This document specifies an API to enable [=user agents=] to mediate access to, and presentation of, digital credentials such as a driver's license, government-issued identification card, and/or [=credential type examples|other types of digital credential=]. The API builds on [[[credential-management-1]]] as a means by which to request a digital credential from a user agent or underlying platform.

This is an unofficial proposal.

Introduction

There are many types of digital credential that can be presented using this API. Examples of these types include:

Model

The goal of the definitions in this section is to reuse or establish terminology that is common across a variety of digital credential formats and protocols. Discussions surrounding these definitions are active and the definitions are likely to change over the next several months.

Digital credential
A cryptographically signed digital document containing one or more [=claims=] made by an [=issuer=] about one or more [=subjects=].

This specification is currently focused on digital credentials pertaining to people.

Presentation request
A presentation request is a request for a [=digital credential=] composed of [=digital credential/request data=] and a [=digital credential/exchange protocol=].
request data
A format that [=verifier=] software or a [=user agent=] uses, via an [=digital credential/exchange protocol=], to request a [=digital credential=] from a [=holder=].
Presentation response
A format that a [=holder|holder's=] software, such as a digital wallet, uses, via an [=digital credential/exchange protocol=], to respond to a [=digital credential/request data=] by a [=verifier=].
Exchange protocol
A protocol used for exchanging a [=digital credential=] between a [=holder=] and a [=verifier=]. See section [[[#protocol-registry]]].

Scope

The following items are within the scope of this specification:

The following items are out of scope:

Extensions to `CredentialRequestOptions` dictionary

    partial dictionary CredentialRequestOptions {
      DigitalCredentialRequestOptions digital;
    };
    

The `digital` member

The digital member allows for options to configure the request for a [=digital credential=].

The `DigitalCredentialRequestOptions` dictionary

    dictionary DigitalCredentialRequestOptions {
      sequence<DigitalCredentialsRequest> requests;
    };
    

The `requests` member

The requests specify an [=digital credential/exchange protocol=] and [=digital credential/request data=], which the user agent MAY match against a holder's software, such as a digital wallet.

The `DigitalCredentialsRequest` dictionary

The {{DigitalCredentialsRequest}} dictionary represents a [=digital credential/presentation request=]. It is used to specify an [=digital credential/exchange protocol=] and a [=digital credential/request data=], which the user agent MAY match against software used by a holder, such as a digital wallet.

    dictionary DigitalCredentialsRequest {
      required DOMString protocol;
      required object data;
    };
    

The `protocol` member

The protocol member denotes the [=digital credential/exchange protocol=] when requesting an identify credential.

The {{DigitalCredentialsRequest/protocol}} member's value is be one of the well-defined keys defined in [[[#protocol-registry]]] or any other custom one.

The `data` member

The data member is the [=digital credential/request data=] to be handled by the holder's software, such as a digital wallet.

The `DigitalCredential` interface

The DigitalCredential interface represents a conceptual [=digital credential=].

[=User mediation=] is always {{CredentialMediationRequirement/"required"}}. [=Request a credential|Requesting a DigitalCredential credential=] does not support {{CredentialMediationRequirement/"conditional"}}, {{CredentialMediationRequirement/"optional"}}, or {{CredentialMediationRequirement/"silent"}} [=user mediation=]. If {{CredentialsContainer/get()}} is called with anything other than {{CredentialMediationRequirement/"required"}}, a {{TypeError}} will be thrown.

    [Exposed=Window, SecureContext]
    interface DigitalCredential : Credential {
      readonly attribute DOMString protocol;
      readonly attribute object data;
    };
    

{{DigitalCredential}} instances are [=Credential/origin bound=].

Integration with Credential Management API

The `protocol` member

The protocol member is the [=digital credential/exchange protocol=] that was used to request the [=digital credential=].

The `data` member

The data member is the credential's response data. It contains the subset of JSON-parseable object types.

[[\DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) internal method

When invoked, the [[\DiscoverFromExternalSource]](origin, options, sameOriginWithAncestors) internal method MUST:

  1. Let |global| be [=this=]'s [=relevant global object=].
  2. Let |document| be |global|'s [=associated `Document`=].
  3. If |document| is not a [=Document/fully active descendant of a top-level traversable with user attention=], [=exception/throw=] {{"NotAllowedError"}} {{DOMException}}.
  4. If |window| does not have [=transient activation=], [=exception/throw=] {{"NotAllowedError"}} {{DOMException}}.
  5. [=Consume user activation=] of |window|.
  6. Let |requests| be |options|'s {{CredentialRequestOptions/digital}}'s {{DigitalCredentialRequestOptions/requests}} member.
  7. If |requests| is empty, [=exception/throw=] a {{TypeError}}.
  8. Return a {{DigitalCredential}}.

