- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Mon, 21 Mar 2022 21:44:10 +0000
Thanks to Our Robot Overlords for scribing this week!

The transcript for the call is now available here: https://w3c-ccg.github.io/meetings/2022-03-21-vc-education/

Full text of the discussion follows for W3C archival purposes. Audio of the meeting is available at the following location: https://w3c-ccg.github.io/meetings/2022-03-21-vc-education/audio.ogg

----------------------------------------------------------------
VC for Education Task Force Transcript for 2022-03-21

Agenda: https://lists.w3.org/Archives/Public/public-vc-edu/2022Mar/0005.html

Topics:
1. IP Note
2. Call Notes
3. Introductions & Reintroductions
4. Announcements
5. About CCG Email Thread: "Centralization dangers of applying OpenID Connect to wallets" (Dmitri Zagidulin)

Organizer: Kerri Lemoie
Scribe: Our Robot Overlords
Present: Kerri Lemoie, Stuart Freeman, Marty Reed, Deepak Kulkarni, Kaliya, Andy Miller, Taylor, Colin, LEF, Dmitri Zagidulin, Sharon Leu, Jim Kelly, Phil Barker, Tony Sheppard, Deb Everhart, Matthias Gottlieb, Jim Goodell, Kimberly Linson, Kayode Ezike, Phil L (P1)

<colin,_lef> gm gm
Our Robot Overlords are scribing.

Topic: IP Note

Kerri Lemoie: Hey, hello everybody. Welcome to the March 21st VC-EDU task force call. Today our topic is going to be on identity and education credentials. I'm going to go through some of the announcements and boilerplate stuff that we always start these meetings with. The first one to know is the IP note: anyone can participate in these calls, but any substantive continued contributions...
Kerri Lemoie: You have to.
Kerri Lemoie: https://www.w3.org/community/credentials/join
Kerri Lemoie: ...to do those you have to be members of the CCG with full IPR agreements, and you can read more about this at the link that I put in the chat just now.
Topic: Call Notes

Kerri Lemoie: Please note that all of these meetings are recorded. We do our best with our infrastructure to record them all and then also have a transcription of the meeting minutes, so you will see in the chat that there's an auto transcriber that is recording what I'm saying right now. What you can do while we're taking these notes is, if you see something the transcriber has flubbed up pretty badly, you can do a substitution.
Kerri Lemoie: In the chat like:
Kerri Lemoie: That would be very helpful in publishing the minutes, and that would look something like this, where you do an s and a forward slash. I'm just going to make up one right now that doesn't exist, but the middle between the brackets is the word you want to replace and then the replacement. We do use queues in these calls too, so instead of just speaking out, please put yourself in the queue. You can do this by typing q+. If you know what you're...
Kerri Lemoie: Something about you going to say, you can say.
Kerri Lemoie: q+ topic.
Kerri Lemoie: And then you can also remove yourself from the queue.

Topic: Introductions & Reintroductions

Kerri Lemoie: Okay, let's do some introductions and reintroductions. Is there anybody on the call today that would like to introduce themselves?
Kerri Lemoie: A lot of my faces. If there's someone who'd like to introduce themselves or reintroduce themselves and give us an update on what you're working on, here's an opportunity to do so.
Deepak_Kulkarni: Hi, I'm Deepak Kulkarni. I work for ASU and also work for the Pocket initiative that you might be familiar with.
Deepak_Kulkarni: But the chain, thank you.
Kerri Lemoie: I am, yeah, oh great, thank you for introducing yourself Deepak.

