From cf0d81c95805791165e980743bfc40c114ab1699 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:18:56 +0200 Subject: [PATCH 01/13] Update the mission (cosmetics) --- 2024/wg-fedid.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 74ff709..716ad59 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -75,7 +75,7 @@

DRAFT Federated Identity Working Group Charter

-

The mission of the Federated Identity Working Group is to develop specifications that allow a website to request an identity credential from an Identity Provider or credential container (i.e., a wallet) to authenticate a user and request a set of claims in a way that is compatible with other protocols like OIDC, SAML, and OpenID4VP.

+

The mission of the Federated Identity Working Group is to develop specifications that allow a website to request an identity credential from an Identity Provider or a Credential Container (i.e., a wallet) to authenticate a user and request a set of claims in a way that is compatible with other protocols (e.g., OIDC, SAML, and OpenID4VC).

Join the Federated Identity Working Group.

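Review bot: replacing "OpenID4VP" with "OpenID4VC" in the mission sentence widens the compatibility claim from presentation to the whole OpenID4VC family (which also covers issuance, OpenID4VCI), while the sentence itself still only describes a website requesting a credential to authenticate a user and obtain claims; either keep "OpenID4VP" here or extend the sentence so that issuance is part of the mission. The capitalised "Credential Container" now reads as a defined term, so make sure it is defined (or link it) where the charter first uses it.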
From 33e1a5e407a1a92a9c286c0a78bae23aced79690 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:21:11 +0200 Subject: [PATCH 02/13] Update "Motivation and Background" - Clarification of the motivation - Added the open wallet ecosystem --- 2024/wg-fedid.html | 19 ++++++++++++------- 1 file changed, 12 insertions(+), 7 deletions(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 716ad59..6e44e28 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -150,18 +150,23 @@

Motivation and Background

- Identity on the Web is critical to online interaction, privacy, and security. W3C fosters an ecosystem where privacy, security, and user sovereignty are all considered. That includes developing new mechanisms for individuals to have the ability to select the identity information, such as assertions, specific credentials, or specific attributes, relevant to a given interaction. These mechanisms must also be viable for the issuers, verifiers, identity providers, and relying parties to exchange information in a secure and privacy-preserving manner. + Identity on the Web is critical to online interaction, with many privacy and security implications.

- The user agent is the coordinator for these transactions. So, while the request and response protocols are being developed elsewhere (e.g., ISO, IETF, OpenID, and other W3C groups), the web platform layer must also be standardized to provide the privacy and security API framework in a protocol-agnostic and formats-agnostic fashion in a manner that is compatible with identity request/response protocols and different formats. + The W3C fosters an ecosystem that addresses privacy, security, and user sovereignty.

- The group would like to: + This includes developing new mechanisms that allow individuals to select identity information relevant to a given interaction, such as assertions, specific credentials, or specific attributes, supporting an open wallet ecosystem. +

+

+ These mechanisms must also be viable for issuers, identity providers, verifiers, and relying parties to exchange information securely and privacy-preserving. +

+

+ The user agent is the coordinator of these transactions. +

+

+ Thus, while protocols and formats are being developed elsewhere (e.g., ISO, IETF, OIDF, and other W3C Groups), the Web platform layer must also be standardized to provide a secure and privacy-preserving API framework that is protocol-and-format-agnostic and compatible with identity request/response protocols and different formats.

-
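Review bot: "exchange information securely and privacy-preserving" is ungrammatical ("privacy-preserving" is an adjective); the removed wording "in a secure and privacy-preserving manner" reads correctly and should be kept. The lead-in "The group would like to:" is deleted, and a further line is removed at the end of the hunk, so check that whatever list followed that lead-in in the unchanged text is not left without an introduction.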
From 8bd846cd060ddfdd6a12bbb3ccbe344dfecfbb80 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:27:43 +0200 Subject: [PATCH 03/13] Update "scope" - Which are the deliverables that can be considered in the scope, in particular, the ones related to identities - Provided specific examples for federated and decentralized identities models - Still out of scope for new authentication methods --- 2024/wg-fedid.html | 17 ++++++++++++++++- 1 file changed, 16 insertions(+), 1 deletion(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 6e44e28..9b22a7b 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -172,11 +172,26 @@

Motivation and Background

Scope

- The Working Group will specify new web platform features intended to be implemented in user agents like browsers. The purpose of these features is to support privacy-preserving authentication, authorization flows, and requesting federated identities without compromising security principles for Identity Providers (IdPs) or Relying Parties (RPs) (in a ‘traditional’ federation model) or Issuers, Verifiers, and Holders (in a digital identity wallet architecture), and User Agents. Here, “privacy” minimally refers to the appropriate processing of personal information and preventing third parties from gleaming anything about the end-user’s environment (e.g., which wallets are available and their capabilities). This work results in developing new mechanisms that define how information is passed by the browser between the different entities and authentication intermediaries to facilitate federated authentication; these mechanisms are not authentication methods. + The Federated Identity Working Group defines Web Platform features that allow user agents to support secure and privacy-preserving interactions related to digital identities.

+

+ These features are intended to support different interaction flows (e.g., authentication, authorization, requesting identities or credentials, and issuance) in a 'traditional' federated identity model - with Identity Providers (IdPs) or Relying Parties (RPs) - and in a digital wallet 'decentralized' model - with Issuers, Holders, and Verifiers.

If any mechanisms developed to support authentication and authorization flows would cause breaking changes for existing protocols, work on that mechanism must include a well-documented transition period.

+

+ Here, 'privacy' minimally refers to the appropriate processing of personal information and preventing third parties from learning anything about the end-user's environment (e.g., which wallets are available, their brand, and their capabilities). +

+

+ This group develops new mechanisms that define how information is passed by the user agent between the different entities to facilitate federated and digital identities: +

+ +

+ These mechanisms are not authentication methods, but if any mechanisms developed would cause breaking changes for existing protocols, work on that mechanism must include a well-documented transition period. +

Out of Scope

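Review bot: the transition-period requirement now appears twice in this section: the unchanged line "If any mechanisms developed to support authentication and authorization flows would cause breaking changes for existing protocols, work on that mechanism must include a well-documented transition period." is kept, and the new closing paragraph repeats it ("These mechanisms are not authentication methods, but if any mechanisms developed would cause breaking changes ..."); keep one of them, preferably the new one, which also carries the "not authentication methods" statement. The rewrite also drops "User Agents" from the list of parties whose security principles must not be compromised, which is the one party this group's features are actually implemented in; consider restoring it. Minor: "Identity Providers (IdPs) or Relying Parties (RPs)" should be "and", since a federation flow involves both.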
From 8539b9d314a3a0f767f104d5db39ce7fb66383c2 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:28:35 +0200 Subject: [PATCH 04/13] Update "Out-of-scope" - proofreading --- 2024/wg-fedid.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 9b22a7b..2e614f1 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -203,7 +203,7 @@

Out of Scope

-

Timeline

From 6fc20b3c4dbf40a73e0f694ea298f53c23d356f7 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:48:59 +0200 Subject: [PATCH 07/13] Update "Success Criteria" - Cosmetics - For Digital Credentials API, added the support for at least two formats (e.g., VCDM and mdoc) --- 2024/wg-fedid.html | 14 ++++++++++---- 1 file changed, 10 insertions(+), 4 deletions(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index d891588..7d0eb2e 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -317,12 +317,18 @@

Success Criteria

interoperable implementations of every feature defined in the specification, where interoperability can be verified by passing open test suites, and two or - more implementations (distinct browser engines) interoperating with each other. In order to advance to - Proposed Recommendation, each normative specification must have an open - test suite of every feature defined in the specification. + more implementations (distinct browser engines) interoperating with each other. +

+

+ In order to advance to Proposed Recommendation, each normative specification must have an open test suite of every feature defined in the specification.

-

There should be testing plans for each specification, starting from the earliest drafts.

+ In order to advance to Proposed Recommendation, the Digital Credential API must demonstrate support for at least two formats (e.g., VCDM, mdoc). +

+

+ Each specification should have testing plans, starting from the earliest drafts. +

+

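Review bot: the new exit criterion "must demonstrate support for at least two formats (e.g., VCDM, mdoc)" is not verifiable as written: with "e.g." the two formats are only examples, and "support" is not tied to anything measurable. If the intent is that both VCDM and mdoc are required, say so; either way, state how support is demonstrated (for instance by entries in the implementation report and cases in the open test suite, which the preceding paragraph already requires). The criterion also names the deliverable "Digital Credential API", while the commit message and the later history entry use "Digital Credentials API"; use one name throughout.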
> To promote interoperability, all changes made to specifications in Candidate Recommendation or to features that have deployed implementations From 40fd86a89267cc4d0ba09e7e395e7d3429f4ce6d Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:53:00 +0200 Subject: [PATCH 08/13] Update "Success Criteria" for Horizontal Review - Cosmetics - Added the focus on specific privacy aspects that at a minimum must be considered/supported --- 2024/wg-fedid.html | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 7d0eb2e..effcd74 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -338,11 +338,13 @@

Success Criteria

-

Each specification should contain a Security Considerations section that must include a Threat Model with threats, attacks, mitigations, and residual risks and a Privacy Consideration section as specified in Self-Review Questionnaire: Security and Privacy and RFC 3552, detailing all known security and privacy implications for implementers, Web authors, and end users.

+

+ Each specification should contain a Security Considerations section - that must include a Threat Model with threats, attacks, mitigations, and residual risks - and a Privacy Consideration section - that must contain an analysis of privacy aspects such as Unlinkability, Data Minimization and Tracking - as specified in Self-Review Questionnaire: Security and Privacy and RFC 3552, detailing all known security and privacy implications for implementers, Web authors, and end users. +

Each specification should contain a section on accessibility that describes the benefits and impacts, including ways specification features can be used to address them and - recommendations for maximising accessibility in implementations.

+ recommendations for maximizing accessibility in implementations.

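Review bot: "Each specification should contain a Security Considerations section - that must include a Threat Model ..." mixes "should" for the section with "must" for its contents, so the threat model is mandatory only if a section that is itself optional exists; make the section itself a "must". RFC 3552 covers security considerations only; for the privacy section the matching IETF reference is RFC 6973 (Privacy Considerations for Internet Protocols), so cite it alongside the Self-Review Questionnaire. In the privacy list, "Unlinkability" and "Data Minimization" are properties to achieve while "Tracking" is a threat to resist; phrase them consistently (e.g., "resistance to tracking"), and use "Privacy Considerations" (plural) to match the security heading.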
From a507f0397c04ffa810063ec522fbde6e1983c8ba Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 21:55:43 +0200 Subject: [PATCH 09/13] Update the "W3C Coordination" - Sorting - Cosmetics - Coordination context - Added DID-WG --- 2024/wg-fedid.html | 45 ++++++++++++++++++--------------------------- 1 file changed, 18 insertions(+), 27 deletions(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index effcd74..6f338b7 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -378,34 +378,25 @@

Coordination

W3C Groups

-
-
Federated Identity Community Group
-
This Working Group will work closely with FedIDCG. The expectation is -that FedIDCG will incubate proposals which it then hands off to this -Working Group for standardization. Most proposals in this Working Group -should start in FedIDCG.
-
Privacy Interest Group (PING)
-
This Working Group will coordinate with PING on the development of -principles that will guide the development of privacy-preserving -capabilities while still supporting federated authentication and -authorization flows.
-
Web Application Security Working Group (WebAppSec)
-
WebAppSec is both a potential venue for standardization of -security-related capabilities and a source of expertise on web privacy.
-
Privacy Community Group
-
The Privacy Community Group is developing privacy-focused features. This -working group is expected to regularly coordinate with the Privacy CG to -ensure that the work of the two groups is not in conflict.
-
Web Authentication (WebAuthn) Working Group
-
While we are not developing an authentication mechanism, this work must operate in conjunction with existing authentication mechanisms. The WebAuthn Working Group may provide input and guidance for this requirement.
-
Accessible Platform Architectures (APA) Working Group
-
The APA WG seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short term memory are known and thorny topics for people with disabilities. APA WG can represent these issues that have been raised in the Cognitive Accessibility (COGA) TF, and Accessibility Guidelines (AG) WG. -
Verifiable Credentials Working Group
-
The VC WG is a likely venue for standardization of Data Model for Verifiable Credentials and they are an important stakeholder in the identity space to coordinate with. - -
+
+
Accessible Platform Architectures Working Group
+
The Accessible Platform Architectures Working Group seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short-term memory are known and thorny topics for people with disabilities. Our group is expected to regularly coordinate with them for accessibility-related issues.
+
Decentralized Identifier Working Group
+
The Decentralized Identifier Working Group is the maintainer of Decentralized Identifiers, one of the core building blocks of Digital Identities. Our group is expected to communicate with them for Digital Identities related issues.
+
Federated Identity Community Group
+
The Federated Identity Community Group is to provide a forum focused on incubating web features that will both support federated identity and prevent untransparent, uncontrollable tracking of users across the web. Our group is expected to regularly coordinate with them to put in the standardization track incubated proposals.
+
Privacy Community Group
+
The Privacy Community Group is to incubate privacy-focused web features and APIs to improve user privacy on the web through enhanced browser behavior. Our group is expected to regularly coordinate with them for privacy-related issues.
+
Privacy Interest Group
+
The Privacy Community Interest Group monitors ongoing privacy issues that affect the Web, investigates potential areas for new privacy work, and provides guidelines and advice for addressing privacy in standards development, including privacy considerations in specifications. Our group is expected to coordinate with them regularly on privacy-related issues.
+
Web Application Security Working Group
+
The Web Application Security Working Group develops mechanisms and best practices that improve the security of Web Applications. Our group is expected to coordinate with them for security-related issues.
+
Verifiable Credentials Working Group
+
The Verifiable Credentials Working Group is the venue for standardizing the Data Model for Verifiable Credentials. Our group is expected to coordinate with them for format-related issues.
+
Web Authentication Working Group
+
The Web Authentication Working Group is to define a client-side API that provides strong authentication functionality to web applications. While we are not developing an authentication mechanism, our group is expected to coordinate with them to provide feedback on authentication-related issues.
+
-

External Organizations

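Review bot: the description under the "Privacy Interest Group" heading begins "The Privacy Community Interest Group monitors ...", which merges the names of two different groups; it should read "The Privacy Interest Group (PING) monitors ...". The Federated Identity Community Group entry loses the explicit incubation expectation from the removed text ("The expectation is that FedIDCG will incubate proposals which it then hands off to this Working Group ... Most proposals in this Working Group should start in FedIDCG"); the new wording "regularly coordinate with them to put in the standardization track incubated proposals" is both weaker and awkward, so restore the hand-off sentence. Minor: "untransparent" should be "non-transparent" or "opaque".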
From df1bc207a5ec05a822c9ae5f75aef456e9a2e522 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 22:00:10 +0200 Subject: [PATCH 10/13] Update "External Coordination" - Cosmetics - Added OpenWallet Foundation --- 2024/wg-fedid.html | 32 +++++++++++--------------------- 1 file changed, 11 insertions(+), 21 deletions(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 6f338b7..86f0bfa 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -401,31 +401,21 @@

W3C Groups

External Organizations

IETF
-
To coordinate with the IETF research groups and working groups, such as oauth, for - protocol components that authentication and authorization features - depend on.
+
Coordinate with the IETF research groups and working groups, such as OAuth, for protocol components on which authentication and authorization features depend.
OIDF
-
To coordinate with the OpenID Foundation (OIDF) for authorization and credentials used in the flows (i.e., OIDC and OpenID4VC - specs).
+
Coordinate with the OpenID Foundation (OIDF) for authorization and credentials flows (i.e., OIDC, OpenID4VC).
OASIS
-
To coordinate with OASIS for authorization flows used in the flows (i.e., SAML).
+
Coordinate with OASIS for authentication flows (i.e., SAML).
REFEDS
-
To coordinate with REFEDS for multi-lateral federation best practices and - a representative of the complex use cases of the research and education - communities around the world.
+
Coordinate with REFEDS for multi-lateral federation best practices and a representative of the complex use cases of the research and education communities worldwide.
European Telecommunications Standards Institute - Electronic Signatures and Infrastructure Technical Committee
-
- To coordinate with ETSI for eIDAS, which can use the deliverables of the Group. -
-
National Institute of Standards and Technology, U.S. Department of Commerce
-
- To coordinate with NIST for their guidelines of Digital Identity and implementations. -
-
ISO/IEC JTC 1 SC17 WG4 and WG10
-
- To coordinate with ISO for their work on interfaces and protocols for security devices and vehicle driver licence and related digital identities (i.e., mdocs). -
+
Coordinate with ETSI for eIDAS, which can use the deliverables of the Group.
+
National Institute of Standards and Technology, U.S. Department of Commerce
+
Coordinate with NIST for their guidelines on digital identity and implementations.
+
ISO/IEC JTC 1 SC17 WG4 and WG10
+
Coordinate with ISO for their work on interfaces and protocols for security devices, vehicle driver licenses, and related digital identities (i.e., mdoc).
+
OpenWallet Foundation
+
Coordinate with OpenWallet Foundation for their work on the Open Wallet Ecosystem..
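Review bot: the OIDF entry files OIDC under "authorization and credentials flows", but OIDC is an authentication layer on top of OAuth, while OpenID4VC covers credential issuance and presentation; "authentication, authorization, and credential flows (i.e., OIDC, OpenID4VC)" would describe them correctly, and the OASIS entry, now changed from "authorization flows" to "authentication flows", should use the same wording since SAML covers both. In the ETSI entry, "Coordinate with ETSI for eIDAS, which can use the deliverables of the Group" has an unclear antecedent for "which"; say whether it is eIDAS implementations or the ETSI ESI standards that can use the group's deliverables. Minor: the OpenWallet Foundation line ends with a double period ("Ecosystem..").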
From 48ace4e63ebc5acbc89af6fba685a5cfdfe051eb Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 22:03:07 +0200 Subject: [PATCH 11/13] Update "History" with proposed updates --- 2024/wg-fedid.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 86f0bfa..04483b8 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -611,8 +611,8 @@

Revised

-

in-scope/out-of-scope section

-

Added Digital Credentials API

+

movitation/scope/success-criteria

+

added deliverables: Digital Credentials API, harm model

-

This draft charter is available - on GitHub. - - Feel free to raise issues or see the ones that are open. -

+

+ This draft charter is available on GitHub. + Feel free to raise issues or see the ones that are open. +

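Review bot: "movitation/scope/success-criteria" has a typo ("motivation"), and the "Digital Credentials API" name here differs from "Digital Credential API" used in the success criteria in this same series; pick one. The history entry also lists a "harm model" deliverable that is not added or mentioned in any other hunk of this series, so confirm it is actually part of the deliverables section of the charter.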
From 48f7cb6c52bf10264769a39a5bf0f92743485745 Mon Sep 17 00:00:00 2001 From: simoneonofri Date: Fri, 17 May 2024 22:13:34 +0200 Subject: [PATCH 13/13] Update wg-fedid.html - Cosmetics --- 2024/wg-fedid.html | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/2024/wg-fedid.html b/2024/wg-fedid.html index 284bd1f..cbb2000 100644 --- a/2024/wg-fedid.html +++ b/2024/wg-fedid.html @@ -293,7 +293,7 @@

  • Implementation report for the specification.
  • Primer or Best Practice documents to support web developers when designing applications.
  • - +

    Timeline
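Review bot: the third bullet of the deliverables list renders empty after this change, while the two preceding items ("Implementation report for the specification", "Primer or Best Practice documents ...") carry text; if the item was meant to hold a further deliverable, add its text, otherwise remove the empty bullet.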