[[\Store]](credential, sameOriginWithAncestors) internal method

When invoked, the [[\Store]](credential, sameOriginWithAncestors) MUST call the default implementation of {{Credential}}'s {{Credential/[[Store]](credential, sameOriginWithAncestors)}} internal method with the same arguments.

[[\Create]](origin, options, sameOriginWithAncestors) internal method

When invoked, the [[\Create]](origin, options, sameOriginWithAncestors) internal method MUST call the default implementation of {{Credential}}'s {{Credential/[[Create]](origin, options, sameOriginWithAncestors)}} internal method with the same arguments.

[[\type]] internal slot

The {{DigitalCredential}} [=interface object=] has an internal slot named [[\type]] whose value is "digital".

[[\discovey]] internal slot

The {{DigitalCredential}} [=interface object=] has an internal slot named [[\discovery]] whose value is "remote".

User consent

The Digital Credential API is a [=powerful feature=] that requires [=express permission=] from an end-user. This requirement is normatively enforced when calling {{CredentialsContainer}}'s {{CredentialsContainer/get()}} method.

Permissions Policy integration

This specification defines a [=policy-controlled feature=] identified by the string "digital-credentials-get". Its [=policy-controlled feature/default allowlist=] is [=default allowlist/'self'=].

Registry of protocols for requesting digital credential

The following is the registry of [=digital credential/exchange protocols=] that are supported by this specification.

It is expected that this registry will be become a [=W3C registry=] in the future.

Inclusion criteria

To be included in the registry...

[=User agents=] MUST support the following [=digital credential/exchange protocols=]:

Table of officially registered [=digital credential/exchange protocols=].
Protocol identifier Description Specification
Coming soon...

Security Considerations

This section is a work in progress as this document evolves.

The documents listed below outline initial security considerations for Digital Credentials, both broadly and for presentation on the web. Their contents will be integrated into this document gradually.

Credential Protocols

Explain that while the API provides security at the browser API level, that security for the underlying credential issuance or presentation protocol is a separate concern and that developers need to understand that layer of the stack to get a total picture of the protections that are in place during any given transaction.

Cross-device Protocols

Explain that cross-device issuance or presentation uses a separate protocol that has its own security characteristics.

Quishing

Explain that the API is designed to avoid the problem of quishing (phishing via QR Codes) and other QR Code and non-browser API-based attacks and to be aware of exposure of QR Codes during digital credential interactions.

Data Integrity

Explain that the API does not provide data integrity on the digital credential requests or responses and that responsibility is up to the underlying protocol used for the request or response.

Authentication

Explain that authentication (such as a PIN code to unlock) to a particular app, such as a digital wallet, that responds to an API request is crucial in high-risk use cases.

Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)

Explain what attacks are possible via XSS and CSRF, if any.

Session Security

Explain that once a secure session is established at a website using credentials exchanged over this API, that the subsequent security is no longer a function of the credential used or this API and is up to the session management utilized on the website.

Privacy Considerations

This section is a work in progress as this document evolves.

The documents listed below outline various privacy considerations for Digital Credentials, both broadly and for presentation on the web. Their contents will be integrated into this document gradually.

Unnecessary Requests for Credentials

Explain how the API could be used to unnecessarily request digital credentials from individuals such as requesting a driver's license to log into a movie rating website and how the ecosystem can mitigate this risk.

Over Collection of Data

Explain how the API could be used to request more data than necessary for a transaction and how the ecosystem can mitigate that over collection.

Individual Consent

Explain how the API acquires an individual's consent to share a digital credential and how digital wallets can also provide further consent when sharing information.

Data Retention

Explain how verifiers might retain data and what the ecosystem does to mitigate excessive data retention policies.

Compliance with Privacy Regulations

Explain to what extent the API complies with known privacy regulations (e.g., consent) and what parts of those regulations are not possible to enforce via the API (e.g., retention).

Selective and Unlinkable Disclosure

Explain how selective disclosure and unlinkable disclosure help preserve privacy as well as their limitations in doing so.

Phoning Home

Explain how some systems might "phone home", the impact on privacy that might have, and what the ecosystem provides to mitigate the risk.

Transmission of Personally Identifiable Information

Explain that the API does enable the transmission of personally identifiable information and that it does its best to ensure there is informed consent by the individual, but that the consent might be provided due to exhaustion or not understanding what PII is being transmitted and how to mitigate those concerns.

Accessibility Considerations

This section is a work in progress as this document evolves.