RE: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

Related to that, EBSI's "Verifiable Exchange Scenarios" are a useful
guideline:

https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/EBSI+Verifiable+Presentation+Exchange+Guidelines#EBSIVerifiablePresentationExchangeGuidelines-VerifiablePresentationExchangeScenarios

 

Similar to what Tobias said, I cannot see how CHAPI can be used in use cases
B and C.

 

Best,

Nikos

 

From: Tobias Looker <tobias.looker@mattr.global> 
Sent: Sunday, March 20, 2022 12:53 AM
To: dzagidulin@gmail.com
Cc: Manu Sporny <msporny@digitalbazaar.com>; public-credentials@w3.org
Subject: Re: Centralization dangers of applying OpenID Connect to wallets
protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

 

> Can you say more about those multiple ways? If I'm understanding
> correctly, there is just one mechanism that SIOP supports, and that is
> through a custom url protocol link. Is that not the case?

 

I guess it depends on what you constitute as being different in this
context? What I meant here was the options that DW listed.

 

1. Local Invocation via URL schemes or platform-registered HTTPS URL (e.g.
universal links, app links)

2. Cross-device Invocation via QR code holding above initiation URL

3. Cross-device invocation via wallet QR code reader

 

Thanks,


 

 


Tobias Looker
MATTR
CTO
+64 (0) 27 378 0461
tobias.looker@mattr.global



 








This communication, including any attachments, is confidential. If you are
not the intended recipient, you should not read it - please contact me
immediately, destroy it, and do not copy or use any part of this
communication or disclose anything about it. Thank you. Please note that
this communication does not designate an information system for the purposes
of the Electronic Transactions Act 2002.
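An added example (not code from the thread or from any of the projects named in it) showing the three invocation routes from the list above as one and the same SIOP request, plus the wallet-side checks a parser needs before acting on it. Parameter names follow SIOP v2 / OpenID Connect; the app-link host `wallet.example` and the "unregistered relying party must use client_id equal to redirect_uri" rule are assumptions made for the example.

```python
from urllib.parse import urlsplit, parse_qs, urlencode
import secrets

APP_LINK_HOST = "wallet.example"  # assumed platform-registered HTTPS host (app link)
REQUIRED = ("response_type", "client_id", "scope", "nonce", "redirect_uri")


def build_request(client_id, nonce=None):
    """Relying-party side: parameters of one SIOP presentation request."""
    return {
        "response_type": "id_token",
        "client_id": client_id,
        "scope": "openid",
        "nonce": nonce or secrets.token_urlsafe(16),  # fresh per request
        "redirect_uri": client_id,  # assumed rule: unregistered RP => equal
    }


def invocation_uris(params):
    """The same request delivered the three ways listed in the message."""
    query = urlencode(params)
    custom = "openid://?" + query
    return {
        "custom_scheme": custom,                                    # 1. URL scheme
        "app_link": "https://%s/siop?%s" % (APP_LINK_HOST, query),  # 1. app link
        "qr_payload": custom,                                       # 2./3. QR code
    }


def parse_request(uri):
    """Wallet side: accept any of the three forms, reject anything else."""
    parts = urlsplit(uri)
    local_scheme = parts.scheme == "openid" and parts.netloc == ""
    app_link = parts.scheme == "https" and parts.netloc == APP_LINK_HOST
    if not (local_scheme or app_link):
        raise ValueError("unsupported invocation: " + uri)
    query = parse_qs(parts.query, strict_parsing=True)
    missing = [k for k in REQUIRED if k not in query]
    if missing:
        raise ValueError("missing parameters: " + ", ".join(missing))
    req = {k: v[0] for k, v in query.items()}
    if req["response_type"] != "id_token" or "openid" not in req["scope"].split():
        raise ValueError("not a SIOP presentation request")
    if urlsplit(req["redirect_uri"]).scheme != "https":
        raise ValueError("redirect_uri must be https")
    if req["client_id"] != req["redirect_uri"]:
        raise ValueError("client_id must equal redirect_uri (assumed rule)")
    return req
```

The QR payload is deliberately the custom-scheme URI, so a wallet that scans it on another device runs exactly the same parser as one invoked locally.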

 

  _____  

From: Dmitri Zagidulin <dzagidulin@gmail.com>
Sent: 20 March 2022 11:46
To: Tobias Looker <tobias.looker@mattr.global>
Cc: Manu Sporny <msporny@digitalbazaar.com>; public-credentials@w3.org
Subject: Re: Centralization dangers of applying OpenID Connect to wallets
protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

 

EXTERNAL EMAIL: This email originated outside of our organisation. Do not
click links or open attachments unless you recognise the sender and know the
content is safe.

 

Quick clarification question --

 

> SIOP currently supports multiple ways to invoke / send a request to a
> wallet to ask for presentation of credentials

 

Can you say more about those multiple ways? If I'm understanding correctly,
there is just one mechanism that SIOP supports, and that is through a custom
url protocol link. Is that not the case?

 

 

On Sat, Mar 19, 2022 at 6:30 PM Tobias Looker <tobias.looker@mattr.global> wrote:

Thanks Dmitri, appreciate the clarification, would it be sufficient to
summarize this as follows?

 

SIOP currently supports multiple ways to invoke / send a request to a wallet
to ask for presentation of credentials, however when the relying party is a
website, without a consistent *browser style* mediation layer that allows an
End-User to register what wallets they use like in CHAPI, it does not meet
the "open wallet ecosystem" goal? 

 

The reason I added the caveat "when the relying party is a website" here is:
how does CHAPI help achieve an "open wallet ecosystem" when you are doing a
cross-device presentation (e.g. in-person)? IMO it doesn't, which highlights
the fact we perhaps need to be clearer about what user journeys we are
talking about when.

 

Also I think the importance of the existence of a mediation layer like CHAPI
is different in credential presentation flows vs issuance flows, for example
in issuance, a CHAPI mediation layer is only used if you start from the
issuers website AND your wallet is installed on the same device and you need
some way to invoke it.

 

Thanks,


 

 

  _____  

From: Dmitri Zagidulin <dzagidulin@gmail.com>
Sent: 20 March 2022 11:05
To: Tobias Looker <tobias.looker@mattr.global>
Cc: Manu Sporny <msporny@digitalbazaar.com>; public-credentials@w3.org
Subject: Re: Centralization dangers of applying OpenID Connect to wallets
protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

 


 

> Can you elaborate on this, DW looks to have already elaborated on the
> multiple different mechanisms for sending a credential presentation request
> to a wallet that supports SIOP

 

Hang on a sec :) I deeply, deeply respect DW's expertise in this (and yours
as well, Tobias), and I'm confident that in general, given time and effort
(technical and political), we as a community can steer all of this in the
right direction.
But I'm not sure that "there's different mechanisms for sending VPs/VPRs to
a SIOP wallet" is a fair reading of what DW said.

Earlier, responding to my lament that openid:// custom protocol handling is
not very well supported by OS vendors, DW said: "To be honest, I don't see
this being solved without a first-class interface for javascript and native
apps, similar to what WebAuthn has created for pure authentication
credentials."  

And later in that same reply, "Today, the best pitch we have (other than
scanning a QR code with your chosen wallet on another device) is app links
maintained by a trust framework.".

 

Which, as far as I know, we don't really have one of those (an app link
mediated by a trust framework). (Other than CHAPI's mediator.) 

And scanning QR codes, aside from the fact that this only works across
devices, and not within the same device, is a very limited mechanism
(because, again, of custom url protocol problems, and other issues which I
pointed out in my QR Codes + Wallets presentation to DIF Interop:
https://docs.google.com/presentation/d/1ki2VMtW1yZnWlomyeoYCIfrkLhb2Qb7Kb5sNQOiLYnY/edit#slide=id.p).

 

So, I would still maintain, that until this problem is solved, SIOP is
basically unusable, for getting VCs/VPs into wallets.

 

 

On Sat, Mar 19, 2022 at 5:33 PM Tobias Looker <tobias.looker@mattr.global> wrote:

> CHAPI and DIDCommv2 have answers to these questions... I have yet to hear
> how OpenID provides the same "open wallet ecosystem".

 

Can you elaborate on this, DW looks to have already elaborated on the
multiple different mechanisms for sending a credential presentation request
to a wallet that supports SIOP and I have responded to the concerns you have
raised about the role of the client in the issuance stage, explaining its
purpose. You have not explained what the criteria are that a technical
protocol must meet to be considered supporting an "open wallet ecosystem"
nor why CHAPI and DIDCommv2 appear to meet this bar when the OpenID
protocols do not.

 

Across all of these threads we appear to be wildly jumping from
considerations as they apply to credential issuance protocols and then as
they apply to credential presentation protocols. It would be helpful when
raising concerns to frame them more in the context of where they apply.

 

Thanks,


 

 

  _____  

From: Manu Sporny <msporny@digitalbazaar.com>
Sent: 20 March 2022 04:54
To: public-credentials@w3.org
Subject: Re: Centralization dangers of applying OpenID Connect to wallets
protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

 



On 3/18/22 1:43 PM, David Chadwick wrote:
> Perhaps you are forgetting eIDASv2 which will require every EU country to
> make the eIDAS wallet available to all EU citizens.

Some of us live in countries where there will be wallet competition and the
state won't be providing a digital wallet to all citizens. What then? How is
the holder's choice respected in those scenarios?

CHAPI and DIDCommv2 have answers to these questions... I have yet to hear
how OpenID provides the same "open wallet ecosystem".

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Sunday, 20 March 2022 07:52:23 UTC