Ensure that credential issuers do not discriminate based on the user’s device or OS
While any device can hold a wallet, credential issuers may only issue credentials that they can verify are running on mobile hardware running issuer-trusted OSs. In fact, the EU implemented a wallet that only supports Android and has either already implemented Play Integrity or is considering it. Play Integrity actually excludes OSs, like GrapheneOS, that are more secure than the stock OS.
While a desktop browser could implement this API, it is only of use if it can obtain a credential that would actually be trusted. Right now, there is no guarantee of this. This should be guaranteed before any website is allowed to use the API.
Personally, I don't consider social guarantees (promises) to be sufficient. If a credential issuer starts discriminating against which browsers/OSs/etc. can use the API, I think it should be blocklisted on all platforms.
I do consider hardware tokens to be OS-independent, provided that all of the following conditions are met:
- The tokens (and, if needed, readers) are provided at little or no additional charge, where “little” is measured by local income.
- The tokens use a public and standardized protocol that is implemented by Windows, macOS, and the major Linux distros without needing to install any third-party or token-specific software or drivers.
This is not an API or even protocol layer issue IMO. Issuance is governed by trust frameworks, which define their requirements and which other parties (credential managers, verifiers, etc.) participate in.
My thought is that only websites that can demonstrate a need for this should be able to access something that does discriminate in this way.
That is already the case in most jurisdictions/geos.