Drafting: revised, in-scope/out-of-scope section, Added Digital Credentials API

Author: simoneonofri

2024/wg-fedid.html

@@ -73,15 +73,10 @@
   </header>
 
 
-  <main>
-    <h1 id="title">PROPOSED Federated Identity Working Group Charter</h1>
-    <!-- delete PROPOSED after AC review completed -->
+  <main>    <h1 id="title">Federated Identity Working Group Charter</h1>
 
     <p class="mission">The <strong>mission</strong> of the <a href="https://www.w3.org/groups/wg/fedid">Federated Identity Working Group</a> is to
-      develop specifications to allow a website to request a federated identity
-      credential or assertion with the purpose of authenticating a user and/or requesting a set of claims in a
-      compatible way to OIDC or SAML.</p>
-    <!-- the link to the group is ALWAYS that available from https://www.w3.org/groups/wg or https://www.w3.org/groups/ig because each group page can then point to a different homepage, but not the other way around. -->
+        is to develop specifications that allow a website to request an identity credential from a credential container (e.g., a wallet) to authenticate a user and request a set of claims in a way that is compatible with other protocols like OIDC, SAML, and OpenID4VP.</p>
 
     <div class="noprint">
       <p class="join"><a href="https://www.w3.org/groups/wg/fedid/join">Join the Federated Identity Working
@@ -110,15 +105,15 @@ <h1 id="title">PROPOSED Federated Identity Working Group Charter</h1>
             Start date
           </th>
           <td>
-            <i class="todo">[dd monthname yyyy] (date of the "Call for Participation", when the charter is approved)</i>
+            28 March 2024
           </td>
         </tr>
         <tr id="CharterEnd">
           <th>
             End date
           </th>
           <td>
-            <i class="todo">[dd monthname yyyy]</i> (Start date + 2 years)
+            28 March 2026
           </td>
         </tr>
         <tr>
@@ -135,8 +130,8 @@ <h1 id="title">PROPOSED Federated Identity Working Group Charter</h1>
             Team Contacts
           </th>
           <td>
-            <span class="todo"><a href="mailto:">[team contact name]</a></span> <i class="todo">(0.15 <abbr
-                title="Full-Time Equivalent">FTE</abbr>)</i>
+            <a href="mailto:[email protected]">Simone Onofri</a> (0.25 <abbr
+                title="Full-Time Equivalent">FTE</abbr>)
           </td>
         </tr>
         <tr>
@@ -156,50 +151,36 @@ <h1 id="title">PROPOSED Federated Identity Working Group Charter</h1>
     <div id="background" class="background">
       <h2>Motivation and Background</h2>
       <p>
-        With changes to the support for underlying <a href='https://www.w3.org/TR/privacy-principles/'>privacy principles</a>, 
-        fundamental assumptions of the web platform are being redefined or removed. While overall good for the web, the
-        <a href='https://www.w3.org/2001/tag/doc/web-without-3p-cookies/'>third-party cookie deprecation</a>
-        removes a building block used by certain designs of federated
-        identity. This Group aims to bridge the gap for the federated identity designs which relied
-        on third-party cookies.
+        Identity on the Web is critical to online interaction, privacy, and security. W3C has a role in fostering an ecosystem where privacy, security, and user sovereignty are all taken into account. That includes developing new mechanisms for individuals to have the ability to select the identity information, such as assertions, specific credentials, or specific attributes, relevant to a given interaction. These mechanisms must also be viable for the issuers, verifiers, identity providers, and relying parties to exchange information in a secure and privacy-preserving manner. The user agent is the coordinator for these transactions. So, while the request and response protocols are being developed elsewhere (e.g., ISO, IETF, OpenID, and other W3C groups), the web platform layer must also be standardized to provide the privacy and security API framework in a protocol-agnostic fashion in a manner that is compatible with identity request/response protocols like mDoc, Verifiable Credentials, and OpenID4VP.
+      <p>
+      <p>
+        One of the initial hurdles is ensuring support for federated identity while adhering to <a href='https://www.w3.org/TR/privacy-principles/'>privacy principles</a>, 
+        despite the deprecation of
+        <a href='https://www.w3.org/2001/tag/doc/web-without-3p-cookies/'>third-party cookies</a>, a cornerstone of such operations.
       </p>
     </div>
 
