From the early days of the web, browsers have served as credential wallets that store and present cryptographic credentials, which makes sense, since the browser is the user's agent on the web. But so far only TLS client certificates have been supported, and proof of possession of the private key is delivered inconveniently: it takes place during the TLS handshake, so it is received by transport-layer code in the relying party's network stack rather than by the application-layer code that actually decides what the user is allowed to do.
In Chapter 12, Section 12.4, of the book on Foundations of Cryptographic Authentication that I'm writing with Sukhi Chuhan and Veronica Wojnas, we show how a browser can be used as a credential wallet using standard application-layer web technology, for any kind of cryptographic credential, including full-disclosure and selective-disclosure public key certificates and anonymous credentials. Sections 12.4.2.1 through 12.4.2.3 give graphical descriptions of protocols for credential issuance and for same-device and cross-device credential presentation. There is also a description of a protocol for presentation to an unattended IoT device, which can be used to provide authenticated physical access to a facility.
Continue reading “Using a browser as a credential wallet”