W3C Credential Management

From MgmtWiki

Full Title or Meme

The W3C Draft Community Group Report 20 specification was published 2025-02-20. The report was still under active development at that time.

Context

  • Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework.
  • Apple has specified the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO 18013-5.

Solutions

Google

Digital Credential API

History

John, Anil via lists.openwallet.foundation <anil.john=hq.dhs.gov@lists.openwallet.foundation> Sep 25, 2023, 7:06 AM to technical-discuss@lists.openwallet.foundation

There appear to be critical differences between the “Mobile Document Request API” (Originally proposed by Apple but also supported by Google at that time) and the “Identity Credential” work (proposed by Google).

The following is my understanding in non-spec-speak (which may be incomplete or wrong, so would appreciate corrections):

  • Both seek to define a standardized way for a browser to present digital credentials stored in a digital wallet to a web site; this is good
    • Potentially competes with or could serve to enhance any web based credential presentation protocols
  • Then they go their separate ways …
  • Mobile Document Request API
    • Supports only ISO/IEC 18013-5 mDLs
    • Marks as being ‘out-of-scope’ the manner in which the browser interacts with the digital wallet. Implications of this are profound in that if you are a platform that has a digital wallet (Apple Wallet / Google Wallet / Microsoft Authenticator?) AND are also a browser vendor (Safari / Chrome / Edge), the platform gets to connect their wallet to their browser because that connection is not open but under their control.
  • “Identity Credential” API
    • References – Meeting Minutes & Presentation Slides by folks from the WICG to the W3C VC WG Group at the TPAC @ https://www.w3.org/2017/vc/WG/Meetings/Minutes/2023-09-15-vcwg#section2
    • Support multiple credential types (gratified to see prototype/demos of both mDL and W3C VCs in the presentation)
    • Support for multiple wallets << I am making an assumption here that ensuring this support requires standardizing and opening up the API connecting the wallet to the browser; which, if true, is A.Good.Thing!

This is my understanding of the primary differences … Corrections welcome!

---

From: technical-discuss@lists.openwallet.foundation <technical-discuss@lists.openwallet.foundation> On Behalf Of Sebastian Elfors via lists.openwallet.foundation
Sent: Tuesday, September 19, 2023 7:56 AM
To: technical-discuss@lists.openwallet.foundation
Subject: [technical-discuss] W3C WICG Identity Credentials API

W3C WICG, Google and Apple have made some advancements on identity credentials APIs.

The W3C Credential Management Level 1 specification was published in July 2023. Google has specified the Identity Credential type for Android as part of the W3C Credential Management framework. Apple has specified the Mobile Document Request API, which is a new web API that allows websites to request a mobile document as defined in ISO/IEC 18013-5.

Is this something that should be considered by the OpenWallet Foundation – or is it already under consideration? (I’m asking because I’ve missed most of the OWF architecture meetings since they occur at night CET, so this may have been discussed already.)

Sebastian Elfors, Senior Architect

---

Yes, so, the "Identity Credential" API proposal is closely based on Apple's Mobile Document Request API but - for a multitude of reasons - we wanted to change the API so it isn't tied to mdoc/mDL credential format. I obviously can't speak for Apple but my read is that they are OK with this change and will continue to participate in the WICG.

The last point about support for multiple wallets, yes, Chrome has made statements about this being a goal for the implementation of Chrome on Android (see https://groups.google.com/a/chromium.org/g/blink-dev/c/O9A9fq-0IdI/m/sqdVA17iBQAJ) and this is also how you could read Apple's page linked to in the paragraph above.

We are starting to make this API available behind flags in Android and Chrome so RPs and Wallets can experiment with it. The attached presentation is what we shared with ISO SC17 WG10 (the ISO WG working on Mobile Driving Licenses and 18913-5 and -7) and has more information about how we think this API could work on Android. There's nothing mdoc/mDL specific about this API and any Android application can be a credential provider for this API.

Hope this clarifies! David


Current Status

[Figure: W3C DC roles]

  • 2024: Custom schemes and QR codes, which have poor security and even worse user experiences, for example:
    • openid://
    • openid4vp://
    • mdoc://
  • Some problems with custom schemes
    • invocation from insecure contexts
    • on-device phishing via app selection
    • no requestor origin / identity
    • not standardized & not guaranteed
    • context switch during app launch
    • no graceful fallback from errors
    • no context to help the user understand what the choice means
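The list above is what a browser-mediated request is meant to fix. As an added illustration (not code from the wiki, the W3C draft, or any vendor), the following relying-party helper refuses to start a credential request from an insecure context, prefers the browser-mediated Digital Credential API when it is present, and reports a custom-scheme launch as unable to establish a requestor origin instead of silently falling back to it. The request shape `{ digital: { requests: [{ protocol, data }] } }`, the `DigitalCredential` global used for feature detection, and the protocol identifiers `openid4vp` and `mdoc` are assumptions taken from the draft and from the scheme names on this page; the environment object is injected so the decision logic can run outside a browser.

```javascript
// Added example for the wiki page; not part of the W3C draft or any vendor's code.
// Assumptions: request shape and DigitalCredential global follow the Digital
// Credentials draft as understood here; protocol identifiers are illustrative.

// Custom schemes named on the page; launching one of these from a web page
// carries no verified requestor origin and can be triggered from http://.
const CUSTOM_SCHEMES = ["openid://", "openid4vp://", "mdoc://"];

// Illustrative protocol identifiers for the browser-mediated request (assumption).
const SUPPORTED_PROTOCOLS = new Set(["openid4vp", "mdoc"]);

// Describe which of the page's custom-scheme weaknesses apply to a given launch URL.
function classifyCustomSchemeLaunch(url) {
  const scheme = CUSTOM_SCHEMES.find((s) => url.startsWith(s));
  if (!scheme) return null;
  return {
    scheme,
    requestorOrigin: null,            // no origin is bound to the request
    standardized: false,              // scheme handling is not standardized
    invocableFromInsecureContext: true,
    gracefulErrorFallback: false,     // a missing handler just fails the launch
  };
}

// Build the browser-mediated request; reject protocols we do not understand.
function buildDigitalCredentialRequest(protocol, data) {
  if (!SUPPORTED_PROTOCOLS.has(protocol)) {
    throw new TypeError(`unsupported protocol: ${protocol}`);
  }
  return { digital: { requests: [{ protocol, data }] } };
}

// Decide how (or whether) to invoke a wallet. env is injected:
//   { isSecureContext, hasDigitalCredentialApi, origin, credentials }
function chooseInvocation(env) {
  if (!env.isSecureContext) {
    return { path: "refuse", reason: "credential requests require a secure context" };
  }
  if (env.hasDigitalCredentialApi) {
    // The browser attaches the requestor origin; the page never has to assert it.
    return { path: "browser-api", requestorOrigin: env.origin };
  }
  return {
    path: "unsupported",
    reason: "no browser-mediated API; a custom-scheme launch would carry no requestor origin",
  };
}

// End-to-end: request a credential only via the browser-mediated path and
// check that the response speaks the protocol we asked for.
async function requestCredential(env, protocol, data) {
  const decision = chooseInvocation(env);
  if (decision.path !== "browser-api") return { ok: false, decision };
  const cred = await env.credentials.get(buildDigitalCredentialRequest(protocol, data));
  if (!cred || cred.protocol !== protocol) {
    return { ok: false, decision, reason: "response protocol does not match request" };
  }
  return { ok: true, decision, credential: cred };
}

// Wire real browser objects when loaded in a page (feature detection is an assumption).
function browserEnv() {
  return {
    isSecureContext: globalThis.isSecureContext === true,
    hasDigitalCredentialApi: typeof globalThis.DigitalCredential === "function",
    origin: globalThis.location ? globalThis.location.origin : null,
    credentials: globalThis.navigator ? globalThis.navigator.credentials : null,
  };
}

// Constructed stand-in for navigator.credentials so the flow runs offline.
function constructedEnv(overrides = {}) {
  return {
    isSecureContext: true,
    hasDigitalCredentialApi: true,
    origin: "https://rp.example",
    credentials: {
      get: async (opts) => ({
        protocol: opts.digital.requests[0].protocol,
        data: { constructed: true },
      }),
    },
    ...overrides,
  };
}
```

In a real page, `browserEnv()` replaces `constructedEnv()`; everything else stays the same. The point of routing through `chooseInvocation` is that the fallback to a custom scheme is an explicit, logged decision rather than the default, which is where the phishing and origin problems on the page come from.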

References