Topic: Announcements

Kerri Lemoie: Okay, our next part is announcements and reminders.
Kerri Lemoie: So I have two on my list. One is for tomorrow's CCG call; the TL;DR for that is that John Gleason and Dominic Marina from Storj will give an overview of decentralized cloud object storage, which has emerged from the same ethos as the decentralized identity community. They will discuss their edge access management features and have a discussion around using SSI identity with decentralized storage. If that sounds interesting to you, the link to the agenda and the connection...
Kerri Lemoie: Info is going to be in the chat right now.
<kerri_lemoie> Link to agenda & connection info: https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0088.html
Kerri Lemoie: Also, on April 26th through April 28th is the Internet Identity Workshop. This is being held at the Computer History Museum in Mountain View, California.
Kerri Lemoie: https://internetidentityworkshop.com/
Kerri Lemoie: I put the link in the chat. I'm actually attending this year; it's the first conference I've attended in over two years in person, so I'm really looking forward to it. If you can make it, I suggest that you go, because you will get to spend some time with the people who have been thinking about identity for a really long time, and it's a great opportunity to learn and then wrap your head around some of these concepts that are really challenging at times.
Kerri Lemoie: Let me see if there's anyone in the queue right now.
Kerri Lemoie: Anyone else have any other announcements that they would like to make before we get started on today's topic?
Kerri Lemoie: You're in the queue.
Kaliya: Hi, thanks for sharing about IIW, and people should also know that if.
Kaliya: Accessibility is an issue over price, you can come and talk to us about.
Kaliya: That. We're really committed to opening it up. I have another event that people might be interested in called Mitigating Harms in Web3, happening April 1. I'm on my phone so it's hard to put it into chat, but if you search on Eventbrite for "mitigating harms in web3" it'll come up. It's, yeah, five hours on April 1, depending on what time zone you're in.
Kerri Lemoie: I think I found it. I'm going to put it in the chat right now.
Kerri Lemoie: https://www.eventbrite.com/e/mitigating-harms-in-web3-tickets-260675526517
<deb_everhart> Open Badges Summit call for proposals is open: https://docs.google.com/forms/d/e/1FAIpQLSeIGapaEFIjB5WYYB9fkc1snJicqdUdGPqSLe_RFNv2gIcAJA/viewform
Kaliya: And then I just have one more thing. It's kind of an aside: I'm working with a verifiable credentials policy committee on getting some legislation passed in California to create a trust framework and a pilot project within higher, well, within education. So if there's anybody in this group based in California interested in helping say something to your legislators about this.
Kaliya: I'd love to connect.
Kerri Lemoie: What's the best way for folks to reach you?
Kaliya: I think email: kaliya at identitywoman dot net.
<deb_everhart> deadline for proposals is April 15 and the conference is Aug 1-2 f2f and Aug 9 virtual
<colin,_lef> Woot woot!
Kerri Lemoie: Thank you. And then Deb Everhart, you posted the Open Badges Summit call for proposals in chat; that is great. That is on August 1st and 2nd in Boulder, Colorado this year, and the deadline to do your proposal is April 15th, I believe. That's another one I will be attending.
Kerri Lemoie: Bit of course.
Kerri Lemoie: Okay, any other announcements before we get started on our education credential learner identity discussion?
Topic: About CCG Email Thread: "Centralization dangers of applying OpenID Connect to wallets" (Dmitri Zagidulin)

