define consent and permission; explain split roles regarding consent

[npdoty]

Responsibility for consent was discussed at the June 16 call.

We should explicitly define what we mean by consent (as there is a very wide range of opinions or expectations about it) and explicitly define browser/user agent permission.

There may be general support for a split role, where the verifier provides all the necessary explanation in context, a permission prompt by the browser confirms that the user is willing to continue to the wallet, and then the wallet confirms with the user release of the information back to the verifier. (Some call the last dialog "consent"; some believe the user is burdened by having to provide "consent" 3 times; some believe that for "consent" to be informed that the in-context explanation is necessary.)

There remain different opinions on what information should be communicated to the wallet for the confirmation; some believe that a privacy policy link is sufficient, some believe that a privacy policy link is known to be unhelpful and uninformative and does not provide the relevant informed context.

[marcoscaceres]

This issue asked the spec to define the distinction between consent and permission, and explain the split roles between user agent and wallet.

The spec now has a dedicated "Permission vs. Consent" section:

"The permission mediated by the user agent is not consent, which has specific legal definitions which can vary among different legal jurisdictions."

The section defines the split: user agents gather permission, wallets handle consent. It lists structured information for both (privacy policy, purpose, use, retention, verifier attestations).

@npdoty, could you confirm within two weeks (by May 14) whether this addresses your concern? If we don't hear back, we'll proceed to close this issue.

[hlflanagan]

I haven't seen further updates, so closing. We can reopen if new information becomes available.