Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

Quick clarification question --

> SIOP currently supports multiple ways to invoke / send a request to a
wallet to ask for presentation of credentials

Can you say more about those multiple ways? If I'm understanding correctly,
there is just one mechanism that SIOP supports, and that is through a
custom url protocol link. Is that not the case?


On Sat, Mar 19, 2022 at 6:30 PM Tobias Looker <tobias.looker@mattr.global>
wrote:

> Thanks Dmitri, appreciate the clarification, would it be sufficient to
> summarize this as follows?
>
> SIOP currently supports multiple ways to invoke / send a request to a
> wallet to ask for presentation of credentials, however when the relying
> party is a website, without a consistent *browser style* mediation layer
> that allows an End-User to register what wallets they use like in CHAPI, it
> does not meet the "open wallet ecosystem" goal?
>
> The reason I added the caveat "when the relying party is a website" here,
> is how does CHAPI help achieve an "open wallet ecosystem" when you are
> doing a cross device presentation (e.g in-person)? IMO it doesn't which
> highlights the fact we perhaps need to be clearer about what user journeys
> we are talking about when.
>
> Also I think the importance of the existence of a mediation layer like
> CHAPI is different in credential presentation flows vs issuance flows, for
> example in issuance, a CHAPI mediation layer is only used if you start from
> the issuers website AND your wallet is installed on the same device and you
> need some way to invoke it.
>
> Thanks,
>
> [image: Mattr website]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0>
>
>
>
> *Tobias Looker*
>
> MATTR
> CTO
>
> +64 (0) 27 378 0461
> tobias.looker@mattr.global
>
> [image: Mattr website]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0>
>
> [image: Mattr on LinkedIn]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1SbN9fvNg%26u%3Dhttps%253a%252f%252fwww.linkedin.com%252fcompany%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076719975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=t%2BidOI32oaKuTJf1AkcG%2B%2FirIJwbrgzXVZnjOAC52Hs%3D&reserved=0>
>
> [image: Mattr on Twitter]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WdMte6ZA%26u%3Dhttps%253a%252f%252ftwitter.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BD9WWyXEjVGlbpbCja93yW%2FzLJZpe%2Ff8lGooe8V6i7w%3D&reserved=0>
>
> [image: Mattr on Github]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiWwGdMoDtMw%26u%3Dhttps%253a%252f%252fgithub.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=4AhRuXZCnU5i3hcngo4H3UiNayYUtXpRcImV4slS1mw%3D&reserved=0>
>
>
> This communication, including any attachments, is confidential. If you are
> not the intended recipient, you should not read it - please contact me
> immediately, destroy it, and do not copy or use any part of this
> communication or disclose anything about it. Thank you. Please note that
> this communication does not designate an information system for the
> purposes of the Electronic Transactions Act 2002.
>
> ------------------------------
> *From:* Dmitri Zagidulin <dzagidulin@gmail.com>
> *Sent:* 20 March 2022 11:05
> *To:* Tobias Looker <tobias.looker@mattr.global>
> *Cc:* Manu Sporny <msporny@digitalbazaar.com>; public-credentials@w3.org <
> public-credentials@w3.org>
> *Subject:* Re: Centralization dangers of applying OpenID Connect to
> wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap
> [DRAFT])
>
> EXTERNAL EMAIL: This email originated outside of our organisation. Do not
> click links or open attachments unless you recognise the sender and know
> the content is safe.
>
> > Can you elaborate on this, DW looks to have already elaborated on the
> multiple different mechanisms for sending a credential presentation request
> to a wallet that supports SIOP
>
> Hang on a sec :) I deeply, deeply respect DW's expertise in this (and
> yours as well, Tobias), and I'm confident that in general, given time and
> effort (technical and political), we as a community can steer all of this
> in the right direction.
> But I'm not sure that "there's different mechanisms for sending VPs/VPRs
> to a SIOP wallet" is a fair reading of what DW said.
>
> Earlier, responding to my lament that openid:// custom protocol handling
> is not very well supported by OS vendors, DW said: "To be honest, I don't
> see this being solved without a first-class interface for javascript and
> native apps, similar to what WebAuthn has created for pure authentication
