Inter-Wallet Credential Exchange describes a simple way to exchange [=identity=] information in a secure, decentralized, and scalable manner. It uses standardized data structures, formats, and transport protocols to enable applications (particularly [=identity=] [=wallets=]) from different manufacturers to communicate with each other, without a third party or an intermediary. The main purpose of this approach is to establish a [=claim=]-based [=identity=] management model in the World Wide Web.
This is required.
In the real world, [=identity=] could be proofed physically showing the own ID card, driver's license, or student ID to any other person requesting it. In the digital world, things become more complicated. Here a way expressing the information of such credentials is needed, also a way of proofing possession and to sending it to a requesting party.
The Verifiable Credentials Data Model [[vc-data-model]] is used to solve the first aforementioned challenge. The ecosystem of this model consists of multiple roles and their actors identifiable by some kinds of [=identifiers=]. These can be [=decentralized identifiers=] (DIDs) [[did-core]], [=Uniform Resource Identifiers=] (URIs) [[rfc3986]], [=Uniform Resource Locators=] (URLs) and so on. By the use of DIDs and their corresponding [=DID documents=], the [=identifier=] is fully under the control of its owning [=entity=]. Therefore, they are neither trustworthy nor make any statement about their owner itself.
To address this problem, [=verifiable credentials=] (VCs) and their corresponding [=verifiable presentations=] (VPs) can be used. VCs are cryptographically signed by a (supposedly) trusted [=issuer=] and make [=claims=] about the aforementioned owner of an [=identifier=]. This owner is referred to as the [=holder=]. If the [=holder=] wishes to prove ownership of a VC, VPs are used. These are cryptographically signed by the [=holder=] to prove control of the [=identifier=]. Therefore VPs solve the second listed challenge mentioned at the beginning.
The Inter-Wallet Credential Exchange uses DIDs, VCs, and VPs in conjunction with HTTPS to transport [=identity=] information between two applications directly. For optimal decentralization, it is recommended to use special URLs known as Universal-Links [[universallinks]] or App-Links [[applinks]] respectively. In the case of web applications running on a desktop, in conjunction with a mobile device, these links can be transferred using a QR code. So Inter-Wallet Credential Exchange proposes a solution to the third listed challenge in the digitalization of credentials.
This proposal mainly specifies two data structures, their encoding, and transport over HTTPS. It describes the use of Universal- or App-Links and their advantages in terms of decentralization. Furthermore, VCs and an additional special data structure are used so that users can reveal only certain personal information, without the complexity of [=zero-knowledge proofs=].
Out of scope are any semantics of concrete VCs and related data structures. Moreover, no detailed implementation instructions are given concerning different development environments, programming languages, and operating systems. Additionally, the issuing process of a VC isn't addressed. This process is designed by each service acting as [=issuer=] individually. It is assumed that corresponding VCs have already been issued to a user in an [=issuer=]'s [=wallet=] application.
Inter-Wallet Credential Exchange is not a solution for [=single sign-on=] (SSO) and hence not about the login process currently mostly solved with username and password. Rather, the aim is to speed up the registration process for new services and to replace the login with passwordless procedures. The latter takes place exclusively within a service's own domain (see [[[#sds]]] and [[[#anti-correlation]]]). However, the authentication of devices or applications against their own backend is not the actual concern either. The DIDs described here or other asymmetric cryptography methods (e.g. Web Authentication) are suitable for this. For existing systems, it is also conceivable that other authentication methods currently in widespread use, such as the legacy username and password, or centralized schemes such as OAuth [[rfc6749]] or OpenID Connect [[openidconnect]], could be used to authenticate within one's domain.
DIDs as defined in [[did-core]] are a new type of [=identifiers=]. They are generated and controlled by an [=entity=] itself. Therefore the number of DIDs an [=entity=] can create is unlimited. Proof of control over a DID is provided by cryptographic methods, e.g. [=digital signatures=].
