├── .github
├── CODEOWNERS
├── PULL_REQUEST_TEMPLATE.md
└── workflows
│ ├── gh-pages.yml
│ └── tidy.yml
├── .gitignore
├── .pr-preview.json
├── CONTRIBUTING.md
├── LICENSE.md
├── README.md
├── custom-schemes.md
├── explainer.md
├── horizontal-reviews
└── security-privacy.md
├── index.html
├── proposals
├── digital-credential-proposal.md
├── digital-credentials-2-proposal.md
├── identity-credential-proposal.md
├── mobile-document-request-api-proposal.md
├── navigator-identity-proposal.md
└── structure.svg
├── resources
├── DigitalCredentialsAPI-Layering-v20240301.pdf
└── IdentityCredentialAPI-Layering-2023.pdf
├── tidyconfig.txt
└── w3c.json
/.github/CODEOWNERS:
--------------------------------------------------------------------------------
1 | /.github/ @marcoscaceres
2 | index.html @w3c-fedid/dc-editors
3 |
--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | Closes #???
2 |
3 | The following tasks have been completed:
4 |
5 | - [ ] Modified Web platform tests (link)
6 |
7 | Implementation commitment:
8 |
9 | - [ ] WebKit (link to issue)
10 | - [ ] Chromium (link to issue)
11 | - [ ] Gecko (link to issue)
12 |
13 | Documentation and checks
14 |
15 | - [ ] Affects privacy
16 | - [ ] Affects security
17 | - [ ] Pinged MDN
18 | - [ ] Updated Explainer
19 | - [ ] Updated digitalcredentials.dev
20 |
21 |
--------------------------------------------------------------------------------
/.github/workflows/gh-pages.yml:
--------------------------------------------------------------------------------
1 | # Simple workflow for deploying static content to GitHub Pages
2 | name: Deploy static content to Pages
3 |
4 | on:
5 | # Runs on pushes targeting the default branch
6 | push:
7 | branches:
8 | - main
9 | paths:
10 | - 'index.html'
11 | - 'w3c.json'
12 |
13 | # Allows you to run this workflow manually from the Actions tab
14 | workflow_dispatch:
15 |
16 | # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
17 | permissions:
18 | contents: read
19 | pages: write
20 | id-token: write
21 |
22 | # Allow only one concurrent deployment, skipping runs queued between the run in-progress and latest queued.
23 | # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
24 | concurrency:
25 | group: "pages"
26 | cancel-in-progress: false
27 |
28 | jobs:
29 | # Single deploy job since we're just deploying
30 | deploy:
31 | environment:
32 | name: github-pages
33 | url: ${{ steps.deployment.outputs.page_url }}
34 | runs-on: ubuntu-latest
35 | steps:
36 | - name: Checkout
37 | uses: actions/checkout@v4
38 | - name: Setup Pages
39 | uses: actions/configure-pages@v5
40 | - name: Upload artifact
41 | uses: actions/upload-pages-artifact@v3
42 | with:
43 | # Upload entire repository
44 | path: '.'
45 | - name: Deploy to GitHub Pages
46 | id: deployment
47 | uses: actions/deploy-pages@v4
48 |
--------------------------------------------------------------------------------
/.github/workflows/tidy.yml:
--------------------------------------------------------------------------------
1 | name: Tidy document
2 | on:
3 | workflow_dispatch: {}
4 | push:
5 | branches:
6 | - main
7 | paths:
8 | - 'index.html'
9 |
10 | jobs:
11 | tidy:
12 | name: Tidy up
13 | runs-on: macos-latest
14 | steps:
15 | - uses: actions/checkout@v4
16 | - run: brew install tidy-html5
17 | - run: tidy -config tidyconfig.txt -o index.html index.html
18 | - uses: peter-evans/create-pull-request@v6
19 | with:
20 | title: "Tidied up document using tidy-html5"
21 | commit-message: "chore: tidy up index.html"
22 | branch: html-tidy
23 |
--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | # Created by https://www.toptal.com/developers/gitignore/api/macos,windows
2 | # Edit at https://www.toptal.com/developers/gitignore?templates=macos,windows
3 |
4 | ### macOS ###
5 | # General
6 | .DS_Store
7 | .AppleDouble
8 | .LSOverride
9 |
10 | # Icon must end with two \r
11 | Icon
12 |
13 |
14 | # Thumbnails
15 | ._*
16 |
17 | # Files that might appear in the root of a volume
18 | .DocumentRevisions-V100
19 | .fseventsd
20 | .Spotlight-V100
21 | .TemporaryItems
22 | .Trashes
23 | .VolumeIcon.icns
24 | .com.apple.timemachine.donotpresent
25 |
26 | # Directories potentially created on remote AFP share
27 | .AppleDB
28 | .AppleDesktop
29 | Network Trash Folder
30 | Temporary Items
31 | .apdisk
32 |
33 | ### macOS Patch ###
34 | # iCloud generated files
35 | *.icloud
36 |
37 | ### Windows ###
38 | # Windows thumbnail cache files
39 | Thumbs.db
