From cb9ec984347ebba902935494969e3ac94f98e2e9 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Thu, 12 Jun 2025 20:47:43 +0200 Subject: [PATCH 01/14] Update index.html --- index.html | 61 ++++++++++++++++++++++++++++++++++++++++++++++++------ 1 file changed, 55 insertions(+), 6 deletions(-) diff --git a/index.html b/index.html index 225f66ac..2d5f22b3 100644 --- a/index.html +++ b/index.html @@ -62,7 +62,35 @@ date: "2025-05-28", publisher: "W3C" }, + "threat-model-web": { + title: "Threat Model for the Web", + href: "https://github.com/w3c/threat-model-web/blob/main/index.md", + authors: ["Simone Onofri", "Joe Andreieu"], + date: "2025-06-12", + publisher: "W3C" + }, + "concerns-with-custom-schemes-for-identity-presentment": { + title: "Threat Model for the Web", + href: "https://github.com/w3c/threat-model-web/blob/main/index.md", + authors: ["Rick Byers"], + date: "2024-03-01", + publisher: "W3C" + }, + "fido-security-reference": { + title: "FIDO Security Reference", + href: "https://fidoalliance.org/specs/common-specs/fido-security-ref-v2.1-ps-20220523.html", + authors: ["Rolf Lindemann"], + date: "2023-05-23", + publisher: "FIDO Alliance" + }, + "identity-web-impact": { + title: "FIDO Security Reference", + href: "https://www.w3.org/reports/identity-web-impact/", + authors: ["Simone Onofri"], + date: "2025-02-25", + publisher: "W3C" }, + xref: { profile: "web-platform", }, @@ -771,15 +799,33 @@

Security Considerations

-
+

- This section is a work in progress as this document evolves. + This section is a work in progress as this document evolves.

+

- The documents listed below outline initial security considerations - for Digital Credentials, both broadly and for presentation on the - web. Their contents will be integrated into this document gradually. + This section provides a few of the security considerations for the Digital Credentials API. + Note that there is a separate section for Privacy Considerations +

+

Introduction

+

+ Digital Credentials APIs are part of and integrated into a broader ecosystem related to digital credentials. Therefore, this section do not specify all security considerations, threats, and mitigations of the ecosystem, but only those related to, directly linked to, or influenced by the Digital Credentials API. +

+

+ Digital Credentials APIs mediate the communication of the presentation from a verifier using a web application to the user's wallet, and the issuance of the credential to the user's wallet when the issuer uses a web application. However, there are other elements that come into play with regard to the security aspects of these interactions, e.g. +

+ Therefore, the Threat Model for Digital Credentials API - and the resulting security considerations - is linked to other Threat Models, e.g., the Threat Model for Decentralized Credentials [[threat-model-decentralized-identities]], which describes threats at a broader level; the Threat Model for the Web [[threat-model-web]], which describes threats related to the Web Platform; the FIDO Security Reference, which describes threats related to the cross-device flow; as well as those related to other threat categories, such as Privacy. +

+

+ Furthermore, it assumes certain specific conditions and therefore provides requirements to other elements of the ecosystem (e.g., other standards and related implementations). +

+

+ To conclude this introductory section, it is important to note that Digital Credentials APIs were created as a mitigation to other possible approaches to presenting digital credentials on the web, such as customs schemes [[concerns-with-custom-schemes-for-identity-presentment]], and that Digital Credentials are also a mitigation to sending paper documents (e.g., scanned government documents) over the web. +

+

References

+

+ The documents listed below outline initial security considerations for Digital Credentials API. Their contents will be integrated into this document gradually.

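Review bot: in the localBiblio hunk the `concerns-with-custom-schemes-for-identity-presentment` entry carries the title and href of the preceding `threat-model-web` entry (`title: "Threat Model for the Web"`, `href: "https://github.com/w3c/threat-model-web/blob/main/index.md"`) although its author is Rick Byers, and `identity-web-impact` carries `title: "FIDO Security Reference"` although its href is `https://www.w3.org/reports/identity-web-impact/`; both titles and the first href look copied from the entry above and need the cited document's own values. Also check `fido-security-reference`: the href names `fido-security-ref-v2.1-ps-20220523` while `date` says `"2023-05-23"`, so one of the two is off by a year. Finally, please verify the spelling of the second `threat-model-web` author ("Joe Andreieu") against the linked document's author list.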
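Review bot: the second paragraph of the new Introduction ends with a dangling `e.g.` ("there are other elements that come into play ... e.g.") with nothing after it, so either drop the `e.g.` or enumerate the elements; the following paragraph then names the FIDO Security Reference in plain prose while this same commit adds `fido-security-reference` to localBiblio, so it should be cited as `[[fido-security-reference]]` like the other two threat models. Smaller points in the same hunk: "this section do not specify" should be "does not specify", and "customs schemes" should be "custom schemes". The References lead-in sentence ("The documents listed below outline initial security considerations ...") is also carried over almost unchanged while the new intro says this section now provides the considerations itself; worth stating which documents the References subsection still lists.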
From cfeaf75967f860b88a6949b210622d3b217e2d9e Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 16 Jun 2025 03:13:59 +0200 Subject: [PATCH 02/14] Update index.html --- index.html | 79 +++++++++++++++++++++++++++++++++++++++++------------- 1 file changed, 60 insertions(+), 19 deletions(-) diff --git a/index.html b/index.html index 2d5f22b3..266815b7 100644 --- a/index.html +++ b/index.html @@ -804,25 +804,66 @@

This section is a work in progress as this document evolves.

-

- This section provides a few of the security considerations for the Digital Credentials API. - Note that there is a separate section for Privacy Considerations -

-

Introduction

-

- Digital Credentials APIs are part of and integrated into a broader ecosystem related to digital credentials. Therefore, this section do not specify all security considerations, threats, and mitigations of the ecosystem, but only those related to, directly linked to, or influenced by the Digital Credentials API. -

-

- Digital Credentials APIs mediate the communication of the presentation from a verifier using a web application to the user's wallet, and the issuance of the credential to the user's wallet when the issuer uses a web application. However, there are other elements that come into play with regard to the security aspects of these interactions, e.g. -

- Therefore, the Threat Model for Digital Credentials API - and the resulting security considerations - is linked to other Threat Models, e.g., the Threat Model for Decentralized Credentials [[threat-model-decentralized-identities]], which describes threats at a broader level; the Threat Model for the Web [[threat-model-web]], which describes threats related to the Web Platform; the FIDO Security Reference, which describes threats related to the cross-device flow; as well as those related to other threat categories, such as Privacy. -

-

- Furthermore, it assumes certain specific conditions and therefore provides requirements to other elements of the ecosystem (e.g., other standards and related implementations). -

-

- To conclude this introductory section, it is important to note that Digital Credentials APIs were created as a mitigation to other possible approaches to presenting digital credentials on the web, such as customs schemes [[concerns-with-custom-schemes-for-identity-presentment]], and that Digital Credentials are also a mitigation to sending paper documents (e.g., scanned government documents) over the web. -

+

Use Scenario

+

This section lists the use scenarios for the API - in other words, information about its expected use.

+

Digital Credentials APIs are part of and integrated into a broader ecosystem related to digital credentials. + Therefore, this section does not specify all security considerations, threats, and mitigations of the ecosystem, but + only those related to, directly linked to, or influenced by the Digital Credentials API.

+

It is important to note that Digital Credentials APIs were created to mitigate other possible approaches to + presenting digital credentials on the web, such as customs schemes + [[concerns-with-custom-schemes-for-identity-presentment]], and that Digital Credentials are also a mitigation to + sending paper documents (e.g., scanned government documents) over the web.

+

Digital Credentials APIs mediate the communication of the presentation from a verifier using a web application to the + user's wallet, and the issuance of the credential to the user's wallet when the issuer uses a web + application.

+

Presentation Workflow

+
    +
  1. WebIDL Dispatch & Preconditions (Browser)
  2. +
  3. Internal Discovery Hook (Browser)
  4. +
  5. Cross-Device Handshake (Device / Browser)
  6. +
  7. Credential Matching (OS / Browser)
  8. +
  9. User-Picker UI (System)
  10. +
  11. Credential Retrieval (Wallet / Browser)
  12. +
  13. Promise Resolution & Object Construction (Browser)
  14. +
  15. Application-Level Handling (Browser / RP)
  16. +
+

External Dependencies

+

The section lists the external dependencies on other entities that can impact the security. These dependencies + contain assumptions made about the usage or behaviour of those other components or products. External + dependencies are requirements levied on systems outside the API.

+

Therefore, the Threat Model for Digital Credentials API - and the resulting Security considerations - depends to + other Threat Models:

+
    +
  • Threat Model for Decentralized Credentials, which describes threats at a broader level + [[threat-model-decentralized-credentials]].
  • +
  • Threat Model for the Web, which describes threats related to the Web Platform + [[threat-model-web]]
  • +
  • FIDO Security Reference, which describes threats related to the cross-device flow as it is + using CTAP [[fido-security-reference]].
  • +
+

Other dependencies relate to the ecosystem, in particular: supported protocols, credential format, and revocation + methods used.

+

Finally, another important aspect relates to the security posture of the verifier application, which, even if + legitimate, could have vulnerabilities e.g., Cross Site Scripting (XSS), Cross-Site Request Forgery (CSRF) or + otherwise be compromised.

+

Assumptions

+

This section describes the security assumptions, an implicit or explicit fact or condition upon which the API + security relies. These conditions or facts are expected to be true for the API to operate securely. If these + assumptions prove false, they can introduce vulnerabilities.

+

Browser

+

The browser assumes the role of a trusted entity. It enforces its security features - such as same-origin policies + (SOP), executes Content Security Policy (CSP) and Cross-Origin Resource Sharing (CORS) checks, presents a secure, + non-forgeable UI that users can trust, and avoids containing or executing malicious third-party scripts or malicious + extensions.

+

The browser is responsible for mediating the flow and preventing unauthorized access to credentials, and has a + trusted relationship with the Wallet.

+

Protocols

+

Given that the API acts as a mediator in the presentation of credentials, which are the asset to be protected, and + contains a registry of a series of protocols, it assumes that some threats are handled by the protocols and that, + being Internet protocols, they MUST comply with the provisions of RFC 3552 [[RFC3552]].

+

The protocols need to consider and mitigate at least for the following attacks: eavesdropping, replay, message + insertion, deletion, modification, and man-in-the-middle.

+

Furthermore, if they include query languages, they must be protected against injection vulnerabilities.

References

The documents listed below outline initial security considerations for Digital Credentials API. Their contents will be integrated into this document gradually. From d52ced8d811e4bce0af8a70bd1a5fb8e2231eb40 Mon Sep 17 00:00:00 2001 From: Simone Onofri Date: Mon, 16 Jun 2025 03:18:07 +0200 Subject: [PATCH 03/14] Update index.html --- index.html | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/index.html b/index.html index 266815b7..acd20169 100644 --- a/index.html +++ b/index.html @@ -518,7 +518,7 @@
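Review bot: in the Security Considerations hunk above, the Introduction heading is left empty: the previous introductory paragraphs are removed and the scoping text ("does not specify all security considerations, threats, and mitigations of the ecosystem") and the custom-schemes paragraph are moved under "Use Scenario", where they describe no use scenario. Either move those two paragraphs back under Introduction or drop the empty heading. Further points in the same hunk: (1) the citation key `[[threat-model-decentralized-credentials]]` differs from `[[threat-model-decentralized-identities]]` used in the previous commit; only one can match the localBiblio entry and ReSpec will report the other as unresolved. (2) The Presentation Workflow list gives eight step names (WebIDL Dispatch & Preconditions through Application-Level Handling) with no text on what is checked at each step or which party is trusted there; as written it carries no security consideration yet, and a sentence per step would make the section usable by implementers. (3) "depends to other Threat Models" should be "depends on other Threat Models", "same-origin policies (SOP)" should be "the same-origin policy (SOP)", "customs schemes" should be "custom schemes", and "as it is using CTAP" reads better as "since it uses CTAP". (4) In the Protocols assumption, RFC 3552 is guidance for writing Security Considerations sections, so "they MUST comply with the provisions of RFC 3552" is better stated as requiring each registered protocol to document its security considerations per [[RFC3552]]; note also that an RFC 2119 MUST is being used inside an informative section. (5) The attack list (eavesdropping, replay, message insertion, deletion, modification, man-in-the-middle) omits denial of service, which matters for the cross-device handshake step; consider adding it. (6) "if they include query languages, they must be protected against injection vulnerabilities" should say which party (wallet, browser or verifier) is expected to validate the query, otherwise the requirement cannot be checked against an implementation.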

  • Let |requests| be |options|'s {{CredentialRequestOptions/digital}}'s {{DigitalCredentialRequestOptions/requests}} member.
  • -
  • If |requests| is empty, [=exception/throw=] a {{TypeError}}. +
  • If |requests| is empty, [=exception/throw=] a {{TypeError}}.se
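Review bot: the replaced line ends with a stray `se` after `{{TypeError}}.` (`[=exception/throw=] a {{TypeError}}.se`), a typo introduced by this commit that will render verbatim in the algorithm text; the line should be identical to the removed one.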