Inter-Wallet Credential Exchange describes a simple way to exchange [=identity=] information in a secure, decentralized, and scalable manner. It uses standardized data structures, formats, and transport protocols to enable applications (particularly [=identity=] [=wallets=]) from different manufacturers to communicate with each other, without a third party or an intermediary. The main purpose of this approach is to establish a [=claim=]-based [=identity=] management model in the World Wide Web.

This is required.

Introduction

In the real world, [=identity=] could be proofed physically showing the own ID card, driver's license, or student ID to any other person requesting it. In the digital world, things become more complicated. Here a way expressing the information of such credentials is needed, also a way of proofing possession and to sending it to a requesting party.

The Verifiable Credentials Data Model [[vc-data-model]] is used to solve the first aforementioned challenge. The ecosystem of this model consists of multiple roles and their actors identifiable by some kinds of [=identifiers=]. These can be [=decentralized identifiers=] (DIDs) [[did-core]], [=Uniform Resource Identifiers=] (URIs) [[rfc3986]], [=Uniform Resource Locators=] (URLs) and so on. By the use of DIDs and their corresponding [=DID documents=], the [=identifier=] is fully under the control of its owning [=entity=]. Therefore, they are neither trustworthy nor make any statement about their owner itself.

To address this problem, [=verifiable credentials=] (VCs) and their corresponding [=verifiable presentations=] (VPs) can be used. VCs are cryptographically signed by a (supposedly) trusted [=issuer=] and make [=claims=] about the aforementioned owner of an [=identifier=]. This owner is referred to as the [=holder=]. If the [=holder=] wishes to prove ownership of a VC, VPs are used. These are cryptographically signed by the [=holder=] to prove control of the [=identifier=]. Therefore VPs solve the second listed challenge mentioned at the beginning.

The Inter-Wallet Credential Exchange uses DIDs, VCs, and VPs in conjunction with HTTPS to transport [=identity=] information between two applications directly. For optimal decentralization, it is recommended to use special URLs known as Universal-Links [[universallinks]] or App-Links [[applinks]] respectively. In the case of web applications running on a desktop, in conjunction with a mobile device, these links can be transferred using a QR code. So Inter-Wallet Credential Exchange proposes a solution to the third listed challenge in the digitalization of credentials.

Scope

This proposal mainly specifies two data structures, their encoding, and transport over HTTPS. It describes the use of Universal- or App-Links and their advantages in terms of decentralization. Furthermore, VCs and an additional special data structure are used so that users can reveal only certain personal information, without the complexity of [=zero-knowledge proofs=].

Out of scope are any semantics of concrete VCs and related data structures. Moreover, no detailed implementation instructions are given concerning different development environments, programming languages, and operating systems. Additionally, the issuing process of a VC isn't addressed. This process is designed by each service acting as [=issuer=] individually. It is assumed that corresponding VCs have already been issued to a user in an [=issuer=]'s [=wallet=] application.

Inter-Wallet Credential Exchange is not a solution for [=single sign-on=] (SSO) and hence not about the login process currently mostly solved with username and password. Rather, the aim is to speed up the registration process for new services and to replace the login with passwordless procedures. The latter takes place exclusively within a service's own domain (see [[[#sds]]] and [[[#anti-correlation]]]). However, the authentication of devices or applications against their own backend is not the actual concern either. The DIDs described here or other asymmetric cryptography methods (e.g. Web Authentication) are suitable for this. For existing systems, it is also conceivable that other authentication methods currently in widespread use, such as the legacy username and password, or centralized schemes such as OAuth [[rfc6749]] or OpenID Connect [[openidconnect]], could be used to authenticate within one's domain.

