Difference between revisions of "W3C Credential Management"
(→Comentary) |
(→Google) |
||
| Line 9: | Line 9: | ||
==Solutions== | ==Solutions== | ||
===Google=== | ===Google=== | ||
| + | * [https://www.linkedin.com/feed/update/urn:li:activity:7237086383712985088/ Post from Gianluca Varisco Security @ Google Cloud] | ||
* [https://developer.chrome.com/blog/digital-credentials-api-origin-trial Introducing the Digital Credentials API origin trial] 2024-08 Supporting OID4VP which is not yet a standard | * [https://developer.chrome.com/blog/digital-credentials-api-origin-trial Introducing the Digital Credentials API origin trial] 2024-08 Supporting OID4VP which is not yet a standard | ||
Revision as of 10:47, 6 September 2024
Contents
Full Title or Meme
The W3C Credential Management Level 1 specification was published in July 2023.
Context
- Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework.
- Apple has specified the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO 18013-5.
Solutions
- Post from Gianluca Varisco Security @ Google Cloud
- Introducing the Digital Credentials API origin trial 2024-08 Supporting OID4VP which is not yet a standard
Digital Credential API
- Digital Credentials - Draft Community Group Report last download 2024-08-29
Comentary
Sep 19, 2023 Open Wallet Architecture WG
Andrew Hughes via lists.openwallet.foundation <andrewhughes=pingidentity.com@lists.openwallet.foundation> Sep 19, 2023, 7:55 AM (7 days ago) to torsten, technical-discuss@lists.openwallet.foundation, sebastian.elfors
I noticed that in the meeting notes for this topic nobody talked about how this would work on mobile devices - it sounded like people were thinking about desktop OS/browser implementations. I'm learning more about the sandboxing and other restrictions on mobile devices - and how this prevents / controls native app invocation and discovery in ways that force use of OS/mobile browser facilities, and precludes use of third party systems. Does anyone else observe similar things?
Andrew Hughes Director - Identity Standards - since left for facetec Mobile/Signal: +1 250 888 9474
On Tue, Sep 19, 2023 at 7:22 AM Torsten Lodderstedt via lists.openwallet.foundation <torsten=lodderstedt.net@lists.openwallet.foundation> wrote: As far as I’m informed, the WICG just incubated the credential topic last week and will be pursuing a process to come up with a consolidated proposal for a browser API. I think the proposals on the table are a great staring point but are a bit narrow (esp. the Mobile Document Request API). A solution should support the credential formats that can be found in the market and not limit implementers. I have argued to specify an API that focuses on wallet discovery and invocation as I believe those are the core challenges current protocols for credential issuance and presentation are facing. I think we need to carefully watch the further development and contribute.
Am 19. Sept. 2023, 13:55 +0200 schrieb Sebastian Elfors via lists.openwallet.foundation <sebastian.elfors=idnow.io@lists.openwallet.foundation>:
W3C WICG, Google and Apple have made some advancements on identity credentials APIs.
The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specificed the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.
Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)
E sebastian.elfors@idnow.io
Adrian Gropper via lists.openwallet.foundation
Sep 19, 2023, 8:18 AM (7 days ago)
to andrewhughes, sebastian.elfors, technical-discuss@lists.openwallet.foundation, torsten
I’m unfamiliar with the various protocols for issue and presentation of VCs but I’m under the impression that many of them make assumptions about whether the user agent is a browser or an app. I believe IETF GNAP is intentionally designed to work securely with both. Is this a consideration we can use to categorize the various protocols options?
=
John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> Sep 25, 2023, 7:06 AM (1 day ago) to technical-discuss@lists.openwallet.foundation
There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).
The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):
Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good Potentially competes with or could serve to enhance any web based credential presentation protocols
Then they go their separate ways …
Mobile Document Request API
Supports only ISO/IEC 18013-5 mDLs Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that If you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator? ) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.
“Identity Credential” API
References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2 Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation) Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!
This is my understanding of the primary differences … Corrections welcome!
=
This document contains pre-decisional and/or deliberative process information exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(5). Do not release without prior approval of the Department of Homeland Security.
From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of Sebastian Elfors via lists.openwallet.foundation Sent: Tuesday, September 19, 2023 7:56 AM To: technical-discuss@lists.openwallet.foundation Subject: [technical-discuss] W3C WICG Identity Credentials API
CAUTION: This email originated from outside of DHS. DO NOT click links or open attachments unless you recognize and/or trust the sender. Contact your component SOC with questions or concerns.
All,
W3C WICG, Google and Apple have made some advancements on identity credentials APIs.
