W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Brian Richter <brian@aviary.tech>
Date: Fri, 18 Mar 2022 10:43:53 -0700
Message-ID: <CAPUZd8vbhnrO7kQSYa3-XAGgOGwVFU0RCLwY83YP3SXdsu4=9A@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Manu,

Thanks for this. I was going to respond to you individually and ask if
OpenID was what you were referring to as "dangerous". I have been spending
time the last week understanding the SIOP flow and reading the latest spec.
I'm not sure how up to date on it you or the rest of the community are but
here is my first impressions of the answers to those questions with no
advocacy implied as I am just learning what this looks like myself. I am
not an expert so take these comments with a grain of salt.

1. Eliminate registration -- if you require wallet
>    registration, you enable centralization.


There is a lot of talk in the spec about not being able to register the
wallet, and having the Relying Party using static metadata. This forces
certain constraints of course but I'm ok with the decisions they've made on
those constraints. I personally read these sections and figured "ok i'll be
doing this static metadata flow and ignoring the rest" but maybe that's a
flawed thought process. Is this going to be used by RPs to only allow
pre-registered wallets to authenticate? I don't think so

2. Eliminate NASCAR screens; don't allow verifiers to
>    pick/choose which wallets they accept. If you allow
>    either of these things to happen, you enable
>    centralization.


I believe on a long enough time scale this is largely solved by SIOP as it
becomes the only OIDC provider worth a damn. So eventually I see RPs only
enabling this one method and removing the nascar screen entirely. This of
course means people need to have credentials they can authenticate with..
Disappearance of the Nascar screen might be a longer time frame than we
would all like to see but the alternative of forcing a new authentication
method on the web is also too long for us impatient folks. The fact of the
matter is the majority of the world's population are not technical in
authentication technologies so there simply isn't the demand for this stuff
that will move the needle as quickly as we want/need. I see SIOP as a
worthwhile PsyOp.. It helps us capture a large market that will be
otherwise reluctant to larger changes required to implement what we are
building. Maybe there are still changes that need to be made to fully solve
the centralization problems but in my early studying of the work I don't
see the flow to be

3. Eliminate the concept of "App Store"-like in-wallet
>    "Marketplaces". If you do this, you put issuers at a
>    natural disadvantage -- pay to play to get listed
>    in a wallet's "Marketplace".


I don't think I understand this grievance :)

SIOP allows any credential from any wallet to be presented no different
than the other methods we are building. They are all quite similar
request/response flows with their different flavours. It's still up to the
RP to choose what credentials they will trust.

Please all, point out where I am wrong and what I am missing. If I have
blindspots in my thinking, I'd like to hear what they are.

Thanks,
Brian

On Fri, Mar 18, 2022 at 10:28 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 3/18/22 12:59 PM, Anders Rundgren wrote:
> > Take Open Banking as example.  How do you select bank when they count in
> > the 100 000+ region? The Open ID foundation have solved this issue in a
> > radical way: leave it to the market to figure out.
>
> Yep, exactly, Anders.
>
> This sort of "Let each Relying Party decide by picking a handful of big
> banks... 'cause we can't possibly fit them all on the same screen"
> approach is
> exactly what is being proposed w/ the OpenID for Verifiable Credentials
> work.
>
> "Let the each website decide among all the wallet vendors on the planet!
> It's
> a market-driven approach!" will just turn into "Well, we can't go wrong
> with
> Apple Wallet, Google Wallet, and Microsoft Wallet, let's just support
> those to
> start" decisions being made at the Relying Party... and we all know where
> that
> story ends -- centralization -- we have years of data showing that it
> leads to
> centralization in social log in.
>
> ... which is why solving this problem is mandatory:
>
> > 2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which
> > wallets they accept. If you allow either of these things to happen, you
> > enable centralization.
>
> None of the OpenID for Verifiable Credentials  specifications solve that
> problem and without solving that problem, you have centralization in the
> ecosystem.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
Received on Friday, 18 March 2022 17:44:18 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:29 UTC