From the very beginning of the web, browsers have been used as credential wallets to store and present cryptographic credentials, which makes sense since the browser is the user’s agent on the web. But only TLS certificates have so far been supported, and proof of possession is inconveniently provided, during the TLS handshake, to transport-layer rather than application-layer code of the network stack of the relying party.
In Chapter 12, Section 12.4, of the book on Foundations of Cryptographic Authentication that I’m writing with Sukhi Chuhan and Veronica Wojnas, we show how a browser can be used as a credential wallet using standard application-layer web technology, for any kind of cryptographic credential, including full disclosure and selective disclosure public key certificates and anonymous credentials. Sections 12.4.2.1-3 have graphical descriptions of protocols for credential issuance and same-device as well as cross-device credential presentation. There is also a description of a protocol for presentation to an unattended IoT device, that can be used for providing authenticated physical access to a facility.
Using a browser as a credential wallet provides compelling deployability benefits, because every computer user has a browser, and the relying party does not have to figure out where to find the user’s credentials, since the user will access the relying party using the browser where the user’s credentials are stored, or at least the credential that the user intends to use for authentication to that relying party.
Online and proximity presentation of government credentials
But while the browser, as the user’s agent on the web, is well suited for credential presentation over the web, a government wallet must support credentials that are presented both over the web and over proximity protocols such as BLE, NFC and WiFi Aware. This is the case, in particular, for the ISO/IEC mDL.
It is also the case for legacy eID credentials. The Wikipedia page on Electronic identification has a list of more than 30 countries that use eID credentials. Citizens of those countries would expect a government wallet to be backward-compatible and support the eIDs that they are already using. But they would also expect the same government wallet to support credentials that cannot be tracked online.
To satisfy these requirements, a future government wallet will have to support proximity presentation of credentials such as the mDL and legacy eIDs, as well as online presentation of those same credentials, and online presentation of anonymous credentials such as the BBS signatures being standardized by the IRTF. Section 12.4.2.5 explains how this can be achieved using a WebView component of a native app for online presentation, paired with native code components for proximity presentation. And Figure 5e in Section 12.4.2.6.1 shows an example of such a wallet.
The ISO/IEC mDL use case
Section 12.4.2.6 describes in detail how a native app wallet with a WebView component and a native code component can be used for online and proximity presentation of the mDL.
Section 12.4.2.6.1 provides a graphical description of the process for setting up the wallet, with Figure 5d showing the end-result of the process when the mDL is the only credential in the wallet, and Figure 5e showing a wallet that carries an eID legacy credential and a BBS credential in addition to the mDL credential.
Section 12.4.2.6.2 describes a protocol for same-device presentation of the mDL, by adding details specific to the mDL to the same-device protocol description of Section 12.4.2.2. The ISO-IEC 18013-7 specification uses the same protocol for presentation over the web as for proximity presentation over BLE, NFC or WiFi Aware, which is inefficient and complicated for the relying party. The protocol of Section 12.4.2.6.2 takes advantage of the fact that the mDL is just a selective disclosure public key certificate, a concept defined in Section 3.3 of Chapter 3 of the book, and is similar to the process for same-device presentation of an ordinary, full disclosure public key certificate.
Section 12.4.2.6.3 provides a graphical description of the cross-device protocol of Section 12.4.2.3 with details specific to the mDL. The ISO-IEC specifications do not support cross-device presentation of the mDL. Note 1 of Section B.1.1 of Part 7 says: “Cross-device flows are prone to engagement relay attacks which is the reason cross-device flow is not included in this document.”
Section 12.4.2.6.4 specifies a proximity presentation protocol for the mDL that is interoperable with standard mDL readers while mitigating an unauthorized access vulnerability.