Digital Credentials

This document specifies an API to enable [=user agents=] to mediate presentation and issuance of digital credentials such as a driver's license, government-issued identification card, and/or [=credential type examples|other types of digital credential=]. The API builds on [[[credential-management-1]]] as a means by which to request or issue a digital credential from a user agent or underlying platform.

This is an unofficial proposal.

Introduction

This document defines an API enabling a website to request presentation and issuance of a [=digital credential=].

The API design is agnostic to both credential [=digital credential/presentation requests|presentation=] [=digital credential/exchange protocols=], credential [=digital credential/issuance request|issuance=] [=digital credential/issuance protocols|protocols=] and credential formats. However, to promote interoperability this document includes a [[[#protocol-registry]]].

The API is designed to support the following goals:

Keep the acts of [=digital credential/presentation requests|requesting=] and [=digital credential/issuance requests|issuing=] separate from the specific [=digital credential/exchange protocol=] and [=digital credential/issuance protocol=] respectively; thereby enabling the extensibility of such protocols and credential formats.
Require [=digital credential/presentation requests=] and [=digital credential/issuance requests=] to be unencrypted, enabling user-agent inspection for risk analysis.
Assume opaque (i.e., encrypted) [=digital credential/presentation responses=] and [=digital credential/issuance responses=], enabling issuers, verifiers, and holders to control where potentially sensitive personally identifiable information is exposed.
Require [=transient activation=] to perform [=digital credential/presentation requests=] or [=digital credential/issuance requests=], ensuring that sites cannot silently query for nor issue digital credentials, nor communicate with wallet providers, without the user's active participation and confirmation of each action.
Enable platform-provided credential selection UX when multiple wallet applications have credentials that match a [=digital credential/presentation request=].
Enable platform-provided wallet selection UX when multiple wallet applications support an [=digital credential/issuance request=].
Enable platforms to provide secure cross-device [=digital credential/presentation requests=] and [=digital credential/issuance requests=] with proximity checks.

[=Digital credentials=] of many types can be presented and issued using this API. Examples of these types include:

a driving license, passport, or other identity card issued by a government institution
a travel authorization document issued by an embassy or consulate
a proof of employment issued by a public or private organization
a proof of education or professional training issued by an institution
and many other scenarios as described in Verifiable Credentials Use Cases

Model

The goal of the definitions in this section is to reuse or establish terminology that is common across a variety of digital credential formats and protocols. Discussions surrounding these definitions are active and the definitions are likely to change over the next several months.

Digital credential: A cryptographically signed digital document containing one or more [=claims=] made by an [=issuer=] about one or more [=subjects=].
This specification is currently focused on digital credentials pertaining to people.
Presentation request: A presentation request is a request for a [=digital credential=] composed of [=digital credential/request data=] and a [=digital credential/exchange protocol=].
request data: A format that [=verifier=] software or a [=user agent=] uses, via an [=digital credential/exchange protocol=], to request a [=digital credential=] from a [=holder=].
Presentation response: A format that a [=holder's=] software, such as a digital wallet, uses, via an [=digital credential/exchange protocol=], to respond to a [=digital credential/presentation request=] by a [=verifier=].
Issuance request: An issuance request is a request to issue a [=digital credential=] composed of some [=digital credential/issuance request data=] and an [=digital credential/issuance protocol=].
issuance request data: A data structure that an [=issuer=] or a [=user agent=], via an [=digital credential/issuance protocol=], to request the issuance of a [=digital credential=] by an [=issuer=].
Issuance response: A format that [=holder=] uses, via an [=digital credential/issuance protocol=], to respond to an [=digital credential/issuance request=] by an [=issuer=].
Exchange protocol: A protocol used for exchanging a [=digital credential=] between a [=holder=] and a [=verifier=]. See section [[[#protocol-registry]]].
Issuance protocol: A protocol used for communication between an [=issuer=] and a [=holder=] during the issuance of a [=digital credential=]. See section [[[#protocol-registry]]].

Scope

The following items are within the scope of this specification:

Requesting a [=digital credential=], including mechanisms for secure presentation.
Requesting issuance of a [=digital credential=].
Ensuring that when an API call is made, the website does not learn anything about the a holder's [=digital credentials=] or their software unless the [=user agent=] has previously received user consent.
Ensuring that any installed application software will not learn anything about a given [=request=] unless the [=holder=] explicitly consents to use that software.

The following items are out of scope:

UI/UX considerations, with the exception of privacy considerations, which are addressed to ensure the protection of user data during the request process.

Extensions to `CredentialRequestOptions` dictionary

    partial dictionary CredentialRequestOptions {
      DigitalCredentialRequestOptions digital;
    };

The `digital` member

The digital member allows for options to configure the request for a [=digital credential=].

The `DigitalCredentialRequestOptions` dictionary

    dictionary DigitalCredentialRequestOptions {
      sequence<DigitalCredentialGetRequest> requests;
    };

The `requests` member

The requests specify an [=digital credential/exchange protocol=] and [=digital credential/request data=], which the user agent MAY match against a holder's software, such as a digital wallet.

The `DigitalCredentialGetRequest` dictionary

The {{DigitalCredentialGetRequest}} dictionary represents a [=digital credential/presentation request=]. It is used to specify an [=digital credential/exchange protocol=] and some [=digital credential/request data=], which the user agent MAY match against software used by a holder, such as a digital wallet.

      dictionary DigitalCredentialGetRequest {
        required DOMString protocol;
        required object data;
      };

The `protocol` member

The protocol member denotes the [=digital credential/exchange protocol=].

The {{DigitalCredentialCreateRequest/protocol}} member's value can be one of the well-defined protocol identifiers defined in [[[#protocol-registry]]] or a custom protocol identifier.

The `data` member

The data member is the [=digital credential/request data=] to be handled by the holder's credential provider, such as a digital identity wallet.

Extensions to `CredentialCreationOptions` dictionary

    partial dictionary CredentialCreationOptions {
      DigitalCredentialCreationOptions digital;
    };

The `digital` member

The digital member allows for options to configure the issuance of a [=digital credential=].

The `DigitalCredentialCreationOptions` dictionary

    dictionary DigitalCredentialCreationOptions {
      sequence<DigitalCredentialCreateRequest> requests;
    };

The `requests` member

The requests specify an [=digital credential/issuance protocol=] and [=digital credential/request data=], which the user agent MAY forward to a [=holder=].

The `DigitalCredentialCreateRequest` dictionary

The {{DigitalCredentialCreateRequest}} dictionary represents an [=digital credential/issuance request=]. It is used to specify an [=digital credential/issuance protocol=] and some [=digital credential/request data=], to communicate the issuance request between the issuer and the holder.

    dictionary DigitalCredentialCreateRequest {
      required DOMString protocol;
      required object data;
    };

The `protocol` member

The protocol member denotes the [=digital credential/issuance protocol=].

The {{DigitalCredentialCreateRequest/protocol}} member's value is be one of the well-defined keys defined in [[[#protocol-registry]]] or any other custom one.

The `data` member

The data member is the [=digital credential/request data=] to be handled by the holder's credential provider, such as a digital identity wallet.

The `DigitalCredential` interface

The DigitalCredential interface represents a conceptual [=digital credential=].

[=User mediation=] is always {{CredentialMediationRequirement/"required"}}. [=Request a credential|Requesting a DigitalCredential credential=] does not support {{CredentialMediationRequirement/"conditional"}}, {{CredentialMediationRequirement/"optional"}}, or {{CredentialMediationRequirement/"silent"}} [=user mediation=]. If {{CredentialsContainer/get()}} is called with anything other than {{CredentialMediationRequirement/"required"}}, a {{TypeError}} will be thrown.

    [Exposed=Window, SecureContext]
    interface DigitalCredential : Credential {
      readonly attribute DOMString protocol;
      [SameObject] readonly attribute object data;
    };

{{DigitalCredential}} instances are [=Credential/origin bound=].

The `protocol` member

The protocol member is the [=digital credential/exchange protocol=] that was used to request the [=digital credential=], or the [=digital credential/issuance protocol=] that was used to issue the [=digital credential=].

The `data` member

The data member is the credential's response data. It contains the subset of JSON-parseable object types.

Integration with Credential Management API

[[\DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) internal method

When invoked, the [[\DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) internal method MUST:

Let |global| be [=this=]'s [=relevant global object=].
Let |document| be |global|'s [=associated `Document`=].
If |document| is not a [=Document/fully active descendant of a top-level traversable with user attention=], [=exception/throw=] {{"NotAllowedError"}} {{DOMException}}.
If |window| does not have [=transient activation=], [=exception/throw=] {{"NotAllowedError"}} {{DOMException}}.
[=Consume user activation=] of |window|.
Let |requests| be |options|'s {{CredentialRequestOptions/digital}}'s {{DigitalCredentialRequestOptions/requests}} member.
If |requests| is empty, [=exception/throw=] a {{TypeError}}.
Details of how to actually get the [=digital credential=] are forthcoming.
Return a {{DigitalCredential}}.

[[\Store]](credential, sameOriginWithAncestors) internal method

When invoked, the [[\Store]](credential, sameOriginWithAncestors) MUST call the default implementation of {{Credential}}'s {{Credential/[[Store]](credential, sameOriginWithAncestors)}} internal method with the same arguments.