     <section id="scope" class="scope">
       <h2>Scope</h2>
-      <p>The Working Group will specify new web platform features intended to be implemented in browsers or similar user
-        agents. The purpose of these features is to support authentication and authorization flows without compromising
-        security principles for Identity Providers (IdPs), Relying Parties (RPs), and User Agents as well as protecting user
-        privacy. Here "privacy" minimally refers to the appropriate processing of personal information. The result of
-        this work is the development of new mechanisms that define how information is passed by the browser between the
-        RP, the IdP, and authentication intermediaries to facilitate federated authentication; these mechanisms are not
-        an authentication method.</p>
-
-      <p>If any of the mechanisms developed to support authentication and authorization flows would cause
-        breaking changes for existing protocols, work on that mechanism must include a well-documented transition
-        period.</p>
+      <p>The Working Group will specify new web platform features intended to be implemented in user agents like browsers. The purpose of these features is to support privacy-preserving authentication, authorization flows, and requesting digital credentials without compromising security principles for Identity Providers (IdPs) or Relying Parties (RPs) (in a ‘traditional’ federation model) or Issuers, Verifiers, and Holders (in a digital identity wallet architecture), and User Agents. Here &quot;privacy&quot; minimally refers to the appropriate processing of personal information and preventing third parties from gleaming anything about the end-user's environment (e.g., which wallets are available and their capabilities). The result of this work is the development of new mechanisms that define how information is passed by the browser between the different entities and authentication intermediaries to facilitate federated authentication; these mechanisms are not authentication methods.</p>
+
+      <p>If any of the mechanisms developed to support authentication and authorization flows would cause breaking changes for existing protocols, work on that mechanism must include a well-documented transition period.</p>
 
       <section id="section-out-of-scope">
         <h3 id="out-of-scope">Out of Scope</h3>
-        <p>The identity space is much larger than federated authentication. While several topics related to
-          identity may be of interest, they are out of scope for our work.</p>
+        <p>The identity space is much larger than that of federated authentication and digital credential wallets. While several topics related to identity may be of interest, they are out of the scope for our work.</p>
 
         <p>Specific topics out of scope:</p>
         <ul class="out-of-scope">
 
           <li>New authentication methods</li>
-
-          <li>Design and discussion regarding individual credential and assertion formats</li>
-
+          <li>Designing individual credential and assertion formats</li>
           <li>Performing any security or confidence assessment (e.g. checking signatures,
             audience, encoding, etc) of the <a
             href="https://fedidcg.github.io/FedCM/#dom-identityprovidertoken-token">token</a> that
             encodes the <a href="https://fedidcg.github.io/FedCM/#fetch-identity-assertion">identity
             assertions</a>.</li>
-
-          <li>Ad-tech tools or APIs</li>
-
-          <li>Interactions with identity wallets</li>
+          <li>Ad-tech tools or APIs specifically focused on advertising as opposed to authentication.</li>
         </ul>
       </section>
 
@@ -238,7 +219,7 @@ <h3>
             </p>
             <p class="milestone"><b>Expected completion:</b> CR in Q1 2025</p>
           </dd>
-          <dt id="fedcm" class="spec"><a href="https://fedidcg.github.io/FedCM/#browser-api-login-status">Login Status API</a>
+          <dt id="bapi" class="spec"><a href="https://fedidcg.github.io/FedCM/#browser-api-login-status">Login Status API</a>
           </dt>
           <dd>
             <p>This specification defines an API to inform the Web Application of their user's
@@ -252,6 +233,17 @@ <h3>
             <p class="milestone"><b>Expected completion:</b> CR in Q1 2025</p>
           </dd>
         </dl>
+        <h3>Tentative Deliverables</h3>
+        <p>Depending on the incubation progress, interest from multiple implementers, and the consensus of the Group participants, the Group may also produce Recommendation-track specifications for the following documents:</p>
+        <dt id="digid" class="spec"><a href="https://wicg.github.io/digital-identities/">Digital Credentials API</a></dt>
+        <dd>
+            <p>This specification specifies an API to enable user agents to mediate access to, and presentation of, digital credentials such as a driver's license, government-issued identification card, and/or other types of digital credentials.</p>
+
+            <p class="draft-status"><b>Draft state:</b> <a href="https://wicg.github.io/digital-identities/">Adopted from the
+                Web Incubator Community Group</a>
+            </p>
+            <p class="milestone"><b>Expected completion:</b> CR in Q4 2025</p>
+          </dd>
 
       </section>
 
@@ -271,14 +263,19 @@ <h3>
           <li>Use case and requirement documents;</li>
           <li>Implementation report for the specification;</li>
           <li>Primer or Best Practice documents to support web developers when designing applications.</li>
+          <li>Harm Model or other documents to identify the impact of the technology (API and also Digital Identities in general) on people and their security and privacy. 
+        </li>
         </ul>
       </section>
 
