Comments (9)
FWIW using intentional friction to reduce the likelihood of abuse is exactly the direction I've proposed for Chrome's implementation. I imagine some way of computing a risk score (eg. anonymous age verification is lower risk than known unique ID sharing or unknown arbitrary data sharing), then adapting the Chrome/Android UI in response to the risk score. I imagine the details are something we would need to experiment with and iterate on over time, but the principles for enabling such a tradeoff space seem good to be discussing now.
from digital-credentials.
I imagine some way of computing a risk score (eg. anonymous age verification is lower risk than known unique ID sharing or unknown arbitrary data sharing), then adapting the Chrome/Android UI in response to the risk score.
I generally like the direction of this. Most claims could likely be naively calculated (EFF has a good blogpost on this) based on a number of bits of entropy they reveal in which case we could warn the user about this and suggest that too much information is being requested/add additional friction.
from digital-credentials.
@kdenhartog will you be able to join any of the upcoming calls?
from digital-credentials.
@kdenhartog will you be able to join any of the upcoming calls?
Yup, I intend to. Are the events listed on the WICG calendar or on a separate one? Also, let me make sure I'm a member of the WICG.
from digital-credentials.
@kdenhartog will you be able to join any of the upcoming calls?
Yup, I intend to. Are the events listed on the WICG calendar or on a separate one? Also, let me make sure I'm a member of the WICG.
@kdenhartog Apologies, missed this comment. All meeting details are here: https://github.com/WICG/identity-credential/blob/main/README.md
from digital-credentials.
@npdoty do you think this is something that PING should discuss vs this group?
from digital-credentials.
do you think this is something that PING should discuss vs this group?
+1 from me. In my opinion, PING and TAG should both be weighing in on these topics early to make sure there's general alignment between the goals of the API and the broader web architecture goals before we start committing to particular solutions.
from digital-credentials.
Definitely a question that PING should discuss, and I've opened a corresponding issue for the w3cping credentials considerations doc.
But also good for the identity-credential group to consider in API design, how we intend to limit overasking or how to introduce friction to prevent that particular trend towards a bad outcome.
from digital-credentials.
We agree that this is a concern. Excerpted from Mozilla's standards position:
A Web that follows our principles respects an individual’s choice about the identity they present to others. This is an essential part of making the Web a safe place for everyone. Credentials offered by governments and similar entities generally do not recognize this aspect of identity.
The potential that requests for digital credentials might become an expected part of online interactions exists and could damage this important characteristic of the Web. There are very few online interactions where providing identity is truly necessary, but many where sites (and governments) might prefer that the identity of a person be known. Increasing requests for identity does not mean a trivial annoyance. It could mean that people might be excluded from services and communities when they cannot provide credentials or instead choose to protect their privacy.
During the last meeting we discussed that it would be useful to decide what use cases are abuse and which aren't, and I think Jevons Paradox is a useful lens to use when building that distinction.
from digital-credentials.
Related Issues (20)
- Threat Modeling for Decentralized Identities HOT 18
- Should we have a common and interoperable definition of request types and their privacy properties? HOT 4
- Web Platform Tests: refactoring digitial-credentials.tentative.https.html HOT 2
- What should be the data type for the response? HOT 3
- Are iframes supported by the Digital Credential API? HOT 2
- Should requests be assumed to be linkable by the browser? HOT 4
- Access to an Open Global Web Reduced HOT 1
- [spec] add statement about responses with PII MUST be encrypted HOT 1
- [spec] Add JSON (de)serialization methods
- Digital credential API should support requests for directed identifiers HOT 8
- Digital credential API should support identity verification HOT 3
- Define error handling
- Define WebDriver integration HOT 1
- Consider requiring mitigation of script injection attacks. HOT 3
- Consider requiring a strong signal of user intent. HOT 5
- Explainer: Expand alternatives considered section
- define a well-known way for a verifier to indicate registration, validation, trustmark assurances or other necessary info HOT 3
- Add placeholder security and privacy considerations section
- Issuer identity in selective disclosure cases HOT 3
- Disallow multiple types via navigator.credentials's methods HOT 9
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from digital-credentials.