Kerri Lemoie: A large part of why we're all working on verifiable credentials is that we believe that individuals should have more control over their data, and this includes deciding what identity is associated with their credentials.
Kerri Lemoie: And our.
Kerri Lemoie: Our goal very soon, hopefully this spring, is to publish a community report that informs the education and training ecosystem about issuing and verifying VCs. We're narrowing in on this report. Today I would really like to hold a discussion about identity and credentials to help inform the community. It's a continuing, ongoing conversation and it's a moving target right now, but in order to get implementations going we've landed somewhere, and so we can talk about that and then talk...
Kerri Lemoie: About what they choose me or die.
Kerri Lemoie: ...whether there are any questions that remain. And before we get started:
Kerri Lemoie: Dmitri, I was wondering if you could help us out. There's been this long thread going on over the weekend on the CCG mailing list about OpenID and CHAPI and DIDComm, centralized versus decentralized, and someone who has been working on this a while is one of our co-chairs. I was wondering if you can unpack that thread for us and help explain the issues that are going on and how it affects what we're doing.
Dmitri Zagidulin: Sure, thanks Kerri. I can certainly give it a try. It's a long thread and has branched out into many sub-threads. Lots of things are being discussed there: the health of the CCG community, the interaction with other standards bodies. But at the heart are a couple of things. At the moment there are, let's say, three or four.
Dmitri Zagidulin: That can be used.
<kerri_lemoie> (ignore topic having the floor - Dmitri has the floor)
Dmitri Zagidulin: There are three or four protocols that can be used for verifiable credentials: to request that they're issued, to transport them into the wallet, to verify them, to transfer them between wallets, right? So a lot of the time in this group we've started with.
<kerri_lemoie> Feel free to queue up your questions about this.
Dmitri Zagidulin: Focusing on the data model. The Verifiable Credentials Working Group has standardized the envelope for us, so what we do in this group is discuss a lot what goes into the envelope, the data model of the payload itself. And of course in parallel with that we need to discuss how do we get it into student wallets, how do we exchange it between our server-to-server systems, how do we verify, and all that stuff.
Dmitri Zagidulin: So the protocol and the data model question is in.
Dmitri Zagidulin: And today there are three or four different APIs being formed by different standards bodies that can be used to do something with verifiable credentials, so.
Dmitri Zagidulin: So that was thread one: why are there competing APIs, and what can be done to either converge their development or at least make it clear to users and implementers what the strengths and weaknesses of each API are? Why would one choose W3C's VC API, or DIF's Presentation Exchange, or the OpenID Foundation's.
Dmitri Zagidulin: Self-Issued OpenID, or the draft of OpenID Connect for Verifiable Presentations.
Dmitri Zagidulin: Which is the work that the OpenID Foundation is currently doing.
Dmitri Zagidulin: In a certain sense the fact that there are.
Dmitri Zagidulin: Four different APIs is healthy, right? It means a lot of communities have sat up and taken notice of verifiable credentials.
Dmitri Zagidulin: It means that they're definitely making an impact in the world, and all the standards bodies have their own different approach to handling it. So that was issue one: what's the relationship between these.
Dmitri Zagidulin: How do we.
Dmitri Zagidulin: Standards bodies, to communicate, to cross-pollinate and all that stuff.
Dmitri Zagidulin: Thread number two was Manu and several others, including myself (but I can qualify that and answer questions), have stepped forward and said we understand where OpenID Connect is coming from.
Dmitri Zagidulin: But specifically when it comes to.
Dmitri Zagidulin: Using OpenID Connect for general-purpose verifiable credentials wallets for consumers.
Dmitri Zagidulin: We feel that.
Dmitri Zagidulin: The versions of the OpenID Connect protocol tailored to work with verifiable credentials.
Dmitri Zagidulin: Are in danger of.
Dmitri Zagidulin: Exerting a market and technological pressure towards monopoly, towards centralization.
