[Discuss] Limit access to the API based on known allow listed origins

[kdenhartog]

In order to reduce harmful over-requesting of 3P attested information it would be useful to have a registry of origins allowed to request credentials. If the origin is not listed then the site would not be able to prompt the user for permission of the credential.

The default lists will need to be maintained. Two proposals for this registry would be W3C or country specific privacy commissioners who publish them in a way that the browser services can load and store them.

Should we also allow users to be able to override them and if so what is the proper UX for this? If so would it make sense to do this as a part of the permissions UX currently implemented or as a UX with more friction?

[marcoscaceres]

I'm not sure this would scale, tbh, and would set up a single point of failure and point of control (which goes against the Web, in principle). We already have things like safe browsing lists that aim to keep users safe from the worst actors.

[kdenhartog]

I personally see not scaling as a good thing, but I still think it's possible to if we needed. First, we've shown this is possible to scale with TLS certificates already and manage these credentials at scale. Also, as you point out we have many other lists. In the example you pointed out as a potential solution to this problem safebrowsing is not used to address permissions abuse on the web which is what this would be for.

Secondly, we need to ask ourselves to what degree we want this to scale. I personally believe it would be a fundamental failure of an open web to have every site requesting a digital drivers license in order to register for it. This would lead to the opposite of an open web where the only way users can access the full web experience is if they've had a third party attestation from a certified party. For example, that would mean 850 million people globally would not have access to a growing number of sites. That sounds pretty closed to me.

Put simply this API is restrictive to the web, but has legitimate use. Therefore I believe we should limit its capability to only legitimate and certified purposes which would require some need for a registry.

[marcoscaceres]

I just don't think this API is more special than any other powerful feature on the Web. If we don't do this for other APIs, we shouldn't do it for this one either. We should be designing these APIs to be safe, secure, and privacy preserving, instead of relying on control lists. Control lists should be seen as a form of failure and last resort, not as starting point.

[kdenhartog]

No other APIs directly supply 3P attested PII until just recently with FedCM in very limited circumstances. Every other API until just recently relied on statistical correlation via fingerprinting which often does not satisfy the court of law as being identifiable. I argue that this change does constitute it being "more powerful" in terms of direct correlation and therefore requires greater protections from harm. By supplying and relying upon this information it is highly likely that this will be sufficient evidence that the person operating the computer is also the person identified by the digital credential. No other API has the dual use potential to be used as a tool to limit access to adult content, including on social media sites such as Reddit (as Texas' law directly addresses in section Sec. 129B.002. clause A) and then later be legally required to be provided by the same social media sites when law enforcement subpoenas all information about the user. Do we believe that other legislative bodies won't take this even further and directly establish that all users will have to supply digital credentials in an effort to reduce misinformation leading to a chilling effect of political speech?

The limitations here aren't just for limiting abused of smaller sites either. It's also for providing a checks and balance to legislative abuse in the same way that Google and Mozilla did with Kazakhstan's MITM CA certificate. These limitations act as a method to limit abuse both big and small.

It's also worth reiterating that no other API also stands as a way to lock at least 850 million people out of the web and potentially more depending on regulations that require usage of these digital credentials. There is legitimate harms that have been described here and here and this is a way to limit this harm so that the API is not abused.

With that said is your position here really to downplay these issues being raised by civic organizations and PING aren't a concern? Or do you believe these are valid concerns and we just need to be addressed them in in some other way that will achieve consensus among the broader W3C members? If so, please suggest another alternative that can be critiqued on it's merits as I've done here.

I fully understand that there is heavy commercial and regulatory interests in seeing this API implemented, but the "scaling" of legitimate usage should not outweigh all the potential harms that can come about by us ignoring them or assuming that since we've never needed them before therefore we shouldn't also need them now.

Finally, it's worth pointing out that this isn't the first time that a list has been used to modify well established boundaries. First party sets are doing the same thing (albeit collapsing control boundaries rather than adding additional control boundaries) here to create a set of allow listed origins in order to collapse storage boundaries and other boundaries set around the origin boundary. While the purpose and maintainability between these two lists would be different, it suggests that there is precedent for this and therefore the concept should be seriously considered.

[marcoscaceres]

Adding for discussion for upcoming call. Although I share all of your concerns, I just don't personally believe that a domain list is going to fly or is in any way scalable (though more than happy to be proven wrong).

