Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

Sorry for this long / ranty email on web platform capabilities... But
Anders' email triggered me :) ... mostly because of how right he is.

For folks wondering about web-nfc, and using it for general purpose
protocols beyond NDEF.... https://github.com/w3c/web-nfc/issues/578

WebNFC and WebBluetooth are both well supported by Chrome...  and
pretty much only Chrome.

- https://web.dev/nfc/ - https://caniuse.com/?search=nfc
- https://web.dev/bluetooth/ - https://caniuse.com/?search=bluetooth

Apple does not believe in many web standards, for privacy reasons... but
also its financially beneficial for them to drive developers to native
mobile apps.

-
https://linustechtips.com/topic/1334270-google-chromes-web-standards-lead-criticizes-apples-argument-that-web-apps-can-replace-iphone-apps/

Advertising is the life blood of the web (and mobile?) platform.

Google owns the web, and Apple owns mobile, they use standards
organizations to protect their existing positions and platforms, you can't
really blame them for this.

Chrome for Android does not let you block ads, I'm sure Safari mobile will
be instrumented similarly now that Apple and Google are going to be
competing in the mobile ads space.

FireFox for Android does allow you to block ads...  Although I'm not sure
for how much longer that will be the case, I'm sure turning off that
capability is worth enough to be sold for something... I don't envy
Mozilla's position competing against both Apple and Google, and with no
hardware footprint.

-
https://www.businessinsider.com/facebook-blames-apple-10-billion-loss-ad-privacy-warning-2022-2

-
https://www.forbes.com/sites/johnkoetsier/2021/10/19/apples-ad-network-is-the-biggest-beneficiary-of-apples-new-marketing-rules-report/?sh=4c978bc077a0

On my cynical days (like today), Standards are not built for "web users",
they are built for platform owners, and whoever owns the platform owns the
first party data from it, and the first opportunities to monetize that
data.... and they add new standards, when they think they can make more
money from them... or prevent a competitor from making money.

Imagine pitching universal ad blocking to the W3C... Imagine trying to
standardize a web browser feature that destroyed monetization capabilities
for first party platform providers... That would probably be a lot harder
than agreeing on how to destroy monetization capabilities for 3rd parties
or how to track users without 3rd party cookies, for the purpose of
authentication... https://www.w3.org/community/fed-id/

I would love to see the "web platform" be more decentralized, but I don't
think the current market trends are signaling that is the direction it is
headed.

You can't blame web browsers for seeking to protect their own interests, I
think the main problems arise when those same players that have dominance
in, for example, web platform, also have dominance in, for example, mobile
os platform, but the rent seeking / monetization opportunities in mobile
are better, it's hard to argue against financial forces of nature.

It takes time to invest in new standards, and add support for them, and you
have to ask why would a major software / hardware provider invest in
something which might harm their ability to compete.

And without support from the large players, how effective will a new web
standard be?
Sure you can make a new browser and add support for the feature, but if
nobody uses your browser, it's like the standard never existed.

With respect to Chrome, I have to say, I love it... and I love that Google
puts such effort into implementing new standards.

Google also benefits from implementing web standards more than any other
browser vendor, it's how they keep developers like myself singing their
praises on mailing lists like this :)

But I also fear that in the future, when Chrome has 99.9% of the browser
market, Google will think of Android the way that Apple thinks of iOS, and
the last and greatest open standards compliant web browser (Chrome) will be
used to funnel users out of the web platform into pay to play app stores,
and de facto monopolies built on hardware supply chain / firmware
control... where competition costs are insurmountable.

Long live the open, competitive, and at times deeply offensive and
unsuitable for ad monetization web platform that I grew up with.

OS


On Fri, Mar 18, 2022 at 2:30 PM Anders Rundgren <
anders.rundgren.net@gmail.com> wrote:

> On 2022-03-18 19:14, Dmitri Zagidulin wrote:
> >  > In your opinion, does SIOP help with the NASCAR problem?
> >
> > So, I can definitely speak to this -- No, SIOP does not solve the NASCAR
> problem, unfortunately. And this has to do with the limitation OS vendors
> enforce, both on mobile devices and on the desktop. There are two problems
> with the current `openid://` / custom protocol handler approach.
> >
> > 1. Terrible initial UX. Meaning, if a typical user clicks on an
> openid:// URL on the desktop or on mobile, and they don't have an app
> installed that handles it, NOTHING HAPPENS. Literally nothing happens.
> There's no smooth guiding to a marketplace to install a handler, or
> anything like that. But this is a minor inconvenience, compared to the next
> one.
> >
> > 2. If more than one app is registered as a handler for openid://, and a
> user clicks on the link, the behavior is /undefined/ (at least on IOS).
> > And this is a very well understood problem in the SIOP community -- if
> you look at the SIOP v2 spec,
> https://openid.net/specs/openid-connect-self-issued-v2-1_0-03.html#section-7.5.1
> <
> https://openid.net/specs/openid-connect-self-issued-v2-1_0-03.html#section-7.5.1
> >:
> > "Usage of custom schemas [like openid://] as a way to invoke a
> Self-Issued OP may lead to phishing attacks and undefined behavior. ... Any
> malicious app can register the custom schema already used by another app,
> imitate the user interface and impersonate a good app. When more than one
> Self-issued OP with the same custom schema has been installed on one
> device, the behavior of Self-Issued OP is undefined."
> >
> > This is a huge problem, that the community is still strugglign to solve.
>
> According to the W3C TAG, calling native apps from the Web should be
> abolished.  Effectively WebAuthn is the only endorsed way to securely
> authenticate over the Web.
>
> Equally problematic is the Mobile to Desktop/Web interface where the W3C
> concluded that using WebAuthn + the device-specific cloud service + BLE
> (aka CABLE) is the way to go. I suggested years ago using NFC to deliver
> secure URLs but the Web-NFC folks claimed that there is no valid use case
> so for those who do not buy into WebAuthn, clunky and phishing-vulnerable
> QR code is the only universal alternative.  NFC has subsequently (and
> logically) been removed from the PC concept altogether.
>
> Anders
>
> >
> > Dmitri
> >
> >
> >
> > On Fri, Mar 18, 2022 at 1:42 PM Benjamin Goering <bengoering@gmail.com
> <mailto:bengoering@gmail.com>> wrote:
> >
> >     In your opinion, does SIOP help with the NASCAR problem?
> >
> >     I thought it would, e.g. we could replace the nascar labels with a
> QR code (that is also a clickable hyperlink) that encodes an `openid://`
> URI, which the end-user would hopefully be able to configure via their
> operating system (or maybe registerProtocolHandler <
> https://developer.mozilla.org/en-US/docs/Web/API/Navigator/registerProtocolHandler>),
> or use their phone to take a photo and use a mobile wallet.
> >
> >     So I was surprised to read your assessment that ’None of the OpenID
> for Verifiable Credentials specifications solve that problem”.
> >
> >     What am I missing?
> >
> >>     On Mar 18, 2022, at 10:26 AM, Manu Sporny <
> msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com>> wrote:
> >>
> >>     On 3/18/22 12:59 PM, Anders Rundgren wrote:
> >>>     Take Open Banking as example.  How do you select bank when they
> count in
> >>>     the 100 000+ region? The Open ID foundation have solved this issue
> in a
> >>>     radical way: leave it to the market to figure out.
> >>
> >>     Yep, exactly, Anders.
> >>
> >>     This sort of "Let each Relying Party decide by picking a handful of
> big
> >>     banks... 'cause we can't possibly fit them all on the same screen"
> approach is
> >>     exactly what is being proposed w/ the OpenID for Verifiable
> Credentials work.
> >>
> >>     "Let the each website decide among all the wallet vendors on the
> planet! It's
> >>     a market-driven approach!" will just turn into "Well, we can't go
> wrong with
> >>     Apple Wallet, Google Wallet, and Microsoft Wallet, let's just
> support those to
> >>     start" decisions being made at the Relying Party... and we all know
> where that
> >>     story ends -- centralization -- we have years of data showing that
> it leads to
> >>     centralization in social log in.
> >>
> >>     ... which is why solving this problem is mandatory:
> >>
> >>>     2. Eliminate NASCAR screens; don't allow verifiers to pick/choose
> which
> >>>     wallets they accept. If you allow either of these things to
> happen, you
> >>>     enable centralization.
> >>
> >>     None of the OpenID for Verifiable Credentials  specifications solve
> that
> >>     problem and without solving that problem, you have centralization
> in the
> >>     ecosystem.
> >>
> >>     -- manu
> >>
> >>     --
> >>     Manu Sporny - https://www.linkedin.com/in/manusporny/ <
> https://www.linkedin.com/in/manusporny/>
> >>     Founder/CEO - Digital Bazaar, Inc.
> >>     News: Digital Bazaar Announces New Case Studies (2021)
> >>     https://www.digitalbazaar.com/ <https://www.digitalbazaar.com/>
> >>
> >
>
>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>