Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

> In your opinion, does SIOP help with the NASCAR problem?

So, I can definitely speak to this -- No, SIOP does not solve the NASCAR
problem, unfortunately. And this has to do with the limitation OS vendors
enforce, both on mobile devices and on the desktop. There are two problems
with the current `openid://` / custom protocol handler approach.

1. Terrible initial UX. Meaning, if a typical user clicks on an openid://
URL on the desktop or on mobile, and they don't have an app installed that
handles it, NOTHING HAPPENS. Literally nothing happens. There's no smooth
guiding to a marketplace to install a handler, or anything like that. But
this is a minor inconvenience, compared to the next one.

2. If more than one app is registered as a handler for openid://, and a
user clicks on the link, the behavior is *undefined* (at least on iOS).
And this is a very well understood problem in the SIOP community -- if you
look at the SIOP v2 spec,
https://openid.net/specs/openid-connect-self-issued-v2-1_0-03.html#section-7.5.1 :
"Usage of custom schemas [like openid://] as a way to invoke a Self-Issued
OP may lead to phishing attacks and undefined behavior. ... Any malicious
app can register the custom schema already used by another app, imitate the
user interface and impersonate a good app. When more than one Self-issued
OP with the same custom schema has been installed on one device, the
behavior of Self-Issued OP is undefined."

This is a huge problem that the community is still struggling to solve.

Dmitri



On Fri, Mar 18, 2022 at 1:42 PM Benjamin Goering <bengoering@gmail.com>
wrote:

> In your opinion, does SIOP help with the NASCAR problem?
>
> I thought it would, e.g. we could replace the nascar labels with a QR code
> (that is also a clickable hyperlink) that encodes an `openid://` URI,
> which the end-user would hopefully be able to configure via their operating
> system (or maybe registerProtocolHandler
> <https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler>),
> or use their phone to take a photo and use a mobile wallet.
>
> So I was surprised to read your assessment that "None of the OpenID for
> Verifiable Credentials specifications solve that problem".
>
> What am I missing?
>
> On Mar 18, 2022, at 10:26 AM, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
> On 3/18/22 12:59 PM, Anders Rundgren wrote:
>
> Take Open Banking as example.  How do you select bank when they count in
> the 100 000+ region? The Open ID foundation have solved this issue in a
> radical way: leave it to the market to figure out.
>
>
> Yep, exactly, Anders.
>
> This sort of "Let each Relying Party decide by picking a handful of big
> banks... 'cause we can't possibly fit them all on the same screen" approach
> is exactly what is being proposed w/ the OpenID for Verifiable Credentials
> work.
>
> "Let each website decide among all the wallet vendors on the planet! It's
> a market-driven approach!" will just turn into "Well, we can't go wrong
> with Apple Wallet, Google Wallet, and Microsoft Wallet, let's just support
> those to start" decisions being made at the Relying Party... and we all
> know where that story ends -- centralization -- we have years of data
> showing that it leads to centralization in social log in.
>
> ... which is why solving this problem is mandatory:
>
> 2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which
> wallets they accept. If you allow either of these things to happen, you
> enable centralization.
>
>
> None of the OpenID for Verifiable Credentials specifications solve that
> problem and without solving that problem, you have centralization in the
> ecosystem.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>

Received on Friday, 18 March 2022 18:20:23 UTC
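
An added example, not part of the original thread: the second problem described above (more than one app registered as a handler for `openid://`) can be detected from an app inventory, for instance on managed iOS devices, by reading each app's `Info.plist` and reporting every custom scheme declared by more than one bundle. The bundle identifiers and sample plists below are constructed for illustration.

```python
import plistlib
from collections import defaultdict


def claimed_schemes(info_plist: bytes) -> tuple[str, set[str]]:
    """Return (bundle id, custom URL schemes) declared in one Info.plist."""
    info = plistlib.loads(info_plist)
    schemes = set()
    for url_type in info.get("CFBundleURLTypes", []):
        for scheme in url_type.get("CFBundleURLSchemes", []):
            schemes.add(scheme.lower())  # URI schemes are case-insensitive
    return info.get("CFBundleIdentifier", "<unknown>"), schemes


def scheme_collisions(plists: list[bytes]) -> dict[str, list[str]]:
    """Map each scheme claimed by more than one app to the claiming bundle ids."""
    owners = defaultdict(set)
    for raw in plists:
        bundle_id, schemes = claimed_schemes(raw)
        for scheme in schemes:
            owners[scheme].add(bundle_id)
    return {s: sorted(ids) for s, ids in owners.items() if len(ids) > 1}


def _plist(bundle_id: str, schemes: list[str]) -> bytes:
    # Constructed sample data; the bundle ids are hypothetical.
    url_types = [{"CFBundleURLSchemes": schemes}] if schemes else []
    return plistlib.dumps(
        {"CFBundleIdentifier": bundle_id, "CFBundleURLTypes": url_types}
    )


SAMPLE_INVENTORY = [
    _plist("com.example.wallet-a", ["openid", "walleta"]),
    _plist("com.example.wallet-b", ["OpenID"]),  # same scheme, different case
    _plist("com.example.notes", ["notes"]),
    _plist("com.example.plain", []),             # declares no custom schemes
]

if __name__ == "__main__":
    for scheme, ids in scheme_collisions(SAMPLE_INVENTORY).items():
        print(f"{scheme}:// claimed by {len(ids)} apps: {', '.join(ids)}")
```

A collision report only shows that the scheme is contested; it cannot say which of the claiming apps the OS will actually launch.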