Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 18 Mar 2022 17:59:33 +0100
Message-ID: <4fcc24a9-731f-af4e-142a-cc251465dfe8@gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>, public-credentials@w3.org
On 2022-03-18 17:46, Manu Sporny wrote:
> I'm taking all of my hats off and saying the rest as a "concerned citizen and
> computer scientist". Take it as personal commentary, for whatever that is worth.
> 
> I expect much of this to be controversial... and result in an unavoidable
> permathread. :)

You bet :)

> 
> TL;DR: It is hopelessly naive to think that OpenID Connect, THE protocol that
> centralized social login to 3-4 major tech companies, only requires "small
> changes" for self-sovereign identity and is a "doorway" we should gleefully
> step through.

Take Open Banking as an example. How do you select a bank when they count in the 100 000+ region?
The OpenID Foundation has solved this issue in a radical way: leave it to the market to figure out.

Thanx,
Anders


> 
> On 3/17/22 5:45 PM, Kaliya Identity Woman wrote:
>> Yes - and I agree with the note following this one on the thread that they
>> are meeting different needs use-cases.
> 
> It's all a matter of perspective, isn't it? :)
> 
> When you get down into the details, sure you can argue that some protocols are
> addressing different needs/use-cases, but it is also undeniable that every
> single one of the protocols can move a Verifiable Credential from point A to
> point B. In that way, they're directly competitive with one another. That's
> not an interesting debate, though; it's at the wrong level -- too meta.
> 
> What would be more beneficial is for someone to produce a pros/cons matrix
> like we did for "Protecting VCs using pure JSON JWTs vs. VC-JWTs vs. Linked
> Data Proofs":
> 
> https://w3c.github.io/vc-imp-guide/#benefits-of-jwts
> https://w3c.github.io/vc-imp-guide/#benefits-of-json-ld-and-ld-proofs
> 
> Until we get to that level of detail, I expect we'll not make much progress on
> the wallet protocols topic.
> 
>> The fact is that there is a huge opportunity to really leverage the "OIDC"
>> "doorways" that exist all over the web (a protocol that is literally used
>> a billion times a day...you know some real adoption) to exchange VCs - with
>> some small changes.
>>
>> AND people in this group seem to be "deathly afraid" of that work because
>> it isn't home grown here alone in isolation and focused on web only.
> 
> I... just... don't even know where to start. I disagree with every concept in
> the previous paragraph. :)
> 
> I can't speak for anyone else in this group, so I'll just speak for myself:
> 
> It is hopelessly naive to think that OpenID Connect, THE protocol that
> centralized social login to 3-4 major tech companies, only requires "small
> changes" for self-sovereign identity and is a "doorway" we should gleefully
> step through.
> 
> Login with Google/Facebook/Apple/Microsoft, those "billions of times a day"
> usages... are all coerced logins. We have no choice but to use the big tech
> vendors. That is not a world I want to contribute to.
> 
> We are not "focused on web only" here... though it is an effective "gotcha!"
> talking point that seems to not be questioned when uttered ("I mean... the
> word "WEB" is in World Wide Web Consortium! What else could they be up to over
> there!?"). The phrase is disingenuous, I really wish those uttering it would
> stop... but you can't blame them, it's an effective way to get people who
> don't know any better nodding in agreement with whatever "non-Web" thing
> you're going to say next.
> 
> I am "deathly afraid" of the work, because people are rushing into it without
> thinking deeply about the consequences. So, "Nope!":
> 
> I refuse to just go with the herd and gleefully re-cement centralization in
> this new generation of identity technologies.
> 
> I refuse to trust that things will be different this time because the same
> people that created OpenID Connect have learned their lessons and are doing
> things differently now.
> 
> ... and I refuse to accept your mischaracterization of this community, the
> good faith efforts that they've put forward to coordinate where they can, or
> why some of us remain sceptical of some of the other wallet protocol efforts
> going on right now.
> 
> It is possible for all of us, across all communities, to act in good faith and
> still disagree on the path forward.
> 
> I certainly don't think for a second that the vast majority of people involved
> in OpenID, DIF, CCG, IIW, or RWoT are acting in bad faith. Misguided, possibly
> (including myself!), but not this "Not Invented Here Tribalism" narrative that
> seems to be so popular. I see a bunch of people, across each "silo", doing
> their best to solve hard problems given all of the pressures of their work and
> home life. Full stop.
> 
> Going back to OpenID being applied to Verifiable Credential Exchange. There
> are three fatal flaws that need to be overcome for it to be a good idea:
> 
> 1. Eliminate registration -- if you require wallet
>     registration, you enable centralization.
> 
> 2. Eliminate NASCAR screens; don't allow verifiers to
>     pick/choose which wallets they accept. If you allow
>     either of these things to happen, you enable
>     centralization.
> 
> 3. Eliminate the concept of "App Store"-like in-wallet
>     "Marketplaces". If you do this, you put issuers at a
>     natural disadvantage -- pay to play to get listed
>     in a wallet's "Marketplace".
> 
> Rather than seeing solutions proposed to the problems above, the OpenID
> specifications seem to be doubling down on enabling the three items above.
> 
> Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst
> solution for Verifiable Credential Exchange on the table today.
> 
> That is not to say it can't be fixed, but I have yet to see a proposal that
> addresses all three items above.
> 
>> There is a lot of "othering" of work that isn't CCG. Because that work is
>> less "pure".
> 
> No, there are concerns related to the technical underpinnings of OpenID that
> lead to centralization that have yet to be addressed by the current proposals.
> 
> The only Othering I'm seeing going on here is what you're doing. Casting some
> vague subset of the CCG as this irrational, web-only, not invented here,
> tribal silo and going after community volunteers that are not doing what you
> want or meeting on your schedule.
> 
> I've known you for many years, Kaliya -- you're better than this and are
> usually a bridge builder and tireless advocate for open lines of
> communication. I know you're frustrated, we all are, but I don't think the way
> in which you've chosen to engage is going to result in what you want.
> 
> Again, just my $0.02 as a community member.
> 
> -- manu
> 
Received on Friday, 18 March 2022 17:00:48 UTC