Warning:
This wiki has been archived and is now read-only.

Roadmap/CredentialsWG

From Web Commerce Interest Group
Jump to: navigation, search

STATUS: This is a draft for discussion within the Web Payments Interest Group. STATUS: This is a draft for discussion within the Web Payments Interest Group.

Introduction

Ecommerce (especially on mobile) is growing as a proportion of total economic activity, online curricula are transforming education, and social networking infuses a growing number of our human activities. These and other trends are increasing pressure on the Web to support a broad array of competing requirements for exchanging information, illustrated by these use case:

  • Marla, a wine enthusiast, wishes to purchase a favorite vintage online but regulation requires proof of age. The wine enthusiast needs to provide a shipping address to the merchant. Because Marla does not know the merchant, she does not wish to share her credit card number. The merchant wants to establish a relationship with Marla to keep her as a customer, make suggestions about similar wines, and so forth. However, the merchant wishes to reduce the cost and liability associated with securing information about its customers. The merchant also wants to be able to demonstrate regulatory compliance.
  • Marco wishes to purchase a candy bar from a vending machine using electronic cash. There is no need to share any identifying information with this purchase, nor are there any regulatory requirements, so the transaction should support anonymity analogous to a cash transaction.
  • To implement know-your-customer (KYC) and anti-money laundering policies, regulators require knowledge about the real world identities of people involved in some types of transactions (e.g., high value).

The mission of this Working Group is to enhance the Web to support strong assurances about a person's or organization's real-world identity. To this end, group will create standards that support the exchange of trustworthy digital assertions that help establish attributes of a person or organization.

Scope

This group will develop mechanisms to support Web payments use cases that require high degrees of confidence in knowing the real-world identity of the parties setting up an account or participating in a transaction. These mechanisms will involve the distributed creation and exchange of "credentials" such as digital forms of government-issued IDs that can be used to rapidly and interoperably establish one's name, age, address, marital status, nationality, or other attribute.

Capabilities

This group will address the following aspects of credentials management: issuance, revocation, consumption, and endorsement.

Privacy requirements

The Working Group seeks to enhance user privacy while lowering the cost of satisfying regulatory requirements. In particular, the group seeks to satisfy these requirements:

  • By default the Web must not require a strong binding between real-world and online identity, to ensure online user privacy.
  • Where there is a legal or regulatory requirement for such a binding it should be possible establish that binding and limit knowledge of the binding only to those parties that require it, or where the user has consented to make the binding known.

Security requirements

  • It must be possible to sign credentials and verify the signature
  • Credentials must be tamper-proof.

This group will 'not develop supporting technology for encryption, digital signatures, or key management.

Applicability to Other Use Cases

There are many other industries (including entertainment, education, and healthcare) with similar requirements. For example, a Web site may only wish to stream movies to users above a certain age. While this Working Group is not chartered to produce standards that address cross-industry use cases, there is clearly a benefit if multiple industries can leverage the same standards.

Deliverables

  • a Credentials Specification that enables the exchange of arbitrary assertions but also includes a minimal set of standard terms (e.g., age, shipping address, email address). The credentials model must support easy extensibility. The specification address both of the following expectations:
    • Regulators may wish to trace the real-world identity of someone with multiple online identities.
    • The Web's traditional security policy seeks to prevent identity tracking across domains by limiting how information known to the browser is shared among domains.

Out of Scope

This group will not develop:

  • Industry-specific vocabularies
  • Supporting technology for encryption, digital signatures, or key management.

Dependencies and Liaisons

Retrieved from "https://www.w3.org/WebCommerce/IG/wiki/index.php?title=Roadmap/CredentialsWG&oldid=1551"