Terminology

blockchain
Also referred to as distributed ledger, is a non-centralized system for recording events. These systems establish sufficient confidence for participants to rely upon the data recorded by others to make operational decisions. They typically use distributed databases where different nodes use a consensus protocol to confirm the ordering of cryptographically signed transactions. The linking of digitally signed transactions over time often makes the history of the ledger effectively immutable.
content-addressable storage
Content-addressable storage, also referred to as content-addressed storage or abbreviated CAS, is a way to store information so it can be retrieved based on its content, not its location. CAS typically uses a cryptographic [=hash=] function's digest generated from the document to identify that document in the storage system.
credential request
A data structure to make a request for a [=verifiable presentation=] containing one or more [=verifiable credentials=].
credential response
A data structure to make a response to a [=credential request=] containing one [=verifiable presentation=] with one or more [=verifiable credentials=]. Additionally, one or more [=plaintext credentials=] may be provided.
decentralized identifier
A globally unique URL-based [=identifier=], also known as a DID, associated with an [=entity=]. These [=identifiers=] are mostly used in a [=verifiable credential=] to identify its [=subject=].
DID document
A document that is accessible from a [=verifiable data registry=] using a [=DID resolver=] and contains information related to a specific [=decentralized identifier=], such as the associated public key information.
DID method
A definition of how a specific DID method scheme is implemented. A DID method is defined by a DID method specification, which specifies the precise operations by which DIDs and [=DID documents=] are created, resolved, updated, and deactivated
DID resolver
A DID resolver is a software and/or hardware component that performs the DID resolution function by taking a DID as input and producing a conforming [=DID document=] as output.
identity
The means for keeping track of [=entities=] across contexts. Digital identities enable tracking and customization of [=entity=] interactions across digital contexts, typically using [=identifiers=] and attributes.
entity
A thing with distinct and independent existence, such as a person, organization, or device that performs one or more roles in the ecosystem.
identifier
An identifier is a name that identifies either a unique object or a unique class of objects, where the "object" or class may be an idea, [=entity=] (or class thereof), physical object (or class thereof), or other. An identifier may be a word, number, letter, symbol, or any combination of those.
perfect forward secrecy
In cryptography, this is a feature of specific key agreement protocols that gives assurances that session keys will not be compromised even if long-term secrets used in the session key exchange are compromised. For HTTPS, the long-term secret is typically the Private signing key of the server. Forward secrecy protects past sessions against future compromises of keys or passwords.
plaintext credential
A data structure that stores plain values and [=salts=] serving as input to a [=hash=] function. It is used to implement the [=selective disclosure=] feature in a [=verifiable credential=].
public key infrastructure
A set of roles, policies, hardware, software, and procedures that are needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.
single sign-on
An authentication scheme that allows a user to log in with a single [=identifier=] and password to any of several related, yet independent, software systems.
Transport Layer Security
A cryptographic protocol designed to provide communications security over a computer network. It aims primarily to provide privacy and data integrity between two or more communicating computer applications.
verifiable credential
A standard data model and representation format for cryptographically-verifiable digital credentials as defined by the W3C Verifiable Credentials specification [[vc-data-model]].
verifiable presentation
A standard data model and representation format for tamper-evident presentation of data derived from one or more [=verifiable credentials=] as defined by the W3C Verifiable Credentials specification [[vc-data-model]].
wallet
A wallet in the context of cryptocurrency or [=identity=] is a device, physical medium, program, or service which stores the public and/or private keys for cryptocurrency transactions or other data structures. In addition, a wallet usually offers the functionality of encrypting and/or signing data.
zero-knowledge proof
In cryptography, a zero-knowledge proof or zero-knowledge protocol is a method by which one party (the prover or [=holder=]) can prove to another party (the [=verifier=]) that they know a value, without conveying any information apart from the fact that they know this value.
holder
A role an [=entity=] might perform by possessing one or more [=verifiable credentials=] and generating [= verifiable presentations=] from them. A holder is usually, but not always, a [=subject=] of the [=verifiable credentials=] they are holding.
issuer
A role an [=entity=] can perform by asserting [=claims=] about one or more [=subjects=], creating a [=verifiable credential=] from these [=claims=], and transmitting the [=verifiable credential=] to a [=holder=].
subject
A thing about which [=claims=] are made.
verifier
A role an [=entity=] performs by receiving one or more [=verifiable credentials=] inside a [=verifiable presentation=] for processing. Other specifications might refer to this concept as a relying party.
Uniform Resource Identifier
A Uniform Resource Identifier, as defined by [[rfc3986]]. A special subtype of an URI is the Uniform Resource Locator.
digital signature
A mathematical scheme for demonstrating the authenticity of a digital message.
claim
An assertion made about a [=subject=].
selective disclosure
The ability of a [=holder=] to make fine-grained decisions about what information of a [=verifiable credential=] to share.
verifiable data registry
A system that facilitates the creation, verification, updating, and/or deactivation of [=decentralized identifiers=] and [=DID documents=]. A verifiable data registry might also be used for other cryptographically verifiable data structures such as [=verifiable credentials=]. For more information, see the W3C Verifiable Credentials specification [[vc-data-model]].
hash
The values returned by a hash function are called hash values, hash codes, digests, or simply hashes. A hash function is any one-way function that can be used to map data of arbitrary size to fixed-size values.
salt
In cryptography, a salt is random data that is used as an additional input to a one-way function that [=hashes=] data, a password, or a passphrase.
Hypertext Transfer Protocol
An application layer protocol for distributed, collaborative, hypermedia information systems designed within the framework of the Internet protocol suite. HTTP resources are identified and located on the network by URLs. An extension of HTTP is Hypertext Transfer Protocol Secure, which uses TLS to encrypt the communication protocol.
Time to live
A mechanism that limits the lifespan or lifetime of data in a computer or network. TTL may be implemented as a counter or timestamp attached to or embedded in the data.
Universally Unique Identifier
A 128-bit number described by [[rfc4122]] and used to uniquely identify some object or [=entity=] on the Internet. When generated according to the standard methods, UUIDs are, for practical purposes, unique. Their uniqueness does not depend on a central registration authority or coordination between the parties generating them.
Network address translation
A method of mapping an IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device.
firewall
A network security system that monitors and controls the incoming and outgoing network traffic based on predetermined security rules.

