Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

In your opinion, does SIOP help with the NASCAR problem?

I thought it would, e.g. we could replace the NASCAR labels with a QR code (that is also a clickable hyperlink) that encodes an `openid://` URI, which the end-user would hopefully be able to configure via their operating system (or maybe registerProtocolHandler <https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler>), or use their phone to take a photo and use a mobile wallet.

So I was surprised to read your assessment that "None of the OpenID for Verifiable Credentials specifications solve that problem".

What am I missing?

> On Mar 18, 2022, at 10:26 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
> On 3/18/22 12:59 PM, Anders Rundgren wrote:
>> Take Open Banking as an example. How do you select a bank when they count in
>> the 100 000+ region? The OpenID Foundation has solved this issue in a
>> radical way: leave it to the market to figure out.
> 
> Yep, exactly, Anders.
> 
> This sort of "Let each Relying Party decide by picking a handful of big
> banks... 'cause we can't possibly fit them all on the same screen" approach is
> exactly what is being proposed w/ the OpenID for Verifiable Credentials work.
> 
> "Let each website decide among all the wallet vendors on the planet! It's
> a market-driven approach!" will just turn into "Well, we can't go wrong with
> Apple Wallet, Google Wallet, and Microsoft Wallet, let's just support those to
> start" decisions being made at the Relying Party... and we all know where that
> story ends -- centralization -- we have years of data showing that it leads to
> centralization in social login.
> 
> ... which is why solving this problem is mandatory:
> 
>> 2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which 
>> wallets they accept. If you allow either of these things to happen, you 
>> enable centralization.
> 
> None of the OpenID for Verifiable Credentials specifications solve that
> problem and without solving that problem, you have centralization in the
> ecosystem.
> 
> -- manu
> 
> -- 
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
> 

Received on Friday, 18 March 2022 17:40:09 UTC