W3C home > Mailing lists > Public > public-credentials@w3.org > August 2014

Re: Preliminary Credentials Use Cases

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 26 Aug 2014 20:55:07 -0400
Message-ID: <53FD2C6B.9080401@digitalbazaar.com>
To: Anders Rundgren <anders.rundgren.net@gmail.com>, public-credentials@w3.org
On 08/26/2014 07:08 AM, Anders Rundgren wrote:
> On 2014-08-26 12:47, Manu Sporny wrote:
>> On 08/26/2014 03:34 AM, Anders Rundgren wrote:
>>> I think it is important realizing that web-based credential sync
>>> is already featured in iOS and in Google Wallet.
>> Which specific features are you talking about? The auto-credit
>> card features? Or request-autocomplete? Or something else?
> Credentials in iOS and Google Wallet only refer to cryptographic
> keys or userid/passwords.

Got it, thanks.

>>> AFAIK, these webs never expose any information to external
>>> parties, they are effectively cloud-based smart cards.
>> Hmm, depends on what you mean by "expose any information", clearly
>> some information has to be exposed for the service to be useful.
>> Are you talking PKI signatures here, or something else?
> The credential sync maintains private information in a remote server 
> which in the Google Wallet case only the user is supposed to have 
> access to.  The credentials are supposed to be used with local 
> applications or the browser using specific protocols like VPNs. 
> iCloud appears to be a more general solution for synced data: 
> http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

The identity credentials stuff is usually 3-legged, meaning that there
are 3 parties involved. The first is the identity provider, the second
is your user agent (browser), the third is the relying party (website
that asked for the information).

We support the relaying of credentials from identity provider -> browser
-> relying party as well as authorizing a relying party to retrieve data
from an identity provider on an as-needed basis.

The latter is concerning as one could imagine that big and powerful
corporations would require all data they collect from you to be
up-to-date all the time and thus you may not use their service unless
you agree that they can pull your data whenever they feel like it. So,
that's something we need to consider.

>> There are a number of organizations each targeting something
>> slightly different. The use case is trying to capture the general
>> theme without being overly prescriptive. If you could elaborate on
>> the above (preferably with links) that would help us figure out
>> what you consider in scope and out of scope. :)
> I only wanted to highlight what parties like Apple and Google do in
> this space.

Thanks Anders, that was helpful. We should really do a deep dive into
what Google and Apple has at some point. Volunteers to do that?

-- manu

Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
Received on Wednesday, 27 August 2014 00:55:35 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:38 UTC