Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT]) from Manu Sporny on 2022-03-20 (public-credentials@w3.org from March 2022)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 20 Mar 2022 13:12:10 -0400
To: public-credentials@w3.org
Message-ID: <bc17d1f1-6966-55ef-31fd-cd126edaf6c0@digitalbazaar.com>

On 3/20/22 12:21 PM, Daniel Hardman wrote:
> If we standardize and promote OIDC+SIOP+VCs as the standard way for 
> institutions to authN/Z users in web contexts, and only for that, then I
> think we suck all the wind out of the sails of a standard that would
> actually correct this imbalance. Not because there's some fatal flaw in the
> API, but because it's teaching the world, yet again, to treat users and
> institutions unequally.

Yes! Thank you, Daniel! This! +1000

Now, we should not be under the impression that people won't try and build
this flawed model anyway -- there are strong economic incentives to do so --
"The infrastructure is already there! It's doing billions of interactions a
day! Let's build on top of it!"

I don't think there is any way that the OpenID Foundation DOES NOT go ahead
with their VCs over OpenID protocol plans.

Given that Tobias is leading OpenID working on this stuff, my hope is that he
takes our concerns into that work... that is, if we can convince him of the
dangers. :)

My hope is that we all, across the various communities, also start
collectively pointing toward why OpenID + VCs (as is currently designed) is
dangerous to the ecosystem... but we find a way to express these as not
pointing the finger at the OpenID protocol, but at design patterns that lead
to power inequalities and centralization as Daniel so eloquently stated in his
email.

Or... the folks working on the OpenID + VCs convince some of us hold outs that
what they're doing does support open wallet ecosystems... :)

Finally, there are no easy answers here.

CHAPI and DIDCommv2 aren't magical in their ability to combat centralization.
If Issuers start demanding that wallet vendors identify themselves in
transactions (another bad idea), we fall into the same trap, which is why
being LOUD about what a dysfunctional centralized ecosystem looks like is
crucial.

This is why I'd like us to mine this thread and have a "VC Market Competition
Considerations" section somewhere... it's clear that some individuals were
unaware of the problem and that means we're not doing a good job in educating
folks as they enter the industry.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Sunday, 20 March 2022 17:12:27 UTC