Assumptions

Decentralized Identifiers

DIDs as defined in [[did-core]] are a new type of [=identifiers=]. They are generated and controlled by an [=entity=] itself. Therefore the number of DIDs an [=entity=] can create is unlimited. Proof of control over a DID is provided by cryptographic methods, e.g. [=digital signatures=].

A DID contains the names of a schema and a [=DID method=] as well as the [=identifier=] itself. These parts are separated by a colon:

The schema denotes that it is a DID. The [=DID method=] identifies the way the [=identifier=] can be created and managed. The W3C maintains an official list of [=DID methods=] and their specifications for this purpose [[did-spec-registries]]. The specification of a [=DID method=] contains information about all important operations, such as creating, reading, updating, and deleting DIDs.

A DID is resolved by a [=DID resolver=] into a [=DID document=] stored on a [=verifiable data registry=]. This can be a [=blockchain=], [=content-addressable storage=] (CAS), or any other (web) server. The [=DID document=] contains additional information about a DID, such as further public keys, authentication and authorization methods, or so-called service endpoints. The latter are details of services or storage locations that can be linked to the [=identifier=]. A [=DID document=] never contains personal information.

In some [=DID methods=], the [=identifiers=] have cryptographic material or a fingerprint of a public key, just as they do in a [=blockchain=]. In this way, a DID can authenticate directly against a smart contract in the corresponding [=blockchain=]. Furthermore, some [=digital signature=] methods such as the Elliptic Curve Digital Signature Algorithm (ECDSA) allow the recovery of the public key directly from a [=digital signature=]. This feature makes it possible to use a signed message directly for authentication between two hosts. The method for generating the [=identifier=], e.g. a DID or an address in the context of [=blockchain=], from a public key is usually known. From this point of view, it is not urgent to keep a [=DID document=] as long as the relationship between private key, public key, and the [=identifier=] is computable. For example, in the ETHR DID Method (`did:ethr:xyz`) the [=DID document=] is created by the [=DID resolver=].

Verifiable Credentials and Selective Disclosure

This proposal makes use of VCs and VPs according to the [[[vc-data-model]]]. VCs are data structures making statements about a person or an object according to the principles of [=claim=]-based [=identity=]. They are cryptographically verifiable because they are signed by an [=issuer=]. The [=claims=] are simple statements associated with an [=identifier=] and some metadata. Basically, anyone can act as an [=issuer=], e.g., a trusted [=entity=] or even oneself. The latter type of VCs are called self-issued credentials and are useful, for example, for delegating one's own credential to another [=identifier=]. What should be considered as a trusted [=entity=] for certain statements is not part of this proposal.