Dmitri Zagidulin: Now I know we use centralization or decentralization as sort of value judgments a lot of times in the space, or especially in the Web3 space, to the point where it becomes apocryphal. So what do we mean by that?
Dmitri Zagidulin: What do I personally mean when I say that it exerts a market pressure towards monopoly, more so than other protocols?
Dmitri Zagidulin: It has to do with the issue of wallet selection and the NASCAR problem, which we'll get into in a second.
Dmitri Zagidulin: I also want to preface this that.
Dmitri Zagidulin: In the education space.
Dmitri Zagidulin: We have kind of a unique approach to this and a unique set of problems. Here's what I mean by that. So for example, several of the wallets that I work with, for example the Digital Credentials Consortium (DCC) wallet, very much use OpenID Connect for purposes of binding the existing student identity to the decentralized identifier that the student brings, which is the other topic of this call.
Dmitri Zagidulin: And Kerri.
Dmitri Zagidulin: Would like to talk about, right? So in our typical university or other school setups we have existing student information management systems; in particular we have a database with a student ID in it somewhere, and we're trying to introduce these DIDs, these decentralized identifiers.
Dmitri Zagidulin: And one of our challenges as technologists is how do we bridge that gap, how do we on-ramp, how do we bind the new decentralized identifiers, which are controlled by the students or by the individual person, how do we bind those to that user ID in the database that exists on the learning institution's server somewhere.
Dmitri Zagidulin: And so the reason the DCC wallet uses OpenID Connect is for that binding. It is an excellent mechanism: when asking for a learner credential to be issued, OpenID Connect provides an excellent mechanism to say okay, we're going to bind the OpenID Connect user ID, Dmitri123.
Dmitri Zagidulin: And their email to this decentralized identifier.
Dmitri Zagidulin: Here's why I bring this up in the context of the discussion of the centralizing pressure or monopolizing pressure of OpenID Connect.
Dmitri Zagidulin: This, which I believe exists in the general-purpose world but less so in our field of education, has to do with.
Dmitri Zagidulin: User expectation, and basically it has to do with students already being a captured audience with a.
Dmitri Zagidulin: Going to count on the university's or school system, so usual.
Dmitri Zagidulin: So hold on one second, let me close the door, the dogs are very excited over here. And I don't have a good view of the chat, Kerri, please feel free to interrupt if there are questions in chat.
Kerri Lemoie: Nothing yet, thank you.
Dmitri Zagidulin: Let me describe the general situation and then we can qualify what we think is different in the education space. So one of the terms that's thrown about in discussions in the decentralized identity space is a term called the NASCAR problem.
Dmitri Zagidulin: For those of you not in the US or just not familiar with NASCAR: NASCAR is a United States car racing association, and one of the iconic things of NASCAR is these racing cars are plastered with logos of sponsors.
Dmitri Zagidulin: Regardless of the teams, all the big companies sponsor the teams and plaster the logo on the car, so the cars are just, you know, very colorful banner ads essentially, with dozens if not hundreds of different logos.
Dmitri Zagidulin: And so the NASCAR problem is.
Dmitri Zagidulin: The rise of social login, which has brought a lot of benefits and was intended to bring a lot of decentralization to cross-domain login, but instead you see on sites that support it a preponderance of logos. So if a site supports social login, you're usually presented with an array of buttons that says log in with Google, log in with Facebook, log in with LinkedIn.
Dmitri Zagidulin: With GitHub and.
Dmitri Zagidulin: As long or short a list.
Dmitri Zagidulin: As that particular website decides its users are going to use, so.
Dmitri Zagidulin: Closely related to that is the wallet selection problem, so with.
Dmitri Zagidulin: Web 2.0 social login, which incidentally is based on OpenID Connect.
Dmitri Zagidulin: We have this problem of, in order to use social login, the user has to select their identity provider, or essentially the user has to select their wallet, where they have an account that manages cryptographic keys for them. So in looking at the list of log in with Facebook, log in with Google, etc., that right there is the wallet selection step, that is the identity provider selection step.
Dmitri Zagidulin: And then f.
