Full Title or Meme
The Web ID is designed by Google to give users an identifier that can be authenticated on their phone and used anywhere.
- Web ID Explainer which describes (1) the classification problem, (2) the RP tracking problem and (3) the IdP track problem.
- Web ID GitHub repository part of W3C Web Platform Incubation Community Group
- Most of Relying Parties (RPs) use one button per IdP on a web site that takes the user to an IdP sign-in experience.
- It has been proposed in OIDC Section 7 to enable URL links in the user's browser to enable self-issued identifiers with the URL "OPENID://".
- The common way for a user identification to be enabled on a web page with OIDC. This method works well, but is indistinguishable from tracking of user's across the web, which is something that Privacy experts have been trying to block.
- Millions of RPs and Billions of Users indicate that fast deployment of a new method will need to leverage both the deployed RPs and a User Experience (UX) that matches user expectations.
- In view of the changes to the way that identifiers are issued by the user rather than by some central authority, simply fixing the existing paradigm is insufficient. What we need is a paradigm shift to a better world where the user has more control.
- The path to a solution started on GitHub Early Explorations Which addresses Classification and IdP tracking, but does not address RP Identification or tracking directly. This proposal differs in two ways from that proposal:
- It addresses the user self-operated IdP and Identifier creation where the external IdP is replaced with verifiable credentials.
- It addresses the RP Identity and policy issues. Here the webid element is required at the RP site as well as at other providers of credentials.
- It is clear that there are relatively few public IDPs in use (say, tens), particularly in comparison to the number of RPs (say, millions) and their users (say, billions). A structural change that only requires adoption by IDPs and no changes or engagement on the part of RPs and users is significantly easier compared to redeploying millions of RPs or retraining billions of users.
- Least Disclosure: The data exchange should disclose as little as possible for a use that is as constrained as possible, incrementally increasing the scope of disclosure with additional explicit consent when that's relevant contextually. For example, unbundling overly broad scopes (e.g. unbundling authentication from authorization) into multiple granular steps that are asked independently and incrementally.
- Least Surprise: the data exchange should never have consequences that exceeds the level of consent and user understanding (including second-order consequences). For example, enforcing the use of directed profiles for the majority of the cases prevents unnecessary release of correlation handles.
- Path Dependence: the set of design options we have is limited by the decisions that have been made in up to this point, regardless of whether they are relevant or not. For example, it seems clear that breaking Server-Side Backwards Compatibility increases the deployment window exponentially and proportionally to the number of relying parties.
- User is in Control: the entire proposal should start with the user experience to be sure that the user is able to understand the options so that the user can make good choices.
High Level Identification API
- The browser sends a header value that can be interpreted by "woke" RPs
- User Intent is indicated by a gesture, such as a button click where the button has a clear meaning, like Personal in "woke" RPs UI.
- The browser evaluates the environment, for example:
- Does the web site have a recognizable Identifier? --> this is a new concept introduced with this API (e.g. vid = verifiable ID and a signature to prove it; may require round trip)
- Is the Identifier in a list of enterprises that the user has already established trust? --> If yes, just go through local user authentication steps.
- At this point the user may be presented by choices on which IdP to use, which can include a native app running on the browser. The RP will help with this decision.
- Note that a legacy RP that is not "woke" can just use an existing api. If the IdP is registered with the browser, the new experience can still be invoked.
- If neither the RP nor the IdP is "woke" the experience will not change from before. Eventually this method will be deprecated by new versions of the browser.
- Browser queries IdP, which may be on the device
- Browser asks user for consent to release data.
- If user consents the browser sends the ID token to the RP.
Add new HTTP header Personal, or in the interim x-Personal that will indicate both the capability of the browser and the intentions of the user to engage in the new protocol. This will take the place of an "key" that has to be set in some strange with a browser setting. The value of the personal tag will just be the version number, to start with #0.1".
Changes to RP web page
There are several actions that web sites can take to be "woke" to allowing the user more control of their own identifiers.
- Add the value vid = "URN" that identifies the real-world owner of the web site. It must be an identifiers known in the real-world, like a government, corporation or registered trademark.
Besides the setting the "Private" the user must perform some gesture on a page to initiate the process.
- Other solutions are, of course, possible some might include:
- Automatically select client certificates for these sites. This would give a user a certificate for any site that the user registered for. Mutual Authentication could then be performed and both the user and site well satisfied of the others identity. Unfortunately we have some experience with EV Certs that is less than satisfactory.
- A plugable USB (or NFC) device that contains user sign-in information.