40 | Thumbs.db:encryptable
41 | ehthumbs.db
42 | ehthumbs_vista.db
43 |
44 | # Dump file
45 | *.stackdump
46 |
47 | # Folder config file
48 | [Dd]esktop.ini
49 |
50 | # Recycle Bin used on file shares
51 | $RECYCLE.BIN/
52 |
53 | # Windows Installer files
54 | *.cab
55 | *.msi
56 | *.msix
57 | *.msm
58 | *.msp
59 |
60 | # Windows shortcuts
61 | *.lnk
62 |
63 | # End of https://www.toptal.com/developers/gitignore/api/macos,windows
--------------------------------------------------------------------------------
/.pr-preview.json:
--------------------------------------------------------------------------------
1 | {
2 | "src_file": "index.html",
3 | "type": "respec",
4 | "params": {
5 | "force": 1
6 | }
7 | }
8 |
9 |
--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
1 | # Digital Credentials: Federated Identity on the Web Working Group
2 |
3 | This repository is being used for work in the W3C Federated Identity on the Web Working Group, governed by the [W3C Patent Policy](http://www.w3.org/Consortium/Patent-Policy-20040205/) and
4 | [Spftware and Document License](https://www.w3.org/copyright/software-license-2023/). To contribute, you must
5 | either participate in the relevant W3C Working Group or make a [non-member patent licensing
6 | commitment](https://www.w3.org/policies/process/#contributor-license).
7 |
8 |
9 | If you are not the sole contributor to a contribution (pull request), please identify all
10 | contributors in the pull request comment.
11 |
12 | To add a contributor (other than yourself, that's automatic), mark them one per line as follows:
13 |
14 | ```
15 | +@github_username
16 | ```
17 |
18 | If you added a contributor by mistake, you can remove them in a comment with:
19 |
20 | ```
21 | -@github_username
22 | ```
23 |
24 | If you are making a pull request on behalf of someone else but you had no part in designing the
25 | feature, you can remove yourself with the above syntax.
26 |
--------------------------------------------------------------------------------
/LICENSE.md:
--------------------------------------------------------------------------------
1 | All Reports in this Repository are licensed by Contributors
2 | under the
3 | [W3C Software and Document License](http://www.w3.org/Consortium/Legal/2015/copyright-software-and-document).
4 |
5 | Contributions to Specifications are made under the
6 | [W3C CLA](https://www.w3.org/community/about/agreements/cla/).
7 |
8 | Contributions to Test Suites are made under the
9 | [W3C 3-clause BSD License](https://www.w3.org/Consortium/Legal/2008/03-bsd-license.html)
10 |
11 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
1 | # Digital Credentials
2 |
3 | 📄 [Digital credentials explainer](explainer.md) and [draft spec](https://w3c-fedid.github.io/digital-credentials/).
4 |
5 | This draft (migrated to the Federated Identity on the Web WG in April 2025) specifies an API for user agents that would mediate access to, and representation of, verifiably-issued digital credentials.
6 |
7 | These identities can range from government-issued documents, such as driver's licenses and passports, to start with, to other credential types, potentially in the future.
8 |
9 | [Digital Credentials](https://w3c-fedid.github.io/digital-credentials/) builds upon [Credential Management](https://www.w3.org/TR/credential-management-1/) to enable the secure and private exchange of digital identity information. It facilitates authenticated interactions by representing digital credentials through the `DigitalCredential` interface, which embodies verifiable claims about an individual's identity.
10 |
11 | ## Scope
12 |
13 | This project covers the requesting mechanisms for digital credentials, including secure presentation aspects. It does not yet encompass the issuance process for establishing a digital identity nor UI/UX considerations beyond privacy aspects related to data protection during the request process.
14 |
15 | ## Trying out the API
16 |
17 | **🚧 Note: The API is still extremely unstable and undergoing a lot of changes (almost daily!). 🚧**
18 |
19 | However, if you want to try it out:
20 |
21 | - [Try out the API in Chrome](https://digitalcredentials.dev/docs/requirements/)
22 |
23 | ## Contributing
24 |
25 | This is a draft (migrated to the Federated Identity on the Web WG in April 2025) under development. Contributions, feedback, and discussions are highly encouraged to refine and enhance the API specification.
