- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Fri, 18 Mar 2022 17:59:33 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org
On 2022-03-18 17:46, Manu Sporny wrote:
> I'm taking all of my hats off and saying the rest as a "concerned citizen and
> computer scientist". Take it as personal commentary, for whatever that is worth.
>
> I expect much of this to be controversial... and result in an unavoidable
> permathread. :)

You bet :)

>
> TL;DR: It is hopelessly naive to think that OpenID Connect, THE protocol that
> centralized social login to 3-4 major tech companies, only requires "small
> changes" for self-sovereign identity and is a "doorway" we should gleefully
> step through.

Take Open Banking as an example. How do you select a bank when they count in the 100 000+ region?
The Open ID foundation have solved this issue in a radical way: leave it to the market to figure out.

Thanx,
Anders

>
> On 3/17/22 5:45 PM, Kaliya Identity Woman wrote:
>> Yes - and I agree with the note following this one on the thread that they
>> are meeting different needs use-cases.
>
> It's all a matter of perspective, isn't it? :)
>
> When you get down into the details, sure you can argue that some protocols are
> addressing different needs/use-cases, but it is also undeniable that every
> single one of the protocols can move a Verifiable Credential from point A to
> point B. In that way, they're directly competitive with one another. That's
> not an interesting debate, though; it's at the wrong level -- too meta.
>
> What would be more beneficial is for someone to produce a pros/cons matrix
> like we did for "Protecting VCs using pure JSON JWTs vs. VC-JWTs vs. Linked
> Data Proofs":
>
> https://w3c.github.io/vc-imp-guide/#benefits-of-jwts
> https://w3c.github.io/vc-imp-guide/#benefits-of-json-ld-and-ld-proofs
>
> Until we get to that level of detail, I expect we'll not make much progress on
> the wallet protocols topic.
>
>> The fact is that there is a huge opportunity to really leverage the "OIDC"
>> "doorways" that exist all over the web (a protocol that is literally used
>> a billion times a day...you know some real adoption) to exchange VCs - with
>> some small changes.
>>
>> AND people in this group seem to be "deathly afraid" of that work because
>> it isn't home grown here alone in isolation and focused on web only.
>
> I... just... don't even know where to start. I disagree with every concept in
> the previous paragraph. :)
>
> I can't speak for anyone else in this group, so I'll just speak for myself:
>
> It is hopelessly naive to think that OpenID Connect, THE protocol that
> centralized social login to 3-4 major tech companies, only requires "small
> changes" for self-sovereign identity and is a "doorway" we should gleefully
> step through.
>
> Login with Google/Facebook/Apple/Microsoft, those "billions of times a day"
> usages... are all coerced logins. We have no choice but to use the big tech
> vendors. That is not a world I want to contribute to.
>
> We are not "focused on web only" here... though it is an effective "gotcha!"
> talking point that seems to not be questioned when uttered ("I mean... the
> word "WEB" is in World Wide Web Consortium! What else could they be up to over
> there!?"). The phrase is disingenuous, I really wish those uttering it would
> stop... but you can't blame them, it's an effective way to get people who
> don't know any better nodding in agreement with whatever "non-Web" thing
> you're going to say next.
>
> I am "deathly afraid" of the work, because people are rushing into it without
> thinking deeply about the consequences. So, "Nope!":
>
> I refuse to just go with the herd and gleefully re-cement centralization in
> this new generation of identity technologies.
>
> I refuse to trust that things will be different this time because the same
> people that created OpenID Connect have learned their lessons and are doing
> things differently now.
>
> ... and I refuse to accept your mischaracterization of this community, the
> good faith efforts that they've put forward to coordinate where they can, or
> why some of us remain sceptical of some of the other wallet protocol efforts
> going on right now.
>
> It is possible for all of us, across all communities, to act in good faith and
> still disagree on the path forward.
>
> I certainly don't think for a second that the vast majority of people involved
> in OpenID, DIF, CCG, IIW, or RWoT are acting in bad faith. Misguided, possibly
> (including myself!), but not this "Not Invented Here Tribalism" narrative that
> seems to be so popular. I see a bunch of people, across each "silo", doing
> their best to solve hard problems given all of the pressures of their work and
> home life. Full stop.
>
> Going back to OpenID being applied to Verifiable Credential Exchange. There
> are three fatal flaws that need to be overcome for it to be a good idea:
>
> 1. Eliminate registration -- if you require wallet
>    registration, you enable centralization.
>
> 2. Eliminate NASCAR screens; don't allow verifiers to
>    pick/choose which wallets they accept. If you allow
>    either of these things to happen, you enable
>    centralization.
>
> 3. Eliminate the concept of "App Store"-like in-wallet
>    "Marketplaces". If you do this, you put issuers at a
>    natural disadvantage -- pay to play to get listed
>    in a wallet's "Marketplace".
>
> Rather than seeing solutions proposed to the problems above, the OpenID
> specifications seem to be doubling down on enabling the three items above.
>
> Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst
> solution for Verifiable Credential Exchange on the table today.
>
> That is not to say it can't be fixed, but I have yet to see a proposal that
> addresses all three items above.
>
>> There is a lot of "othering" of work that isn't CCG. Because that work is
>> less "pure".
>
> No, there are concerns related to the technical underpinnings of OpenID that
> lead to centralization that have yet to be addressed by the current proposals.
>
> The only Othering I'm seeing going on here is what you're doing. Casting some
> vague subset of the CCG as this irrational, web-only, not invented here,
> tribal silo and going after community volunteers that are not doing what you
> want or meeting on your schedule.
>
> I've known you for many years, Kaliya -- you're better than this and are
> usually a bridge builder and tireless advocate for open lines of
> communication. I know you're frustrated, we all are, but I don't think the way
> in which you've chosen to engage is going to result in what you want.
>
> Again, just my $0.02 as a community member.
>
> -- manu
>
Received on Friday, 18 March 2022 17:00:48 UTC