Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT]) from Manu Sporny on 2022-03-20 (public-credentials@w3.org from March 2022)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 20 Mar 2022 11:54:31 -0400
To: public-credentials@w3.org
Message-ID: <3dbdc075-0fb2-2de6-39e9-ee427b8f730e@digitalbazaar.com>

On 3/18/22 2:00 PM, Adrian Gropper wrote:
> If we’re serious about decentralization we should be not be playing 
> whack-a-mole based on various well intentioned but distracting
> sponsorships and business models. We need to be designing the commons that
> we’re being denied today.

Agreed.

As far as I can see, CHAPI and DIDCommv2 are doing just that, but coming at it
from different directions (more in a future thread about that).

The current OpenID approaches seem to be saying: "That problem is too hard, so
let's just use the centralized rails that we have set up today; we can realize
immediate benefit because of the value of VCs and DIDs WITHOUT solving the
open wallet ecosystem problem!" or "Let's just assume that you're using two
devices, because that problem is easier to solve."... which are strategies
that avoid the point of contention.

The point of contention is bootstrapping into a wallet of any kind from a
website when I'm on the same device. For example:

I'm on my mobile phone, I go to a website to get a credential (using my mobile
phone)... how does that website invoke *my* digital wallet? If it shows a QR
Code, what am I going to take a picture of that QRCode with? My phone (which
I'm using to view the web page with)?!

It's a fairly simple use case, and the most common interaction style people
have when searching for information (on desktop or mobile).

The actual protocol we use AFTER you're already in your wallet is a secondary
(and far less contentious) concern.

> I’m trying to understand the scope of the issue. How many wallets does one
>  person need?

Ideally, just one... though we know that some employers are going to want
strict control over corporate credentials in corporate wallets, so possibly 2-3.

The key point here is /it has to be your choice/. Not the Issuer's. Not the
IdP's. Not the Verifier's. It must be the Holder's choice. How do we empower
Holders?

> Right now, the platforms don’t control my choice of 1Password but I do keep
> some credentials in platform-controlled wallets. I also have one crypto
> wallet unrelated to either 1password or the platform.

Yes, exactly, and these were your choices and no one should be coercing you
into using a different product (assuming the feature set is the same) for any
reason.

If we require wallet providers to register, which is suggested by the current
OpenID specifications, we automatically create a centralizing friction in
digital wallets. It's great news for dominant OpenID providers, and bad news
for Holders.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Sunday, 20 March 2022 15:54:48 UTC