Additionally to VCs described in the aforementioned specification [[[vc-data-model]]] this proposal supports a special way that implementing the [=selective disclosure=] feature. This feature allows the credential [=holder=] to choose which attributes should be shown to the [=verifier=]. To achieve this, every attribute value a [=verifiable credential=] contains, is hashed with a cryptographic [=salt=]. The final [=verifiable credential=] will only contain these [=hashes=] - the [=salts=] and the values are stored in a separate JSON data object, called the [=plaintext credential=]. The following examples will show such a [=plaintext credential=] and its corresponding VC.

Verifiable Credentials and Verifiable Presentations

The VCs are issued to a [=subject=] (owned by a [=holder=]) and its [=identifier=], e.g. a DID. This [=holder=] can generate a VP with one or more VCs, in which he can prove by a [=digital signature=] that he controls the [=identifier=](s) of one or more VCs. The aggregation of this information typically expresses some aspect of a person, organization, or other [=entity=]. He finally sends the VP to a [=verifier=] that can cryptographically validate the VC's trustworthiness.

In addition, a VP itself can also have an [=identifier=]. It is also possible for each of the VCs to be issued to a different [=identifier=]. For each of these [=identifiers=] (of each [=subject=]), the corresponding proof can be included in the array of proofs in the VP. A challenge within one or more proofs authenticates for example a session.

Verifiable Credentials and Revocation

In addition to an expiration date (`expirationDate` or `validUntil`) for credentials, [=issuers=] also have the option to revoke it. For this purpose, the [[[vc-data-model]]] defines the property `credentialStatus`, which links to a revocation list. This list can be stored on a [=blockchain=], [=content-addressable storage=] (CAS), or any other (web) server.

Protocol Flow

Credential Request

To request VCs within a VP the following simple JSON data structure MUST be used, which MUST then be encoded with Base64url [[rfc4648]] and attached as a query parameter with key `ìwce` to a URL. The URIs used comply with the [[[rfc3986]]] specification. VCs and VPs are compliant with the [[[vc-data-model]]].

A [=credential request=] is defined with the following properties:

type
The `type` property is required and MUST be an URI. The value `"CredentialRequest"` MUST be used to determine that it is a [=credential request=].
accept
The `accept` property is required and describes the accepted data of a [=credential response=] to a [=credential request=]. It is defined with the following properties:
type
The `type` property is required and MUST be an URI. The value `"CredentialResponse"` MUST be used to determine that the requested data has to be provided in the form of a [=credential response=].
verifiablePresentation
The `verifiablePresentation` property is required.
type
The `type` property is required and MUST be an URI. It denotes the expected type of the [=verifiable presentation=].
credentialTypes
The `credentialTypes` property is required and MUST be an array of URIs. It denotes the accepted URIs of [=verifiable credential=] types within a [=verifiable presentation=].
selectiveDisclosure
The `selectiveDisclosure` property is optional. If it is not set, no method for [=selective disclosure=] is accepted.
type
The `type` property is required and MUST be an URI. It denotes the expected method of the [=selective disclosure=] feature.
requiredProperties
The `requiredProperties` property is type-specific. For the [=selective disclosure=] feature proposed in section [[[#selective-disclosure]]], the `requiredProperties` property MUST be an object that contains one or more arrays of strings corresponding to the property names of one or more [=plaintext credentials=] mandatorily being disclosed. To refer to properties in nested objects within the [=plaintext credential=] the notation `parentObjectKey.childPropertyKey` MUST be used. The key of each set MUST correspond to the credential type specified in property `credentialTypes`. Which properties are then really returned is not guaranteed and has to be checked in the response.
endpoint
The `endpoint` property is required. It describes the endpoint to which the requested data has to be sent.
type
The `type` property is required and MUST be an URI. It can take either the value `"AppLink"` or `"WebAddress"`. `"AppLink"` determines that the endpoint is a universal or app link and is RECOMMENDED for best decentralization, see section [[[#uniapplinks]]]. The value `"WebAddress"` determines that the endpoint is a normal web resource (web address). Future types could be e.g. `"DIDComm"` or similar.
location
The `location` property is required and MUST be an URL that links to a resource with HTTPS enabled.
challenge
The `challenge` property is required and MUST be a long random number. It is RECOMMENDED to use at least 128 bits. For example, an UUID [[rfc4122]] might be helpful for this task. The challenge is computed by the [=verifier=] and MUST have a [=Time to Live=] (TTL).
domain
The `domain` property is optional and MUST be an URI. It is used to announce domain-specific extensions in a [=credential request=].

