Websites can and do get credentials from mobile wallet apps through a variety of mechanisms today (custom URL handlers, QR code scanning, etc.). This Web Platform feature would allow sites to request identity information from wallets via Android's IdentityCredential CredMan system. It is extensible to support multiple credential formats (e.g. ISO mDoc and W3C verifiable credential) and allows multiple wallet apps to be used. Mechanisms are being added to help reduce the risks of ecosystem-scale abuse of real-world identity.
There are multiple standards efforts involved here. We have been working with WebKit and Mozilla in the WICG on defining this specific API. But the greater interoperability risk will come from the data that is sent and returned via this API. Details of that are still in discussions but mostly driven outside the web browser community in the OpenID Foundation (e.g. OpenID4VP: https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) and ISO (18013-7 "mdoc": https://www.iso.org/standard/82772.html).
There's a possibility that these credentials will be used alongside other types of credentials in the future - such as optionally minting a passkey when a digital credential is used to sign up for a site, or by allowing sign-up with either a digital credential or a federated credential via FedCM. As such we argued it was best to put this work in the context of the Credential Management API. However, there's also a compelling argument that identity claims are much more than "credentials" and should evoke different developer expectations. The agreed-upon compromise was to add a new credential container at 'navigator.identity'.
The primary activation concern is enabling existing deployments using technology like OpenID4VP to be able to also support this API. As such we have left the request protocol unspecified at this layer, to be specified along with existing request protocols to maximize activation opportunity.
See https://github.com/WICG/digital-credentials/blob/main/horizontal-reviews/security-privacy.md and https://github.com/WICG/digital-credentials/issues/115
No
None
None necessary - just new JS API. For testing we may want to add a developer option to provide a fake wallet (as for the devtools fake authenticator for WebAuthn), but this is not urgent.
Android only initially due to the nature of communicating with Android wallet apps. We will be creating another feature soon for "cross-device presentment" which will use the identical API on desktop, but will have a separate intent for that.
| Stage | Milestone |
|---|---|
| OriginTrial Android last | 134 |
| OriginTrial Android first | 128 |
| DevTrial on Android | 119 |
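One way a relying-party page would call the `navigator.identity` container described in the intent, as an added example that is not part of the intent email or of Chromium's own code. The `navigator.identity.get({ digital: { providers } })` call shape, the `protocol`/`data` fields on the result and the OpenID4VP-style request body are assumptions of this example; `https://rp.example` is a placeholder; the fake wallet stands in for the developer-option fake wallet the intent mentions.

```javascript
// Added example, not code from the intent or the Chromium project.
// Assumed API shape: navigator.identity.get({ digital: { providers: [{ protocol, request }] } })
// resolving to an object with `protocol` and `data` (an opaque string).
// The request body is protocol-specific and deliberately opaque to this API layer;
// the OpenID4VP-style JSON below is a constructed sample, not a normative format.

function buildProviderRequest(nonce, clientId) {
  // Envelope seen by the API layer: a protocol name plus an opaque request string.
  // The sample asks an ISO 18013-5 mdoc wallet for one selectively disclosed claim.
  return {
    protocol: 'openid4vp',
    request: JSON.stringify({
      response_type: 'vp_token',
      nonce,               // fresh per request so a captured response cannot be replayed
      client_id: clientId, // placeholder relying-party identifier
      presentation_definition: {
        id: 'age-check',
        input_descriptors: [{
          id: 'mdl',
          format: { mso_mdoc: { alg: ['ES256'] } },
          constraints: {
            limit_disclosure: 'required',
            fields: [{ path: ["$['org.iso.18013.5.1']['age_over_21']"], intent_to_retain: false }],
          },
        }],
      },
    }),
  };
}

async function requestDigitalCredential(nonce, clientId, nav = globalThis.navigator) {
  // Feature-detect the container; without it the page falls back to its existing
  // flow (custom URL handler, QR code) rather than failing.
  if (!nav || !nav.identity || typeof nav.identity.get !== 'function') return { status: 'unsupported' };
  try {
    const cred = await nav.identity.get({ digital: { providers: [buildProviderRequest(nonce, clientId)] } });
    if (!cred) return { status: 'cancelled' };
    // `data` is not trusted client-side: the server verifies issuer signature,
    // device binding and that the presentation is bound to this nonce.
    return { status: 'ok', protocol: cred.protocol, data: cred.data };
  } catch (err) {
    return { status: 'error', name: err && err.name };
  }
}

// Fake wallet for tests (constructed): a navigator stand-in whose get() echoes
// the chosen protocol and the request nonce, like a devtools fake authenticator.
function fakeWalletNavigator() {
  return { identity: { async get(opts) {
    const p = opts.digital.providers[0];
    return { protocol: p.protocol, data: JSON.stringify({ vp_token: 'sample-token', nonce: JSON.parse(p.request).nonce }) };
  } } };
}
```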
LGTM to experiment for 6 milestones from M128 to M133 inclusive.
To view this discussion on the web visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY_t3qqjJ_SpuyXvStGiN9qvKSn4w%2BC2nEbR2tRbwHKm_g%40mail.gmail.com.
It would be good to see a more thorough considered alternatives section in the explainer. It's not immediately clear what (in code) the alternatives would entail.