Digital Credential API

From MgmtWiki

Full Title and Meme

The Digital Credential API (DCAPI) is a means to sort out presentation requests made by a Verifier and direct them to the device applications (wallets) that can process the request successfully.

Context

Security

Threats

The Digital Credentials API—designed to let users present verifiable credentials (like digital IDs or diplomas) directly through their browser—offers exciting potential, but it also raises serious security and privacy concerns. Here are some of the key issues being debated:

  1. It's unclear what the criteria are for registering a query language that browsers must accept.
    1. Can an attacker get a bogus language inserted into a browser's list?
  2. Overexposure of Personal Data - Websites could request more information than necessary, leading to overcollection or misuse of sensitive credentials. Without strict controls, this opens the door to:
    1. Cross-site tracking based on credential metadata
    2. Fingerprinting users by the types of credentials they hold
  3. Browser and Wallet Trust Boundaries
    1. The API involves two user agents: the browser and the digital wallet. If either is compromised or poorly implemented:
      1. Malicious sites might trick users into sharing credentials
      2. Wallets might not clearly show what’s being shared or with whom
  4. Lack of User Awareness
    1. Even with permission prompts, users may not fully understand:
      1. What data is being requested
      2. Who is requesting it
      3. Whether they can refuse without losing access
    2. This creates a consent theater problem—where users click “Allow” without informed choice.
  5. No Universal Mitigation for All Threats
    1. Some threats—like websites inferring identity from credential types—don’t yet have clear technical solutions. Mozilla, for example, has raised formal objections, warning that the API could erode user agency and privacy if not carefully constrained.
  6. “The Web Must Never Demand Your Papers”
    1. This principle, echoed by W3C’s Technical Architecture Group, warns against normalizing a web where users must prove identity to access content. If misused, the API could lead to a surveillance-by-default internet.
  7. Registration operation is unclear - will that limit value?
    1. Could a channel (say BLE) be a decentralized self-describing protocol?

Mitigations

Some proposed mitigations:

  • selective disclosure
  • trust lists
  • wallet-side policy enforcement
  • Common UI for in-person and on-web queries
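The following JavaScript is an added example, not code from the wiki page or from any wallet or browser implementation; it sketches how the three mitigations above (trust lists, wallet-side policy enforcement, selective disclosure) fit together and how the wallet can show the user who is asking and for what. The request shape, trust-list format and credential layout are constructed assumptions, not the Digital Credentials API's own data structures.

```javascript
// Added example (not from the wiki page or any wallet): wallet-side policy
// enforcement with a trust list and selective disclosure. The request shape,
// trust-list format and credential layout are constructed assumptions, not the
// Digital Credentials API's own data structures.

// Constructed trust list: known verifiers and the claims each may ask for.
const TRUST_LIST = {
  "https://bank.example": { name: "Example Bank", allowedClaims: ["given_name", "family_name", "age_over_18"] },
  "https://bar.example":  { name: "Example Bar",  allowedClaims: ["age_over_18"] },
};

// Check a presentation request against the trust list and the verifier's
// claim allowlist. Returns the disclosure decision plus a plain-language
// summary the wallet can show in its consent prompt (who asks, for what).
function evaluateRequest(request, trustList = TRUST_LIST) {
  const entry = trustList[request.verifierOrigin];
  if (!entry) {
    return { allow: false, reason: "verifier not on trust list", disclosed: [], withheld: [...request.claims],
      summary: `Unknown site ${request.verifierOrigin} asked for ${request.claims.length} claim(s); request refused.` };
  }
  const disclosed = request.claims.filter((c) => entry.allowedClaims.includes(c));
  const withheld = request.claims.filter((c) => !entry.allowedClaims.includes(c));
  if (disclosed.length === 0) {
    return { allow: false, reason: "no permitted claims requested", disclosed, withheld,
      summary: `${entry.name} asked only for claims it is not entitled to (${withheld.join(", ")}); request refused.` };
  }
  // Selective disclosure: release only the permitted claims, never the whole credential.
  const note = withheld.length ? ` Withheld: ${withheld.join(", ")}.` : "";
  return { allow: true, reason: withheld.length ? "overcollection trimmed" : "within policy", disclosed, withheld,
    summary: `${entry.name} (${request.verifierOrigin}) will receive: ${disclosed.join(", ")}.${note}` };
}

// Build the presentation from a credential, copying only the disclosed claims.
function buildPresentation(credential, decision) {
  if (!decision.allow) return null;
  const claims = {};
  for (const c of decision.disclosed) {
    if (c in credential.claims) claims[c] = credential.claims[c];
  }
  return { issuer: credential.issuer, claims };
}

// Constructed sample data: a bar that asks for more than the age attribute.
const SAMPLE_CREDENTIAL = { issuer: "https://dmv.example",
  claims: { given_name: "Ada", family_name: "Lovelace", birth_date: "1990-01-01", age_over_18: true, address: "1 Main St" } };
const SAMPLE_REQUEST = { verifierOrigin: "https://bar.example", claims: ["age_over_18", "address", "birth_date"] };

const decision = evaluateRequest(SAMPLE_REQUEST);
console.log(decision.summary);
console.log(JSON.stringify(buildPresentation(SAMPLE_CREDENTIAL, decision)));
```

Run with `node`; the sample request is trimmed to the single permitted claim and the summary names the withheld ones, which is what a consent prompt should make visible.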