26 | Join the WG to help us in shape the future of digital identity management on the web.
27 |
28 | ### Weekly Meetings
29 |
30 | - Slack ["fedid-wg"](https://app.slack.com/client/T010EGK9PQE/C06RR5RQUDT) in W3C Community instance.
31 | - [Meeting notes](https://github.com/w3c-fedid/meetings)
32 | - [Calendar](https://www.w3.org/groups/wg/fedid/calendar/)
33 | - [Agenda doc](https://docs.google.com/document/d/1Sq9tjh4Hv887Mzjoor-ZauXJ1glq6MCdjTsyUYNHjWA/)
34 |
35 | ## Initial proposals
36 |
37 | The initial proposals have been moved to the proposals folder. They are still available as historical references.
38 |
--------------------------------------------------------------------------------
/custom-schemes.md:
--------------------------------------------------------------------------------
1 | # Concerns with custom schemes for identity presentment
2 |
3 | Existing specifications like [OpenID4VP](https://openid.net/specs/openid-4-verifiable-presentations-1_0.html#name-wallet-invocation) and [ISO 18013-7](https://www.iso.org/standard/82772.html) currently define the use of custom URL schemes (eg. `openid4vp:` and `mdoc:`) to enable verifier websites to invoke holder (wallet) applications. This approach works in some scenarios, but has a number of problems we aim to solve by designing a browser API which can replace the use of custom URL schemes in these specifications. This DRAFT document aims to outline the questions and concerns with the use of custom URL schemes for identity presentment in order to provide more detail on potential benefits of a dedicated browser API.
4 |
5 | ## Can wallets reliably determine their invoker?
6 |
7 | - Android and iOS offer no facility to determine the web origin which triggered a navigation to a custom URL scheme.
8 | - This seems to increase the opportunity for attacks such as replay attacks, man-in-the-middle attacks and phishing. It also seems to limit the opportunity for abuse detection and prevention.
9 | - A browser API can securely pass the requesting origin on to the wallet so that the wallet can know with confidence what origin the user was on when the request was initiated.
10 |
11 | ## Can wallets limit requests to secure contexts?
12 |
13 | - If a user uses a website via http (not https) and it invokes a custom scheme, it's possible that an attacker with access to the network could eavesdrop on or even modify the request (such as by replacing the verifier's public key with their own).
14 | - A browser API could (and almost certainly should) take the position that it will function only within the context of a secure context (https).
15 |
16 | ## User experience concerns
17 |
18 | ### What is the user experience when the wallet has completed?
19 |
20 | - After launching an application via a custom URL scheme, mobile operating systems don't provide a mechanism for switching back to the invoking application / browser tab.
21 | - Wallet applications may choose to start a new navigation to a new web page to complete the journey, but that can be slow and jarring, may not open in the same browser the user was originally using, and leaves a "dead tab" behind.
22 | - Alternatively wallet applications could rely on the user manually switching back to the browser application they were in, but that can be hard to communicate to users and risks the web page being reloaded due to mobile operating system memory management facilities, and therefore risks user abandomment.
23 | - A browser API can ensure the original webpage remains resident during the wallet application and seamlessly return to it with the credential data.
24 |
25 | ### What is the user experience when multiple wallet apps are installed?
26 |
27 | - When multiple Android applications register for the same custom URL scheme, the operating system presents the user with a picker every time that scheme is invoked. Even if the verifier provides the user with appropriate context, a user may have trouble remembering which application has which credentials and so be more likely to cancel or fail the request.
28 | - On iOS, when multiple applications are installed that register for the same custom URL scheme, the behavior is [undefined](https://stackoverflow.com/questions/13130442/multiple-apps-with-the-same-url-scheme-ios). At present, one indeterminate wallet will be invoked without any indication that other wallets were available.
29 |
30 | ### What is the user experience when no wallet app is installed or when the user cancels wallet invocation?
31 |
32 | - Browsers generally silently ignore navigation to URL schemes with no handler installed. This likely means a website cannot distinguish between nothing happening while waiting for a wallet to process a request and nothing happening because no wallet app is installed.
33 | - Additionally browsers on Android and iOS often offer the user the choice of whether or not to invoke an application for a custom URL scheme navigation (even if there is only one such app). The user canceling at this stage is also indistinguishable from no valid application being installed.
34 | - A browser-based API could show the user some meaningful error message when no relevant wallets are installed.
