- From: Daniel Hardman <daniel.hardman@gmail.com>
- Date: Sun, 20 Mar 2022 18:21:44 +0200
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: public-credentials@w3.org
- Message-ID: <CACU_chmOPUGQHO7kra=EuBCjGcY6rTvFYbEbcc5nXj-H7ZP2MA@mail.gmail.com>
Squinting away the details, the deep assumption behind OpenID Connect is that we need a standard way for institutions to authenticate and authorize people. SIOP+VCs updates the mechanism, but not the goal.

Of course this is a worthy objective. We want institutions to have a standard way to authenticate and authorize. We have plenty of evidence that this is economically valuable, and it is a perfectly reasonable thing to do.

However, I consider this framing to be disastrous, because of what it leaves out. Notice that it is one way: institutions authN/Z people, but they don't propose to play by the same rules. The entire phishing industry exists because institutions don't authenticate themselves the same way people do. If every email and SMS (notice I picked 2 contexts other than web, but that are HUGE) that purported to come from Acme Corp had to actually be signed by Acme's DID keys, phishing would go away. Furthermore, institutions would cease to be able to unilaterally dictate terms of service, would feel much greater pressure on the Hobson's choices they give to users, would feel some of the friction that users feel today when an institution upgrades a server or invalidates a cookie, etc, etc.

If we standardize and promote OIDC+SIOP+VCs as the standard way for institutions to authN/Z users in web contexts, and only for that, then I think we suck all the wind out of the sails of a standard that would actually correct this imbalance. Not because there's some fatal flaw in the API, but because it's teaching the world, yet again, to treat users and institutions unequally.

On Sun, Mar 20, 2022 at 5:57 PM Manu Sporny <msporny@digitalbazaar.com> wrote:

> On 3/18/22 2:00 PM, Adrian Gropper wrote:
> > If we’re serious about decentralization we should not be playing
> > whack-a-mole based on various well intentioned but distracting
> > sponsorships and business models. We need to be designing the commons that
> > we’re being denied today.
>
> Agreed.
>
> As far as I can see, CHAPI and DIDCommv2 are doing just that, but coming at it
> from different directions (more in a future thread about that).
>
> The current OpenID approaches seem to be saying: "That problem is too hard, so
> let's just use the centralized rails that we have set up today; we can realize
> immediate benefit because of the value of VCs and DIDs WITHOUT solving the
> open wallet ecosystem problem!" or "Let's just assume that you're using two
> devices, because that problem is easier to solve."... which are strategies
> that avoid the point of contention.
>
> The point of contention is bootstrapping into a wallet of any kind from a
> website when I'm on the same device. For example:
>
> I'm on my mobile phone, I go to a website to get a credential (using my mobile
> phone)... how does that website invoke *my* digital wallet? If it shows a QR
> Code, what am I going to take a picture of that QRCode with? My phone (which
> I'm using to view the web page with)?!
>
> It's a fairly simple use case, and the most common interaction style people
> have when searching for information (on desktop or mobile).
>
> The actual protocol we use AFTER you're already in your wallet is a secondary
> (and far less contentious) concern.
>
> > I’m trying to understand the scope of the issue. How many wallets does one
> > person need?
>
> Ideally, just one... though we know that some employers are going to want
> strict control over corporate credentials in corporate wallets, so
> possibly 2-3.
>
> The key point here is /it has to be your choice/. Not the Issuer's. Not the
> IdP's. Not the Verifier's. It must be the Holder's choice. How do we empower
> Holders?
>
> > Right now, the platforms don’t control my choice of 1Password but I do keep
> > some credentials in platform-controlled wallets. I also have one crypto
> > wallet unrelated to either 1password or the platform.
>
> Yes, exactly, and these were your choices and no one should be coercing you
> into using a different product (assuming the feature set is the same) for any
> reason.
>
> If we require wallet providers to register, which is suggested by the current
> OpenID specifications, we automatically create a centralizing friction in
> digital wallets. It's great news for dominant OpenID providers, and bad news
> for Holders.
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/
Received on Sunday, 20 March 2022 16:22:09 UTC
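The check the message above argues for, written out as an added example (this is not code from the thread, nor any project's DID, OIDC or SIOP implementation): a recipient-side verifier that treats an email or SMS as coming from an institution only if it carries a signature that verifies under a key listed in that institution's DID document. The `SignedMessage` layout, the `did:example:acme` DID, the in-memory `Resolver` and the Ed25519 key pairs are all constructed for the demo; real resolution and the signing envelope would follow whichever DID method and message format were adopted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// SignedMessage models an email or SMS that claims to come from an
// institution: the sender's DID, the id of the key used, the body, and a
// detached signature. This layout is constructed for the example.
type SignedMessage struct {
	FromDID string
	KeyID   string
	Body    string
	Sig     []byte
}

// DIDDocument is a minimal in-memory stand-in for a resolved DID document:
// the public verification keys the controller of the DID has published.
type DIDDocument struct {
	Keys map[string]ed25519.PublicKey // key id -> public key
}

// Resolver maps a DID to its document. Real resolution would go to a
// ledger or a did:web endpoint; here it is a constructed in-memory map.
type Resolver map[string]DIDDocument

var (
	ErrUnsigned     = errors.New("message carries no signature")
	ErrUnknownDID   = errors.New("sender DID cannot be resolved")
	ErrUnknownKey   = errors.New("key id is not listed in the sender's DID document")
	ErrBadSignature = errors.New("signature does not verify under the sender's key")
)

// signingInput binds the claimed sender DID into the signed bytes, so the
// signature covers who claims to have sent the message, not only the body.
func signingInput(fromDID, body string) []byte {
	return []byte(fromDID + "\n" + body)
}

// Sign is what the institution's mail or SMS gateway would do before sending.
func Sign(priv ed25519.PrivateKey, fromDID, keyID, body string) SignedMessage {
	return SignedMessage{
		FromDID: fromDID,
		KeyID:   keyID,
		Body:    body,
		Sig:     ed25519.Sign(priv, signingInput(fromDID, body)),
	}
}

// Verify is the recipient-side check: the message must be signed, the
// claimed DID must resolve, the key id must be one the DID's controller
// published, and the signature must verify. Anything else is rejected,
// whatever display name or address the message carries.
func Verify(r Resolver, m SignedMessage) error {
	if len(m.Sig) == 0 {
		return ErrUnsigned
	}
	doc, ok := r[m.FromDID]
	if !ok {
		return ErrUnknownDID
	}
	pub, ok := doc.Keys[m.KeyID]
	if !ok {
		return ErrUnknownKey
	}
	if !ed25519.Verify(pub, signingInput(m.FromDID, m.Body), m.Sig) {
		return ErrBadSignature
	}
	return nil
}

// Demo builds a constructed "Acme" DID, then runs one genuine message and
// four look-alike messages through Verify, returning the outcome per case.
func Demo() map[string]error {
	const acme = "did:example:acme" // constructed DID, not a real identifier
	acmePub, acmePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	_, otherPriv, err := ed25519.GenerateKey(rand.Reader) // a key Acme never published
	if err != nil {
		panic(err)
	}
	resolver := Resolver{acme: {Keys: map[string]ed25519.PublicKey{"key-1": acmePub}}}

	body := "Your password expires today. Sign in at the link below." // constructed sample
	results := map[string]error{}
	// Genuine: signed with the key Acme published under its DID.
	results["genuine"] = Verify(resolver, Sign(acmePriv, acme, "key-1", body))
	// Merely claims to be from Acme, with no signature at all.
	results["unsigned"] = Verify(resolver, SignedMessage{FromDID: acme, KeyID: "key-1", Body: body})
	// Claims Acme's DID and key id, but was signed with a key Acme never published.
	results["wrong-key"] = Verify(resolver, Sign(otherPriv, acme, "key-1", body))
	// Claims Acme's DID under a key id that Acme's document does not list.
	results["unknown-key-id"] = Verify(resolver, Sign(otherPriv, acme, "key-9", body))
	// Claims a DID that does not resolve at all.
	results["unknown-did"] = Verify(resolver, Sign(otherPriv, "did:example:nobody", "key-1", body))
	return results
}

func main() {
	for name, err := range Demo() {
		fmt.Printf("%-15s -> %v\n", name, err)
	}
}
```

The point of the four rejected cases is that none of them can be fixed by the sender choosing a more convincing display name or domain: the only thing the recipient trusts is a key the institution itself published under its DID, which is the symmetry the message above asks for.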