
Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Fri, 18 Mar 2022 20:27:07 +0100
Message-ID: <eda53a9f-4598-312d-93fb-1ce1957d54d4@gmail.com>
To: dzagidulin@gmail.com, Benjamin Goering <bengoering@gmail.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, Credentials Community Group <public-credentials@w3.org>
On 2022-03-18 19:14, Dmitri Zagidulin wrote:
>  > In your opinion, does SIOP help with the NASCAR problem?
> 
> So, I can definitely speak to this -- No, SIOP does not solve the NASCAR problem, unfortunately. And this has to do with the limitation OS vendors enforce, both on mobile devices and on the desktop. There are two problems with the current `openid://` / custom protocol handler approach.
> 
> 1. Terrible initial UX. Meaning, if a typical user clicks on an openid:// URL on the desktop or on mobile, and they don't have an app installed that handles it, NOTHING HAPPENS. Literally nothing happens. There's no smooth guiding to a marketplace to install a handler, or anything like that. But this is a minor inconvenience, compared to the next one.
> 
> 2. If more than one app is registered as a handler for openid://, and a user clicks on the link, the behavior is /undefined/ (at least on IOS).
> And this is a very well understood problem in the SIOP community -- if you look at the SIOP v2 spec, https://openid.net/specs/openid-connect-self-issued-v2-1_0-03.html#section-7.5.1:
> "Usage of custom schemas [like openid://] as a way to invoke a Self-Issued OP may lead to phishing attacks and undefined behavior. ... Any malicious app can register the custom schema already used by another app, imitate the user interface and impersonate a good app. When more than one Self-issued OP with the same custom schema has been installed on one device, the behavior of Self-Issued OP is undefined."
> 
> This is a huge problem that the community is still struggling to solve.

According to the W3C TAG, calling native apps from the Web should be abolished. Effectively, WebAuthn is the only endorsed way to securely authenticate over the Web.

Equally problematic is the Mobile to Desktop/Web interface, where the W3C concluded that using WebAuthn + the device-specific cloud service + BLE (aka CABLE) is the way to go. I suggested years ago using NFC to deliver secure URLs, but the Web-NFC folks claimed that there is no valid use case, so for those who do not buy into WebAuthn, clunky and phishing-vulnerable QR codes are the only universal alternative. NFC has subsequently (and logically) been removed from the PC concept altogether.

Anders

> 
> Dmitri
> 
> 
> 
> On Fri, Mar 18, 2022 at 1:42 PM Benjamin Goering <bengoering@gmail.com> wrote:
> 
>     In your opinion, does SIOP help with the NASCAR problem?
> 
>     I thought it would, e.g. we could replace the nascar labels with a QR code (that is also a clickable hyperlink) that encodes an `openid://` URI, which the end-user would hopefully be able to configure via their operating system (or maybe registerProtocolHandler <https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler>), or use their phone to take a photo and use a mobile wallet.
> 
>     So I was surprised to read your assessment that "None of the OpenID for Verifiable Credentials specifications solve that problem".
> 
>     What am I missing?
> 
>>     On Mar 18, 2022, at 10:26 AM, Manu Sporny <msporny@digitalbazaar.com> wrote:
>>
>>     On 3/18/22 12:59 PM, Anders Rundgren wrote:
>>>     Take Open Banking as example.  How do you select bank when they count in
>>>     the 100 000+ region? The Open ID foundation have solved this issue in a
>>>     radical way: leave it to the market to figure out.
>>
>>     Yep, exactly, Anders.
>>
>>     This sort of "Let each Relying Party decide by picking a handful of big
>>     banks... 'cause we can't possibly fit them all on the same screen" approach is
>>     exactly what is being proposed w/ the OpenID for Verifiable Credentials work.
>>
>>     "Let the each website decide among all the wallet vendors on the planet! It's
>>     a market-driven approach!" will just turn into "Well, we can't go wrong with
>>     Apple Wallet, Google Wallet, and Microsoft Wallet, let's just support those to
>>     start" decisions being made at the Relying Party... and we all know where that
>>     story ends -- centralization -- we have years of data showing that it leads to
>>     centralization in social log in.
>>
>>     ... which is why solving this problem is mandatory:
>>
>>>     2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which
>>>     wallets they accept. If you allow either of these things to happen, you
>>>     enable centralization.
>>
>>     None of the OpenID for Verifiable Credentials specifications solve that
>>     problem and without solving that problem, you have centralization in the
>>     ecosystem.
>>
>>     -- manu
>>
>>     -- 
>>     Manu Sporny - https://www.linkedin.com/in/manusporny/
>>     Founder/CEO - Digital Bazaar, Inc.
>>     News: Digital Bazaar Announces New Case Studies (2021)
>>     https://www.digitalbazaar.com/
>>
> 
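The thread above turns on two technical facts about custom-scheme invocation: a web page can only claim schemes that the browser's `registerProtocolHandler` safelist allows (so `openid://` can be claimed only by native apps at the OS level, which is where the multiple-handler collision and impersonation risk lives), and a page that navigates to a custom-scheme URL gets no signal when no handler is installed, which is the "nothing happens" UX failure. The following is an added example written for this archive page, not code from any of the posters or from the SIOP specification. It models the safelist rule as the HTML Living Standard states it (the scheme list and `web+` rule are taken from the spec as I know it and may lag individual browsers), a simplified same-origin check on the handler URL template, and the timeout-based fallback a relying party would use to guide a user to install a wallet. `wallet.example` and the scheme names used as inputs are constructed sample values.

```javascript
// Added example: models why navigator.registerProtocolHandler() cannot
// claim "openid://" from a web page, and how a relying party detects
// the "no handler installed" case that the browser never reports.
// Assumptions: safelist per the HTML Living Standard at time of writing;
// browsers may differ. All sample schemes/URLs below are constructed.

// Schemes a web page may register for without a "web+" prefix.
const SAFELISTED_SCHEMES = new Set([
  'bitcoin', 'ftp', 'ftps', 'geo', 'im', 'irc', 'ircs', 'magnet', 'mailto',
  'matrix', 'mms', 'news', 'nntp', 'openpgp4fpr', 'sftp', 'sip', 'sms',
  'smsto', 'ssh', 'tel', 'urn', 'webcal', 'wtai', 'xmpp',
]);

// True if a web page could register itself as a handler for `scheme`.
// Anything else (including 'openid') can only be claimed by a native app
// at the OS level, where the collision/undefined-behaviour problem lives.
function isRegistrableScheme(scheme) {
  if (typeof scheme !== 'string') return false;
  const s = scheme.toLowerCase(); // the spec ASCII-lowercases the scheme first
  if (SAFELISTED_SCHEMES.has(s)) return true;
  // Custom schemes must be "web+" followed by one or more lowercase ASCII letters.
  return /^web\+[a-z]+$/.test(s);
}

// Simplified check of the handler URL template: it must contain "%s"
// (where the invoking URL is substituted) and resolve to the same origin
// as the registering page, otherwise the browser throws.
function isValidHandlerTemplate(template, pageOrigin) {
  if (typeof template !== 'string' || !template.includes('%s')) return false;
  let resolved;
  try {
    resolved = new URL(template.replace('%s', 'x'), pageOrigin);
  } catch {
    return false;
  }
  return resolved.origin === pageOrigin;
}

// Browser-only: attempt registration, returning a reason string instead
// of letting the API throw. In Node this returns 'unsupported'.
function tryRegister(scheme, template) {
  if (typeof navigator === 'undefined' || !navigator.registerProtocolHandler) {
    return 'unsupported';
  }
  if (!isRegistrableScheme(scheme)) return 'scheme-not-allowed';
  if (!isValidHandlerTemplate(template, location.origin)) return 'bad-template';
  navigator.registerProtocolHandler(scheme, template);
  return 'requested'; // the browser still asks the user before honouring it
}

// Browser-only: navigate to a custom-scheme URL and, since the browser
// reports nothing when no handler exists, call `onNoHandler` if the page
// is still visible and never lost focus after `timeoutMs`. The heuristic
// is imperfect (a handler may launch without taking focus), hence the
// generous default timeout.
function invokeWithFallback(customUrl, onNoHandler, timeoutMs = 2500) {
  let launched = false;
  const markLaunched = () => { launched = true; };
  window.addEventListener('blur', markLaunched, { once: true });
  document.addEventListener('visibilitychange', markLaunched, { once: true });
  window.location.href = customUrl;
  setTimeout(() => {
    if (!launched && document.visibilityState === 'visible') onNoHandler();
  }, timeoutMs);
}
```

`isRegistrableScheme('openid')` is false while `isRegistrableScheme('web+openid')` is true, which is the concrete reason a web wallet cannot compete with native apps for a bare `openid://` link; `invokeWithFallback` is the best a relying party can do about the "literally nothing happens" case, and it remains a guess rather than a signal from the platform.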
Received on Friday, 18 March 2022 19:28:22 UTC