Dmitri Zagidulin: The long list of different logos, different brands with which they can log in, which is reminiscent of the logo-plastered racing cars at NASCAR.
Dmitri Zagidulin: So why does this happen?
Dmitri Zagidulin: OpenID Connect is the third iteration of the OpenID protocol. It was prefaced by OpenID 1 and OpenID 2.
Dmitri Zagidulin: And both OpenID 1 and OpenID 2, as part of the input, required the user to paste in the URL of their identity provider. There's literally a text box, and the user logging in was literally required to cut and paste or type in the URL of, so, google.com or facebook.com or their university's webpage, or if they were running.
Dmitri Zagidulin: WordPress or.
Dmitri Zagidulin: In general something like that, that URL. And as you can probably imagine, but this was actually confirmed by scientific studies paid for by Yahoo and others, this is incredibly bad usability. So OpenID sites ran usability studies and discovered that users hate this, this is really confusing, nobody wants to type in URLs.
Dmitri Zagidulin: So what's interesting about OpenID Connect, the third iteration of this protocol, is it did learn from this Achilles heel of OpenID, that asking people to type in.
Dmitri Zagidulin: Asking people to perform the wallet selection step, the IdP selection step, is incredibly cumbersome.
Dmitri Zagidulin: And OpenID Connect at its inception had an answer to this.
Dmitri Zagidulin: It was called WebFinger, thank you protocol neighbors, and it allowed the user to type in their email address and, through the email address.
Dmitri Zagidulin: Discover the URL of their preferred OpenID Connect provider. So the original design of the OpenID Connect protocol had a solution to the NASCAR problem. It said okay, we don't want people to type in the URL of their wallet.
Dmitri Zagidulin: Users are used to typing in their email, so it's fine, that's an okay ask, and through this other piece of infrastructure that we have.
Dmitri Zagidulin: By typing in the email we're going to let machines discover their preferred wallet provider. Great, this is a fantastic system.
Dmitri Zagidulin: Here's the only problem, here's why instead we have this list of logos, this list of social ID buttons.
Dmitri Zagidulin: WebFinger required that email providers support this protocol, this WebFinger protocol, and essentially it all rested on Google. Google was one of the participants in the working group that was coming up with the OpenID Connect protocol and put forward its support towards WebFinger.
Dmitri Zagidulin: And the.
Dmitri Zagidulin: Sort of figured that okay, if we land Gmail, if Gmail supports this, right, that's a lot of users, and then that'll exert market pressure for all the other email providers to.
Dmitri Zagidulin: Support this as well, and so hey, we've solved one of the thorniest problems in identity, which is the wallet selection problem. Great.
Dmitri Zagidulin: Partway through the process, maybe at the last moment, I wasn't really there, but the Google leadership cut support for WebFinger, so pulled the plug.
Dmitri Zagidulin: And because Gmail didn't support it, none of the other major email providers supported it, and essentially WebFinger was dead on arrival. So the OpenID Connect protocol, which is a fantastic protocol, has lots and lots of innovation, and specifically learned from the mistakes of its predecessors in a lot of ways, plugged a lot of security issues in OpenID 1 and 2 and also in OAuth 2, to which OpenID Connect is.
Dmitri Zagidulin: A successor; it builds on OAuth 2. So great.
Dmitri Zagidulin: Unfortunately at launch.
Dmitri Zagidulin: A major, major part of it was killed: the WebFinger part, the wallet selection part. And so that leads us to the world where we are right now, where obviously we don't want to present a text box to the user to type in the URL.
Dmitri Zagidulin: Typing in.
Dmitri Zagidulin: Email doesn't work because WebFinger never caught on, due to market pressures and political pressure.
Dmitri Zagidulin: So instead we present the user with a bunch of buttons.
Dmitri Zagidulin: That contain the URL, and contain, yeah, so the buttons replace the text box.
Dmitri Zagidulin: All right, so all that digression, how does that relate to what we're here for? How does that relate to decentralized identity and our student wallets, our learner wallets?
Dmitri Zagidulin: It relates directly.
Dmitri Zagidulin: Most of the things that we want to do, log in with your DID, ask for a credential to be issued into your wallet.
Dmitri Zagidulin: All have to do with step 1.
