- From: Dmitri Zagidulin <dzagidulin@gmail.com>
- Date: Fri, 18 Mar 2022 19:19:57 -0400
- To: Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CANnQ-L55JxQFt2e-eLXUXgqG13p-osxLmB5vGB1NnSUnb7t75A@mail.gmail.com>
Manu, thank you for bringing up this issue and starting this thread! So many excellent points raised so far. I also want to add my thoughts on this thread -- like many of you, I care a lot about the decentralized identity space, and I'm very familiar with both the OpenID Protocol, the current work being done for SIOP v2 / OIDC4VP, as well as competing identity and VC-related protocols (DIF's Presentation Exchange, VC-API, CHAPI, etc.).

Do I agree with Manu that OIDC, as currently spec'd and implemented, exerts a centralizing / monopolizing pressure, as a protocol? Well, I think it's important to differentiate between two different use cases. One is OIDC for humans looking at UI screens (mobile apps, web browsers, etc.). And two, machine-to-machine VC exchanges between a limited pool of well-known parties (like those being used in the Traceability space).

1) In the first case, for general consumer usage (humans looking at UI screens)?

I think that OIDC/SIOP is basically unusable without something like CHAPI or a similar community mediator to perform wallet selection. And not just unusable, but also kind of dangerous, and it does exert a centralizing pressure.

That said, I do think that OIDC can be incredibly powerful for general consumer use. This is why I based the design of the Solid Project's authentication system on OIDC (except it's only really usable when used in combination with CHAPI's wallet picker), and why I'll be working on single-sign-on DID auth for VR worlds using OIDC + CHAPI. I do genuinely hope that, with some combination of legislative and market pressure, we can influence browser and OS manufacturers to add a (user-controlled!) wallet picker primitive. (Although, as Orie points out, I do also see that there are very strong monopoly-capitalism forces at play that work _against_ that happening.)

2) In the second case, for machine-to-machine VC exchanges?

I think OIDC is fine (and takes advantage of existing infrastructure), and is no more or less centralizing than other protocols (especially if combined with Dynamic Registration). HOWEVER -- I do think that in terms of protocol capabilities, OIDC is much more limited, as compared to DIF PEx or VC-API. Specifically, the latter two have provisions for multiple-round interactive issuing workflows (as described in https://github.com/w3c-ccg/vc-api/issues/245), and OIDC very much does not. But at least it's usable (which is why so many of our peers are using OIDC for this very case).
Received on Friday, 18 March 2022 23:21:26 UTC