I agree that an identity verification protocol based on explicit consent should be a standard component of the web platform, but I think it should be designed so there would no need for a fixed “real-world” identity.
The third-party entities could validate an arbitrary set of attributes, some of which may identify a legal person i.e. passport or birth certificate, but others could be anonymous attributes such as membership of a club, a child’s age, an anonymous audience category, or any attribute that the parties need and agree to without the necessity to inform any of the parties, including the validating parties, of other identifying attributes.
It follows from this that the identity reference should be short lived and not linkable beyond a particular transaction, i.e. a session state protocol would be part of it. A reference associating a legal identity should not be capable of being linked beyond a “session”, outside a secure context or with another origin. This means for example a reference in a cookie or other http header should have a short expiry time and be deleted when no longer required. The user would give the UA explicit consent for the creation of a new reference without further user interaction for a limited period, for example to authenticate a login.
This could eventually replace the arbitrary use of cookies, fingerprinting, cross-origin data leakage etc., which have led to the security and privacy problems plaguing the web .
From: Dave Raggett [mailto:dsr@w3.org]
Sent: 13 February 2015 18:21
To: public-web-security@w3.org
Subject: [WebCrypto.Next] Linking web identities with real-world identities
The payments world has use cases for secure access to bank accounts from your browser and for installing and activating payment instruments as part of your digital wallet. Both of these require some way to bind web identities to real-world identities. An argument for an intent based approach is given in the following blog post for the Web Payments IG, see:
Please note that this is my personal viewpoint and should not be taken as that of the Payments IG, nor of W3C.