
Intent to Extend Experiment: Digital Credential API


Chromestatus

Jan 14, 2025, 10:23:04 AM
to blin...@chromium.org, go...@chromium.org, ma...@chromium.org, rby...@chromium.org

Contact emails

rby...@chromium.org, go...@chromium.org, ma...@chromium.org

Explainer

https://github.com/WICG/digital-credentials/blob/main/explainer.md

Specification

https://wicg.github.io/digital-credentials

Summary

Websites can and do get credentials from mobile wallet apps through a variety of mechanisms today (custom URL handlers, QR code scanning, etc.). This Web Platform feature would allow sites to request identity information from wallets via Android's IdentityCredential CredMan system. It is extensible to support multiple credential formats (e.g. ISO mDoc and W3C verifiable credential) and allows multiple wallet apps to be used. Mechanisms are being added to help reduce the risk of ecosystem-scale abuse of real-world identity (see https://docs.google.com/document/u/1/d/1L68tmNXCQXucsCV8eS8CBd_F9FZ6TNwKNOaFkA8RfwI/edit).



Blink component

Blink>Identity>DigitalCredentials

TAG review

Mozilla feedback from Martin (also on the TAG) suggests we need to invest more in the threat model for the larger space and clarify specific privacy mitigations before shipping or requesting TAG review.

TAG review status

Pending

Origin Trial Name

Digital Credentials API

Chromium Trial Name

WebIdentityDigitalCredentials

Origin Trial documentation link

https://wicg.github.io/digital-credentials

WebFeature UseCounter name

kIdentityDigitalCredentials

Risks



Interoperability and Compatibility

There are multiple standards efforts involved here. We have been working with WebKit and Mozilla in the WICG on defining this specific API. But the greater interoperability risk will come from the data that is sent and returned via this API. Details of that are still in discussions but mostly driven outside the web browser community in the OpenID Foundation (e.g. OpenID4VP: https://openid.net/specs/openid-4-verifiable-presentations-1_0.html) and ISO (18013-7 "mdoc": https://www.iso.org/standard/82772.html).



Gecko: Negative (https://github.com/mozilla/standards-positions/issues/1003) We share most of Mozilla's concerns and continue to work with them (and the broader community) on mitigations. I believe we feel greater risk for the established practice of custom schemes becoming prevalent than Mozilla does (e.g. due to Google being mandated by eIDAS regulation to accept EUDI credentials).

WebKit: In development (https://github.com/WebKit/standards-positions/issues/332) WebKit implementation progress: https://bugs.webkit.org/show_bug.cgi?id=268516

Web developers: No signals

Other signals: This work in the W3C PING is relevant: https://github.com/w3cping/credential-considerations/

Ergonomics

There's a possibility that these credentials will be used alongside other types of credentials in the future - such as optionally minting a passkey when a digital credential is used to sign up for a site, or by allowing sign-up with either a digital credential or a federated credential via FedCM. As such we argued it was best to put this work in the context of the Credential Management API, and hence the support is added in the 'navigator.identity.get()' API.



Activation

The primary activation concern is enabling existing deployments using technology like OpenID4VP to be able to also support this API. As such we have left the request protocol unspecified at this layer, to be specified along with existing request protocols to maximize activation opportunity.



Security

See https://github.com/WICG/digital-credentials/blob/main/horizontal-reviews/security-privacy.md and https://github.com/WICG/digital-credentials/issues/115



WebView application risks

Does this intent deprecate or change behavior of existing APIs, such that it has potentially high risk for Android WebView-based applications?



Goals for experimentation



Reason this experiment is being extended

I'd like to request permission to extend an OT for this API. The experiment has been running for Android only so far, but in the meanwhile: 1- There has been progress on the spec https://wicg.github.io/digital-credentials/ and it is expected to graduate to the FedID WG soon. 2- We have added Desktop cross-device support. Therefore, we are requesting the extension.



Ongoing technical constraints

None



Debuggability

None necessary - just new JS API. For testing we may want to add a developer option to provide a fake wallet (as for the devtools fake authenticator for WebAuthn), but this is not urgent.



Will this feature be supported on all six Blink platforms (Windows, Mac, Linux, ChromeOS, Android, and Android WebView)?

