Building Consensus on the Role of Real World Identities on the Web

[martinthomson]

Session description

People already share their real identity on the Web, but they primarily share them through unsophisticated means: selfies, photographs of documents, and typing out numbers from identity documents. Countries are increasingly issuing their residents' identity documents in digital, cryptographic formats. Some jurisdictions, like the EU, will require that digital credentials be respected in multiple contexts, including on the Web.

We are at a critical point for the use of these identities on the Web; they are, for now, not part of the web platform and are not being presented online by most users. How long this lasts does not depend entirely on browsers. OpenID4VP describes multiple mechanisms to allow a website to request another application on the device that holds credentials to ask the user to prove their identity.

Work on building an API for presenting digital identity documents and designing how that must interact with wallets and existing identity protocols has begun in WICG. While the discussion there does extend beyond the purely technical, we think there is benefit in bringing a discussion to a broader audience with emphasis on the ecosystem, security, and privacy impacts of that work.

The following are just some of the questions that don’t have clear consensus:

• What should a browser store about wallets, credentials, and their use?
• To what extent should we trust the issuing government? Does that include trust for privacy properties?
• What are the use cases we should support? What justifies different approaches? What common aspects are shared?
• How does the role of the wallet as a user agent interact with that of the browser?
• What criteria must be required of real-world identity protocols to be included in the web platform?
• What conditions should be placed on release of data? Is consent the right control to apply here? Or should a credential issuer have a say as well?
• How do we ensure that use of credentials is justified and proportionate? Is there a need to establish a means to limit who can obtain credentials?

Session goal

Work toward a consensus view of what the role of Real World Identity should be on the Web in the next 5-10 years.

Session type

Breakout (Default)

Additional session chairs (Optional)

@marcoscaceres

IRC channel (Optional)

#rwi

Other sessions where we should avoid scheduling conflicts (Optional)

#3, #7, #9, #2

Instructions for meeting planners (Optional)

• We would prefer a time that is friendly to our European colleagues. Though some of us are in Australia, we're willing to suffer the awful hours this one time.
• Avoid conflict with other identity sessions

Agenda (link or inline) (Optional)

• 5 min: Chair describes the problem and state of the world for RWI and provides some leading open questions
• 35 min: Open discussion of participant’s views on what the role of Real World Identity should be
• 10 min: Focus discussion toward common beliefs among attendees, or common beliefs among constituencies

Link to calendar (Optional)

Calendar entry

Meeting materials (Optional)

• Minutes

[tpac-breakout-bot]

Thank you for proposing a session!

You may update the session description as needed and at any time before the meeting, but please keep in mind that tooling relies on issue formatting: follow the instructions and leave all headings and other formatting intact in particular. Bots and W3C meeting organizers may also update the description, to fix formatting issues or add links and other relevant information. Please do not revert these changes. Feel free to use comments to raise questions.

Do not expect formal approval; W3C meeting organizers endeavor to schedule all proposed sessions that are in scope for a breakout. Actual scheduling should take place shortly before the meeting.

[marcoscaceres]

Should also avoid conflict with #2

[timcappalli]

Also should try to avoid #18

[TomCJones]

i tried to get access to this breakout but the ics given did not work for me - i seem to have some sort of conflict on this windows computer - is there anywhere else i can see the schedule? ..tom

[tidoust]

@TomCJones, the overall schedule is available at: https://www.w3.org/2024/03/breakouts-day-2024/
(This particular session took place several hours ago though)