Building Consensus on the Role of Real World Identities on the Web

Meeting

Event details

Date:
Coordinated Universal Time
Status:
Confirmed
Location:
Ukulele
Participants:
Mikhail Ageev, Martin Alvarez-Espinar, Sebastien Bahloul, Virginia Balseiro, David Baron, Robin Berjon, Andreu Botella, Rick Byers, Marcos Caceres, Brian Campbell, Lee Campbell, Tim Cappalli, Arthur Coleman, Kyle Den Hartog, Wei Ding, Nick Doty, Amanda Ferrante, Heather Flanagan, Marie-Claire Forgue, Emmanuelle Franquelin, Sam Goto, Yi Gu, Dominique Hazaël-Massieux, Ivan Herman, Rew Islam, Philippe Le Hegaret, Hicham Lozi, Jacob Mccoy, Coralie Mercier, Enrico Morisi, Koichi Moriyama, Theresa O'Connor, Simone Onofri, Ondřej Pokorný, Hiroyuki Sano, Wendy Seltzer, Martin Thomson, Thomas Wehr, Chris Wilson, Fuqiao Xue, Jeffrey Yasskin, Kristina Yasuda, Lei Zhao
Big meeting:
W3C Breakouts Day 2024 (Calendar)

People already share their real identities on the Web, but they primarily share them through unsophisticated means: selfies, photographs of documents, and typing out numbers from identity documents. Countries are increasingly issuing their residents' identity documents in digital, cryptographic formats. Some jurisdictions, like the EU, will require that digital credentials be respected in multiple contexts, including on the Web.

We are at a critical point for the use of these identities on the Web; they are, for now, not part of the web platform and are not being presented online by most users. How long this lasts does not depend entirely on browsers. OpenID4VP describes multiple mechanisms by which a website can request that another application on the device, one that holds credentials, ask the user to prove their identity.

Work on building an API for presenting digital identity documents and designing how that must interact with wallets and existing identity protocols has begun in WICG. While the discussion there does extend beyond the purely technical, we think there is benefit in bringing a discussion to a broader audience with emphasis on the ecosystem, security, and privacy impacts of that work.

The following are just some of the questions that don’t have clear consensus:

  • What should a browser store about wallets, credentials, and their use?
  • To what extent should we trust the issuing government? Does that include trust for privacy properties?
  • What are the use cases we should support? What justifies different approaches? What common aspects are shared?
  • How does the role of the wallet as a user agent interact with that of the browser?
  • What criteria must be required of real-world identity protocols to be included in the web platform?
  • What conditions should be placed on release of data? Is consent the right control to apply here? Or should a credential issuer have a say as well?
  • How do we ensure that use of credentials is justified and proportionate? Is there a need to establish a means to limit who can obtain credentials?

Agenda

Chairs:
Martin Thomson, Marcos Caceres

Goal(s):
Work toward a consensus view of what the role of Real World Identity should be on the Web in the next 5-10 years.

Agenda:

  • 5 min: Chair describes the problem and state of the world for RWI and provides some leading open questions
  • 35 min: Open discussion of participants’ views on what the role of Real World Identity should be
  • 10 min: Focus discussion toward common beliefs among attendees, or common beliefs among constituencies

Materials:

Track(s):

  • identity
