Revision as of 14:08, 10 September 2024

Full Title or Meme

The W3C Credential Management Level 1 specification was published in July 2023.

Context

• Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework.
• Apple has specified the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO 18013-5.

Solutions

Google

• Post from Gianluca Varisco Security @ Google Cloud
• Introducing the Digital Credentials API origin trial 2024-08 Supporting OID4VP which is not yet a standard

Digital Credential API

• Digital Credentials - Draft Community Group Report last download 2024-08-29

Comentary

Sep 19, 2023 Open Wallet Architecture WG

Andrew Hughes via lists.openwallet.foundation <andrewhughes=pingidentity.com@lists.openwallet.foundation> Sep 19, 2023, 7:55 AM (7 days ago) to torsten, technical-discuss@lists.openwallet.foundation, sebastian.elfors

I noticed that in the meeting notes for this topic nobody talked about how this would work on mobile devices - it sounded like people were thinking about desktop OS/browser implementations. I'm learning more about the sandboxing and other restrictions on mobile devices - and how this prevents / controls native app invocation and discovery in ways that force use of OS/mobile browser facilities, and precludes use of third party systems. Does anyone else observe similar things?

Andrew Hughes Director - Identity Standards - since left for facetec Mobile/Signal: +1 250 888 9474

On Tue, Sep 19, 2023 at 7:22 AM Torsten Lodderstedt via lists.openwallet.foundation <torsten=lodderstedt.net@lists.openwallet.foundation> wrote: As far as I’m informed, the WICG just incubated the credential topic last week and will be pursuing a process to come up with a consolidated proposal for a browser API. I think the proposals on the table are a great staring point but are a bit narrow (esp. the Mobile Document Request API). A solution should support the credential formats that can be found in the market and not limit implementers. I have argued to specify an API that focuses on wallet discovery and invocation as I believe those are the core challenges current protocols for credential issuance and presentation are facing. I think we need to carefully watch the further development and contribute.

Am 19. Sept. 2023, 13:55 +0200 schrieb Sebastian Elfors via lists.openwallet.foundation <sebastian.elfors=idnow.io@lists.openwallet.foundation>:

W3C WICG, Google and Apple have made some advancements on identity credentials APIs.

The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specificed the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.

Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)

E sebastian.elfors@idnow.io

=

John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> Sep 25, 2023, 7:06 AM (1 day ago) to technical-discuss@lists.openwallet.foundation

There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).

The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):

Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good Potentially competes with or could serve to enhance any web based credential presentation protocols

Then they go their separate ways …

Mobile Document Request API

Supports only ISO/IEC 18013-5 mDLs Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that If you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator? ) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.

“Identity Credential” API

References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2 Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation) Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!

This is my understanding of the primary differences … Corrections welcome!

=

This document contains pre-decisional and/or deliberative process information exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(5). Do not release without prior approval of the Department of Homeland Security.

From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of Sebastian Elfors via lists.openwallet.foundation Sent: Tuesday, September 19, 2023 7:56 AM To: technical-discuss@lists.openwallet.foundation Subject: [technical-discuss] W3C WICG Identity Credentials API

All,

W3C WICG, Google and Apple have made some advancements on identity credentials APIs.

The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specificed the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.

Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)

Sebastian Elfors

Senior Architect

Adrian Hope-Bailie via lists.openwallet.foundation AttachmentsSep 25, 2023, 7:55 AM (1 day ago) Hi Anil, I chaired the payments WG at W3C for almost 8 years. In my experience Apple's approach to this work is to be a passive supporter of the standards but t

David Zeuthen via lists.openwallet.foundation <zeuthen=google.com@lists.openwallet.foundation> Attachments Sep 25, 2023, 2:07 PM (22 hours ago) to anil.john, technical-discuss@lists.openwallet.foundation

Hi,

On Mon, Sep 25, 2023 at 10:06 PM John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> wrote: There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).

The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):

Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good Potentially competes with or could serve to enhance any web based credential presentation protocols

Then they go their separate ways …

Mobile Document Request API

Supports only ISO/IEC 18013-5 mDLs Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that If you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator? ) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.

