{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T23:55:49Z","timestamp":1781567749222,"version":"3.54.5"},"publisher-location":"Cham","reference-count":29,"publisher":"Springer Nature Switzerland","isbn-type":[{"value":"9783032195661","type":"print"},{"value":"9783032195678","type":"electronic"}],"license":[{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"tdm","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"},{"start":{"date-parts":[[2026,1,1]],"date-time":"2026-01-01T00:00:00Z","timestamp":1767225600000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/www.springernature.com\/gp\/researchers\/text-and-data-mining"}],"content-domain":{"domain":["link.springer.com"],"crossmark-restriction":false},"short-container-title":[],"published-print":{"date-parts":[[2026]]},"DOI":"10.1007\/978-3-032-19567-8_4","type":"book-chapter","created":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T23:38:18Z","timestamp":1781566698000},"page":"69-88","update-policy":"https:\/\/doi.org\/10.1007\/springer_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["A Threat Model for\u00a0the\u00a0W3C Digital Credentials API: An Initial Analysis"],"prefix":"10.1007","author":[{"ORCID":"https:\/\/orcid.org\/0000-0002-8921-4480","authenticated-orcid":false,"given":"Zahra Ebadi","family":"Ansaroudi","sequence":"first","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6290-3588","authenticated-orcid":false,"given":"Amir","family":"Sharif","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7567-4526","authenticated-orcid":false,"given":"Giada","family":"Sciarretta","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0009-0003-0449-3770","authenticated-orcid":false,"given":"Simone","family":"Onofri","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-7269-9285","authenticated-orcid":false,"given":"Silvio","family":"Ranise","sequence":"additional","affiliation":[],"role":[{"vocabulary":"crossref","role":"author"}]}],"member":"297","published-online":{"date-parts":[[2026,5,1]]},"reference":[{"key":"4_CR1","doi-asserted-by":"crossref","unstructured":"Bisztray, T., Gruschka, N.: Privacy impact assessment: comparing methodologies with a focus on practicality. In: Nordic Conference on Secure IT Systems. Springer (2019)","DOI":"10.1007\/978-3-030-35055-0_1"},{"key":"4_CR2","doi-asserted-by":"crossref","unstructured":"Ansaroudi, Z.E., Sharif, A., Sciarretta, G., Marino, F.A., Ranise, S.: Secure and reliable digital wallets: a threat model for secure storage in eIDAS 2.0. In: IFIP Annual Conference on Data and Applications Security and Privacy, pp. 271\u2013289. Springer (2025)","DOI":"10.1007\/978-3-031-96590-6_15"},{"key":"4_CR3","doi-asserted-by":"crossref","unstructured":"Elbitar, Y., et al.: Permission rationales in the web ecosystem: an exploration of rationale text and design patterns. In: Proceedings of the 2025 CHI Conference on Human Factors in Computing Systems, pp. 1\u201325 (2025)","DOI":"10.1145\/3706598.3713547"},{"key":"4_CR4","unstructured":"FIDO Alliance. Client to Authenticator Protocol (CTAP) v2.2. Proposed standard (2025)"},{"key":"4_CR5","doi-asserted-by":"crossref","unstructured":"Harbach, M., et al.: Don\u2019t interrupt me-a large-scale study of on-device permission prompt quieting in chrome. In: 31st Annual Network and Distributed System Security Symposium (NDSS\u201924) (2024)","DOI":"10.14722\/ndss.2024.24108"},{"key":"4_CR6","unstructured":"Herman, I., Jones, M., Sporny, M., et\u00a0al.: Verifiable credentials data model v2.0. W3C recommendation, World Wide Web Consortium (W3C) (2025)"},{"key":"4_CR7","unstructured":"Huang, L.-S., Moshchuk, A., Wang, H.J., Schecter, S., Jackson, C.: Clickjacking: attacks and defenses. In: 21st USENIX Security Symposium (USENIX Security 12), pp. 413\u2013428 (2012)"},{"key":"4_CR8","unstructured":"Indie Web. NASCAR problem (2024)"},{"key":"4_CR9","unstructured":"Kapravelos, A., Grier, C., Chachra, N., Kruegel, C., Vigna, G., Paxson, V.: Hulk: eliciting malicious behavior in browser extensions. In: 23rd USENIX Security Symposium (USENIX Security 14), pp. 641\u2013654 (2014)"},{"key":"4_CR10","volume-title":"Cross-Device Flows: Security Best Current Practice","author":"P Kasselman","year":"2025","unstructured":"Kasselman, P., Fett, D., Skokan, F.: Cross-Device Flows: Security Best Current Practice. Internet-Draft, Internet Engineering Task Force (2025)"},{"key":"4_CR11","unstructured":"LINDDUN. LINDDUN privacy threat modeling framework"},{"key":"4_CR12","unstructured":"Markoborodova, N., Zapata, J.L.: Digital Credentials API: Secure and private identity on the web (2025)"},{"key":"4_CR13","doi-asserted-by":"crossref","unstructured":"Mazzocca, C., Acar, A., Uluagac, S., Montanari, R., Bellavista, P., Conti, M.: A survey on decentralized identifiers and verifiable credentials. IEEE Commun. Surv. Tutorials (2025)","DOI":"10.1109\/COMST.2025.3543197"},{"key":"4_CR14","unstructured":"Microsoft. STRIDE threat modeling framework"},{"key":"4_CR15","unstructured":"OpenID Foundation. OpenID for verifiable presentations (OID4VP) 1.0 (2025)"},{"key":"4_CR16","doi-asserted-by":"crossref","unstructured":"Pernpruner, M., Pasquini, C., Sciarretta, G., Ranise, S.: Beyond screens: investigating identity proofing for the metaverse through cross-device flows. In: 2024 2nd International Conference on Intelligent Metaverse Technologies & Applications (iMETA), pp. 