- From: Brian Richter <brian@aviary.tech>
- Date: Fri, 18 Mar 2022 11:29:09 -0700
- To: Dmitri Zagidulin <dzagidulin@gmail.com>
- Cc: Benjamin Goering <bengoering@gmail.com>, Manu Sporny <msporny@digitalbazaar.com>, Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAPUZd8vt==-hJxJDrpvJ9wRVtz-5HvvhhReEKvgV0aORR+Gy6A@mail.gmail.com>
Thank you Dmitri that does sound quite *dangerous*.

Ironic note: Ben's email you quoted was in my g suite spam folder.. Maybe the email protocol creators had a note about having an open mailbox leading to phishing attacks as well :)

On Fri, Mar 18, 2022 at 11:21 AM Dmitri Zagidulin <dzagidulin@gmail.com> wrote:

> > In your opinion, does SIOP help with the NASCAR problem?
>
> So, I can definitely speak to this -- No, SIOP does not solve the NASCAR problem, unfortunately. And this has to do with the limitation OS vendors enforce, both on mobile devices and on the desktop. There are two problems with the current `openid://` / custom protocol handler approach.
>
> 1. Terrible initial UX. Meaning, if a typical user clicks on an openid:// URL on the desktop or on mobile, and they don't have an app installed that handles it, NOTHING HAPPENS. Literally nothing happens. There's no smooth guiding to a marketplace to install a handler, or anything like that. But this is a minor inconvenience, compared to the next one.
>
> 2. If more than one app is registered as a handler for openid://, and a user clicks on the link, the behavior is *undefined* (at least on iOS).
>
> And this is a very well understood problem in the SIOP community -- if you look at the SIOP v2 spec, https://openid.net/specs/openid-connect-self-issued-v2-1_0-03.html#section-7.5.1 :
>
> "Usage of custom schemas [like openid://] as a way to invoke a Self-Issued OP may lead to phishing attacks and undefined behavior. ... Any malicious app can register the custom schema already used by another app, imitate the user interface and impersonate a good app. When more than one Self-issued OP with the same custom schema has been installed on one device, the behavior of Self-Issued OP is undefined."
>
> This is a huge problem, that the community is still struggling to solve.
>
> Dmitri
>
> On Fri, Mar 18, 2022 at 1:42 PM Benjamin Goering <bengoering@gmail.com> wrote:
>
>> In your opinion, does SIOP help with the NASCAR problem?
>>
>> I thought it would, e.g. we could replace the nascar labels with a QR code (that is also a clickable hyperlink) that encodes an `openid://` URI, which the end-user would hopefully be able to configure via their operating system (or maybe registerProtocolHandler <https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler>), or use their phone to take a photo and use a mobile wallet.
>>
>> So I was surprised to read your assessment that "None of the OpenID for Verifiable Credentials specifications solve that problem".
>>
>> What am I missing?
>>
>> On Mar 18, 2022, at 10:26 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>>
>> On 3/18/22 12:59 PM, Anders Rundgren wrote:
>>
>> Take Open Banking as example. How do you select bank when they count in the 100 000+ region? The Open ID foundation have solved this issue in a radical way: leave it to the market to figure out.
>>
>> Yep, exactly, Anders.
>>
>> This sort of "Let each Relying Party decide by picking a handful of big banks... 'cause we can't possibly fit them all on the same screen" approach is exactly what is being proposed w/ the OpenID for Verifiable Credentials work.
>>
>> "Let each website decide among all the wallet vendors on the planet! It's a market-driven approach!" will just turn into "Well, we can't go wrong with Apple Wallet, Google Wallet, and Microsoft Wallet, let's just support those to start" decisions being made at the Relying Party... and we all know where that story ends -- centralization -- we have years of data showing that it leads to centralization in social log in.
>>
>> ... which is why solving this problem is mandatory:
>>
>> 2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which wallets they accept. If you allow either of these things to happen, you enable centralization.
>>
>> None of the OpenID for Verifiable Credentials specifications solve that problem and without solving that problem, you have centralization in the ecosystem.
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> News: Digital Bazaar Announces New Case Studies (2021)
>> https://www.digitalbazaar.com/

Received on Friday, 18 March 2022 18:30:33 UTC