w3c-fedid · simoneonofri · Jan 8, 2026
@@ -1321,108 +1321,18 @@ <h2>
           for Digital Credentials, both broadly and for presentation on the
           web. Their contents will be integrated into this document gradually.
         </p>
-        <ul>
-          <li>
-            <a href=
-            "https://github.com/w3c-fedid/digital-credentials/wiki/Horizontal-reviews#self-review-questionnaire-security-and-privacy">
-            TAG Security and Privacy Considerations Questionnaire (WIP)</a>
-          </li>
-          <li>
-            <a href=
-            "https://github.com/w3c-cg/threat-modeling/blob/main/models/decentralized-identities.md">
-            Threat Model for Decentralized Identities</a>
-          </li>
-        </ul>
       </div>
       <section>
-        <!---->
-        <h3>
-          Credential Protocols
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that while the API provides security at the browser API
-          level, that security for the underlying credential issuance or
-          presentation protocol is a separate concern and that developers need
-          to understand that layer of the stack to get a total picture of the
-          protections that are in place during any given transaction.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Cross-device Protocols
-        -->
-        <h3>
-          Cross-device Protocols
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that cross-device issuance or presentation uses a separate
-          protocol that has its own security characteristics.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Quishing
-        -->
-        <h3>
-          Quishing
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that the API is designed to avoid the problem of quishing
-          (phishing via QR Codes) and other QR Code and non-browser API-based
-          attacks and to be aware of exposure of QR Codes during digital
-          credential interactions.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Data Integrity
-        -->
-        <h3>
-          Data Integrity
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that the API does not provide data integrity on the digital
-          credential requests or responses and that responsibility is up to the
-          underlying protocol used for the request or response.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Authentication
-        -->
-        <h3>
-          Authentication
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that authentication (such as a PIN code to unlock) to a
-          particular app, such as a digital wallet, that responds to an API
-          request is crucial in high-risk use cases.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Cross-Site Scripting (XSS) and Cross-Site
-        -->
-        <h3>
-          Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF)
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain what attacks are possible via XSS and CSRF, if any.
-        </p>
-      </section>
-      <section>
-        <!--
-        // MARK: Session Security
-        -->
-        <h3>
-          Session Security
-        </h3>
-        <p class="issue" title="Work in progress">
-          Explain that once a secure session is established at a website using
-          credentials exchanged over this API, that the subsequent security is
-          no longer a function of the credential used or this API and is up to
-          the session management utilized on the website.
-        </p>
+        <h3>Security properties and mitigations defined by this specification</h3>
+        <p>Where security protections are explicitly defined in this document, they MUST be implemented by conforming
+            User Agents. The following mitigations derive from normative requirements already present in the
+            specification.</p>
+        <section>
+            <h4>Permissions Policy</h4>
+            <p>The specification integrates the Permissions Policy mechanism, meaning that cross-origin usage requires
+                explicit delegation. This reduces Malicious Browser extension (T2), and cross-origin invocation (T6).
+                See section 8. </p>
+        </section>
       </section>
     </section>
     <section class="informative" data-cite="privacy-principles">