
Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Dmitri Zagidulin <dzagidulin@gmail.com>
Date: Sat, 19 Mar 2022 18:05:30 -0400
Message-ID: <CANnQ-L4qb=ur=paM0WPK5Qg7ioaGE8=0uMDkF1yMo48ZraHVzA@mail.gmail.com>
To: Tobias Looker <tobias.looker@mattr.global>
Cc: Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
> Can you elaborate on this, DW looks to have already elaborated on the
> multiple different mechanisms for sending a credential presentation request
> to a wallet that supports SIOP

Hang on a sec :) I deeply, deeply respect DW's expertise in this (and yours
as well, Tobias), and I'm confident that in general, given time and effort
(technical and political), we as a community can steer all of this in the
right direction.
But I'm not sure that "there's different mechanisms for sending VPs/VPRs to
a SIOP wallet" is a fair reading of what DW said.

Earlier, responding to my lament that openid:// custom protocol handling is
not very well supported by OS vendors, DW said: "To be honest, I don't see
this being solved without a first-class interface for javascript and native
apps, similar to what WebAuthn has created for pure authentication
credentials."
And later in that same reply, "Today, the best pitch we have (other than
scanning a QR code with your chosen wallet on another device) is app links
maintained by a trust framework."

Which, as far as I know, we don't really have (an app link mediated by a
trust framework), other than CHAPI's mediator.
And scanning QR codes, aside from the fact that this only works across
devices, and not within the same device, is a very limited mechanism
(because, again, of custom url protocol problems, and other issues which I
pointed out in my QR Codes + Wallets presentation
<https://docs.google.com/presentation/d/1ki2VMtW1yZnWlomyeoYCIfrkLhb2Qb7Kb5sNQOiLYnY/edit#slide=id.p>
to DIF Interop).

So, I would still maintain that, until this problem is solved, SIOP is
basically unusable for getting VCs/VPs into wallets.


On Sat, Mar 19, 2022 at 5:33 PM Tobias Looker <tobias.looker@mattr.global>
wrote:

> > CHAPI and DIDCommv2 have answers to these questions... I have yet to
> hear how
> OpenID provides the same "open wallet ecosystem".
>
> Can you elaborate on this, DW looks to have already elaborated on the
> multiple different mechanisms for sending a credential presentation request
> to a wallet that supports SIOP and I have responded to the concerns you
> have raised about the role of the client in the issuance stage, explaining
> its purpose. You have not explained what the criteria is that a technical
> protocol must meet to be considered supporting an "open wallet ecosystem"
> nor why CHAPI and DIDCommv2 appear to meet this bar when the OpenID
> protocols do not.
>
> Across all of these threads we appear to be wildly jumping from
> considerations as they apply to credential issuance protocols and then as
> they apply to credential presentation protocols. It would be helpful when
> raising concerns to frame them more in the context of where they apply.
>
> Thanks,
>
> *Tobias Looker*
>
> MATTR
> CTO
>
> +64 (0) 27 378 0461
> tobias.looker@mattr.global
> ------------------------------
> *From:* Manu Sporny <msporny@digitalbazaar.com>
> *Sent:* 20 March 2022 04:54
> *To:* public-credentials@w3.org <public-credentials@w3.org>
> *Subject:* Re: Centralization dangers of applying OpenID Connect to
> wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap
> [DRAFT])
>
> On 3/18/22 1:43 PM, David Chadwick wrote:
> > Perhaps you are forgetting eIDASv2 which will require every EU country to
> > make the eIDAS wallet available to all EU citizens.
>
> Some of us live in countries where there will be wallet competition and the
> state won't be providing a digital wallet to all citizens. What then? How
> is
> the holder's choice respected in those scenarios?
>
> CHAPI and DIDCommv2 have answers to these questions... I have yet to hear
> how
> OpenID provides the same "open wallet ecosystem".
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>
Received on Saturday, 19 March 2022 22:07:00 UTC