Dmitri Zagidulin: So we in the VC world have the exact same problem of wallet selection that the OpenID Connect world has had, and we have almost the exact same set of fundamental tools to do it with, which is a text box or a list of buttons.
Dmitri Zagidulin: Much like they're going to do a world where okay, yeah, so let's talk about why that led to centralization. You can.
Dmitri Zagidulin: You can see it intuitively.
Dmitri Zagidulin: The long list of logos, long list of social login buttons, is annoying to users, and so each website that presents social login.
<phil_l_(p1)> Isn't step 1 actually choose your identifier, and then choose your wallet?
Dmitri Zagidulin: Has usability pressure to present as few buttons as possible, which means everybody picks the topmost recognizable wallets, identity providers. Everybody picks.
Dmitri Zagidulin: Gmail, Facebook, LinkedIn, whatever their particular niche is.
Dmitri Zagidulin: So the dream of.
Dmitri Zagidulin: The recording room did not like.
Kerri Lemoie: Like they were talking about OpenID, we're still getting the transcription to the Head.
Dmitri Zagidulin: Okay, fantastic, all right, so we'll do our best here.
Dmitri Zagidulin: So OpenID Connect, which is the decentralized protocol.
Dmitri Zagidulin: Was at its heart meant to provide genuine consumer-level choice in wallets.
Dmitri Zagidulin: Instead, because it was missing the solution to the wallet selection problem.
Dmitri Zagidulin: Presented the NASCAR problem, and the only solution to the NASCAR problem that the world has come up with so far.
Dmitri Zagidulin: Is trying to reduce the number of logos by only presenting the most well-known wallets, which is where we are right now, right? A small handful of the big main companies and their wallets: Google, LinkedIn and so on.
Dmitri Zagidulin: In the VC world we're in the exact same bind, in the exact same situation. We have the same tool set that OpenID had.
Dmitri Zagidulin: Which means it's the same usability problem, that wallet selection step. And now there's asterisks on all this; we'll get into the details of do we exactly have the same tool set, or do we have any other kind of techniques, what can we do about this, we'll get into all of that. So right now we're just trying to paint a picture of what that email thread was about. So OpenID Connect has this wallet selection problem, we have the exact same wallet selection problem, and just as OpenID Connect's NASCAR problem led to.
Dmitri Zagidulin: The only.
Dmitri Zagidulin: Most websites are able to find is.
Dmitri Zagidulin: A small handful of winner-take-all wallets. Because we're in the exact same situation, exact same market pressure and technologies, if we're not careful in the VC world we're going to end up in that same situation. We're going to end up with: here are the two to three most well-known wallets and everybody else is out of luck. We certainly don't want to put in a text box for the user to type in the name of their wallet or whatever.
Dmitri Zagidulin: Now why haven't we seen that yet?
Dmitri Zagidulin: Because there's just not that many VC wallets yet, and especially, here's the important part, at the moment there's almost no.
Dmitri Zagidulin: More than one interoperable VC wallets, which is where this problem starts to be seen, right? So with social login, all social logins are theoretically interoperable because they theoretically use OpenID Connect, although in practice, what's unfortunate, they're not. So Google uses a subtly different identity protocol than Facebook. That's not the point; the point is OpenID Connect is interoperable, and so we have the problem in.
Dmitri Zagidulin: The wallet world.
Dmitri Zagidulin: Have more than one wallet that is interoperable with each other: we have this wallet selection problem, and on all of the solutions. So to circle back around, the thread that Manu started was pointing out that.
Dmitri Zagidulin: He said, I have concerns.
Dmitri Zagidulin: About this very successful standards body, the OpenID Foundation, working on a version of OpenID Connect for verifiable credentials. I have concerns that the very same market pressures apply.
Dmitri Zagidulin: The unsolved problem of wallet selection is going to lead us to the same centralizing place, to the same monopoly, winner-take-all place.
Dmitri Zagidulin: That the previous iteration led to. Nothing has fundamentally changed, and so a lot of the argument that you saw in the thread, if you read it, was bickering over the details, was trying to clarify is it true that nothing has changed, what about this technique and what about this technique. And also in parallel.