A DID contains the names of a schema and a [=DID method=] as well as the [=identifier=] itself. These parts are separated by a colon:
The schema denotes that it is a DID. The [=DID method=] identifies the way the [=identifier=] can be created and managed. The W3C maintains an official list of [=DID methods=] and their specifications for this purpose [[did-spec-registries]]. The specification of a [=DID method=] contains information about all important operations, such as creating, reading, updating, and deleting DIDs.
A DID is resolved by a [=DID resolver=] into a [=DID document=] stored on a [=verifiable data registry=]. This can be a [=blockchain=], [=content-addressable storage=] (CAS), or any other (web) server. The [=DID document=] contains additional information about a DID, such as further public keys, authentication and authorization methods, or so-called service endpoints. The latter are details of services or storage locations that can be linked to the [=identifier=]. A [=DID document=] never contains personal information.
In some [=DID methods=], the [=identifiers=] have cryptographic material or a fingerprint of a public key, just as they do in a [=blockchain=]. In this way, a DID can authenticate directly against a smart contract in the corresponding [=blockchain=]. Furthermore, some [=digital signature=] methods such as the Elliptic Curve Digital Signature Algorithm (ECDSA) allow the recovery of the public key directly from a [=digital signature=]. This feature makes it possible to use a signed message directly for authentication between two hosts. The method for generating the [=identifier=], e.g. a DID or an address in the context of [=blockchain=], from a public key is usually known. From this point of view, it is not urgent to keep a [=DID document=] as long as the relationship between private key, public key, and the [=identifier=] is computable. For example, in the ETHR DID Method (`did:ethr:xyz`) the [=DID document=] is created by the [=DID resolver=].
This proposal makes use of VCs and VPs according to the [[[vc-data-model]]]. VCs are data structures making statements about a person or an object according to the principles of [=claim=]-based [=identity=]. They are cryptographically verifiable because they are signed by an [=issuer=]. The [=claims=] are simple statements associated with an [=identifier=] and some metadata. Basically, anyone can act as an [=issuer=], e.g., a trusted [=entity=] or even oneself. The latter type of VCs are called self-issued credentials and are useful, for example, for delegating one's own credential to another [=identifier=]. What should be considered as a trusted [=entity=] for certain statements is not part of this proposal.
Additionally to VCs described in the aforementioned specification [[[vc-data-model]]] this proposal supports a special way that implementing the [=selective disclosure=] feature. This feature allows the credential [=holder=] to choose which attributes should be shown to the [=verifier=]. To achieve this, every attribute value a [=verifiable credential=] contains, is hashed with a cryptographic [=salt=]. The final [=verifiable credential=] will only contain these [=hashes=] - the [=salts=] and the values are stored in a separate JSON data object, called the [=plaintext credential=]. The following examples will show such a [=plaintext credential=] and its corresponding VC.
The VCs are issued to a [=subject=] (owned by a [=holder=]) and its [=identifier=], e.g. a DID. This [=holder=] can generate a VP with one or more VCs, in which he can prove by a [=digital signature=] that he controls the [=identifier=](s) of one or more VCs. The aggregation of this information typically expresses some aspect of a person, organization, or other [=entity=]. He finally sends the VP to a [=verifier=] that can cryptographically validate the VC's trustworthiness.
In addition, a VP itself can also have an [=identifier=]. It is also possible for each of the VCs to be issued to a different [=identifier=]. For each of these [=identifiers=] (of each [=subject=]), the corresponding proof can be included in the array of proofs in the VP. A challenge within one or more proofs authenticates for example a session.
In addition to an expiration date (`expirationDate` or `validUntil`) for credentials, [=issuers=] also have the option to revoke it. For this purpose, the [[[vc-data-model]]] defines the property `credentialStatus`, which links to a revocation list. This list can be stored on a [=blockchain=], [=content-addressable storage=] (CAS), or any other (web) server.
Universal or app links are a way in mobile operating systems to retrieve certain data from an app using a URL. For Apple's iOS, they are documented as universal links [[universallinks]], for Google they are called Android App Links [[applinks]]. These links are a form of deep links that are handled specifically in the operating systems. During the installation of an app, a handler for a specific URL is created in the operating system that uniquely identifies the app. To prove ownership of a URL, a check is made for a specific machine-readable document that must be provided under the URLs domain. After this check is successful, requests to this URL are passed directly to the installed app without any further interaction from the user. Binding to a domain ensures uniqueness and the mandatory use of HTTPS ensures authenticity and secrecy.
