Open Thinkering

A (proposed) browser-based interoperability layer for digital credentials

An abstract image with a black background, vaguely reminiscent of the Firefox logo

I was talking with Nate Otto earlier this week about various things, including a potential upcoming collaboration as well as Badge To The Future. In passing, he mentioned something which I’d heard rumours about: a proposed infrastructure layer to allow Open Badges and Verifiable Credentials to be added easily to smartphone-based wallets.

After the call, I had a quick look. I was a bit skeptical, as the authors of the Digital Credentials community group report are from Apple, Google, and Okta — so it would be easy to think that this is an attempt to somehow ‘capture’ the market and drive users towards Apple Wallet and Google Wallet. But it seems that it’s actually… the opposite?

If I’ve understood the proposal correctly, it’s a way of trying to create a browser-based interoperability layer so that credentials can be added to any type of wallet. The closest analogy I can think of is something like MetaMask: instead of managing cryptocurrency, this infrastructure layer manages digital credentials like diplomas, government IDs, or professional certifications. Like MetaMask, which allows you to approve transactions and interact with Web3 apps directly from your browser, this API would let you control when and how your credentials are shared with websites or organisations.

You might be reading this thinking, “So what? This isn’t even an official proposal!” What’s interesting is that this is the kind of thing that Mozilla would have been working on, had they managed some joined-up thinking between Firefox OS and Open Badges.

Things are a lot more complicated than the early days of Open Badges. But if we can nail the UX of all this, we could see even wider and more seamless adoption. Here are three advantages:

  1. Web browser as credential hub — instead of platform-specific wallets (e.g. Google/Apple), users can store, present, and revoke credentials without third-party apps.
  2. Consent-based model — unlike the current status quo, users would be explicitly prompted for every credential request (e.g., “Share your diploma with Employer X?”).
  3. Web-based issuing — smaller organisations could distribute credentials directly via their website rather than having to have an ‘issuing platform.’ This would improve the whole user experience.

There are, of course, some risks with this approach. For example, browser vendors might implement the protocols inconsistently. It also introduces new attack surfaces for phishing, which is increasingly a problem as higher-stakes credentials are issued digitally. I noticed that the current draft doesn’t have any way to revoke credentials, but perhaps that’s dealt with elsewhere.

Ultimately, the thing that continues to excite me about digital credentialing is putting the means of credentialing into the hands of everyone. That’s the thing that underpins Open Recognition, and so anything that moves us towards decentralised, user-owned identity systems is a good thing as far as I’m concerned.

I should stress, though, that this is still very much early days. It’s not even close to being ratified by the W3C, let alone had the kind of buy-in from major browser makers that mass adoption would require. But by 2030? Who knows.


Image: Faded_Gallery