The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specificed the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.
Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)
Kind regards,
Sebastian Elfors
Senior Architect
M +49 174 17 22 150
E sebastian.elfors@idnow.io
IDnow.io | LinkedIn
IDnow GmbH Auenstraße 100 | 80469 Munich | Germany Registration Court: Amtsgericht München HRB 283590 VAT Reg.No. DE360162051 Managing Directors: Andreas Bodczek, Joseph Lichtenberger, Armin Bauer
A picture containing monitor, large
Description automatically generated
_._,_._,_
Links:
You receive all messages sent to this group.
View/Reply Online (#166) | Reply To Sender | Reply To Group | Mute This Topic | New Topic
Adrian Hope-Bailie via lists.openwallet.foundation AttachmentsSep 25, 2023, 7:55 AM (1 day ago) Hi Anil, I chaired the payments WG at W3C for almost 8 years. In my experience Apple's approach to this work is to be a passive supporter of the standards but t
David Zeuthen via lists.openwallet.foundation <zeuthen=google.com@lists.openwallet.foundation> Attachments Sep 25, 2023, 2:07 PM (22 hours ago) to anil.john, technical-discuss@lists.openwallet.foundation
Hi,
On Mon, Sep 25, 2023 at 10:06 PM John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> wrote: There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).
The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):
Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good Potentially competes with or could serve to enhance any web based credential presentation protocols
Then they go their separate ways …
Mobile Document Request API
Supports only ISO/IEC 18013-5 mDLs Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that If you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator? ) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.
Someone recently told me that https://developer.apple.com/wallet/get-started-with-verify-with-wallet/ had an update to say something about the Mobile Document Request API and third party applications. I think that may be of interest to people here.
“Identity Credential” API
References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2 Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation) Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!
This is my understanding of the primary differences … Corrections welcome!
Yes, so, the "Identity Credential" API proposal is closely based on Apple's Mobile Document Request API but - for a multitude of reasons - we wanted to change the API so it isn't tied to mdoc/mDL credential format. I obviously can't speak for Apple but my read is that they are OK with this change and will continue to participate in the WICG.
The last point about support for multiple wallets, yes, Chrome has made statements about this being a goal for the implementation of Chrome on Android (see https://groups.google.com/a/chromium.org/g/blink-dev/c/O9A9fq-0IdI/m/sqdVA17iBQAJ) and this is also how you could read Apple's page linked to in the paragraph above.
We are starting to make this API available behind flags in Android and Chrome so RPs and Wallets can experiment with it. The attached presentation is what we shared with ISO SC17 WG10 (the ISO WG working on Mobile Driving Licenses and 18913-5 and -7) and has more information about how we think this API could work on Android. There's nothing mdoc/mDL specific about this API and any Android application can be a credential provider for this API.
Hope this clarifies!
Thanks, David
--
David Zeuthen | zeuthen@google.com |
| Android Hardware-Backed Security
_._,_._,_ Links: You receive all messages sent to this group.
View/Reply Online (#168) | Reply To Sender | Reply To Group | Mute This Topic | New Topic
Your Subscription | Contact Group Owner | Unsubscribe [thomasclinganjones@gmail.com]
_._,_._,_
One attachment • Scanned by Gmail
John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> Sep 25, 2023, 4:09 PM (19 hours ago) to zeuthen@google.com, technical-discuss@lists.openwallet.foundation
David,
Thank you for the additional information and the clarification.
Best Regards,
Anil
Email Response Time – 24 Hours or more; I sometimes send emails outside of business days/times because it works for me; please do not feel any obligation to reply to them outside of your normal working patterns.
This document contains pre-decisional and/or deliberative process information exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(5). Do not release without prior approval of the Department of Homeland Security.
_._,_._,_ Links: View/Reply Online (#169) | Reply To Sender | Reply To Group | Mute This Topic | New Topic
John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> 8:36 AM (3 hours ago) to zeuthen@google.com, technical-discuss@lists.openwallet.foundation
Hi David,
Request for one additional clarification as people a whole lot smarter pointed out to me that there is a gap in the current proposal for supporting “web wallets” i.e. web app based wallets as opposed to wallet applications on mobile devices, as that functionality appears to be missing in the current proposal.
Speaking to the needs of my organization, we are very interested in ensuring that both web and native wallets are equally supported.
What is Google’s intention/perspective regarding support for both in the work you are putting forward?
Best Regards,
Anil
Anil John
Technical Director, Silicon Valley Innovation Program
Science and Technology Directorate
US Department of Homeland Security
Washington, DC, USA
Email Response Time – 24 Hours or more; I sometimes send emails outside of business days/times because it works for me; please do not feel any obligation to reply to them outside of your normal working patterns.