If a request is made to the URL and there is no corresponding app installed, it will be opened in the browser. The request, therefore, does not end in an error state but can be answered by the own web server as desired. For example, the user gets a hint to install the corresponding app or is redirected to an online application.
To request VCs within a VP the following simple JSON data structure MUST be used, which MUST then be encoded with Base64url [[rfc4648]] and attached as a query parameter with key `ìwce` to a URL. The URIs used comply with the [[[rfc3986]]] specification. VCs and VPs are compliant with the [[[vc-data-model]]].
A [=credential request=] is defined with the following properties:
To respond to a request for a VP the following data structure MUST be used, which MUST be encoded with Base64url [[rfc4648]] and attached as a query parameter with key `iwce` to a URL. The URIs used comply with the [[[rfc3986]]] specification. VCs and VPs are compliant with the [[[vc-data-model]]].
The use of multiple proofs in a VP makes it possible to strictly separate the domains of [=identity=] information. For best decentralization, VCs SHOULD only be issued within a domain and SHOULD only be stored in a domain's own application. To be faithful to the concept of Inter-Wallet Credential Exchange, the only way to exchange VCs with external or third-party applications MUST be the use of VPs. The private key of a [=subject=]'s [=identifier=] MUST NOT leave its own applications within a domain. This has several advantages:
Since the proofs in a VP can be made for different [=identifiers=], an [=issuer=]'s application is able to interoperate with different types of [=identifiers=]. For example, the [=identifier=] of a VP can be an address in [=blockchain=] A and the [=identifiers=] of the VCs are DIDs anchored in [=blockchain=] B. The latter is a [=blockchain=] in the [=issuer=]'s domain, [=blockchain=] A is that of a third-party application. In that way, a user can prove control over an address in any [=blockchain=] or any other [=identifier=] in combination with verifiable personal information. For this to work, both, the [=issuer=] and the [=verifier=] MUST implement all DID methods of the [=identifiers=] used.
The issuing process is domain-specific and an [=issuer=] decides what types of [=identifiers=] he is using for its own VCs. An [=issuer=] SHOULD use DIDs as specified in [[[did-core]]] to authenticate a VC on a device (`id` of `credentialSubject`) to the own backend. An [=issuer=] MAY use DIDs for the `issuer` property to authenticate himself to the [=verifier=]. In that case, the [[[didconfiguration]]] SHOULD be used for trust, see [[[#trust]]] for more details.
Considerations about end-user experience are closely related to the use of app or universal links and VCs/VPs. App or universal links enable a seamless user experience during the exchange of VPs between apps on the user's device, because, when implemented correctly, they identify the app the operating system should open. Additionally, these links are normal URLs and can be represented in any form a URL can take, e.g. as a QR code. Therefore, an exchange between different devices (smartphone and desktop) is possible without a loss in user experience, because the QR code can be scanned with every app capable of doing so and the user is redirected to the requested app.
With VCs/VPs it is possible to exchange personal information in a verifiable and data-conserving manner. In most use cases they simplify the disclosure of this information during for example a registration process. Using VCs/VPs the user must not input the information by hand but only has to send a VP. The service requesting the information could rely on them because they are signed by an [=issuer=] (only if the service trusts the [=issuer=]).
Additionally, this proposal enables every service provider that has its own app including credential and their exchange functionality without relying on a central [=identity=] [=wallet=] to store the issued credential. From the user's perspective, he or she only has to rely on the [=issuer=] and its application, not in an intermediary [=wallet=] service or app for storing the credentials.
Because HTTPS is used to transport [=credential requests=] and [=credential responses=] between two applications, [=perfect forward secrecy=] (PFS) is substantial in many of the available implementations. Note, that this applies only to the network connection while [=credential requests=] or [=credential responses=] are made. The including VP and its VCs signed by the [=holder=] and one or more [=issuers=] are unaffected. When using QR codes for a [=credential request=], this security requirement is obsolete.
