Introduction of W3C Identity Strategy

August 13, 2024

Philippe Le Hegaret, plh@w3.org,
Strategy and Project Lead

World Wide Web Consortium 万维网联盟

Founded in 1994 by Tim Berners-Lee and was Director until June 12, 2023 由 Tim Berners-Lee 于 1994 年创立，并担任董事至 2023 年 6 月 12 日
Around 300 technical Web standards,
370 in progress 约370份开发中的标准
Consensus-driven process 由共识驱动的流程,
Royalty-Free patent policy 免版税专利政策
Over 400 members 超过 400个成员单位

W3C’s Vision for the World Wide Web

The Web is for all humanity 为全人类服务.
The Web is designed for the good of its users 为用户的利益而设计.
The Web must be safe for its users必须对用户是安全的.
There is one interoperable world-wide Web只有一个互联互通的万维网.

Driven by principles

Ethical Web Principles 道德原则
Device Independence Principles设备独立性原则
Privacy Principles隐私原则
Ethical Principles for Web Machine Learning机器学习道德原则
Web Platform Design Principles技术平台设计原则

… and multiple set of guidelines

Digital Identity and the Web

Identities and Credentials Use Cases 身份与凭证用例

Supply chain 供应链: traceability 可追溯性, ownership 所有权, …
Energy sector and automotive 能源行业和汽车: IoT
Government 政府: travel 出行, license 执照, permit 许可证, welfare program 福利计划, age 年龄管理, residency 居住权, etc.
Society 社会: university diplomas 大学文凭, Marrakesh treaty 马拉喀什条约
Replacing our physical wallets 取代我们的实体钱包: driver's license 驾照, payment cards 银行卡, loyalty cards 会员卡, university IDs 大学校园卡, medical insurance card 医保卡, etc.

Everyone has the right to recognition everywhere as a person before the law 每个人都有权利在所有地方被法律赋予一个身份

Identity processes 身份管理流程

Identification 识别: recognizing an entity through the information it provides 通过所提供的信息识别实体
Verification 验证: allows us to confirm that the presented information is valid 允许我们确认所看到的信息是有效的
Authentication 认证: is a specific, formal verification type that aims to grant access 具体、正式，旨在给予访问权限
Authorization 授权: grant the necessary permissions to access 给予获取访问权限必要的许可

Identity Models 身份模型

Centralized 中心化的: a single provider offers both the identity (with its credentials) and the service 单一方提供身份和服务
Federated 联邦式的: An Identity provider (IdP) and a Service Provider (SP) 一个身份提供商+一个服务提供商
Decentralized 去中心化的: Holder, Issuer, Verifier 持有者、发行方、验证方

The Galaxy of SDOs 标准化组织那么多

SDOs involved in Digital Identity — Heather Flanagan, Identity on the Web, April 2024

Web Authentication Working Group Web验证工作组

Working on its third revision for the WebAuthn API (passkeys) 编写第三版 WebAuthn API
Use case: replacing the use of passwords (centralized identity, sign-in) 用例：替换掉对密码的使用
Web Authentication: An API for accessing Public Key Credentials, W3C Standard, April 2021 一个用于获取公钥API

Federated Identity Working Group 联合身份工作组

Launched on 28 March 2024
Use case: replacing the use of 3rd-party cookies for federated identity 通过联合身份取代部分第三方 cookie 的应用
(Soon) Drafts 即将发布的标准草案: Federated Credential Management (FedCM) and Login Status 联合身份管理与登陆状态

(Proposed) Extend to Digital Credentials 数字凭证验证（提案）

Digital Credentials API to request identity credentials or assertions from users 用于向用户请求身份凭证或断言的 API
Use case: enabling digital wallets support 支持数字钱包 (decentralized identity 分布式身份, sign-up)
Agnostic to formats and protocols 与格式和协议无关:
ISO/IEC 18013-5 mobile documents (mDoc), W3C VC /VP, OpenID Connect ID Tokens, and SAML assertions
Challenges:
- Who controls the digital wallet(s)? 谁控制数字钱包？
- Multi-devices scenarios 多设备场景
- Threat Modeling for Decentralized Identities 分布式身份威胁模型分析

Decentralized Identifiers 分布式身份

An identifier technology based on cryptography that empowers us to control our personal data and consent to its usage; often paired with Verifiable Credentials. These methods can rely on various technologies, including blockchains, the web, InterPlanetary File System (IPFS), and Domain Name System (DNS) [did-spec-registries]. 基于密码学的标识符技术，促使我们掌管我们的个人数据并授权同意其使用；通常与 VC 可验证凭据配对。这些方法可以依靠各种技术，包括区块链，Web，行星际文件系统（IPFS）和域名系统（DNS）[DID Spec-Spec-Registries]。
Decentralized Identifiers (DIDs) v1.0, W3C Standard, July 2022.

An example of a decentralized identifier shown left to right the 'did' scheme, followed by a colon, followed by an 'example' DID Method identifier, followed by another colon, followed by a method specific identifier with the characters '123456789abcdefghi' is shown.

Verifiable Credentials (VCs) 可验证凭据

A privacy-preserving technology for issuing, storing, and presenting education degrees, government issued ID cards, shipping container manifests, certified product information, and other machine-readable credentials. 一种隐私友好的技术，用于发行，存储和介绍教育学位，政府发行的身份证，货运集装箱清单，经过认证的产品信息以及其他机器可读的凭据
Verifiable Credentials, W3C Standard, March 2022.

Veriable Credentials: Credential Metadata, Claim(s), Proof(s)

Ongoing work on VCs

New revision of the VC Data Model VC 数据模型新版本
BitString Status List 字节字符串状态列表: publishing status information such as suspension or revocation 发布暂停或撤销等状态信息
Data Integrity 数据完整性: ensuring the authenticity and integrity 确保真实性和完整性
- BBS
- EdDSA
- ECDSA
- Quantum-Safe
JSON Object Signing and Encryption (JOSE) and CBOR Object Signing and Encryption (COSE)

See also Verifiable Credentials Overview, July 2024

We want to hear from you! 我们期待听到你的建议！

Which is the status of Digital Identity in China? 在中国数字身份技术发展状态如何？
Government point of view? 政府对此的期望？
Standards to implement? 有哪些落地和计划落地的标准？
Any Risks? 有哪些技术与其它风险？
Specific Personas (fictional representation of a user, created to understand and anticipate the needs, behaviors, and goals of the target audience) to consider in our model? 我们的模型中需要考虑哪些特定角色（用户的虚构代表，旨在了解和预测目标受众的需求、行为和目标）？
How we can help? W3C是否能通过标准发挥什么作用？

谢谢

See also Identity & the Web, https://www.w3.org/reports/identity-web-impact/, Simone Onofri, W3C Security Lead, August 2024

These slides:
https://w3.org/2024/Talks/identity-plh

Email: plh@w3.org

WeChat: wxid_zzjg6wsat33y22