056\u2013064. IEEE (2024)","DOI":"10.1109\/iMETA62882.2024.10808135"},{"key":"4_CR17","unstructured":"P\u00f6hn, D., et\u00a0al.: Modeling the threats to self-sovereign identities. Gesellschaft f\u00fcr Informatik eV (2023)"},{"issue":"6","key":"4_CR18","first-page":"24","volume":"2","author":"G Rydstedt","year":"2010","unstructured":"Rydstedt, G., Bursztein, E., Boneh, D., Jackson, C.: Busting frame busting: a study of clickjacking vulnerabilities at popular sites. IEEE Oakland Web 2(6), 24 (2010)","journal-title":"IEEE Oakland Web"},{"key":"4_CR19","doi-asserted-by":"crossref","unstructured":"Sassetti, G., Sharif, A., Sciarretta, G., Carbone, R., Ranise, S.: Assurance, consent and access control for privacy-aware OIDC deployments. In: IFIP Annual Conference on Data and Applications Security and Privacy, pp. 203\u2013222. Springer (2023)","DOI":"10.1007\/978-3-031-37586-6_13"},{"key":"4_CR20","unstructured":"Satragno, N., Caceres, M.: Credential management level 1. W3C working draft, World Wide Web Consortium (W3C) (2024)"},{"issue":"15","key":"4_CR21","doi-asserted-by":"publisher","first-page":"5641","DOI":"10.3390\/s22155641","volume":"22","author":"F Schardong","year":"2022","unstructured":"Schardong, F., Cust\u00f3dio, R.: Self-sovereign identity: a systematic review, mapping and taxonomy. Sensors 22(15), 5641 (2022)","journal-title":"Sensors"},{"key":"4_CR22","doi-asserted-by":"crossref","unstructured":"Sharif, A., et al.: Protecting digital identity wallet: a threat model in the age of eIDAS 2.0. In: International Conference on Risks and Security of Internet and Systems, pp. 89\u2013106. Springer (2024)","DOI":"10.1007\/978-3-031-89350-6_6"},{"key":"4_CR23","doi-asserted-by":"crossref","unstructured":"Sharif, A., Carbone, R., Ranise, S., Sciarretta, G., et\u00a0al.: A wizard-based approach for secure code generation of single sign-on and access delegation solutions for mobile native apps. In: Proceedings of the 16th International Joint Conference on e-Business and Telecommunications-Volume 2: SECRYPT, vol. 2, pp. 268\u2013275 (2019)","DOI":"10.5220\/0007930502680275"},{"key":"4_CR24","unstructured":"Shostack, A.: Threat Modeling: Designing for Security. John Wiley & Sons (2014)"},{"key":"4_CR25","unstructured":"Souppaya, M., Scarfone, K.: Guide to data-centric system threat modeling. NIST Special Publication 800-154, National Institute of Standards and Technology (NIST) (2016)"},{"key":"4_CR26","unstructured":"Terbu, O., Lodderstedt, T., Yasuda, K., Fett, D., Heenan, J.: OpenID for verifiable credential issuance 1.0. Technical report, OpenID Foundation (2025)"},{"key":"4_CR27","unstructured":"W3C Credentials Community Group. Digital Credentials API: Question on trust between browser and wallet (2025)"},{"key":"4_CR28","unstructured":"W3C Federated Identity Working Group. Digital credentials. W3C working draft, World Wide Web Consortium (W3C) (2025)"},{"key":"4_CR29","unstructured":"W3C Threat Modeling Community Group. Threat modeling for decentralized identities (2024). Community group report"}],"container-title":["Lecture Notes in Computer Science","Security Standardisation Research"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/link.springer.com\/content\/pdf\/10.1007\/978-3-032-19567-8_4","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,6,15]],"date-time":"2026-06-15T23:38:22Z","timestamp":1781566702000},"score":1,"resource":{"primary":{"URL":"https:\/\/link.springer.com\/10.1007\/978-3-032-19567-8_4"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2026]]},"ISBN":["9783032195661","9783032195678"],"references-count":29,"URL":"https:\/\/doi.org\/10.1007\/978-3-032-19567-8_4","relation":{},"ISSN":["0302-9743","1611-3349"],"issn-type":[{"value":"0302-9743","type":"print"},{"value":"1611-3349","type":"electronic"}],"subject":[],"published":{"date-parts":[[2026]]},"assertion":[{"value":"1 May 2026","order":1,"name":"first_online","label":"First Online","group":{"name":"ChapterHistory","label":"Chapter History"}},{"value":"SSR","order":1,"name":"conference_acronym","label":"Conference Acronym","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"International Conference on Research in Security Standardisation","order":2,"name":"conference_name","label":"Conference Name","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Passau","order":3,"name":"conference_city","label":"Conference City","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"Germany","order":4,"name":"conference_country","label":"Conference Country","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"2025","order":5,"name":"conference_year","label":"Conference Year","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"4 December 2025","order":7,"name":"conference_start_date","label":"Conference Start Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"5 December 2025","order":8,"name":"conference_end_date","label":"Conference End Date","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"10","order":9,"name":"conference_number","label":"Conference Number","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"ssr2025","order":10,"name":"conference_id","label":"Conference ID","group":{"name":"ConferenceInfo","label":"Conference Information"}},{"value":"https:\/\/www.uni-passau.de\/ssr2025","order":11,"name":"conference_url","label":"Conference URL","group":{"name":"ConferenceInfo","label":"Conference Information"}}]}}