Since [=Transport Layer Security=] (TLS) secures the communication channel before any user data is transmitted, it ensures that the information transferred within a URL is also protected (e.g. the query).
Because HTTPS is used to transport [=credential requests=] and [=credential responses=] between two applications, the underlying [=public key infrastructure=] (PKI) of TLS (X.509) [[rfc5280]] builds trust for this connection, in that way, that the communication endpoints are the intended ones. This is helpful to identify the applications that want to do a credential exchange.
Since DIDs are out of trust HTTPS can be used to map a DID to a domain. This is most useful for [=issuers=] since larger institutions usually use TLS certificates these days anyway. The [[[didconfiguration]]] specification describes an approach that makes use of Well-Known URIs [[rfc8615]].
An important goal in dealing with digital [=identities=] is to avoid or at least make it more difficult to conduct in-depth analyses of user behavior. The concept of SSO in particular does exactly the opposite, even across multiple services and for each individual login process. In the approach of the Inter-Wallet Credential Exchange, this is complicated by two conceptual improvements. First, technical authentication via DIDs or other types of [=identifiers=] takes place only within the domain of a single service and is strictly separated from the exchange of a user's [=identity=] information across domain boundaries (see section [[[#sds]]]). Second, even the [=identifiers=], e.g., in the form of a DID, are not limited to a single, unique one per user. When used in VCs, it is recommended that each VC should have a different [=identifier=].
Individual aspects of digital [=identity=] are stored only within the service's app acting as the [=issuer=]. Other services that trust the aforementioned one as [=issuer=] and are interested in these individual aspects of [=identity=] can submit a request to the app of this [=issuer=] to return a VP. Further aspects of a digital [=identity=] can in turn be requested from apps of other services or [=issuers=] in the same way. Each app acts as a [=wallet=] software and stores private keys that never leave it and are used to authenticate with its own backend (e.g., DID Auth). Services acting as [=issuers=] also store the VCs they issue to their users only in their own apps on the end devices of them (and possibly as a backup in their own backend). Only this app is ultimately able to sign a requested VP because only it has the corresponding private keys. The user's own digital [=identity=] is thus formed from a large number of apps from different manufacturers or services exchanging VPs with each other. As a result, the correlation of personal data by intermediaries is made more difficult and a high degree of decentralization is achieved by the direct exchange of [=identity=] information between two apps. The private keys stored in the respective apps also relieve the user of the need to enter passwords.
An app launched the first time and wanted to authenticate with its backend, it generates and sends a DID to it. By doing so, the backend system merely learns about a new device but does not yet have any verifiable information about the user and his [=identity=]. Therefore at least one other app should be installed on the user's device that provides a VC accepted by the first app. If this isn't the case a newly computed DID must be associated with a digital [=identity=] in some other way. In the worst case, the user must visit an [=issuer=] in person and identify himself to him (ID card, driver's license, etc.) and transmit the corresponding DID (e.g., by QR code). It is also conceivable that some [=issuers=] will additionally offer other procedures for proofing [=identity=]. For example, the combination with an online ID function of the ID card could be a suitable starting point for some [=issuers=]. In addition, government agencies could also act as [=issuers=] and offer VCs in their apps after authentication with the ID card succeeds. RFID cards, PINs/TANs/links via e-mail, second devices, and many more are also ways to support bootstrapping during the initial launch of an application on a new end device supporting VCs/VPs. The greater the variety of applications supporting VCs and VPs, the easier and more convenient it will be for the user.
Furthermore, TLS and PKIs according to X.509 [[rfc5280]] play an important role as a complement to DIDs. They support bootstrapping in terms of trustworthiness and channel security between two [=wallets=]. HTTPS in particular is widely used today. It ensures the authenticity of (mostly) domain names and provides encrypted transport of data. The trust hierarchies in today's PKIs are largely established, and TLS is easy to use as transport security in today's network infrastructures (NAT, [=firewalls=], etc.). With the more widespread use of DIDs and VCs and the associated trust structures, they can also be used later for server-side authentication, but initially, they will only replace the little-used TLS client certificates in a more flexible way.
This is required for specifications that contain normative material.