Should we normatively define elements of a permission prompt?

[johannhof]

This isn't commonly done, but given some of the considerations forthcoming as part of #244 and #247 I'm wondering if it makes sense to normatively define parts of the permission experience that MUST be present before permission to share information can be considered granted, e.g.

• The origin of the verifier that requests the credential
• The information that is being requested
• Which wallet(s) can be used to fulfill the credential request
• Which credential would be used to share the requested information

If in practice user agents do this anyway it seems beneficial to make normative, although again it would be a little unconventional to venture so far into user agent UX on a spec level.

Any thoughts?

[marcoscaceres]

We should look at what’s in Geolocation for some inspiration?

[hlflanagan]

Discussed as part of issue triage on 13 May 2026 call.

Establishing guidance for optional elements as opposed to normative text made more sense to the group on this call. Note that only the two pieces of information are possible in the DC API (The origin of the verifier that requests the credential and The information that is being requested).

@johannhof do you have any text to suggest?

[johannhof]

I don't have concrete text suggestions, see original comment for suggestions on what could be part of it. Maybe @mohamedamir wants to look at this? I'm happy to review a PR :)