The CG should certainly be open to discussing alternatives approaches. It be nice to come up with at least 5 or so and maybe the PING folks have additional ideas (hi @npdoty).

[kdenhartog]

Adding for discussion for upcoming call. Although I share all of your concerns, I just don't personally believe that a domain list is going to fly or is in any way scalable (though more than happy to be proven wrong).

The CG should certainly be open to discussing alternatives approaches. It be nice to come up with at least 5 or so and maybe the PING folks have additional ideas (hi @npdoty).

Thank you discussion was all I was after as a starting point. I'm certainly open to alternative suggestions as my main concern is around addressing the harm pre-emptively rather than to focus on a specific solution. Personally, I agree the burden of maintaining these lists is not fun (albeit often act as a good form of checks and balance for censorship) and if we can find a better way I'm all for it. Let's continue to discuss this and see if the group may be able to come up with a better solution.

[marcoscaceres]

I think that even if we don't come up with better solutions, it would be fascinating to see what alternative solutions we can come up with (no matter how far-fetched they are!). I'm quite looking forward to seeing what might get cooked up. There are a lot of really smart folks in this community already thinking about decentralization, so hopefully they will pitch in interesting ideas.

[RByers]

Part of the challenge here is that there's so many different use cases, multiple layers of abstraction which may each weigh in on trust decisions, and so many possible different stakeholders in managing trust stores.

Surely some wallets and issuers are gong to rely on a list of acceptable verifiers without us having to building anything for that into the browser API itself (other than our core requirement of reliably conveying the verifier origin to the wallet), right?

For doing anonymous age verification (maybe with a ZKP protocol), I don't think it would be realistic or (hopefully) necessary to rely on an allow list of origins. But for more sensitive use of PII, maybe some sort of per-origin trust signal is really essential. Then who should be defining these lists and wouldn't we expect the curator to vary depending on the credential issuer? Eg. for eIDAS credentials, might the QWAC system provide that trust signal? But for, say, using US driver's licenses, then it's going to be a complete different allow list maintained by some other organization, right? So it's not clear to me at what level(s) of the system such allow lists could be defined.

Anyway, I'm supportive in general of using defensible origin trust lists in the Chrome implementation In particular, for our origin trials coming up, I'd love to find some way to limit in-the-wild testing to known origins who make some sort of attestation, maybe following something like our Privacy Sandbox enrollment. But Chrome is also pretty constrained on what we can do here - in general we can't just provide some functionality to some sites and not others based on the whim of some group of individuals. I think it's going to be essential for us as an industry to be able to iterate together on this, and for that I think it'll be essential to have good transparency on how these systems are being used in practice. To that end I'm currently working on trying to get API usage-by-origin data published like we do for push permission acceptance rate. Hopefully that'll help enable a much more data-informed debate on this topic. I also think it would be very reasonable for other browsers to take a more careful stance on this and not sure it's helpful or even necessary to try to standardize on all the details across all browsers. Perhaps it's a selling point for the privacy of a given browser how it manages such a list?

[npdoty]

in general we can't just provide some functionality to some sites and not others based on the whim of some group of individuals.

I don't understand the proposal to be that the determination would be made on anyone's whim. Data protection authorities, for example, seem entirely unwhimsical to me.

Enrollment or well-known public documentation and third-party evaluation and attestation would be a way for allow-list to be customized (but again, not at a whim, but rather through a trust decision made by a user). I'm also happy to brainstorm alternatives along these lines, although we should recognize that it could actually make it more difficult or less reliable for the verifier/origin to make use of the capability.

I think it's going to be essential for us as an industry to be able to iterate together on this, and for that I think it'll be essential to have good transparency on how these systems are being used in practice. To that end I'm currently working on trying to get API usage-by-origin data published like we do for push permission acceptance rate. Hopefully that'll help enable a much more data-informed debate on this topic.

I'm not sure permission acceptance rate is a particularly compelling piece of data, though I can see how it's relevant. A large social media site that users feel they have no choice but to use can gate access on accepting a permission and obtain a high acceptance rate; that wouldn't indicate that the behavior is appropriate, generally acceptable to users, or legal.

[npdoty]

High-level context for why registration is a useful protection, and one relevant legal citation:
https://github.com/w3cping/credential-considerations/blob/main/credentials-considerations.md#registration