3A/ Need for hardware backed crypto on the web! (Would enable SSI with no mobile apps required.) Why we need to advocate as a community

From IIW

Tuesday 3A

Convener: Liam McCarty (Unum ID)

Notes-taker(s): 

Tags for the session - technology discussed/ideas considered:

W3C, WebAuthn, WebCrypto, DIDs, wallets, VCs

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

SESSION INFO:

tl;dr:

We need community action to advocate for general, hardware backed cryptographic signatures on the web! This would make it possible to build decentralized identity wallet web apps, not just mobile ones, dramatically improving the odds of adoption.

Short summary:

Decentralized identity efforts have typically relied on mobile app wallets, since mobile operating systems offer crucial functionality, especially hardware backed cryptography and device biometrics. But mobile app wallets face enormous barriers to adoption because people are unlikely to install new apps they don’t yet know the value of. Mobile SDKs only partly address this problem because they must be embedded in host apps that many people may not yet have installed, and they must work largely behind the scenes, complicating the “sovereignty” of users over their identities.

Imagine if a web app could do the cryptography and biometrics a mobile app can. This would enable web app wallets, which have almost zero barriers to adoption, as users can access them from a URL rather than through an installation process. The result would be a dramatic increase in the usability of decentralized identity tech and therefore the odds of its adoption.

The problem is, current web standards don’t support what’s necessary! WebCrypto enables general cryptographic signatures but not tied to device hardware. WebAuthn enables hardware backed cryptographic signatures but only for the very narrow use case of authentication. I’ve made proposals to each of these groups to effectively combine the two functionalities to achieve general, hardware backed cryptographic signatures on the web, but each group is in a bind. WebCrypto committed a while back not to focus on hardware, and WebAuthn in its very name has a mandate only for authentication.
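The gap between the two APIs, as an added JavaScript example that is not part of the original session notes: a WebCrypto signature covers the caller's bytes directly, while a WebAuthn assertion signature covers `authenticatorData || SHA-256(clientDataJSON)`, where the challenge is the only caller-chosen input. The software P-256 key standing in for an authenticator, the `wallet.example` origin, and the sample document are constructed assumptions.

```javascript
// Added example. The software P-256 key stands in for an authenticator key;
// a real authenticator keeps its key in hardware and builds these bytes itself.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle; // Node fallback
const enc = new TextEncoder();
const ALG = { name: 'ECDSA', namedCurve: 'P-256' };
const SIG = { name: 'ECDSA', hash: 'SHA-256' };

const b64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sha256 = async (bytes) => new Uint8Array(await subtle.digest('SHA-256', bytes));

// Bytes a WebAuthn assertion signature covers:
// authenticatorData (rpIdHash | flags | signCount) || SHA-256(clientDataJSON).
async function webauthnSignedBytes(rpId, origin, challenge, signCount) {
  const clientDataJSON = enc.encode(JSON.stringify(
    { type: 'webauthn.get', challenge: b64url(challenge), origin, crossOrigin: false }));
  const authData = new Uint8Array(37);
  authData.set(await sha256(enc.encode(rpId)), 0);          // 32-byte rpIdHash
  authData[32] = 0x05;                                      // flags: UP | UV
  new DataView(authData.buffer).setUint32(33, signCount);   // big-endian counter
  const signed = new Uint8Array(37 + 32);
  signed.set(authData, 0);
  signed.set(await sha256(clientDataJSON), 37);
  return signed;
}

async function compare() {
  const { privateKey, publicKey } = await subtle.generateKey(ALG, false, ['sign', 'verify']);
  const doc = enc.encode('{"presentation":"constructed sample VC payload"}');
  // WebCrypto: the signature is directly over the caller's document (software key).
  const plainSig = await subtle.sign(SIG, privateKey, doc);
  // WebAuthn-style: the caller supplies only the challenge; the signature covers the wrapper.
  const challenge = await sha256(doc);
  const wrapped = await webauthnSignedBytes('wallet.example', 'https://wallet.example', challenge, 7);
  const assertionSig = await subtle.sign(SIG, privateKey, wrapped);
  return {
    plainVerifiesOverDoc: await subtle.verify(SIG, publicKey, plainSig, doc),
    assertionVerifiesOverDoc: await subtle.verify(SIG, publicKey, assertionSig, doc),
    assertionVerifiesOverWrapper: await subtle.verify(SIG, publicKey, assertionSig, wrapped),
    wrapperLength: wrapped.length,
  };
}
```

A verifier expecting a plain signature over the document rejects the assertion signature; it only verifies for a party that reconstructs the WebAuthn wrapper bytes.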

So, at this point, we need to rally the community to support expansion/combination of these specs! It would be a true game changer for decentralized identity tech.

Links:

My presentation to the DIF Identifiers & Discovery WG on this topic (September 13): https://github.com/decentralized-identity/identifiers-discovery/blob/main/agenda.md#meeting---13-september-2021---1400-et-recording

WebAuthn W3C spec: https://www.w3.org/TR/webauthn-2/

WebCrypto W3C spec: https://www.w3.org/TR/WebCryptoAPI/

My proposal on WebAuthn GitHub issues: https://github.com/w3c/webauthn/issues/1608

My proposal on WebCrypto GitHub issues: https://github.com/w3c/webcrypto/issues/263

(Abandoned) Hardware Based Secure Services W3C group: https://www.w3.org/community/hb-secure-services/

(Abandoned) Hardware Based Secure Services W3C spec: https://rawgit.com/w3c/websec/gh-pages/hbss.html

Slides:

https://drive.google.com/file/d/1o7VuanEdJqnqVZGvzfgHmGp1eO17ETWd/view?usp=sharing