[[\Create]](origin, options, sameOriginWithAncestors) internal method

When invoked, the [[\Create]](origin, options, sameOriginWithAncestors) internal method, if the user agent doesn't support issuance, call the default implementation of {{Credential}}'s {{Credential/[[Create]](origin,options, sameOriginWithAncestors)}} internal method with the same arguments. Otherwise:

Let |global| be [=this=]'s [=relevant global object=].
Let |document| be |global|'s [=associated `Document`=].
If |document| is not a [=Document/fully active descendant of a top-level traversable with user attention=], [=exception/throw=] {{"NotAllowedError"}} {{DOMException}}.
If |window| does not have [=transient activation=], [=exception/throw=] {{"NotAllowedError"}} {{DOMException}}.
[=Consume user activation=] of |window|.
Let |requests| be |options|'s {{CredentialCreationOptions/digital}}'s {{DigitalCredentialCreationOptions/requests}} member.
If |requests| is empty, [=exception/throw=] a {{TypeError}}.
Details of how to actually issue the [=digital credential=] are forthcoming.
Return a newly constructed {{DigitalCredential}} with {{DigitalCredential/protocol}} initialized to the protocol that was used to issue this credential, and {{DigitalCredential/data}} initialized to an [=digital credential/issuance response=] defined by that [=digital credential/issuance protocol=].

[[\type]] internal slot

The {{DigitalCredential}} [=interface object=] has an internal slot named [[\type]] whose value is "digital".

[[\discovery]] internal slot

The {{DigitalCredential}} [=interface object=] has an internal slot named [[\discovery]] whose value is "remote".

User permission

The Digital Credential API is a [=powerful feature=] that requires [=express permission=] from an end-user. This requirement is normatively enforced when calling {{CredentialsContainer}}'s {{CredentialsContainer/get()}} method.

Permissions Policy integration

This specification defines a [=policy-controlled feature=] identified by the string "digital-credentials-get". Its [=policy-controlled feature/default allowlist=] is [=default allowlist/'self'=].

Registry of protocols

Initiating the registration a protocol is done by filing an issue in our GitHub repository.

The following is the registry of [=digital credential/exchange protocols=] and [=digital credential/issuance protocols=] that are supported by this specification.

It is expected that this registry will be become a [=W3C registry=] in the future.

General inclusion criteria

To be included in the registry, the [=digital credential/exchange protocol=]:

MUST be standardized at a consortium the W3C liaises with
MUST be defined in a specification which is freely and publicly available at the stable URL listed in the registry.
MUST define a representation, as either a [[WebIDL]] [=dictionary=] or a JSON object, of the [=digital credential/exchange protocol=] request structure (i.e., the [=dictionary=] which defines the semantics and validation of the {{DigitalCredentialGetRequest}}'s {{DigitalCredentialGetRequest/data}} member) and the [=digital credential/issuance protocol=] request structure (i.e., the [=dictionary=] which defines the semantics and validation of the {{DigitalCredentialCreateRequest}}'s {{DigitalCredentialCreateRequest/data}} member).
MUST define a representation, as either a [[WebIDL]] [=dictionary=] or a JSON object, of the [=digital credential/exchange protocol=] response structure (i.e., the [=dictionary=] which defines the semantics and validation of the {{DigitalCredential}}'s {{DigitalCredential/data}} member.
MUST define validation rules for members of the request and response structures.
MUST have undergone privacy review by the W3C's Privacy Interest Group and Federated Identity Working Group.
Once an expression of registration is received via GitHub, the registry maintainers will organize the privacy review with the Privacy Interest Group . Please see the [[[[security-privacy-questionnaire]]] for the kind of questions that will be asked of the protocol you are registering.
MUST have undergone security review by the Security Interest Group.
MUST have implementation commitment from at least one browser engine, one credential provider/wallet, and one issuer or verifier (depending on the protocol type). Each component MUST be from independent organizations.
MUST have formally recorded consensus by the Federated Identity Working Group to be included in the registry.

Presentation-specific inclusion criteria

To be included as a presentation protocol in the registry (used with `navigator.credentials.get`), the [=digital credential/exchange protocol=]:

MUST support response encryption.
MUST encrypt any response containing personally identifiable information (PII).

Change process

To add a new [=digital credential/exchange protocol=] to the registry, or to update an existing one:

Define a protocol identifier.: The protocol identifier MUST be a unique string that is not already in use in the registry. Use only lowercase ASCII letters, digits, and hyphens (e.g., "protocol", "the-protocol"). The protocol identifier MUST uniquely define the set of required parameters and/or behavior that a digital credential provider implementation needs to support to successfully handle the request. If the set of required parameters or behaviors is updated in a way which would require a digital credential provider to also require an update to remain functional, a new protocol identifier MUST be assigned and be added to the registry.
Specify a protocol type.: The protocol type is either "Presentation" for presentation protocols used with `navigator.credentials.get` or "Issuance" for issuance protocols used with `navigator.credentials.create`.
Describe the protocol.: The description MUST be a brief summary of the protocol's purpose and use case.
Provide a link to the specification.: The specification MUST be a stable URL that points to the authoritative source for the protocol, including validation rules.