> credentials."
> And later in that same reply, "Today, the best pitch we have (other than
> scanning a QR code with your chosen wallet on another device) is app links
> maintained by a trust framework.".
>
> Which, as far as I know, we don't really have one of those (an app link
> mediated by a trust framework). (Other than CHAPI's mediator.)
> And scanning QR codes, aside from the fact that this only works across
> devices, and not within the same device, is a very limited mechanism
> (because, again, of custom url protocol problems, and other issues which I
> pointed out in my QR Codes + Wallets presentation
> <https://docs.google.com/presentation/d/1ki2VMtW1yZnWlomyeoYCIfrkLhb2Qb7Kb5sNQOiLYnY/edit#slide=id.p>
> to DIF Interop).
>
> So, I would still maintain, than until this problem is solved, SIOP is
> basically unusable, for getting VCs/VPs into wallets.
>
>
> On Sat, Mar 19, 2022 at 5:33 PM Tobias Looker <tobias.looker@mattr.global>
> wrote:
>
> > CHAPI and DIDCommv2 have answers to these questions... I have yet to
> hear how
> OpenID provides the same "open wallet ecosystem".
>
> Can you elaborate on this, DW looks to have already elaborated on the
> multiple different mechanisms for sending a credential presentation request
> to a wallet that supports SIOP and I have responded to the concerns you
> have raised about the role of the client in the issuance stage, explaining
> its purpose. You have not explained what the criteria is that a technical
> protocol must meet to be considered supporting an "open wallet ecosystem"
> nor why CHAPI and DIDCommv2 appear to meet this bar when the OpenID
> protocols do not.
>
> Across all of these threads we appear to be wildly jumping from
> considerations as they apply to credential issuance protocols and then as
> they apply to credential presentation protocols. It would be helpful when
> raising concerns to frame them more in the context of where they apply.
>
> Thanks,
>
> [image: Mattr website]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0>
>
>
>
> *Tobias Looker*
>
> MATTR
> CTO
>
> +64 (0) 27 378 0461
> tobias.looker@mattr.global
>
> [image: Mattr website]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0>
>
> [image: Mattr on LinkedIn]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1SbN9fvNg%26u%3Dhttps%253a%252f%252fwww.linkedin.com%252fcompany%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076719975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=t%2BidOI32oaKuTJf1AkcG%2B%2FirIJwbrgzXVZnjOAC52Hs%3D&reserved=0>
>
> [image: Mattr on Twitter]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WdMte6ZA%26u%3Dhttps%253a%252f%252ftwitter.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BD9WWyXEjVGlbpbCja93yW%2FzLJZpe%2Ff8lGooe8V6i7w%3D&reserved=0>
>
> [image: Mattr on Github]
> <https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiWwGdMoDtMw%26u%3Dhttps%253a%252f%252fgithub.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=4AhRuXZCnU5i3hcngo4H3UiNayYUtXpRcImV4slS1mw%3D&reserved=0>
>
>
> This communication, including any attachments, is confidential. If you are
> not the intended recipient, you should not read it - please contact me
> immediately, destroy it, and do not copy or use any part of this
> communication or disclose anything about it. Thank you. Please note that
> this communication does not designate an information system for the
> purposes of the Electronic Transactions Act 2002.
>
> ------------------------------
> *From:* Manu Sporny <msporny@digitalbazaar.com>
> *Sent:* 20 March 2022 04:54
> *To:* public-credentials@w3.org <public-credentials@w3.org>
> *Subject:* Re: Centralization dangers of applying OpenID Connect to
> wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap
> [DRAFT])
>
> EXTERNAL EMAIL: This email originated outside of our organisation. Do not
> click links or open attachments unless you recognise the sender and know
> the content is safe.
>
>
> On 3/18/22 1:43 PM, David Chadwick wrote:
> > Perhaps you are forgetting eIDASv2 which will require every EU country to
> > make the eIDAS wallet available to all EU citizens.
>
> Some of us live in countries where there will be wallet competition and the
> state won't be providing a digital wallet to all citizens. What then? How
> is
> the holder's choice respected in those scenarios?
>
> CHAPI and DIDCommv2 have answers to these questions... I have yet to hear
> how
> OpenID provides the same "open wallet ecosystem".
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
>
>
>

Received on Saturday, 19 March 2022 22:47:57 UTC