2023 11 15 Meeting Notes - WICG/digital-credentials GitHub Wiki

2023-11-15 (B Call)

Organizer: Tim Cappalli

Scribe: Rick Byers

Meeting thread on Slack: https://w3ccommunity.slack.com/archives/C05UG0EJUDB/p1699998782734459

Agenda

  • Administrivia
    • Are folks around next week?
    • How about 12/27?
  • Intros from new folks
  • Updates from Blink incubation
    • Anyone prototyping with their wallet or verifier?
  • Google presentation to OWF (slides)
  • Tentative: feedback on the current proposal from the OpenID4VP community
  • New issues:
    • Do any wallets need TLS context from the browser (or app platform)?
  • Older issues:
    • API design should emphasize that sites should request minimal properties, not full identity documents
    • Jevons Paradox
    • Requests for multiple credentials
    • Credential format coexistence
  • Terminology doc
  • AOB

Attendees

  • Rick Byers, Google Chrome
  • Sam Goto, Google Chrome
  • Kristina Yasuda, Microsoft
  • Mike Jones, Independent
  • Lee Campbell, Google Android
  • Helen, Google / Android
  • Tobias Looker, Mattr
  • Marcos Caceres, Apple/Safari
  • David Z, Google Android
  • Tim Cappalli, Microsoft
  • Heather Flanagan (Spherical Cow Consulting)
  • Gareth Oliver, Google
  • Nick Doty, CDT
  • David Zeuthen, Google

Notes

Prototyping

Tobias: on Samsung, it works sometimes, is there something specific about Samsung, where there is a known issue

Helen: I’ve seen this once, but I think it started working again

Tobias:

Tim: does it require Android 14?

Helen/Lee: nope

Google presentation to OWF (slides)

Rick: OWF working on open source wallets

Rick: Some overlap with eidas group

Rick: Generally positive, some of the usual concerns around how much does the browser knows, a lot of people suggesting that Web wallets are critical, issuance APIs, etc. For an MVP, mobile/app only fast followed by Web wallets.

Lee: seemed to go very well, very positive so far … some of those folks may join these calls

Lee: Most people understand the restrictions of custom schemes

Rick: some people interested in understanding whether Apple is going to participate, noted that the explainer is written by an Apple engineer

Do any wallets need TLS context from the browser (or app platform)?

https://github.com/WICG/identity-credential/issues/46

Tobias: the web works on the origin model

Tim: these restrictions don’t quite exist in the context of WebAuthn … if the law says, in order to be a wallet in the EU .. you must be a verified QWAC certificate

Nick: Lee: how are they planning to roll out QWACs?

Tim: it is like any other certificate property

Rick: there is a bunch of details here, laws that browsers would have to comply to operate in the EU

Lee: are we going to deal with multiple certs, or are these typical TLS roots?

Tim: we are asking if browsers can pass along the information … like qwac=true

Nick: hard to say, i don’t know, if that’s not something that the browser is going to present to the user and pass along to the wallet, that could be a misrepresentation risk

Lee: should we maybe just punt on this until we have folks that are more familiar with this part of the regulation so that we have more information?

API design should emphasize that sites should request minimal properties, not full identity documents

https://github.com/WICG/identity-credential/issues/43

Marcos: Nick raises a good point

Nick: we don’t want to convey the message that we are not sharing the entire identity of the user, but rather the most constrained / limited part of the user’s identity we can possibly have.

Marcos:

Tobias: the syntax must always be at a client-level, but not default to requesting more information … e.g. you can’t just ask for everything, you have to specifically name the properties that you want … every syntax they see shows a very specific set of information that is needed, rather than just asking for all

Nick: that seems like a reasonable additional way to accomplish that

Lee: we could say that in order to add your protocol to the list you have to support selective disclosure

Kristina: there are cases where you want

Nick: Kristina: a verifier can technically ask for anything they want …. Mandating selective disclosure ..

Andrew:

Lee: what’s most important to me is that android can build a meaningful credential selector … if verifier can ask for *, then it is harder to display that UI

Tobias: one counter example … so OpenID is a profile scope

Kristina: if it is still the user who makes a decision … we are not preventing verifiers from receiving more claims than that they needed to … isn’t that a legal issue rather than a technical one?

Lee: form an Android POV, I want the specific attributes to show in the UI

Tim: where should the registry be defined?

Sam: before we over-generalize, can someone give me an example of protocols other than OpenID4VP?

Tobias: CCG community has some, not the CHAPI part. Where does a query language stop and protocol begin or are they the same?

Sam: I think the query language is a subset of the whole protocol. Protocol also contains a nonce etc.

