DRAFT Web Identity Working Group Charter

This document was a draft for informal review. It led to the chartering of a separate Web Cryptography Working Group.

For informal discussion of Web identity work ideas, send comments and subscribe to public-identity@w3.org (public archives).

The mission of the Web Identity Working Group, part of the Security Activity, is to provide specifications to enable an improved and secure experience around identity on the Web, including multiple personae and private browsing on the Web.

Join the Web Identity Working Group.

End date	30 November 2013
Confidentiality	Proceedings are Public
Chairs	@@ (@@) @@ (@@)
Team Contacts	Harry Halpin (FTE %: @@)
Usual Meeting Schedule	Teleconferences: topic-specific calls may be held, normally weekly. Face-to-face: We will meet during the W3C's annual Technical Plenary week; other additional F2F meetings may be scheduled

Scope

The mission of the Web Identity Working Group is to provide Web developers secure and uniform access to elementary cryptographic operations, session state information, and authentication credentials for devices like browsers. We also will enable cross-device identity synchronization across these environments. These specifications will application programming interfaces (APIs) and, if necessary, formats.

The Web Identity Working Group deliverables must address issues of accessibility, internationalization, mobility, security, and privacy. This group will strive to make its work compatible with existing server-side identity solutions including SAML, OpenID, and OAuth and will focus on increasing uniform support for asymmetric cryptography amongst browsers and in existing solutions although password-based (symmetric) systems should be supported.

The Web Identity Working Group should aim to produce specifications that have wide deployment amongst end-users, and so should work carefully with as many major implementers as possible. The Web Identity Working Group should adopt, refine and when needed, extend, existing practices and community-driven draft specifications when possible. The identity work should integrate well with Web Applications and so should be developed in concert with Web Application developers and the Web Application and HTML Working Groups. Comprehensive test suites will be developed for each specification to ensure interoperability, and the Working Group will assist in the production of interoperability reports.

Success Criteria

In order to advance to Proposed Recommendation, each specification is expected to have two independent implementations of each of feature defined in the specification.

Deliverables

Recommendation-Track Deliverables

The working group will deliver at least the following:

Cryptography API

Commonly-used cryptographic primitives should be made available to web application developers via a standardized API to facilitate common operations such as asymmetric encryption key pair generation, encryption, and generation, as well as symmetric encryption, hashing, and signature verification. This work can be based upon DOMCrypt, which has already been discussed in the W3C WebApps WG, HTML WG, and IETF Web Security WG.
Web Identity Sync

This specification should specify how web application developers can synchronize of identity information across multiple devices like browsers. Synchronization should also work in the "Cloud" to support legacy browsers. Anonymous identities (i.e. an "empty" identity) and multiple identities should be supported. When possible, commonly used data-formats should be re-used and the design should take advantage of existing work such as Mozilla Sync.
Identity API

This specification should specify how web application developers access session-state information and authentication credentials to enable functionality such as easier sign-on to services. This API will build upon existing work such as the Verified Email and Session Description Protocols (BrowserID), BrowserAuth, and may optionally propose possible changes to HTML to the HTML WG as well as specify transfer of identity-related data.

Each specification must contain a section detailing any known security implications for implementors, Web authors, and end users. The Web Identity WG will actively seek an open security review on all its specifications.

To increase the convenience and security of deployment, these specifications may interact will take into account existing platform and operating system identity managers and so additional informative work in this area may be necessary.

Other Deliverables

Additionally, the Web Identity Working Group has the goal to improve the deployment of secure and privacy-respecting identity on the Web through outreach and interaction with the larger identity eco-system and by participating in both industry and government-led joint efforts with other organizations in the identity eco-system. So other non-normative documents may be created such as:

Test suites for each specification;
Primer or Best Practice documents to support web developers when designing applications dealing with identity;
Use-case documents or sections explaining the use-cases and requirements of Recommendation-track specifications

Milestones
Specification	FPWD	LC	CR	PR	Rec
Note: The group will document significant changes from this initial schedule on the group home page.
Cryptography API	December 2011	February 2012	July 2012	September 2012	November 2012
Web Identity Sync	March 2012	September 2012	March 2011	August 2012	October 2013
Identity API	March 2012	September 2012	March 2011	August 2012	October 2013

Milestones

The production of the deliverables depends upon the resources available, and will change as new information and implementation experience is reported to the group. The most up-to-date timeline is available from the Web WG Publication Status page.

Dependencies and Liaisons

HTML Working Group

To co-ordinate with any identity-specific features that may need to be added to HTML in order to better enable identity managers in browsers such as a proposals for session-specific form markup.

Web Applications Working Group

To co-ordinate with APIs and features around building Web Applications

Device APIs and Policy Working Group

To coordinate regarding features for devices services such as Contacts and the File API functionality.

Protocols and Formats Working Group

To ensure that Web Identity WG deliverables support accessibility requirements.

Privacy Interest Group

So that users have options to respect their privacy, the Web Identity working group should engage in any developments in privacy.

WebAppSec Working Group

To co-ordinate with any security requirements and specifications arising from the security needs of Web Applications.

So that users have options to respect their privacy as regards third-party tracking, the Web Identity Working Group may interact with preference expression mechanisms and technologies for selectively allowing or blocking tracking elements.

Furthermore, the Web Identity Working Group expects to follow the following W3C Recommendations, Guidelines and Notes and, if necessary, to liaise with the communities behind the following documents:

External Groups

The following is a tentative list of external bodies the Working Group should collaborate with:

Internet Engineering Task Force: The IETF is responsible for defining robust and secure protocols for Internet functionality. A clear relationship with IETF is vital to assure the security and success of elements of Web Identity that supervenes upon protocol-level work. For example, the work of the Web Authorization Protocol (OAuth) Working Group will likely be a crucial underpinning and security reviews should involve the IETF Web Security (WebSec) Working Group . New and upcoming work may also be important, such as the JSON based cryptography formats being done in the IETF Web Object Encryption and Signing (WOES) Working Group, the Application Bridging for Federated Access Beyond Web (AFAB) Working Group and a possible new version of HTTP Auth.
ECMA Technical Committee 39 (TC39): This is the group responsible for ECMAScript standardization and related features. As the Web Identity Working Group may require additional features to ECMAScript, it should collaborate with TC39.
Kantara Initiative: The Kantara Initative has several relevant groups such as the Identity and Access Services Work Group.
OASIS: The Web Identity Working Group's work should enable higher-security and wider deployment of the SAML family of specifications and monitor working group.
OpenID Foundation: The Web Identity Working Group's work should enable higher-security and wider deployment of the OpenID family of specifications.
Open Identity Exchange: The Web Identity Working Group may have some interaction with trust frameworks.

Participation

To be successful, the Web Identity Working Group is expected to have 10 or more active participants for its duration, and to have the participation of the industry leaders in fields relevant to the specifications it produces. The Chairs and specification Editors are expected to contribute one to two days per week towards the Working Group. There is no minimum requirement for other Participants.

The Web Identity Working Group will also allocate the necessary resources for building test suites for each specification.

The Web Identity Working Group welcomes participation from non-Members. The group encourages questions and comments on its public mailing lists, as described in Communication. As needed, the group may also call for joint teleconferences and meetings with related organizations and standards bodies in the field of identity.

The group also welcomes non-Members to contribute technical submissions for consideration, with the agreement from each participant to Royalty-Free licensing of those submissions under the W3C Patent Policy. The Working Group may also call for the formation of Community Groups or work in other standards bodies such as the IETF.