1 of 15

Identity Credential: Background and status for OWF

Rick Byers - Google Chrome Web Platform Area Tech Lead

rbyers@chromium.org

Nov 13, 2023

2 of 15

CAVEATS

  • I’m not a credentials expert
    • I work on browser APIs & standards, trying to learn this space rapidly
  • I can only speak for Chrome and Android
    • Collaborating with other browser vendors including Apple, Microsoft and Mozilla, but we don’t yet have consensus on which goals are shared vs. independent
  • Details subject to change
    • Chrome and Android are just getting into this space and we’re learning a lot. This is a snapshot of our current thinking which may change as we learn more.

3 of 15

Chrome and Android share the OWF vision

  • "Trusted digital future" based on:
    • Interoperability
    • Open solutions: open source and open standards
    • User choice
    • Privacy
    • Security
  • Note: Chromium and AOSP are the open source projects behind Chrome and Android

4 of 15

Concerns from the web standards community

  • Privacy
    • Which actors are trusted in what ways? Will issuers and verifiers collude to track?
    • Un-forgeability, potentially difficult to reset
    • Bugs leading to unintended disclosure or credential fraud
    • Coercion to over-share
  • Discrimination (long-term)
    • Risk of exclusion
  • Free expression (long-term)
    • Potential chilling effects on free speech (e.g. if all social media requires RWI)
  • Potential for gatekeeping / centralizing forces

5 of 15

  • UX concerns
    • What is the user experience when the wallet has completed?
    • What is the user experience when multiple wallet apps are installed?
    • What is the user experience when no wallet app is installed or when the user cancels wallet invocation?
    • What is the user experience on a desktop operating system?
    • How much friction is there in app switching?
  • Can wallets reliably determine their invoker?
  • Can wallets limit requests to secure contexts?
  • What are the privacy implications of a wallet accepting custom schemes?
  • How can users be assured that they have control over where their personal information is shared?

6 of 15

Chromium & Android goals for Identity Credential API

  • Wallet discovery and invocation:
    • Allow websites to seamlessly request credentials from mobile wallet apps
  • Easily support multiple wallets
    • Without users having to remember which credentials are in which wallets
  • Get consent from users prior to wallets learning any context
  • Enable cross-device requests
    • e.g. Chrome on Windows opening an Android wallet, similar to passkeys
  • Enable competition and choice in credential formats and wallet apps
  • Focus on pragmatic solutions that can be brought to market rapidly
    • In particular, enable eIDAS 2.0 deployments by 2025 with minimal changes to the ARF
    • While encouraging ongoing innovation and iteration - in and outside the browser
  • Enable browsers to help protect user privacy, security and choice
    • While enabling wallets to keep sensitive data hidden from the browser & OS

7 of 15

Chromium's approach to building web standards

  • Start by focusing on a problem, in public, with any motivated stakeholders
    • W3C Web Incubator Community Group (WICG), which includes IP protection, etc.
  • "Dev trial": Iterate on a prototype available behind a flag
    • Chrome canary ships daily, experimental features available under chrome://flags
    • All code, code reviews, and most bugs are open to the public to view and comment on
    • Test with one or two motivated customers and iterate until it seems to work in the lab
  • Start to develop a draft specification and conformance test suite
    • Widen review, e.g. request public signals from other browser vendors, the W3C TAG, and others
  • "Origin Trial"
    • Experimental API available to any website that wants to sign up for a key.
    • Can be used in production but expected to change (with notice)
    • Iterate on feedback
  • "Ship"
    • Complete spec and conformance test suite
    • Public debate about interoperability risk vs. value to the web, etc.
  • Iterate to keep improving and standardize
    • Graduate from "incubation" to standards venue as maturity & interoperability allows

8 of 15

Identity Credential status

  • W3C WICG GitHub repo: identity-credential
    • Converging around proposal #4
      • Designed to architecturally separate invocation from request protocol
        • So it can integrate with OpenID4VP
    • Started having weekly meetings Oct 4, 2023
  • Chrome + Android working prototype available for testing
    • In dev trial now; have a couple of wallets trying it out and open to more
    • Could be ready for an Origin Trial in production in Q1 2024
    • Hoping to ship V1 sometime in 2024; no concrete plans yet, will depend on Origin Trial (OT) feedback

9 of 15

Very rough prototype

For illustration only

10 of 15

  const {response} = await navigator.credentials.requestClaims({
    providers: [{
      protocol: 'mdoc-simple',           // request protocol, kept separate from wallet invocation
      request: {
        type: 'org.iso.18013.5.1.mDL',   // ISO 18013-5 mobile driving licence document type
        fields: [                        // only the claims this verifier needs
          'org.iso.18013.5.1.family_name',
          'org.iso.18013.5.1.portrait',
        ]
      },
      nonce: '1234',                     // binds the response to this request; use a fresh random value in practice
      publicKey: 'ftl+VEHPB17r2 ... Nioc9QZ7X/6w…'   // verifier's public key
    }]
  });

12 of 15

Open questions / discussion

  • Do you agree there’s value in browser / OS involvement?
    • To what extent are the issues with custom schemes a concern for you?
    • Is a browser API sufficiently better than alternatives like custom schemes to get adoption?
  • What concerns do you have around browser / OS involvement?
    • Are there things we can put into the design to reduce those concerns?
      • E.g. mandatory response encryption, commitments to respect the user's preferred wallet app
  • What areas are important after we have a minimum viable product?
    • Cross-device presentment?
    • Issuance API?
    • Web wallets?

13 of 15

Next steps

  • If you'd like to help shape the API & browser behavior
    • Contribute to discussion on issues in the Identity Credential repo
    • Join the WICG (free) and participate in our calls / Slack channel, and/or make PRs

14 of 15

ANNEX

15 of 15