A picture containing graphical user interface
Description automatically generated/Users/holly.johnson/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_1972159395
This document contains pre-decisional and/or deliberative process information exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(5). Do not release without prior approval of the Department of Homeland Security.
From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of John, Anil via lists.openwallet.foundation Sent: Monday, September 25, 2023 7:09 PM To: zeuthen@google.com Cc: technical-discuss@lists.openwallet.foundation Subject: Re: [technical-discuss] W3C WICG Identity Credentials API
David,
Thank you for the additional information and the clarification.
Best Regards,
Anil
Email Response Time – 24 Hours or more; I sometimes send emails outside of business days/times because it works for me; please do not feel any obligation to reply to them outside of your normal working patterns.
This document contains pre-decisional and/or deliberative process information exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(5). Do not release without prior approval of the Department of Homeland Security.
From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of David Zeuthen via lists.openwallet.foundation Sent: Monday, September 25, 2023 4:52 PM To: John, Anil <anil.john@hq.dhs.gov> Cc: technical-discuss@lists.openwallet.foundation
Hi,
On Mon, Sep 25, 2023 at 10:06 PM John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> wrote:
There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).
The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):
Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good Potentially competes with or could serve to enhance any web based credential presentation protocols
Then they go their separate ways …
Mobile Document Request API
Supports only ISO/IEC 18013-5 mDLs Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that If you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator? ) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.
Someone recently told me that https://developer.apple.com/wallet/get-started-with-verify-with-wallet/ had an update to say something about the Mobile Document Request API and third party applications. I think that may be of interest to people here.
“Identity Credential” API
References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2 Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation) Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!
This is my understanding of the primary differences … Corrections welcome!
Yes, so, the "Identity Credential" API proposal is closely based on Apple's Mobile Document Request API but - for a multitude of reasons - we wanted to change the API so it isn't tied to mdoc/mDL credential format. I obviously can't speak for Apple but my read is that they are OK with this change and will continue to participate in the WICG.
The last point about support for multiple wallets, yes, Chrome has made statements about this being a goal for the implementation of Chrome on Android (see https://groups.google.com/a/chromium.org/g/blink-dev/c/O9A9fq-0IdI/m/sqdVA17iBQAJ) and this is also how you could read Apple's page linked to in the paragraph above.
We are starting to make this API available behind flags in Android and Chrome so RPs and Wallets can experiment with it. The attached presentation is what we shared with ISO SC17 WG10 (the ISO WG working on Mobile Driving Licenses and 18913-5 and -7) and has more information about how we think this API could work on Android. There's nothing mdoc/mDL specific about this API and any Android application can be a credential provider for this API.
Hope this clarifies!
Thanks,
David
Best Regards,
Anil
Anil John
Technical Director, Silicon Valley Innovation Program
Science and Technology Directorate
US Department of Homeland Security
Washington, DC, USA
Email Response Time – 24 Hours or more; I sometimes send emails outside of business days/times because it works for me; please do not feel any obligation to reply to them outside of your normal working patterns.
A picture containing graphical user interface
Description automatically generated/Users/holly.johnson/Library/Containers/com.microsoft.Outlook/Data/Library/Caches/Signatures/signature_1972159395
This document contains pre-decisional and/or deliberative process information exempt from mandatory disclosure under the Freedom of Information Act, 5 U.S.C. 552(b)(5). Do not release without prior approval of the Department of Homeland Security.
From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of Sebastian Elfors via lists.openwallet.foundation Sent: Tuesday, September 19, 2023 7:56 AM To: technical-discuss@lists.openwallet.foundation Subject: [technical-discuss] W3C WICG Identity Credentials API
CAUTION: This email originated from outside of DHS. DO NOT click links or open attachments unless you recognize and/or trust the sender. Contact your component SOC with questions or concerns.
All,
W3C WICG, Google and Apple have made some advancements on identity credentials APIs.
The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specificed the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.
Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)
Kind regards,
Sebastian Elfors
Senior Architect
M +49 174 17 22 150
E sebastian.elfors@idnow.io
IDnow.io | LinkedIn
IDnow GmbH Auenstraße 100 | 80469 Munich | Germany Registration Court: Amtsgericht München HRB 283590 VAT Reg.No. DE360162051 Managing Directors: Andreas Bodczek, Joseph Lichtenberger, Armin Bauer
David Zeuthen |
zeuthen@google.com |
| Android Hardware-Backed Security