Someone recently told me that https://developer.apple.com/wallet/get-started-with-verify-with-wallet/ had an update to say something about the Mobile Document Request API and third party applications. I think that may be of interest to people here.

“Identity Credential” API

References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2 Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation) Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!

This is my understanding of the primary differences … Corrections welcome!

Yes, so, the "Identity Credential" API proposal is closely based on Apple's Mobile Document Request API but - for a multitude of reasons - we wanted to change the API so it isn't tied to mdoc/mDL credential format. I obviously can't speak for Apple but my read is that they are OK with this change and will continue to participate in the WICG.

The last point about support for multiple wallets, yes, Chrome has made statements about this being a goal for the implementation of Chrome on Android (see https://groups.google.com/a/chromium.org/g/blink-dev/c/O9A9fq-0IdI/m/sqdVA17iBQAJ) and this is also how you could read Apple's page linked to in the paragraph above.

We are starting to make this API available behind flags in Android and Chrome so RPs and Wallets can experiment with it. The attached presentation is what we shared with ISO SC17 WG10 (the ISO WG working on Mobile Driving Licenses and 18913-5 and -7) and has more information about how we think this API could work on Android. There's nothing mdoc/mDL specific about this API and any Android application can be a credential provider for this API.

Hope this clarifies!

Thanks, David

to zeuthen@google.com, technical-discuss@lists.openwallet.foundation

Hi David,

Request for one additional clarification as people a whole lot smarter pointed out to me that there is a gap in the current proposal for supporting “web wallets” i.e. web app based wallets as opposed to wallet applications on mobile devices, as that functionality appears to be missing in the current proposal.

Speaking to the needs of my organization, we are very interested in ensuring that both web and native wallets are equally supported. What is Google’s intention/perspective regarding support for both in the work you are putting forward?

To: John, Anil <anil.john@hq.dhs.gov> Cc: technical-discuss@lists.openwallet.foundation

On Mon, Sep 25, 2023 at 10:06 PM John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> wrote:

There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).

The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):

Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good Potentially competes with or could serve to enhance any web based credential presentation protocols

Then they go their separate ways …

Mobile Document Request API

Supports only ISO/IEC 18013-5 mDLs Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that If you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator? ) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.

Someone recently told me that https://developer.apple.com/wallet/get-started-with-verify-with-wallet/ had an update to say something about the Mobile Document Request API and third party applications. I think that may be of interest to people here.

“Identity Credential” API

References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2 Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation) Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!

This is my understanding of the primary differences … Corrections welcome!

Yes, so, the "Identity Credential" API proposal is closely based on Apple's Mobile Document Request API but - for a multitude of reasons - we wanted to change the API so it isn't tied to mdoc/mDL credential format. I obviously can't speak for Apple but my read is that they are OK with this change and will continue to participate in the WICG.

The last point about support for multiple wallets, yes, Chrome has made statements about this being a goal for the implementation of Chrome on Android (see https://groups.google.com/a/chromium.org/g/blink-dev/c/O9A9fq-0IdI/m/sqdVA17iBQAJ) and this is also how you could read Apple's page linked to in the paragraph above.

We are starting to make this API available behind flags in Android and Chrome so RPs and Wallets can experiment with it. The attached presentation is what we shared with ISO SC17 WG10 (the ISO WG working on Mobile Driving Licenses and 18913-5 and -7) and has more information about how we think this API could work on Android. There's nothing mdoc/mDL specific about this API and any Android application can be a credential provider for this API.

Hope this clarifies!

Thanks,

David

Best Regards,

From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of Sebastian Elfors via lists.openwallet.foundation Sent: Tuesday, September 19, 2023 7:56 AM To: technical-discuss@lists.openwallet.foundation Subject: [technical-discuss] W3C WICG Identity Credentials API

CAUTION: This email originated from outside of DHS. DO NOT click links or open attachments unless you recognize and/or trust the sender. Contact your component SOC with questions or concerns.

W3C WICG, Google and Apple have made some advancements on identity credentials APIs.

The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specificed the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.

Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)

Kind regards,

Sebastian Elfors

References