No

Android and Desktop Only



Is this feature fully tested by web-platform-tests?

Yes

https://wpt.fyi/results/digital-credentials?label=master&label=experimental&aligned



DevTrial instructions

https://github.com/WICG/digital-identities/wiki/HOWTO%3A-Try-the-Prototype-API-in-Chrome-Android

Flag name on about://flags

web-identity-digital-credentials

Finch feature name

WebIdentityDigitalCredentials

Requires code in //chrome?

True

Tracking bug

https://issues.chromium.org/issues/40257092

Launch bug

https://launch.corp.google.com/launch/4268575

Estimated milestones

Origin trial desktop first 134
Origin trial desktop last 139
Origin trial extension 1 end milestone 139
Origin trial Android first 128
Origin trial Android last 133
DevTrial on Android 119


Link to entry on the Chrome Platform Status

https://chromestatus.com/feature/5166035265650688?gate=5119315604668416

Links to previous Intent discussions

Intent to Prototype: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAL9PXLx3sHWmdE-ikAEDay_S3ijf0%2BfxB_LbsuOx8YJx%2BZA7%2Bg%40mail.gmail.com
Intent to Experiment: https://groups.google.com/a/chromium.org/d/msgid/blink-dev/CAFUtAY-421uDmu2WNDBG5bYRSWAhfmahsHPVjDwN5NLkUdCkvw%40mail.gmail.com


This intent message was generated by Chrome Platform Status.

Mike Taylor

Jan 14, 2025, 10:31:11 AM
to Chromestatus, blin...@chromium.org, go...@chromium.org, ma...@chromium.org, rby...@chromium.org

Hi Sam,

Can you clarify what milestones you're requesting the extension for? Is it 134 to 139?

I see evidence of substantial progress which is great, but an OT can only be renewed for up to 3 milestones.

thanks,
Mike

--
You received this message because you are subscribed to the Google Groups "blink-dev" group.
To unsubscribe from this group and stop receiving emails from it, send an email to blink-dev+...@chromium.org.
To view this discussion visit https://groups.google.com/a/chromium.org/d/msgid/blink-dev/6786814c.2b0a0220.1b83ac.051d.GAE%40google.com.

Mike Taylor

Jan 14, 2025, 10:58:06 AM
to Mohamed Amir Yosef, Chromestatus, blin...@chromium.org, go...@chromium.org, rby...@chromium.org

Thanks - LGTM to extend from M134 to M136.

On 1/14/25 10:41 AM, Mohamed Amir Yosef wrote:
Hi Mike,

Thank you for the prompt response, and I am sorry for the confusion, I thought an extension for up to 6 milestones is possible.

The OT expires in 133, so I would like to extend it to 136.

Thank you,
Mohamed

Mohamed Amir Yosef

Jan 14, 2025, 11:12:06 AM
to Mike Taylor, Chromestatus, blin...@chromium.org, go...@chromium.org, rby...@chromium.org
Hi Mike,

Thank you for the prompt response, and I am sorry for the confusion, I thought an extension for up to 6 milestones is possible.

The OT expires in 133, so I would like to extend it to 136.

Thank you,
Mohamed


Rick Byers

Jan 14, 2025, 12:17:04 PM
to Mike Taylor, Mohamed Amir Yosef, Chromestatus, blin...@chromium.org, go...@chromium.org
Whoops, I'm very embarrassed to admit that I told Mohamed that he could request a renewal for 6 milestones. Sorry, my bad! I expect we'll likely need one more renewal before shipping, but we've got a bunch of progress we anticipate on the specification so hopefully it won't be controversial when we get there.

Thank you for the approval for 3 more milestones!

Rick

Mohamed Amir Yosef

Feb 3, 2025, 2:14:25 PM
to blink-dev, Rick Byers, Mohamed Amir Yosef, Chromestatus, blin...@chromium.org, Sam Goto, Mike Taylor
This is now enabled for OT on Win/Mac (starting 134), in addition to Android, which has already been enabled.

Thank you!


Mohamed Amir Yosef

Feb 4, 2025, 6:22:28 AM
to blink-dev
This is now enabled for OT on Linux and ChromeOS as well.
