Episode 125 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Is W3C's Credentials API the Future?

• Host: Mike Schwartz, Founder/CEO Gluu
• Guest: Dr. Daniel Fett, Security and standardization expert

Channels

• Linkedin Event
• Youtube Video

Description

There's been a lot of noise recently around the potential adoption of the W3C Digital Credentials API for the EUDI Wallet. While some of the issues addressed by this API can be solved in other ways, it is the only option Dr. Daniel Fett sees for solving the cross-device session fixation vulnerability. Join us on the episode to hear why.

Homework

• Cross-Device Session Fixation and how the DC API solves it
• Linkedin discussion
• IOH Episode 37: The Rise of Browser APIs with Sam Goto, Senior Staff Software Engineer - Google Chrome

Takeaways

• ⚡ The problem is phishing: trick a user to interact with an attacker website, and wallet credential presentation can be proxied. Passkeys prevent phishing--but it's limited to one single browser (or device). But with two different devices, you need to somehow connect them--physically. This would prevent any remote browsers from establishing trust.

• ⚡ The clever use of the latptop bluetooth ("BT") beacon to broadcast part of the content used to generate an ephemeral encryption key enables the browser to prove proximity to a different device.

• ⚡ Daniel says: focus on the standards so Europe has options to make their own tech stack later.

• ⚡ Apple only announced support for 18013-7 protocol for DC API with mDOC (and it seems the set of allowed credential types is limited to four: mDL, EU PID, Japan My Number Card, and PhotoID). EUDI Wallet advocates would like to see support for OpenID Verifiable Credentials too. This is a problem, but it can be addressed. The security benefits of browser/operating system integration are too high to delay due to current limited credential optionality.

Diagrams from the episode

Livestream Audio Archive

here