Kristina: I agree with what Lee. I'm concerned about people putting query languages just in a http request without a nonce etc. Martijn and Hicham have been asking in ISO group about this. Query should definitely be part of the bigger protocol to enable those protections.

Tim: Is VP request just a "raw" VP request/response?

Tobias: Query by frame in CHAPI. Will add example to terminology doc.

Tim: What is the protocol name for just simple mdoc?

Lee: doesn't exist yet. Mdoc is a format. Maybe the rest protocol?

Sam: I don't know enough about mdocs, but is -7 annex b the equivalent to OpenID4VP?

David: Hard to compare. I guess the rest API is some kind of presentation protocol.I wouldn't even say mdoc is a credential format, we've only defined how to convey it (just transmit, not receive/store).

Gareth: REST API is definitely a protocol, mdoc specific, currently only formatted to work via custom schemes

Tobias: My understanding is wouldn't be REST API or OpenID4VP. Create parts of session layer and session transport to get response back. I just wouldn't call them any of those names to avoid confusion. Could apply the principles to the browser API but should get a new name.

Kristina: We're talking about -7, not -5. Contains REST API, wouldn't want to try to map that to browser API - unclear how. 2nd protocol in -7 is OpenID4VP profile for mdocs. So what exists is OpenID4VP but it's being profiled to be used for different credential formats.

Sam: The reason I'm asking is from an API design perspective we have a registry of protocols. But if it's just containing one thing then it's not a registry. Level of indirection but we expect just one to exist. Or maybe there's a second one? What do we gain with this level of indirection

David: Yeah kind of weird to do it just for one protocol, but it highlights the profile of that protocol - which parts of it apply.

Sam: We're asking ourselves what principles / common things we'd put in the registry. But really hard to come up with principles when we have only one example.

Kristina: 3 things being discussed Using OpenID4VP directly in browser API Designing from scratch API request structure - forget about PE, OpenID4VP etc. Credential Implementation by reference - wallet endpoint? .. Can we reduce

Lee: What's the alternative? If we don't have a registry than W3C needs to define a full protocol. If there's only one today, maybe there will another tomorrow or in 3 years. It unblocks us.

Tobias: When it comes to protocol and query languages - more work to be done to separate them out. I do question what the different layer of abstraction is buying us. If we could resolve them in a browser context it would let us remove an entire layer of abstraction. But it might complicate the API and make it further difficulty to maintain.

Marcos: It would be a worthwhile exercise for us to figure out what are the overlaps. Map them out in parallel. A concern I'm personally hitting on with OpenID4VP, it seems like it's very open to accepting new protocols. What is the value add of having this thing that sits between mdoc and what we're calling protocols. I understand the query language is one thing, but shouldn't mdoc itself define it's own query language?

Kristina: I agree with Tobias. We should be package query language as part of transport protocol. We should treat it as part of OpenID4VP for our purposes here. Marcos, mdocs don't really have a query language. The layer separation here … means OpenID4VP as a transfer protocol that enables different credential formats.

Marcos: I'm worried that by supporting OpenID4VP we'd have to support n number of credential formats, which we don't want to do on the Apple side because it would be a lot of work. We only want to support, hypothetically, one or maybe two maximum. We don't want to be supporting a thing that's open to supporting even 3 or 4 different things

Michael: when you say protocol you mean data format?

Marcos: Yes

Kristina: OpenID4VP defines profiles - mdoc is one, jwot is another

Michael: Agree, we're not going to have 5 viable credential formats.

Marcos: If we can do one, that would be ideal in my world.

Kristina: But as browser API why do you care about this? As long as wallet supports credential format verifier is requesting, as an API you don't really care, do you?

Marcos: Yes because we still need to parse it

Kristina: But that belongs to the transport layer. Your code doesn't change in the browser part.

Marcos: right, but the wallet cares. In the Apple ecosystem it's all the same stack. What format does the wallet itself support. There may be a wallet that supports many, but in an an ideal world there will be only 2 supported formats. That may or may not be realistic.

Kristina: Trust me, we've all tried to convert data formats into one and we've all failed.

Marcos: But we could force that in some way by saying we only support these 2

Kristina: personally I may fully agree, but from a technical level you can still do this with OpenID4VP. You can still limit only to mdocs only for OpenID4VP.

Marcos: Yes but then some jurisdiction decides they want to mandate by law W3C VC. So I'm trying to understand what will be mandated in practice and can we just restrict to that. What is the actual things we need to support in practice?

Tim: Need to get that terminology doc filled out, lots of these things are questions in Sam's doc. Next pacific call we'll spend time on that discussion.

Tim: Will put an update on slack for monday call