diagram: VC section where we have displayed multiple standard like W3C, mDL, ICAO ; we should add IETF’s Selective Disclosure JW. We have talked about W3C, mDL and SD JWT in release notes so would be good to present here
• https://govstack.gitbook.io/bb-wallet/2-description#issuer-holder-verifier-model - In issuer-holder-verifier diagram, text next to Verifier should be rephrased. We have mentioned request for proof. Shouldn’t it be request for credentials or claims? Are we referring proof as claims here?
• https://govstack.gitbook.io/bb-wallet/2-description#key-characteristics-of-a-digital-credential-wallet - In Interoperability section, we have mentioned They support multiple standards to ensure compatibility with diverse platforms and services. Should we mention what are those standards? Like OpenId4vCI for Issuance and storing in holder, OpenId4VP for presentation.

Are there any concepts from those listed that you would like to provide feedback on?

Terminology section looks fine.

Below are my observations on the content:

• Should the Terminology section come before the Description? The terms defined in the Terminology section are referenced throughout the Description. For example, "Digital Vault" is mentioned in the Description, but readers may not know what it means. Someone without prior knowledge of this domain might struggle to follow the Description without first understanding the key terms.
• https://govstack.gitbook.io/bb-wallet/3-terminology#credential - This line A credential is a set of one or more claims made by the same entity is not clear. We are saying claim made by same entity. What is that same entity? It will be issuer right? So shouldn’t we have it A credential is a set of one or more claims made by an issuer
• We have used the term digital credentials but haven't defined it. Digital credential is nothing but verifiable credentials so we should have that description under Verifiable Credential terminology.
• https://govstack.gitbook.io/bb-wallet/3-terminology#credential-issuer- The last lines talks about confirm the identity of the subject before issuing credentials. Should we explain who is the subject here? Instead of using subject, can we mention credential holder who is requesting for credential?
• https://govstack.gitbook.io/bb-wallet/3-terminology#repudiation - Last line of this section refers to Verifier involved. But in entire paragraph, verifier is not referred. It looks little disconnected.

Are there any concepts that are important, but not considered, on this list?

We can think of having two separate heading for Credential and Verifiable Credential.
We can first explain Credential terminology
Later explain Verifiable Credential and link it with Credential. Like Verifiable Credential is a Credential which is tamper-resistant and then cryptographically verifiable.

From the functionalities listed, would you like to provide feedback on their completeness?

It's good to see that we have covered the functionalities which are beyond the process. Like once VP is presented verifier, requesting verifier to delete it. Another is compliant submission to supervisor body.

Are there any functionalities related to Digital Credentials Wallet that are not considered here?

• Wallet synchronization - Mobile and Cloud(Web) wallet synchronization to access credential across
• Cryptographic keys recovery

Out of the requirements listed, would you like to provide feedback on the completeness of the description of the requirements, or on the requirement level assigned?

Level mentioned SHOULD, MUST, OPTIONAL, SHALL should be defined with reasoning to get better understanding why any requirement is marked optional or must.

Below are my observations on the content:

• https://govstack.gitbook.io/bb-wallet/5-cross-cutting-requirements#id-5.2.3.-trust-infrastructure - In diagram, text for verifier to Issuer direction need to be corrected. It should be Verifier MUST verify the Issuer after receiving the Presentation

Are there any requirements that are necessary to Digital Credentials Wallet that are not considered here?

No response

Out of the requirements listed, would you like to provide feedback on the completeness of the description of the requirements, or on the requirement level assigned?

No response

Are there any requirements that are necessary to Digital Credentials Wallet that are not considered here?

No response

Out of the data schemas provided, would you like to provide feedback on the completeness and formats of the schema definitions? Please go into as much detail as you can

The specified data structure provides a summary of the content aligned with the defined standards.

Below are my observations on the content:

• https://govstack.gitbook.io/bb-wallet/development-19/7-data-structures#id-7.1.3.-iso-mdoc-mobile-driving-license and https://govstack.gitbook.io/bb-wallet/development-19/7-data-structures#id-7.3.2.-credential-issuer-metadata

At one instance, mDL is referred as ldp_vc. While explaining credential issuer metadata it is referred as mso_mdoc* format. It would be good to be consistent whenever mDL is referred.

Are there any data structures that are necessary to Digital Credentials Wallet that are not considered here?

No response

Out of the API endpoints, available verbs and schemas provided, would you like to provide feedback on the completeness of them? Please go into as much detail as you can

Below are my observations on the content:

• https://govstack.gitbook.io/bb-wallet/8-service-apis#get-authorize
  -- Definition of code_challenge_method is wrong
  -- authorization_details click here link is broken, getting page not found
• Wherever we have defined attribute as enum, there is text as undefined

Are there any data structures that are necessary to Digital Credentials Wallet that are not considered here?

It would be good to add details about revocation, suspension which are achieved through credential status

Out of the available workflows, would you like to provide feedback on the completeness of them? Please go into as much detail as you can

These workflows summarises all the workflows across different specifications OpenId4VCI, OpenId4VP. It's good to have all at one place for adapters to kickstart.

Below are my observations on the content:

• https://govstack.gitbook.io/bb-wallet/8-service-apis#id-9.1.2.-credential-issuance-via.-pre-authorization-code-flow - In Holder-Wallet interaction, holder doesn't share pre-authorization code with Wallet. Wallet receives the pre-authorization code through credential offer. Holder shares the tx_code if present.
• https://govstack.gitbook.io/bb-wallet/8-service-apis#id-9.2.2.-presenting-credentials-cross-device - Sequence diagram shows holder interaction with Wallet first. As it's cross device, so holder will interact the wallet, open the camera to scan QR code. After that wallet interacts with verifier for authorization request

Are there extra workflows that are necessary to Digital Credentials Wallet that are not considered here?

Revocation
Suspension