11A/ Bridging Digital and Physical to Make Identifiers Identify (a terrible gap in web standards...)


Wednesday 11A

Convener: Liam McCarty (Unum ID)

Notes-taker(s): David Chadwick (additional info)

Tags for the session - technology discussed/ideas considered: identifiers, keys, W3C, WebAuthn, WebCrypto, DIDs, wallets, VCs

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps



Do identifiers identify? Only if they are associated with the same person or thing consistently over time. For human identity, this is easy with a mobile app but impossible with a web app, due to a terrible gap in web standards. We need community action to advocate for general-purpose, hardware-backed cryptographic signatures on the web! This would make it possible to build decentralized identity wallets as web apps, not just mobile apps, dramatically improving the odds of adoption.

Short Summary:

Decentralized identity efforts have typically relied on mobile app wallets, since mobile operating systems offer crucial functionality, especially hardware-backed cryptography and device biometrics. But mobile app wallets face enormous barriers to adoption because people are unlikely to install new apps whose value they don't yet know. Mobile SDKs only partly address this problem: they must be embedded in host apps that many people may not have installed either, and they must work largely behind the scenes, which complicates the "sovereignty" of users over their identities.

Imagine if a web app could do the cryptography and biometrics a mobile app can. This would enable web app wallets, which have almost zero barriers to adoption, as users can access them from a URL rather than through an installation process. The result would be a dramatic increase in the usability of decentralized identity tech and therefore the odds of its adoption.

The problem is, current web standards don't support what's necessary! WebCrypto enables general-purpose cryptographic signatures, but its keys are not bound to device hardware. WebAuthn enables hardware-backed cryptographic signatures, but only for the very narrow use case of authentication. I've made proposals to each of these groups to effectively combine the two functionalities to achieve general, hardware-backed cryptographic signatures on the web, but each group is in a bind. WebCrypto committed a while back not to focus on hardware, and WebAuthn in its very name has a mandate only for authentication.

So, at this point, we need to rally the community to support expansion/combination of these specs! It would be a true game changer for decentralized identity tech.

Additional material

Verifiable Credentials Ltd has integrated WebAuthn (FIDO2) with the Verifiable Credentials Data Model to provide the bridge this talk is looking for. A presentation about this is available here


And a description of our first prototype (based on FIDO UAF) is published here

David W Chadwick, Romain Laborde, Arnaud Oglaza, Remi Venant, Samer Wazan, Manreet Nijjar “Improved Identity Management with Verifiable Credentials and FIDO”. IEEE Communications Standards Magazine. Vol 3, Issue 4, Dec 2019, Pages 14-20


My presentation to the DIF Identifiers & Discovery WG on this topic (September 13): https://github.com/decentralized-identity/identifiers-discovery/blob/main/agenda.md#meeting---13-september-2021---1400-et-recording

WebAuthn W3C spec: https://www.w3.org/TR/webauthn-2/

WebCrypto W3C spec: https://www.w3.org/TR/WebCryptoAPI/

My proposal on WebAuthn GitHub issues: https://github.com/w3c/webauthn/issues/1608

My proposal on WebCrypto GitHub issues: https://github.com/w3c/webcrypto/issues/263

(Abandoned) Hardware Based Secure Services W3C group: https://www.w3.org/community/hb-secure-services/

(Abandoned) Hardware Based Secure Services W3C spec: https://rawgit.com/w3c/websec/gh-pages/hbss.html

Session Slides: