Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

How should we go about issuance? #167

Open
samuelgoto opened this issue Sep 9, 2024 · 17 comments
Open

How should we go about issuance? #167

samuelgoto opened this issue Sep 9, 2024 · 17 comments
Assignees
Labels

Comments

@samuelgoto
Copy link
Collaborator

samuelgoto commented Sep 9, 2024

We deliberately left issuance aside while we were trying to figure out presentation, so kicking this issue off just to make sure it doesn't fall through the cracks :)

As thing start to settle with presentation, we should starting thinking how to go about issuance. There are a lot of things and a lot of considerations, so we'll likely want to break this into smaller steps, but kicking this off just to get the ball rolling.

@OR13
Copy link
Contributor

OR13 commented Sep 9, 2024

In presentations, the verifier wants to select claims for the holder to disclose and be protected against replays with nonces / pops.

In issuance, the issuer wants to be assured the holder controls a key, and has consented to the claims that will be bound to that key... The holder wants to know which media types are supported, and what credential types are supported.

So there is some symmetry around proof of possession, media types, and credential schemas / types (known structures).

There is also: https://openid.github.io/OpenID4VCI/openid-4-verifiable-credential-issuance-wg-draft.html

Are you asking what are the essential parameters a browser API would need to collect in order to submit an issuance request to some backend?

What is the threat model you have in mind for issuance?

Is it necessary for the holder to encrypt their pop key or other credential information to the issuer?

Should the browser or OS be able to observe specific claims or credential types, or should they just see an encrypted request for issuance?

@timcappalli
Copy link
Member

I've been thinking about issuance in the Web Platform API as very similar to a presentation (pass the OID4VCI request to the app platform), except that there isn't really a response back through the web platform outside of some form of "ack". We should think about what that "ack" actually contains (e.g. what would an issuer's web frontend need/want).

Much of the complexity lives in the app platforms wallet selector.

@samuelgoto
Copy link
Collaborator Author

samuelgoto commented Oct 8, 2024

Ok, here is something to get the discussion started. WDYT?

// Prompts the user to select a wallet to have the digital credential issued, and sends the request to the wallet
// Throws an exception if the user denied the request or didn't have an accepting wallet installed indistinguishably
const credential = await navigator.credentials.create({
  digital: {
    protocol: "openid4vci",
    data: {
      // the openid4vci request body, omitted for brevity
    },
  }
});
// TODO(goto): should we use the navigator.credentials.store(new DigitalCredential()) instead of create()?

@timcappalli
Copy link
Member

timcappalli commented Oct 8, 2024

@samuelgoto what's the reasoning for .store? The ultimate result is the creation of a digital credential in an external container. I think it should be .create, similar to WebAuthn.

@samuelgoto
Copy link
Collaborator Author

@samuelgoto what's the reasoning for .store? The ultimate result is the creation of a digital credential in an external container. I think it should be .create, similar to WebAuthn.

Are you referring to this TODO that I left [1]? The code snippet I proposed uses create() rather than store(), right?

[1]

// TODO(goto): should we use the navigator.credentials.store(new DigitalCredential()) instead of create()?

@timcappalli
Copy link
Member

Sorry, looks like I saw an earlier version before it was edited.

@samuelgoto
Copy link
Collaborator Author

Question: is there an equivalent of a "un-issuance"? Can a wallet create and then invalidate / delete it?

@samuelgoto
Copy link
Collaborator Author

samuelgoto commented Oct 14, 2024

@marcoscaceres what's the difference between the credential manager's store() and create() call?
it seems like PublicKeyCredential uses create(), but PasswordCredential and FederatedCredential use store() instead (example).

Which one should we use here for issuance?

@timcappalli
Copy link
Member

timcappalli commented Oct 15, 2024

Question: is there an equivalent of a "un-issuance"? Can a wallet create and then invalidate / delete it?

Not typically via the front channel. WebAuthn will soon have some new methods that allow signaling to the client that credentials are no longer valid, but it's a background / opportunistic thing. Identity wallets will typically have out of band methods for credential revocation / status.

@marcoscaceres what's the difference between the credential manager's store() and create() call?
it seems like PublicKeyCredential uses create(), but PasswordCredential and FederatedCredential use store() instead > (example).

Which one should we use here for issuance?

Architecturally, digital credentials and wallets are the same as public key credentials and authenticators. Store is used with user agent internal credential stores. Like authenticators, digital wallets are external, and should use create.

@samuelgoto
Copy link
Collaborator Author

I've been trying to inform myself on how issuance works, and it seems like there is a pretty tight connection between Issuers and Holders ... meaning, it seems some (enough? all?) Issuers have an out-of-band agreement with Holders and only allow a certain set of enumerated and approved holders ...

That is, am I reading this correctly in that a "wallet chooser" isn't quite correct? -- or only to the extent that the issuer can pick the specific wallets that are offered to the user.

@dlongley
Copy link
Contributor

I've been trying to inform myself on how issuance works, and it seems like there is a pretty tight connection between Issuers and Holders ... meaning, it seems some (enough? all?) Issuers have an out-of-band agreement with Holders and only allow a certain set of enumerated and approved holders ...

