Episode 164 - GluuFederation/identerati-office-hours GitHub Wiki

Title: Why not a Passkey-based Wallet?

• Host: Mike Schwartz, Founder/CEO Gluu
• Guest: Leif Johansson, Technologist SIROS Foundation

Channels

• Linkedin Event
• Youtube Video

Description

Most people think of wallets as a mobile phone-based construct, but a new "web wallet" called wwWallet has emerged as one of the leading solutions in the EU digital identity wallet pilots, where the primary security device is a passkey or a webauthn token. It turns out you can do a lot with the browser--even in-person proximity flows. The need for native device API access is very small--passkeys do almost everythign needed by a wallet. In this livestream, we'll discuss some of the challenges, including selective disclosure and trust models.

Homework

• wwWallet GithuB Project
• Siros Foundation
• Notes from IIW 41 Session "Platform-independent Identity Wallets"

Takeaways

• ⚡ wwWallet enables you to restore your wallet from either a passkey or hardware security key -- to any browser. This lets people choose how much security they need, e.g. is iCloud keychain secure enough, or do they need this key on a physical hardware token? It also moves the crypto to the edge of the network--where it can scale. We can't have thousands of 99.999% HSMs running in the cloud to support identity presentation for all European citizens.

• ⚡ Isolated Web Apps ("IWA") in Chromium treat a web app like signed software, not a live website--it's more like a software distribution that can support attestations about integrity served from a certain origin. This is an interesting property for a wallet, where the RP has to trust not only the assertion from the issuer, but the credential protection properties of the wallet.

• ⚡ wwWallet is working on Zero Knowledge Proofs for selective disclosure using Google's Longfellow ZK mechanism. JS doesn't have enough crypto to accomplish this, so they plan to use web assembly (WASM) to support cross platform wallets.

• ⚡ Yubico is advocating  FIDO Alliance to add something called the "Rule Signing Extension". With asynchronous remote key generation and rule signing your security key could become a mini HSM--it would allow you to do hardware tested signatures and asymmetric key generation in a way that gives you very strong unlinkability properties, use Bitcoin extension number 32 (BIP 32). Stay tuned!

Livestream Audio Archive

here