Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

On 3/20/22 4:21 PM, Tobias Looker wrote:
> Are we able to please list these issues / criticisms in a more structured 
> manner so we can analyse and respond to each.

To be fair, I did that in the initial email in this thread :P

https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0101.html

To quote directly from that email:

> Going back to OpenID being applied to Verifiable Credential Exchange. There
> are three fatal flaws that need to be overcome for it to be a good idea:
> 
> 1. Eliminate registration -- if you require wallet registration, you
> enable centralization.
> 
> 2. Eliminate NASCAR screens; don't allow verifiers to pick/choose which 
> wallets they accept. If you allow either of these things to happen, you 
> enable centralization.
> 
> 3. Eliminate the concept of "App Store"-like in-wallet "Marketplaces". If 
> you do this, you put issuers at a natural disadvantage -- pay to play to 
> get listed in a wallet's "Marketplace".

#1 is about mandatory wallet registration and wallet vendor detection being a
bad idea. There are certain technical solutions (feature detection) that help
here.

#2 is about OpenID not having any CHAPI-like equivalent, which creates a
natural centralization pressure. There are certain technical solutions
(CHAPI-like mediators) that help here.

#3 is about challenging the notion that putting the wallet at the centre via
"Credential Marketplaces" is without great centralization risk. There are best
practices and market competition warnings that could help here.

> Personally I don't think statements like "openid does not support an open 
> wallet ecosystem" suffice as an issue, we need to push past this into
> why, how and where, it is only then we will be able to work on addressing
> it.

Sure, but as I point out above... I'm not intentionally trying to be vague, and
there have been multiple people providing specific technical examples of where
things fall apart.

> So in the spirit of trying to get to this view, do the following issues 
> summarise your concerns @Manu
> 
> OIDC4VP (the verifiable credentials presentation protocol) features no 
> adequate mediation layer (wallet chooser component) that allows a web based
> relying party or verifier to invoke during a presentation request that
> allows an End-User to select which wallet they would like to respond to a
> request with?

Yes, that is one of the issues (issue #2 I raised in the original email).

> OIDC4VCI (the verifiable credential issuance protocol) requires the wallet 
> to be a valid "client" with the provider (issuer) in order to request 
> credential issuance. This constraint encourages some form of
> centralization or anti-competitive market force that is un-tenable?

Yes, that is another one of the issues (issue #1 I raised in the original email).

The third issue (issue #3 in the original email that started this thread) is
the "Credential Marketplace" problem, which creates a centralization concern
with dominant Wallet vendors. There might be technical solutions to this
problem, but I doubt we'll be able to do much here other than best practices
and perhaps some finger-wagging spec language about centralization dangers
related to tight binding between wallet->issuer w/o also ensuring CHAPI-like
wallet invocation. I can elaborate further on this if anyone is interested,
but for now, the real centralization dangers seem to be the two items you
mentioned.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Sunday, 20 March 2022 21:51:10 UTC