No, this is certainly not true across the ecosystem. Open wallet choice (no prior agreement with issuers and no permission from issuers required) is important in many areas. In these cases, an issuer may not know or care which wallet a user happens to use. That particular subsets of the ecosystem are more closed does not mean that others aren't more open (they are).

But it is worth noting that even in the open case, some issuers will want to make suggestions to users about which wallets they can use, to enable "just in time" wallet acquisition to receive one or more credentials, etc.

@samuelgoto
Copy link
Collaborator Author

That particular subsets of the ecosystem are more closed does not mean that others aren't more open (they are).

Yeah, that makes sense. I guess, maybe the point that I was trying to make here is that the closed wallet choice is necessary (rather than, as you said, sufficient), and I think we don't yet know how to address that necessity.

@dlongley
Copy link
Contributor

I guess, maybe the point that I was trying to make here is that the closed wallet choice is necessary (rather than, as you said, sufficient), and I think we don't yet know how to address that necessity.

One way this sort of thing can be done with the VC API is for the issuer to ask for a VC from the wallet (where that VC is about the wallet itself) during an exchange, prior to (gating) issuance. Perhaps something similar can be modeled or "announced" in an issuance call via the browser API -- whereby a request is included in the issuance parameters (somewhere in store()) that could be evaluated in a similar way that requests in get() are / may be to determine applicability.

@samuelgoto
Copy link
Collaborator Author

Something occurred to us as we started to prototype this, and it is whether we'd need to support multiple protocols (e.g. so that wallets that speak one or the other can be shown in the wallet selector) or not, like we do for presentation.

Concretely, I'm wondering if the API should look like the following:

const credential = await navigator.credentials.create({
  digital: {
    requests: [{
      protocol: "openid4vci",
      data: {
        // the openid4vci request body, omitted for brevity
      }
   }, {
      protocol: "some-other-issuance-protocol",
      data: {
        // the request body, omitted for brevity
      }   
   }],
  }
});

Or what we wrote in #167 (comment).

@leecam
Copy link
Collaborator

leecam commented Jan 12, 2025

As per discussion on last week's call, some more background on Issuance that could potentially be included in the explainer.

One of the primary motivations for the Digital Credentials API for presentation was the issue of the use of custom schemes by protocols such as OpenID4VP and the references to those protocols in regulations (such as eIDAS2.0). A significant amount of work has gone into updating specifications such as OpenIdD4VP and HAIP to reference the DC API for presentation. Recently we've also seen governments start to make formal references to the DC API for presentation.

While we have made substantial progress with presentation, credential Issuance suffers from the same issues with regard to custom schemes. Protocols such as OpenID4VCI and the HAIP specification still have no choice but to mandate custom schemes to initiate issuance. As such we're seeing this being captured in regulations as these standards move to the final stages.

To address this the DC API should provide a means to allow an issuer website to initiate the issuance of credentials to the user's wallet of choosing. As with presentation, this would unblock Issuance protocols such as OpenID4VCI and specifications such as HAIP to formally reference the DC API as an alternate to custom schemes.

Its proposed that Issuance follow the same API design pattern as presentation, with the same key design principle around protocol agility and extensibility. The API should build upon the Credential Management API. As such we propose the use of navigator.credentials.create with a new DigitalCredentialCreationOptions extension to CredentialCreationOptions.

Mirroring the presentation call the API could take the following form:

const result = await navigator.credentials.create({
  digital: {
    requests: [{
      protocol: "openid4vci",
      data: {
        // the openid4vci request body, omitted for brevity
      }
   }, {
      protocol: "some-other-issuance-protocol",
      data: {
        // the request body, omitted for brevity
      }   
   }],
  }
});

The proposal to allow a list of credential offers may require some discussion. The intention is that a given wallet will only offer to process a single request within the list. As such, this implies that each request represents the same credential offer, just offered using different protocols. This is subtly different to the get() call where wallets may offer all the unique credentials that match across all the requests in the list.

The motivation here is to allow issuers to make a single call to make a credential offer, without knowing the protocols supported by the available wallets. For example lets say in the future a new OpenID4VCI v2.0 protocol is released and an Issuer wishes to upgrade to using that protocol, while still supporting legacy wallets. An Issuer can now make a call to offer a credential, such as a driving license, using both OpenID4VCI v1.0 and OpenID4VCI v2.0.

As with the presentation call, a DigitalCredential is returned containing the protocol that was used by the wallet to process the request. Likewise, the returned data object is defined by the protocol. It is expected that many issuance protocols will use this response object to merely convey the success or failure of the issuance request.

@samuelgoto
Copy link
Collaborator Author

Just a small update here: we are going to send a spec PR to get this proposed into the spec.

@npdoty
Copy link

npdoty commented Jan 22, 2025

Is this intended to use the pre-authorized code flow? Has the user already authenticated with the issuer via their website and provided all the info necessary to determine that they are the right person for this credential?

Or is this about defining a mechanism for the site to initiate a credential offer and then all authentication will be done by the wallet in the wallet's UI?

In perhaps both cases, it seems like there isn't much of a response to the website. Issuance of a credential into a wallet may have required additional steps, and it's not clear that the website will get a success value, or any details as to exactly which credential has been issued into which wallet. OpenID4VCI even indicates that the UX flow should just end in the wallet -- that the user shouldn't come back to the website after the credential is issued. Is that right?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

6 participants