Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Harrison <harrison@spokeo.com>
Date: Sun, 20 Mar 2022 11:56:03 -0700
Message-ID: <CAFYh=43HpEjuqQP2-bm45BkEfouZwCY5a_Pkxs8i1YPLGSM=3g@mail.gmail.com>
To: David Chadwick <d.w.chadwick@verifiablecredentials.info>
Cc: public-credentials@w3.org
Love this thread.  I am new to this space, so please feel free to clarify
my potential misunderstanding.

Centralization is defined as "the concentration of control of an activity
under a single authority", and decentralization is where that control is
not held by a single or few entities.  With this definition, the ultimate
decentralization is when the control resides in each and every entity (e.g.
tens of billions of users in this case).

I think VC best advances decentralization because VC's trust model empowers
users/holders to intermediate identity-related transactions.  In any
multi-sided platform (e.g. identity), the middleman holds the power.  In
VC, user/holder is the middleman intermediating between verifiers and
issuers, so each user/holder holds the power, and the decentralization of
the identity platform could be achieved.

In OIDC, the identity provider is the middleman between users and relying
parties, so the identity provider holds the power.  While anyone can be the
identity provider, I think there will be fewer identity providers than
users, so OIDC is probably not going to be as decentralized as VC unless
OIDC empowers users to be the middleman.

Different technologies have different applications, and different problems
require different solutions.  OIDC has been tremendously successful in
authentication/authorization use cases, and I think OIDC's social login
implementation could be one of the factors in multi-factor authentication
(or at least a proxy to knowledge, possession, inherence, and location
factors).  In identity verification use cases, I think VC is probably the
way to go if we want to achieve self-sovereign and decentralized identity
due to its decentralized trust model.


On Sun, Mar 20, 2022 at 10:55 AM David Chadwick <
d.w.chadwick@verifiablecredentials.info> wrote:

> On 20/03/2022 16:21, Daniel Hardman wrote:
> The entire phishing industry exists because institutions don't
> authenticate themselves the same way people do.
> that's because institutions don't use un/pws :-)
> Moving users to VCs is actually moving users more nearly to what
> institutions already do.
> I go to a web site on my browser and it sends me a credential containing
> its identity (DNS name) signed by a TTP.
> With OIDC4VPs I return a credential containing my identity signed by a TTP.
> So we are moving towards a more equal world.
> Footnote 1. An X.509 PKC is only a specialised VC encoded differently.
> Footnote 2. S/MIME tried to get everyone to send signed emails and it
> failed miserably.
> Kind regards
> David

*Harrison Tang*
Received on Sunday, 20 March 2022 18:57:28 UTC
