Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

I want to echo Manu’s concerns and go a bit further in the analysis of
drivers of centralization by looking at “platforms” as a concept.

Platforms promote centralization at different layers:
- authentication (SSI or IdP)
- storage (hubs, registries)
- authorization policy (social networks)
- search (directories)
- governance (Apple as a privacy brand)
- transport (how many metaverses will there be?)

I think it’s shortsighted to focus on OIDC and wallets, just as it’s
shortsighted to think that EDVs are much of a solution to centralization.
If we’re serious about decentralization we should not be playing
whack-a-mole based on various well-intentioned but distracting sponsorships
and business models. We need to be designing the commons that we’re being
denied today.

Adrian

On Fri, Mar 18, 2022 at 11:44 AM Brian Richter <brian@aviary.tech> wrote:

> Manu,
>
> Thanks for this. I was going to respond to you individually and ask if
> OpenID was what you were referring to as "dangerous". I have been spending
> time the last week understanding the SIOP flow and reading the latest spec.
> I'm not sure how up to date on it you or the rest of the community are, but
> here are my first impressions of the answers to those questions, with no
> advocacy implied as I am just learning what this looks like myself. I am
> not an expert, so take these comments with a grain of salt.
>
>> 1. Eliminate registration -- if you require wallet
>>    registration, you enable centralization.
>
>
> There is a lot of talk in the spec about not being able to register the
> wallet, and having the Relying Party use static metadata. This forces
> certain constraints of course, but I'm ok with the decisions they've made on
> those constraints. I personally read these sections and figured "ok, I'll be
> doing this static metadata flow and ignoring the rest", but maybe that's a
> flawed thought process. Is this going to be used by RPs to only allow
> pre-registered wallets to authenticate? I don't think so.
>
>> 2. Eliminate NASCAR screens; don't allow verifiers to
>>    pick/choose which wallets they accept. If you allow
>>    either of these things to happen, you enable
>>    centralization.
>
>
> I believe on a long enough time scale this is largely solved by SIOP as it
> becomes the only OIDC provider worth a damn. So eventually I see RPs only
> enabling this one method and removing the NASCAR screen entirely. This of
> course means people need to have credentials they can authenticate with.
> Disappearance of the NASCAR screen might be a longer time frame than we
> would all like to see, but the alternative of forcing a new authentication
> method on the web is also too long for us impatient folks. The fact of the
> matter is the majority of the world's population are not technical in
> authentication technologies, so there simply isn't the demand for this stuff
> that will move the needle as quickly as we want/need. I see SIOP as a
> worthwhile PsyOp. It helps us capture a large market that will be
> otherwise reluctant to the larger changes required to implement what we are
> building. Maybe there are still changes that need to be made to fully solve
> the centralization problems, but in my early studying of the work I don't
> see the flow to be
>
>> 3. Eliminate the concept of "App Store"-like in-wallet
>>    "Marketplaces". If you do this, you put issuers at a
>>    natural disadvantage -- pay to play to get listed
>>    in a wallet's "Marketplace".
>
>
> I don't think I understand this grievance :)
>
> SIOP allows any credential from any wallet to be presented, no different
> than the other methods we are building. They are all quite similar
> request/response flows with their different flavours. It's still up to the
> RP to choose which credentials they will trust.
>
> Please all, point out where I am wrong and what I am missing. If I have
> blindspots in my thinking, I'd like to hear what they are.
>
> Thanks,
> Brian
>
> On Fri, Mar 18, 2022 at 10:28 AM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On 3/18/22 12:59 PM, Anders Rundgren wrote:
>> > Take Open Banking as an example. How do you select a bank when they count
>> > in the 100 000+ region? The OpenID Foundation has solved this issue in a
>> > radical way: leave it to the market to figure out.
>>
>> Yep, exactly, Anders.
>>
>> This sort of "Let each Relying Party decide by picking a handful of big
>> banks... 'cause we can't possibly fit them all on the same screen"
>> approach is exactly what is being proposed w/ the OpenID for Verifiable
>> Credentials work.
>>
>> "Let each website decide among all the wallet vendors on the planet! It's
>> a market-driven approach!" will just turn into "Well, we can't go wrong
>> with Apple Wallet, Google Wallet, and Microsoft Wallet, let's just support
>> those to start" decisions being made at the Relying Party... and we all
>> know where that story ends -- centralization -- we have years of data
>> showing that it leads to centralization in social login.
>>
>> ... which is why solving this problem is mandatory:
>>
>> > 2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which
>> > wallets they accept. If you allow either of these things to happen, you
>> > enable centralization.
>>
>> None of the OpenID for Verifiable Credentials specifications solve that
>> problem, and without solving that problem, you have centralization in the
>> ecosystem.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> News: Digital Bazaar Announces New Case Studies (2021)
>> https://www.digitalbazaar.com/
>>
>>

Received on Friday, 18 March 2022 18:01:01 UTC