Re: Can CHAPI survive Big Tech? (was Re: Centralization dangers of applying OpenID Connect to wallets protocols)

On Sun, Mar 27, 2022 at 3:52 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 3/27/22 4:33 PM, Snorre Lothar von Gohren Edwin wrote:
> > A quick follow up question, chapi cannot work, unless the party doing
> > issuance or verification adds the polyfill to their webpage?
>
> Yes, that is correct. The same is true for any "Login with..." solution --
> you have to load Javascript to do anything with CHAPI, OIDC, or even
> DIDCommv2 on the web today.
>

All three should be similar in the requirements for the verifier to create
the challenge and verify the response. OIDC and DIDCommv2 can challenge
without needing javascript or polyfill by supplying an initiation link or
QR code within page content.

To adopt CHAPI you might review the polyfill, pin a version by copying it
or using subresource integrity, and do an analysis on authn.io as a central
party (compromise, downtime).

To adopt SIOP with a universal link invocation, you wouldn't need to review
javascript but you'd still do an analysis of the hosted resource behind
that link. It is operated by a federation/trust framework that you are
presumably a part of, so your evaluation may be influenced by that.

With DIDComm such intermediaries are dynamic through DID resolution of
transport mechanisms, so the holder will be responsible for their own
privacy, security and uptime considerations.

-DW


Received on Sunday, 3 April 2022 14:02:06 UTC
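
Added example, not part of the original message or of the CHAPI project's code: a Node.js sketch of how a subresource integrity pin on a reviewed polyfill copy is computed and then matched, following the SRI rules that only the strongest listed algorithm counts and that unrecognized tokens are ignored. The function names and the polyfill bytes are constructed for illustration.

```javascript
const { createHash } = require("node:crypto");

// Hash algorithms defined for SRI, weakest to strongest.
const STRENGTH = ["sha256", "sha384", "sha512"];

// Integrity value for the exact bytes that were reviewed (hypothetical helper).
function sriFor(bytes, alg = "sha384") {
  return `${alg}-${createHash(alg).update(bytes).digest("base64")}`;
}

// Parse an integrity attribute: whitespace-separated "alg-base64[?options]".
// Tokens with an unknown algorithm or malformed digest are dropped.
function parseIntegrity(attr) {
  return attr.trim().split(/\s+/).filter(Boolean).map((tok) => {
    const m = /^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$/.exec(tok);
    return m ? { alg: m[1], digest: m[2] } : null;
  }).filter(Boolean);
}

// True when a browser applying SRI would let these bytes execute.
function sriMatches(bytes, attr) {
  const entries = parseIntegrity(attr);
  // No usable metadata means nothing is enforced, so a typo in the
  // attribute silently removes the pin instead of blocking the script.
  if (entries.length === 0) return true;
  const strongest = entries.reduce(
    (best, e) => (STRENGTH.indexOf(e.alg) > STRENGTH.indexOf(best) ? e.alg : best),
    entries[0].alg
  );
  const actual = createHash(strongest).update(bytes).digest("base64");
  // Weaker hashes in the attribute are ignored once a stronger one is present.
  return entries.some((e) => e.alg === strongest && e.digest === actual);
}

// Constructed stand-ins for the reviewed polyfill build and a later upstream change.
const reviewed = Buffer.from("/* reviewed polyfill build */\nfunction load() {}\n");
const changed = Buffer.from(reviewed.toString() + "/* changed after review */\n");
const pin = sriFor(reviewed);

console.log("integrity attribute to publish:", pin);
console.log("reviewed copy loads:", sriMatches(reviewed, pin));
console.log("changed copy loads:", sriMatches(changed, pin));
```

The pin covers only the script bytes the page loads; the availability and behaviour of a central mediator still needs the separate analysis the message describes.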