Re: CHAPI Playground now supports VC-API

On 2023-08-25 15:48, Benjamin Young wrote:
> Hi all,
> 
> Last Friday, Morgan described the process of picking alternative API’s
> to be used in the Playground to explore integrations where CHAPI’s
> browser-side events may not be possible–such as between the user’s Web
> browser and a Native Wallet application on Android or iOS:
> https://lists.w3.org/Archives/Public/public-credentials/2023Aug/0054.html

I'm not convinced that this is a viable solution because deep links:
- Do not provide the invoking web page's security context.  *PHISHING WARNING*.
- Do not provide a response at the JS level, effectively forcing you to use awkward OOB arrangements

The only solution that actually support these desirable properties is Android's implementation of Payment Request:
https://cyberphone.github.io/doc/web/calling-apps-from-the-web.pdf
Although Apple also supports PaymentRequest, they only allow it to call Apple Pay.  Calling PaymentRequest a standard is quite a stretch.

When I first raised this issue (Web2Native) in W3C some 8 years(!) ago, the response was: we DO NOT encourage the use of native code on the Web because it introduces vulnerabilities. Right or wrong, Deep Links already do this, albeit in a much less useful fashion.

Anders

> 
> You can use that same set of steps to select VC-API (either separately
> or alongside OID4VCI).
> 
> Relatedly, I’ve done a bit more work on the chapi.io docs surrounding
> Native Wallets and there’s now a more complete description of how a
> Native Wallet would interact with the CHAPI UI in a Web browser and
> make Verifiable Presentation exchanges via VC-API:
> https://chapi.io/developers/wallets/native/#vc-api
> 
> As ever, documentation like this is an ongoing process, so please
> reach out if I can make anything clearer.
> 
> Cheers!
> Benjamin
> ---
> https://linkedin.com/in/benjaminyoung
> Developer Engagement Engineer - Digital Bazaar, Inc.
> https://www.digitalbazaar.com/
>

Received on Friday, 25 August 2023 14:27:14 UTC