35 |
36 | ### What is the user experience on a desktop operating system?
37 |
38 | - Most wallet applications exist only as mobile applications, and users are generally reluctant if not unable (due to enterprise security settings, for instance) to install native applications on desktop operating systems. What fallback will flows relying on custom URL schemes provide for users of desktop operating systems?
39 | - A browser-based API can potentially provide low-friction integration between a desktop browser and a wallet application running on a mobile phone or a website that provides an in-browser wallet experience on the same device.
40 |
41 | ### Friction and app switching
42 |
43 | - Opening a custom URL scheme will launch an entirely new application, which can be jarring for users, taking them out of the flow of the journey they were trying to complete on a website. This risks abandonment, and so is a disincentive for verifiers to invoke the flow.
44 | - A browser API could integrate with the operating system to provide a less jarring wallet overlay on top of the web page, keeping the user feeling in flow with the site's experience.
45 |
46 | ## What are the privacy implications of a wallet accepting custom schemes?
47 |
48 | - [Android aims](https://developer.android.com/training/package-visibility) to keep the list of installed applications private from other applications, but this capability is reduced for applications which handle arbitrary intents like custom URL schemes. By registering to support custom URL schemes, a wallet application may effectively be leaking PII (such as the user's likely citizenship status or state of residency) to other applications on the device.
49 | - A purpose-built OS API for wallet invocation (on top of which a browser API would be built) can avoid any such information leakage.
50 |
51 | ## How can users be assured that they have control over where their personal information is shared?
52 |
53 | - A buggy or poorly designed wallet application may store or transmit sensitive information about the user (such as which website(s) the user was visiting and when) without necessarily ensuring the user has provided informed consent. Malicious websites may exploit bugs in wallets to cause them to leak information without requiring any consent from the user. Wallets and credentials may come from any source, but users will expect their operating systems and browsers to protect their privacy from buggy or malicious wallet applications.
54 |
55 |
56 |
57 | Due to these concerns, Google Chrome has [proposed](https://groups.google.com/a/chromium.org/g/blink-dev/c/wcCrcMTELS0/m/ZSPxAT0LAgAJ) blocking website access to specific high-risk custom URL schemes, and instead invoking wallets via a browser-mediated API. Anyone interested in contributing to the design of such an API is encouraged to join the W3C's [Web Incubator Community Group](https://www.w3.org/community/wicg/) and contribute to the [Identity Credential proposal](https://github.com/WICG/identity-credential/). While websites will likely always be able to communicate directly with wallet applications in some fashion, it is the group's hope that a browser-based API can be designed which is a better option for wallets and verifiers, and which also provides users with confidence in having their sensitive identity information potentially exposed to websites they visit.
58 |
--------------------------------------------------------------------------------
/explainer.md:
--------------------------------------------------------------------------------
1 | # Digital Credentials API
2 |
3 | Government recognized digital credentials (e.g. driver’s licenses) are being increasingly utilized on the web. We propose a deliberate and flexible API to enable browsers to continuously improve the balance of benefits and risks for users and the entire online community.
4 |
5 | # Why?
6 |
7 | Government-recognized documents play a big and constructive role in society (e.g., drivers licenses, passports, etc.). Increasingly, with the movement of government and financial services online, and regulation (e.g. [eIDAS](https://en.wikipedia.org/wiki/EIDAS) and various [age verification regulations](https://en.wikipedia.org/wiki/Age_verification_system)), these paper-based documents are gaining digital counterparts
8 |
9 | Along with all of their potential from the physical world, the presentation of government recognized digital credentials also brings their associated risks of abuse, such as the potential for an increase in [surveillance](https://github.com/w3cping/credential-considerations/blob/main/credentials-considerations.md#no-phoning-home), [censorship](https://github.com/w3cping/credential-considerations/blob/main/risks.md#censorship-and-reduction-in-access-to-free-information), [discrimination](https://github.com/w3cping/credential-considerations/blob/main/credentials-considerations.md#free-expression), and intrusion to the online world.
10 |
11 | The most recent online presentation protocols (e.g. [OpenID4VP](https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html)) and regulations (e.g. eIDAS) were designed around a Web that lacked the intentional support for such a critical task; depending instead on general purpose primitives such as custom schemes. Unfortunately, the use of [custom schemes](https://github.com/WICG/digital-identities/blob/main/custom-schemes.md#concerns-with-custom-schemes-for-identity-presentment) left us with two problems:
12 |
13 | Because custom schemes can be largely opaque to user agents, they substantially limit the user agent’s ability to exercise its agency in reducing the risk of abuse. Users rely on their browser to help provide transparency and control over the use of their data. From the subtle, like providing [UI](https://chromium.googlesource.com/chromium/src/+/HEAD/docs/security/url_display_guidelines/url_display_guidelines.md) [cues](https://blog.chromium.org/2023/05/an-update-on-lock-icon.html) as to the privacy and security risks of various operations. To the more severe, like [warning](https://blog.google/products/chrome/google-chrome-safe-browsing-real-time/) about interacting with known phishing sites.