[=User agents=] MUST support the following [=digital credential/exchange protocols=]:

Table of officially registered [=digital credential/exchange protocols=].
[=registry/identifier\|Protocol identifier=]	[=registry/Type=]	[=registry/Description=]	[=registry/link\|Specification=]
Coming soon...

Security Considerations

This section is a work in progress as this document evolves.

The documents listed below outline initial security considerations for Digital Credentials, both broadly and for presentation on the web. Their contents will be integrated into this document gradually.

Credential Protocols

Explain that while the API provides security at the browser API level, that security for the underlying credential issuance or presentation protocol is a separate concern and that developers need to understand that layer of the stack to get a total picture of the protections that are in place during any given transaction.

Cross-device Protocols

Explain that cross-device issuance or presentation uses a separate protocol that has its own security characteristics.

Quishing

Explain that the API is designed to avoid the problem of quishing (phishing via QR Codes) and other QR Code and non-browser API-based attacks and to be aware of exposure of QR Codes during digital credential interactions.

Data Integrity

Explain that the API does not provide data integrity on the digital credential requests or responses and that responsibility is up to the underlying protocol used for the request or response.

Authentication

Explain that authentication (such as a PIN code to unlock) to a particular app, such as a digital wallet, that responds to an API request is crucial in high-risk use cases.

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)

Explain what attacks are possible via XSS and CSRF, if any.

Session Security

Explain that once a secure session is established at a website using credentials exchanged over this API, that the subsequent security is no longer a function of the credential used or this API and is up to the session management utilized on the website.

Privacy Considerations

This section is a work in progress as this document evolves.

The Digital Credentials API integrates into a complex ecosystem with multiple technology layers and various participants (including but not limited to Verifiers, Holders and Issuers), each of which have to consider different aspects of user privacy. This specification does not attempt to exhaustively list all considerations for the different participants. We would like to refer these parties to a variety of other resources that explore the digital credentials threat model more holistically:

[[[credential-considerations]]]
[[[threat-model-decentralized-identities]]]
VC Data Model Privacy Considerations
...

Instead, these considerations focus on the Digital Credentials API itself, and describe how user agents can satisfy their user agent duties in an implementation of the API, taking into account the relevant privacy properties of the ecosystem it interacts with.

The privacy considerations for digital credentials are not static. They will evolve over time as the ecosystem matures, and may be informed by the behavior of other actors in the ecosystem, improvements in other layers of the stack, new threats to user privacy, as well as changing societal norms and regulations.

It is expected that the various groups involved in the design and implementation of the Digital Credentials API actively monitor the evolving privacy landscape and participate in the corresponding evolution of the API.

Spectrum of Privacy

The Digital Credentials API serves a variety of use cases with different grades of data disclosure and individual users with different preferences depending on the context that they are in. Notably, the privacy properties of a credential exchange mediated by this API could be mandated by the legal and regulatory environment of an individual user.

This means that some users may not want, or be allowed, to use the most privacy-preserving means of exchanging credential information. Nonetheless, user agents need to serve users with an experience that is private by default and protect them from harm.

Because of this spectrum of preferences and use cases, it may be difficult for a user agent to discern whether a user means to expose their personal information or is being tricked into doing so. It is thus the user agent's responsibility to ensure that every user understands what data they are sharing and who will participate in the exchange of information, before the exchange begins.

Unnecessary Requests for Credentials

Explain how the API could be used to unnecessarily request digital credentials from individuals such as requesting a driver's license to log into a movie rating website and how the ecosystem can mitigate this risk.

Over Collection of Data

Explain how the API could be used to request more data than necessary for a transaction and how the ecosystem can mitigate that over collection.

Individual Consent

Explain how the API acquires an individual's consent to share a digital credential and how digital wallets can also provide further consent when sharing information.

Data Retention

Explain how verifiers might retain data and what the ecosystem does to mitigate excessive data retention policies.

Compliance with Privacy Regulations

Explain to what extent the API complies with known privacy regulations (e.g., consent) and what parts of those regulations are not possible to enforce via the API (e.g., retention).

Selective and Unlinkable Disclosure

Explain how selective disclosure and unlinkable disclosure help preserve privacy as well as their limitations in doing so.

Phoning Home

Explain how some systems might "phone home", the impact on privacy that might have, and what the ecosystem provides to mitigate the risk.

Transmission of Personally Identifiable Information

Explain that the API does enable the transmission of personally identifiable information and that it does its best to ensure there is informed consent by the individual, but that the consent might be provided due to exhaustion or not understanding what PII is being transmitted and how to mitigate those concerns.

Accessibility Considerations

This section is a work in progress as this document evolves.