       <section id="timeline">
         <h3>Timeline</h3>
         <ul>
-          <li>Q1 2024: FPWD for Federated Credential Management API</li>
+          <li>Q4 2024: FPWD for Federated Credential Management API</li>
+          <li>Q4 2024: FPWD for Digital Credentials API</li>
           <li>Q1 2025: CR for Federated Credential Management API</li>
+          <li>Q4 2025: CR for Digital Credentials API</li>
+          
         </ul>
       </section>
     </section>
@@ -310,16 +307,15 @@ <h2>Success Criteria</h2>
 
       <!-- Horizontal review -->
 
-      <p>Each specification should contain sections detailing all known security and
-        privacy implications for implementers, Web authors, and end users.</p>
+      <p>Each specification should contain a Security Considerations section that must include a Threat Model with threats, attacks, mitigations, and residual risks and a Privacy Consideration section as specified in <a href="https://www.w3.org/TR/security-privacy-questionnaire/">Self-Review Questionnaire: Security and Privacy</a> and <a href="https://datatracker.ietf.org/doc/html/rfc3552">RFC 3552</a>, detailing all known security and privacy implications for implementers, Web authors, and end users.</p>
 
       <p>Each specification should contain a section on accessibility that describes the benefits and impacts, including
         ways specification features can be used to address them, and
         recommendations for maximising accessibility in implementations.</p>
 
-      <!-- Design principles -->
-      <p>This Working Group expects to follow the
-        TAG <a href="https://www.w3.org/TR/design-principles/">Web Platform Design Principles</a>.
+      <!-- Principles -->
+      <p>
+        This Working Group expects to follow the TAG <a href="https://www.w3.org/TR/design-principles/">Web Platform Design Principles</a>, <a href="https://www.w3.org/TR/ethical-web-principles/">Ethical Web Principles</a>, and <a href="https://www.w3.org/TR/privacy-principles/">Privacy Principles</a>.
       </p>
 
     </section>
@@ -370,7 +366,7 @@ <h3 id="w3c-coordination">W3C Groups</h3>
 <dt><a href="https://www.w3.org/groups/wg/webauthn/" rel="nofollow">Web Authentication (WebAuthn) Working Group</a></dt>
 <dd>While we are not developing an authentication mechanism, this work must operate in conjunction with existing authentication mechanisms. The WebAuthn Working Group may provide input and guidance for this requirement.</dd>
 <dt><a href="https://www.w3.org/WAI/APA/" rel="nofollow">Accessible Platform Architectures (APA) WG</a></dt>
-<dd>The APA WG seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short term memory are known and thorny topics for people with disabilities. APA WG can represent these issues that have been raised in the Cognitive Accessibility (COGA) TF, and Accessibility Guidelines (AG) WG.</p>
+<dd>The APA WG seeks to ensure that accessibility is kept front of mind, as authentication timing and the reliance on short term memory are known and thorny topics for people with disabilities. APA WG can represent these issues that have been raised in the Cognitive Accessibility (COGA) TF, and Accessibility Guidelines (AG) WG.
 </dl>
       </section>
 
@@ -565,18 +561,34 @@ <h3>
             </tr>
             <tr>
               <th>
-                <a class="todo" href="">Initial Charter</a>
+               Initial Charter
               </th>
               <td>
-                <i class="todo">[dd monthname yyyy]</i>
+                28 March 2024
               </td>
               <td>
-                <i class="todo">[dd monthname yyyy]</i>
+                28 March 2026
               </td>
               <td>
-                <i class="todo">none</i>
+                (initial)
               </td>
             </tr>
+            <tr>
+                <th>
+                    &nbsp;
+                </th>
+                <td>
+                  @@ June 2024
+                </td>
+                <td>
+                  &nbsp;
+                </td>
+                <td>
+                    <p>Revised</p>
+                    <p>in-scope/out-of-scope section</p>
+                    <p>Added Digital Credentials API</p>    
+                </td>
+              </tr>
 <!--            <tr>
               <th>
                 <a class="todo" href="">Charter Extension</a>
@@ -631,7 +643,7 @@ <h3>Change log</h3>
 
   <footer>
     <address>
-      <i class="todo"><a href="mailto:">[team contact name]</a></i>
+      <a href="mailto:[email protected]">Simone Onofri</a>
     </address>
 
     <p class="copyright">Copyright © 2024 <a href="https://www.w3.org/">World Wide Web