14 |
15 | Even in highly-regulated and non-abusive use cases (e.g. eIDAS), custom schemes have [security](https://github.com/WICG/digital-identities/blob/main/custom-schemes.md#can-wallets-limit-requests-to-secure-contexts) and [privacy](https://github.com/WICG/digital-identities/blob/main/custom-schemes.md#what-are-the-privacy-implications-of-a-wallet-accepting-custom-schemes) risks, as well as a series of suboptimal [user experiences. We posit that these limitations](https://github.com/WICG/digital-identities/blob/main/custom-schemes.md#user-experience-concerns) can be addressed by a purpose-built browser API. While some have reasonably argued that these limitations will slow-down and limit the deployment (and so, the abuse) of such technology, it seems more advantageous to rely on intentional design choices to manage this tradeoff than such accidents.
16 |
17 | In the pursuit of establishing a standard for web-based identity sharing, it is paramount that we not only strive for ease of use but also exercise utmost caution to uphold high standards of security and privacy. This is essential to safeguard users from potential identity theft and ensure they are fully informed about the implications of online identity sharing before providing their consent. We firmly believe that relying on a browser API and the mobile platform is the most reliable approach for identity digital credentials to be shared securely online.
18 |
19 |
20 | # What?
21 |
22 | First we must acknowledge, architecturally, that this is a rapidly evolving space with a large number of moving parts at various different levels of maturity. Users, regulations (e.g. eIDAS), wallets, verifiers, issuers, formats (e.g. [ISO mDocs](https://www.iso.org/obp/ui/en/#iso:std:iso-iec:18013:-5:ed-1:v1:en) and [W3C VCs](https://verifiablecredentials.dev/), just to name a few) and protocols (e.g. [OpenID4VP](https://openid.github.io/OpenID4VP/openid-4-verifiable-presentations-wg-draft.html), ISO REST’s API, [VC API](https://github.com/w3c-ccg/vc-api)), operating systems and browsers (e.g. evolving mitigation strategies, for [example](https://docs.google.com/document/d/1L68tmNXCQXucsCV8eS8CBd_F9FZ6TNwKNOaFkA8RfwI/edit#heading=h.8gq5f7p3it8q)) are all still in various stages of formation and need the space and autonomy to evolve efficiently.
23 |
24 | So, to the extent that we can, it is important to leave levels of indirections that would allow us to extend the API without having to redesign it. Sometimes, extensibility, autonomy (eg. of different standards bodies) and the ability/incentives of ecosystem adoption are in tension with other goals, such as the user’s privacy and security, so we often have to find a good and principled balance (e.g. more often than not, [users first, developers second, and browser engines third](https://www.w3.org/TR/design-principles/#priority-of-constituencies), guides our choices at the W3C).
25 |
26 | To balance this tension we propose an API with the following key properties:
27 |
28 | - By separating the act of requesting from the specific protocol, we can enable flexibility and adaptability in both the protocol and credential formats. This way, the pace of changes in browsers won't hinder progress or block new developments.
29 | - Require request transparency, enabling user-agent inspection for risk analysis
30 | - Assume response opacity (encrypted responses), enabling verifiers and holders to control where potentially sensitive PII is exposed
31 | - Websites cannot access any information without user interaction. This API ensures that sites cannot silently query for digital credentials or communicate with wallet providers without the user's active participation and confirmation of each action.
32 |
33 | At its core, the API is designed for a website ("verifier") to [transparently](https://github.com/w3cping/credential-considerations/blob/main/credentials-considerations.md#in-context-explanations) request the [selective disclosure](https://github.com/w3cping/credential-considerations/blob/main/credentials-considerations.md#selective-disclosure) of attributes from (issued) digital credentials that were provisioned - ahead of time - to wallets ("holders"), in a manner that is seamlessly compatible with existing architectural choices (such as [OpenID4VP integration](https://github.com/openid/OpenID4VP/issues/125)).
34 |
35 | Here is an example of how the the API might be used in practice:
36 |
37 | The API needs to be initiated through a user gesture, such as a button click:
38 |
39 | ```html
40 |