Credential Response

To respond to a request for a VP the following data structure MUST be used, which MUST be encoded with Base64url [[rfc4648]] and attached as a query parameter with key `iwce` to a URL. The URIs used comply with the [[[rfc3986]]] specification. VCs and VPs are compliant with the [[[vc-data-model]]].

type
The `type` property is required and MUST be an URI. The value `"CredentialResponse"` MUST be used to determine that it is a [=credential response=].
verifiablePresentation
The `verifiablePresentation` property is required and defined as an object that contains exactly one [=verifiable presentation=]. The proofs within a [=verifiable presentation=] MUST contain the `challenge` property that was received with a [=credential request=]. The proofs can also contain the `domain` property to announce domain-specific extensions
selectiveDisclosure
The `selectiveDisclosure` property is optional. If it is not set, no method for [=selective disclosure=] is supported.
type
The `type` property is required and MUST be an URI. It denotes the expected method of the [=selective disclosure=] feature.
plaintextCredential
The `plaintextCredential` property is type-specific. The expected return value is data conforming to the `type` information from a [=credential request=]. For the [=selective disclosure=] feature proposed in section [[[#selective-disclosure]]], the `plaintextCredential` property is defined as an array of objects containing one or more [=plaintext credentials=].

Strict Domain Separation

The use of multiple proofs in a VP makes it possible to strictly separate the domains of [=identity=] information. For best decentralization, VCs SHOULD only be issued within a domain and SHOULD only be stored in a domain's own application. To be faithful to the concept of Inter-Wallet Credential Exchange, the only way to exchange VCs with external or third-party applications MUST be the use of VPs. The private key of a [=subject=]'s [=identifier=] MUST NOT leave its own applications within a domain. This has several advantages:

Since the proofs in a VP can be made for different [=identifiers=], an [=issuer=]'s application is able to interoperate with different types of [=identifiers=]. For example, the [=identifier=] of a VP can be an address in [=blockchain=] A and the [=identifiers=] of the VCs are DIDs anchored in [=blockchain=] B. The latter is a [=blockchain=] in the [=issuer=]'s domain, [=blockchain=] A is that of a third-party application. In that way, a user can prove control over an address in any [=blockchain=] or any other [=identifier=] in combination with verifiable personal information. For this to work, both, the [=issuer=] and the [=verifier=] MUST implement all DID methods of the [=identifiers=] used.

The issuing process is domain-specific and an [=issuer=] decides what types of [=identifiers=] he is using for its own VCs. An [=issuer=] SHOULD use DIDs as specified in [[[did-core]]] to authenticate a VC on a device (`id` of `credentialSubject`) to the own backend. An [=issuer=] MAY use DIDs for the `issuer` property to authenticate himself to the [=verifier=]. In that case, the [[[didconfiguration]]] SHOULD be used for trust, see [[[#trust]]] for more details.

User Experience

Considerations about end-user experience are closely related to the use of app or universal links and VCs/VPs. App or universal links enable a seamless user experience during the exchange of VPs between apps on the user's device, because, when implemented correctly, they identify the app the operating system should open. Additionally, these links are normal URLs and can be represented in any form a URL can take, e.g. as a QR code. Therefore, an exchange between different devices (smartphone and desktop) is possible without a loss in user experience, because the QR code can be scanned with every app capable of doing so and the user is redirected to the requested app.

With VCs/VPs it is possible to exchange personal information in a verifiable and data-conserving manner. In most use cases they simplify the disclosure of this information during for example a registration process. Using VCs/VPs the user must not input the information by hand but only has to send a VP. The service requesting the information could rely on them because they are signed by an [=issuer=] (only if the service trusts the [=issuer=]).

Additionally, this proposal enables every service provider that has its own app including credential and their exchange functionality without relying on a central [=identity=] [=wallet=] to store the issued credential. From the user's perspective, he or she only has to rely on the [=issuer=] and its application, not in an intermediary [=wallet=] service or app for storing the credentials.

Security Considerations

Perfect Forward Secrecy

Because HTTPS is used to transport [=credential requests=] and [=credential responses=] between two applications, [=perfect forward secrecy=] (PFS) is substantial in many of the available implementations. Note, that this applies only to the network connection while [=credential requests=] or [=credential responses=] are made. The including VP and its VCs signed by the [=holder=] and one or more [=issuers=] are unaffected. When using QR codes for a [=credential request=], this security requirement is obsolete.

