Re: mDL app = wallet app

While the AAMVA guidelines look like good things for wallet apps to
provide, and users ought to insist on them when they install a wallet app,
using attestation adds a bunch of risks, and it's not clear those risks pay
for themselves.

As Adam Langley argued for WebAuthn
<https://www.imperialviolet.org/2018/03/27/webauthn.html#attestation:~:text=Traditionally%2C%20anyone%20who,have%20to%20pay.>,
if websites can restrict the wallet apps they work with, that's likely to
prevent new wallet apps from entering the market. It'll also prevent users
from using a minority OS of their choice, might require users to have
several wallet apps to satisfy the conflicting requirements of the various
apps they use, and might prevent users from choosing the best wallet app
for their needs.

Allowing attestation may also cause security risks, if it allows an app to
insist on a less-secure wallet, or allows an OS to stop particular users
from using their credentials.

There's some ambiguity in Tom's post between allowing issuers to constrain
the wallet apps, vs allowing verifiers to constrain them, but even just
restricting issuance causes most of the above harms.

Jeffrey

On Wed, Oct 15, 2025 at 6:27 PM Tom Jones <thomasclinganjones@gmail.com>
wrote:

> At the W3C incubation cg there was some insistence that the mDL does not
> need attestation. I am not sure if this security group can look ahead to
> avoid security problems, but I find the idea of apps handling user private
> data without attestation to be a security nightmare. Is it appropriate to
> create a threat model of an incubation effort to prevent security
> problems? I would do that if it will be reviewed.
>
> Just to be clear, other standards efforts, like the mDL in North America,
> require issuers to provide creds only to apps that meet the AAMVA
> guidelines. EUDIW has similar requirements. I really don't want to see the
> W3C flouting these requirements.
>
> Quote AAMVA >>> In addition, Issuing Authorities must ensure that mDL apps
> to which they provision data support at least the following: • In case the
> request was received electronically, the mDL app must clearly convey what
> data was requested, and whether the mDL verifier intends to retain the
> information. If the request is presented in summarized form in the user
> interface (e.g. “Identity and driving privilege data” as opposed to “First
> Name, Last Name, DOB, Driving privileges”), means must be available to give
> the mDL holder visibility of the details of such a summarized form, both
> before and during a transaction. • The mDL app must provide the mDL holder
> full control over which data elements to share with the mDL verifier. •
> ISO/IEC 18013-5 requires the portrait image to be shared if the portrait
> was requested and if any other data element is released (to enable the mDL
> verifier to tie the mDL information to the person presenting the
> information). The app must support a graceful and informed exit from the
> request if the holder opts not to share the portrait image when requested.
> • If blanket sharing options are used, measures must be implemented to
> ensure that the mDL holder remains aware of what is being released when
> such an option is in effect. An mDL holder must also be able to opt out of
> or cancel any blanket sharing function.
>
> Peace ..tom jones
>
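
Added illustration, not part of either message above: the AAMVA requirements Tom quotes can be written as a holder-side release gate, which shows where the ISO/IEC 18013-5 portrait rule bites. The summary label expansion, element names and the BlanketSharing helper are constructed assumptions for the example, not taken from AAMVA or the standard.

```python
"""Holder-side release gate for an mDL app, modelling the quoted AAMVA rules."""
from __future__ import annotations
from dataclasses import dataclass
from enum import Enum

# Constructed mapping: a summarized request label -> the detailed elements it
# hides, so the holder can be shown every element before and during release.
SUMMARY_EXPANSIONS = {
    "Identity and driving privilege data": [
        "family_name", "given_name", "birth_date", "driving_privileges", "portrait",
    ],
}

class Outcome(Enum):
    RELEASE = "release"                        # share exactly the consented elements
    GRACEFUL_EXIT = "graceful_exit"            # holder declined a required portrait
    NOTHING_TO_RELEASE = "nothing_to_release"  # holder consented to nothing requested

@dataclass
class VerifierRequest:
    elements: list[str]      # detailed element names or summarized labels
    intends_to_retain: bool  # must be surfaced to the holder alongside the elements

@dataclass
class BlanketSharing:
    """Pre-approved elements (constructed helper); the holder can cancel at any time."""
    elements: set[str]
    active: bool = True
    def cancel(self) -> None:
        self.active = False

def expand_request(req: VerifierRequest) -> list[str]:
    """Expand summarized labels into detailed elements, preserving request order."""
    detailed: list[str] = []
    for e in req.elements:
        detailed.extend(SUMMARY_EXPANSIONS.get(e, [e]))
    return list(dict.fromkeys(detailed))

def effective_consent(explicit: set[str], blanket: BlanketSharing | None) -> set[str]:
    """Per-transaction choices plus any still-active blanket sharing."""
    return explicit | blanket.elements if blanket and blanket.active else set(explicit)

def decide_release(req: VerifierRequest, consented: set[str]) -> tuple[Outcome, list[str]]:
    requested = expand_request(req)
    # Holder controls each element: release only what was both requested and consented.
    to_release = [e for e in requested if e in consented]
    if not to_release:
        return Outcome.NOTHING_TO_RELEASE, []
    # Quoted ISO/IEC 18013-5 rule: a requested portrait must accompany any other
    # released element; declining it means an informed exit, not a partial release.
    if "portrait" in requested and "portrait" not in consented:
        return Outcome.GRACEFUL_EXIT, []
    return Outcome.RELEASE, to_release
```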

Received on Thursday, 16 October 2025 22:40:06 UTC