Re: Market Competition Considerations (was: Re: Centralization dangers of applying OpenID Connect to wallets protocols)

Thank you Manu, that helps clear some things up for me. I will continue to
chime in with my naive thoughts as it’s the only way to tease out some of
the tribal context I’m lacking.

I would also like to solve this problem now so I think my next steps will
be to spend some time playing with CHAPI so I can compare.

If anyone has a good demo authentication flow using CHAPI I’d love to take
a look.

Brian


On Sat, Mar 19, 2022 at 9:23 AM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 3/18/22 1:43 PM, Brian Richter wrote:
> > here are my first impressions of the answers to those questions with no
> > advocacy implied as I am just learning what this looks like myself.
>
> Brian, thank you for engaging in the discussion. Dmitri has already done an
> excellent job of pointing out where some of your thinking might not align
> with the reality of the specifications. Some higher-level responses to your
> questions below.
>
> > Is this going to be used by RPs to only allow pre-registered wallets to
> > authenticate? I don't think so
>
> I say this with respect -- on this particular point, you are being naive. :)
>
> I can tell you that "only allowing approved wallets via OpenID" is currently
> being proposed by some vendors in the SSI ecosystem to their customers.
>
> I do think it's being done in good faith -- "You don't want to just allow
> /any/ wallet to hold a credential, do you!?" -- the answer to that question
> should be "In general, yes, that's exactly what you want -- given the wallet
> has the features you need to ensure the safety of your credential -- such as
> being able to prove that it's using a Hardware Security Module and
> appropriate authentication to do key management."
>
> To put this in perspective... remember how horrible browser vendor detection
> was in the late 90s and early 00s, and how it contributed to one of the
> biggest anti-trust cases[1] in history against Microsoft? ... not to mention
> countless broken websites?
>
> We all learned from that... do browser /feature/ detection, don't do browser
> /vendor/ detection.
>
> The lesson here is: Do /wallet feature/ detection, don't do /wallet vendor/
> detection.
>
> > I believe on a long enough time scale this is largely solved by SIOP as it
> > becomes the only OIDC provider worth a damn.
>
> No, don't delay solving the problem, solve the problem NOW. I've heard that
> "just wait, OpenID will eventually solve the NASCAR problem" so many times...
> and the technology continues to fail to deliver on that promise. The current
> iteration is no different.
>
> CHAPI addresses the NASCAR problem *today* AND you can bootstrap into other
> protocols such as OIDC, DIDCommv2, VC-API, and VPR from it.
>
> > 3. Eliminate the concept of "App Store"-like in-wallet "Marketplaces". If
> > you do this, you put issuers at a natural disadvantage -- pay to play to
> > get listed in a wallet's "Marketplace".
> >
> > I don't think I understand this grievance :) It's still up to the RP to
> > choose what credentials they will trust.
>
> That's not the problem... the problem is from the opposite side. To state it
> another way:
>
> If you convince wallet vendors that the solution to the NASCAR problem is to
> just list every credential that is of interest to a holder /in the wallet
> UI/, then you put issuers at a disadvantage. How do people discover the
> issuer? If it's only through the wallet interface, then all of a sudden all
> of the issuers need to lobby wallet providers to get their credentials
> issued. If you give the wallet vendors that sort of power, market
> consolidation will result in issuers doing pay-to-play (like the
> music/streaming industry)... you get issuers paying wallet providers to
> include them in their searches and for search placement. Sounds like a pretty
> great business model -- I wonder if there's ever been a company to capitalize
> on that in an anti-competitive fashion. :P
>
> All this to say, we've provided strong guidance around security and privacy
> in both the Verifiable Credentials specification and the Decentralized
> Identifiers specification.
>
> We should think about providing some level of Market Competition Guidance
> since some of us seem to be marching into anti-competitive outcomes without
> much of a debate. Again, almost everyone is being well intentioned... but you
> know what they say about the road to hell. :P
>
> -- manu
>
> [1]https://en.wikipedia.org/wiki/United_States_v._Microsoft_Corp.
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>
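The "wallet feature detection, not wallet vendor detection" point in the quoted reply, shown as an added illustration that is not part of the thread and is not CHAPI, OpenID or any vendor's code. The wallet descriptor shape, the feature names ("hsm-backed-keys", "user-auth-for-key-use"), the vendor names and the `attestation_verified` flag are all constructed for this example; a real deployment would obtain the feature list from a verified attestation rather than trusting a self-declared claim, which is why unproven claims count as absent here.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WalletDescriptor:
    """Hypothetical capability statement a wallet presents to an issuer or RP.

    vendor:               who ships the wallet (irrelevant to a feature check)
    features:             capability names the wallet claims (constructed names)
    attestation_verified: whether those claims were proven, e.g. by a verified
                          HSM attestation (constructed flag for the example)
    """
    vendor: str
    features: frozenset
    attestation_verified: bool


# What the issuer actually needs to keep the credential safe (constructed names).
REQUIRED_FEATURES = frozenset({"hsm-backed-keys", "user-auth-for-key-use"})

# The anti-pattern from the thread: a pre-registered vendor allowlist.
APPROVED_VENDORS = frozenset({"VendorA", "VendorB"})


def vendor_detection_allows(wallet: WalletDescriptor) -> bool:
    """Anti-pattern: gate on who made the wallet, not on what it can do."""
    return wallet.vendor in APPROVED_VENDORS


def proven_features(wallet: WalletDescriptor) -> frozenset:
    """Only features backed by a verified attestation count; a bare claim is worth nothing."""
    return wallet.features if wallet.attestation_verified else frozenset()


def feature_detection_allows(wallet: WalletDescriptor,
                             required: frozenset = REQUIRED_FEATURES) -> bool:
    """Recommended pattern: admit any wallet that proves the required features."""
    return required <= proven_features(wallet)


def missing_features(wallet: WalletDescriptor,
                     required: frozenset = REQUIRED_FEATURES) -> list:
    """Which required features the wallet failed to prove (useful for a clear rejection reason)."""
    return sorted(required - proven_features(wallet))


# Constructed sample wallets chosen to expose the two failure modes of vendor allowlists.
SAMPLE_WALLETS = [
    # Approved vendor whose wallet does NOT use an HSM: the allowlist lets it through.
    WalletDescriptor("VendorA", frozenset({"user-auth-for-key-use"}), True),
    # Unknown newcomer that proves every required feature: the allowlist shuts it out.
    WalletDescriptor("NewcomerWallet", REQUIRED_FEATURES, True),
    # Approved vendor that merely claims the features with no verified attestation.
    WalletDescriptor("VendorB", REQUIRED_FEATURES, False),
]


def compare_policies(wallets=SAMPLE_WALLETS) -> list:
    """Return (vendor, allowed_by_vendor_check, allowed_by_feature_check, missing) per wallet."""
    return [
        (w.vendor, vendor_detection_allows(w), feature_detection_allows(w), missing_features(w))
        for w in wallets
    ]


if __name__ == "__main__":
    for vendor, by_vendor, by_feature, missing in compare_policies():
        print(f"{vendor:15} vendor-allowlist={str(by_vendor):5} "
              f"feature-check={str(by_feature):5} missing={missing}")
```

Running the block shows the two gaps side by side: the vendor allowlist admits an approved vendor's wallet that lacks HSM-backed keys (a security gap) and rejects a fully capable newcomer (the competition gap the thread is about), while the feature check gets both cases right and also refuses the wallet whose feature claims were never proven.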

Received on Saturday, 19 March 2022 18:16:01 UTC