Since [=Transport Layer Security=] (TLS) secures the communication channel before any user data is transmitted, it ensures that the information transferred within a URL is also protected (e.g. the query).

Trust

Because HTTPS is used to transport [=credential requests=] and [=credential responses=] between two applications, the underlying [=public key infrastructure=] (PKI) of TLS (X.509) [[rfc5280]] builds trust for this connection, in that way, that the communication endpoints are the intended ones. This is helpful to identify the applications that want to do a credential exchange.

Since DIDs are out of trust HTTPS can be used to map a DID to a domain. This is most useful for [=issuers=] since larger institutions usually use TLS certificates these days anyway. The [[[didconfiguration]]] specification describes an approach that makes use of Well-Known URIs [[rfc8615]].

Privacy Considerations

Anti-correlation

An important goal in dealing with digital [=identities=] is to avoid or at least make it more difficult to conduct in-depth analyses of user behavior. The concept of SSO in particular does exactly the opposite, even across multiple services and for each individual login process. In the approach of the Inter-Wallet Credential Exchange, this is complicated by two conceptual improvements. First, technical authentication via DIDs or other types of [=identifiers=] takes place only within the domain of a single service and is strictly separated from the exchange of a user's [=identity=] information across domain boundaries (see section [[[#sds]]]). Second, even the [=identifiers=], e.g., in the form of a DID, are not limited to a single, unique one per user. When used in VCs, it is recommended that each VC should have a different [=identifier=].

Individual aspects of digital [=identity=] are stored only within the service's app acting as the [=issuer=]. Other services that trust the aforementioned one as [=issuer=] and are interested in these individual aspects of [=identity=] can submit a request to the app of this [=issuer=] to return a VP. Further aspects of a digital [=identity=] can in turn be requested from apps of other services or [=issuers=] in the same way. Each app acts as a [=wallet=] software and stores private keys that never leave it and are used to authenticate with its own backend (e.g., DID Auth). Services acting as [=issuers=] also store the VCs they issue to their users only in their own apps on the end devices of them (and possibly as a backup in their own backend). Only this app is ultimately able to sign a requested VP because only it has the corresponding private keys. The user's own digital [=identity=] is thus formed from a large number of apps from different manufacturers or services exchanging VPs with each other. As a result, the correlation of personal data by intermediaries is made more difficult and a high degree of decentralization is achieved by the direct exchange of [=identity=] information between two apps. The private keys stored in the respective apps also relieve the user of the need to enter passwords.

Bootstrapping

An app launched the first time and wanted to authenticate with its backend, it generates and sends a DID to it. By doing so, the backend system merely learns about a new device but does not yet have any verifiable information about the user and his [=identity=]. Therefore at least one other app should be installed on the user's device that provides a VC accepted by the first app. If this isn't the case a newly computed DID must be associated with a digital [=identity=] in some other way. In the worst case, the user must visit an [=issuer=] in person and identify himself to him (ID card, driver's license, etc.) and transmit the corresponding DID (e.g., by QR code). It is also conceivable that some [=issuers=] will additionally offer other procedures for proofing [=identity=]. For example, the combination with an online ID function of the ID card could be a suitable starting point for some [=issuers=]. In addition, government agencies could also act as [=issuers=] and offer VCs in their apps after authentication with the ID card succeeds. RFID cards, PINs/TANs/links via e-mail, second devices, and many more are also ways to support bootstrapping during the initial launch of an application on a new end device supporting VCs/VPs. The greater the variety of applications supporting VCs and VPs, the easier and more convenient it will be for the user.

Furthermore, TLS and PKIs according to X.509 [[rfc5280]] play an important role as a complement to DIDs. They support bootstrapping in terms of trustworthiness and channel security between two [=wallets=]. HTTPS in particular is widely used today. It ensures the authenticity of (mostly) domain names and provides encrypted transport of data. The trust hierarchies in today's PKIs are largely established, and TLS is easy to use as transport security in today's network infrastructures (NAT, [=firewalls=], etc.). With the more widespread use of DIDs and VCs and the associated trust structures, they can also be used later for server-side authentication, but initially, they will only replace the little-used TLS client certificates in a more flexible way.

This is required for specifications that contain normative material.