Define DC API behavior in Private Browsing Mode

[mohamedamir]

During the TAG review of the Digital Credentials (DC) API, it was noted that the current specification does not explicitly address the behavior of the API when the User Agent (UA) is in "Private" or "Incognito" browsing mode.

The exact feedback is

"The document does not address the behaviour of the proposed solution in private browsing mode.As per web platforms design principles (section 2.9), the UA should not exhibit different behaviour in this mode. However, there are specific use cases, such as proof of age, where certain disclosures are mandated by regulations even when the user is browsing in private mode. This could inadvertently reveal unnecessary information to entities other than the UA (e.g., the wallet, website, or verifier) about whether the user is browsing in private or normal mode."

We need to discuss and document the behavior for the DC API in private browsing mode.

[marcoscaceres]

The API works exactly the same in both regular and private browsing mode (same as Web Authn, Payment Request, etc.).

The API never reveals anything without user interaction and presenting the credential chooser.

I'm really not sure about what we would say here apart from "It works exactly the same in regular and private browsing mode."

[mohamedamir]

We should probably acknowledge that risk of revealing unnecessary information (e.g. if the request isn't ZKP)