10E/ Integrating FIDO with Verifiable Credentials (8.30 am start)

From IIW

Integrating FIDO with Verifiable Credentials

Wednesday 10E

Convener: David Chadwick

Notes-taker(s): John Callahan, David Chadwick

Tags for the session - technology discussed/ideas considered:

FIDO2, WebAuthn, Verifiable Credentials, IAM.

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps

W3C Web Authentication (FIDO2) provides a mechanism for strong authentication, while W3C Verifiable Credentials provide a mechanism for strong identification and authorisation. Together they make a powerful pair for identity management: FIDO2 proves that the registered authenticator (and, with user verification, its owner) is present, while a VC carries issuer-attested claims about that person.

Prof. David Chadwick presented work on sharing W3C Verifiable Credentials using a FIDO2 key that the holder has set up with the credential issuer. In a nutshell, the holder and issuer use the WebAuthn protocol to authenticate strongly before the issuer protects the credentials with its signature. When the holder later provides credentials to a relying party, the issuer (acting in an IdP capacity, so it must be online) again verifies the holder's identity via FIDO2 WebAuthn, so that the credentials, or selected claims from them for selective disclosure, can be shared with the relying party. Ephemeral keys are created to bind the holder to the credentials shared with the relying party/verifier, so that a captured credential cannot be presented by anyone who does not hold the matching ephemeral private key. The relying party/verifier confirms that the issuer is valid using X.509 certificates, by checking the issuer's signature on the derived credential it receives from the holder.

Two practical consequences follow from this design: the issuer must be reachable at presentation time, and, because it authenticates the holder for each presentation, it learns when the holder presents credentials, which a purely holder-controlled VC wallet would not reveal.

David has a slide deck and video at https://youtube.com/watch?v=l3taGxBdrRU

The eSSIF TRAIN project from Fraunhofer:

https://essif-lab.eu/essif-train-by-fraunhofer-gesellschaft/

is building a trust infrastructure for SSI, whereby a VC contains the name of its trust federation. The verifier calls the TRAIN API, passing it the name of the trust federation and the URI of the VC issuer, and asks whether this issuer is really a member of that trust federation. The response indicates how trustworthy the issuer is. TRAIN will work with both blockchain DID and X.509 trust infrastructures.
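As an added example that is not code from the session, from David Chadwick's project or from TRAIN, the Go program below models the exchange described in the two passages above (the FIDO2-authenticated issuance and presentation, and the verifier's federation-membership check) with Ed25519 from the Go standard library. The holder's FIDO2 authenticator signs a WebAuthn assertion that the issuer verifies (rpIdHash, challenge, origin, signature); the issuer then signs a derived credential carrying one selected claim plus the holder's ephemeral public key; the holder proves possession of that key over a verifier nonce; and the verifier looks the issuer up by federation name and issuer URI in a local map that stands in for the TRAIN API or X.509 path validation before checking both signatures. The RP ID, issuer URI, federation name, challenge and nonce are constructed values, and the credential encoding is ad hoc JSON rather than the W3C VC data model.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed identifiers for the example (not from the session notes).
const (
	rpID       = "issuer.example"         // WebAuthn RP ID of the issuer
	issuerURI  = "https://issuer.example" // VC issuer identifier carried in the credential
	federation = "example-federation"     // trust federation named in the credential
)

func cat(a, b []byte) []byte { return append(append([]byte{}, a...), b...) }
func newKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return pub, priv
}

// Step 1: the holder authenticates to the issuer with a WebAuthn assertion; the authenticator signs authenticatorData || SHA-256(clientDataJSON).
type assertion struct{ AuthData, ClientData, Signature []byte }
func authenticatorSign(priv ed25519.PrivateKey, challenge string) assertion {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": "https://" + rpID})
	h := sha256.Sum256([]byte(rpID))
	authData := append(h[:], 0x01, 0, 0, 0, 1) // rpIdHash || flags (UP set) || signCount
	cdh := sha256.Sum256(cd)
	return assertion{authData, cd, ed25519.Sign(priv, cat(authData, cdh[:]))}
}

// The checks a WebAuthn relying party (here the issuer) must make before trusting an assertion.
func issuerVerifyWebAuthn(pub ed25519.PublicKey, expectedChallenge string, a assertion) error {
	want := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], want[:]) {
		return errors.New("authenticatorData malformed or rpIdHash mismatch")
	}
	var cd struct{ Type, Challenge, Origin string }
	if json.Unmarshal(a.ClientData, &cd) != nil || cd.Type != "webauthn.get" ||
		cd.Challenge != expectedChallenge || cd.Origin != "https://"+rpID {
		return errors.New("clientData type, challenge or origin check failed")
	}
	cdh := sha256.Sum256(a.ClientData)
	if !ed25519.Verify(pub, cat(a.AuthData, cdh[:]), a.Signature) {
		return errors.New("assertion signature invalid")
	}
	return nil
}

// Step 2: the issuer signs a derived credential holding only the selected claims plus the holder's ephemeral public key (holder binding).
type derivedCredential struct{ Issuer, Federation string; HolderKey []byte; Claims map[string]string }
type signedCredential struct{ Payload, IssuerSig []byte }
func issuerIssue(issuerPriv ed25519.PrivateKey, ephPub ed25519.PublicKey, claims map[string]string) signedCredential {
	payload, _ := json.Marshal(derivedCredential{issuerURI, federation, ephPub, claims})
	return signedCredential{payload, ed25519.Sign(issuerPriv, payload)}
}

// Step 3: the holder proves possession of the ephemeral key over the verifier's nonce.
func holderProve(ephPriv ed25519.PrivateKey, c signedCredential, nonce []byte) []byte {
	return ed25519.Sign(ephPriv, cat(c.Payload, nonce))
}

// Step 4: the verifier checks federation membership (standing in for the TRAIN lookup or X.509 path validation), the issuer signature and the holder binding proof.
type trustRegistry map[string]map[string]ed25519.PublicKey // federation -> issuer URI -> issuer key
func verifierCheck(reg trustRegistry, c signedCredential, holderSig, nonce []byte) (map[string]string, error) {
	var dc derivedCredential
	if err := json.Unmarshal(c.Payload, &dc); err != nil {
		return nil, err
	}
	if pub, ok := reg[dc.Federation][dc.Issuer]; !ok || !ed25519.Verify(pub, c.Payload, c.IssuerSig) {
		return nil, fmt.Errorf("issuer %s not trusted in federation %s, or signature invalid", dc.Issuer, dc.Federation)
	}
	if len(dc.HolderKey) != ed25519.PublicKeySize || !ed25519.Verify(dc.HolderKey, cat(c.Payload, nonce), holderSig) {
		return nil, errors.New("holder binding proof invalid")
	}
	return dc.Claims, nil
}

// runFlow drives the exchange end to end; tamper=true replays the credential with a key the holder never held.
func runFlow(tamper bool) (map[string]string, error) {
	authPub, authPriv := newKey() // FIDO2 credential registered with the issuer earlier
	issPub, issPriv := newKey()
	reg := trustRegistry{federation: {issuerURI: issPub}}
	challenge := "dGVzdC1jaGFsbGVuZ2U" // constructed; a real issuer draws a fresh random challenge per request
	if err := issuerVerifyWebAuthn(authPub, challenge, authenticatorSign(authPriv, challenge)); err != nil {
		return nil, err
	}
	ephPub, ephPriv := newKey()
	cred := issuerIssue(issPriv, ephPub, map[string]string{"over18": "true"}) // one selectively disclosed claim
	nonce := []byte("verifier-nonce-0001")                                     // constructed
	proof := holderProve(ephPriv, cred, nonce)
	if tamper {
		_, otherPriv := newKey()
		proof = ed25519.Sign(otherPriv, cat(cred.Payload, nonce))
	}
	return verifierCheck(reg, cred, proof, nonce)
}

func main() { fmt.Println(runFlow(false)); fmt.Println(runFlow(true)) }
```

Running it prints the accepted claim for the honest run and the error for the replay. The tamper path is what holder binding buys: an attacker who captures the signed credential but not the ephemeral private key is rejected at the last check even though the issuer signature still verifies, and the federation lookup happens before any signature work so an issuer outside the named federation is refused regardless of how valid its signature is.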