Dmitri Zagidulin: Especially coming from.
Dmitri Zagidulin: Companies that are that small handful of winner-take-all wallets.
Dmitri Zagidulin: You'll see some argument that oh, it's not so bad, this pressure towards centralization, towards, you know, a very small number of logos, it's not so bad, you shouldn't worry about it. And we'll let you make your own judgments there. Now what about our corner of the world, what about education? So for instance with the DCC wallet.
Dmitri Zagidulin: It's not as acute of a problem, because if I'm a student of, I don't know, Georgia Tech University and I'm trying to pick up a credential from my university, wallet selection is not so bad. I know I'm going to be logging in to Georgia Tech, and I'm doing it not at some third-party relying party site, it's not at a random website, I'm picking up my credentials at Georgia Tech's website in the first place, right? So the.
Dmitri Zagidulin: Focus of the use case.
Dmitri Zagidulin: Already takes, in a lot of cases, or at least in the case that the wallet deals with right now, has already performed wallet selection. Unlike social login, where it's on some website and needs to, I'm just picking it up at my university, so the wallet selection has essentially already been performed. I've gotten to that URL of the university site, I didn't have to type it in, we're already there.
Dmitri Zagidulin: In that particular case wallet selection and identity provider selection is taken care of, and we can use the power of the OpenID Connect protocol to bind the existing student account, existing student identity, with the decentralized identifier. It's great.
Dmitri Zagidulin: Oh, also, however, again it's not a problem because in the DCC context it's a pilot that just involves one wallet. The moment we have more than one wallet that's participating in this pilot, the moment that happens, even though on the student login side.
Dmitri Zagidulin: IdP selection is solved because the student is already at the university's website, the wallet selection problem is not solved.
<jim_goodell> Locking a wallet to an institution sounds problematic to me. Could it be select from market leader listed but also have an "other" option to enter the domain of another wallet provider?
Dmitri Zagidulin: We now have to essentially either somehow guide the user to open up their preferred wallet app and perform the operations from within it, which in itself has usability problems, or.
<kayode_ezike> Maybe for a broader group, but any thoughts around specifying wallet selection via DID services?
Dmitri Zagidulin: Need to come up with some sort of mechanism in the notification email.
Dmitri Zagidulin: That says hey students, you have a credential waiting, please go pick it up over here.
Dmitri Zagidulin: And now we have the NASCAR problem. Now we need to present two buttons: pick it up with the DCC wallet, or pick it up with Pocket, or pick it up with so-and-so wallet, and now we're in the nightmare of a preponderance of buttons, now we're in NASCAR land.
Dmitri Zagidulin: And again, as a community we have a couple of nascent solutions to this and a lot of heated discussion, but it is a real problem that, even though it might not be as bad or might not be as tangled in our neck of the woods, it is still tangled in that we do need to perform wallet selection to get the user inside of the wallet app.
Dmitri Zagidulin: Or somehow guide the.
Dmitri Zagidulin: The protocol toll roads.
<marty_reed> as an example, we allow the user to create their own e-mail VC to a SOVRIN based wallet, IDRamp, Trinsic, Evernym and then allow them to authenticate via OIDC in the Open Credential Publisher wallet and Teacher Wallet
Dmitri Zagidulin: Selection. Okay, so I've spoken enough, let's take questions. Hopefully this helps shed some light.
Kerri Lemoie: I did see we have a full, yeah, I mean this is great. I know I will have some questions too. Phil L, you're in the queue right now.
Dmitri Zagidulin: Phil, go ahead.
Phil_L_(P1): Hi Dmitri, a couple of things. First of all, is it actually the case that the first problem is the wallet selection and not the identifier selection? That is to say, if we are encouraging DIDs, and of course one can have multiple DIDs, isn't the first question that has to be dealt with what's the identifier I'm going to match my university ID to?
Phil_L_(P1): Is that actually preceding the problem of the NASCAR wallet selection? That's my question.
Dmitri Zagidulin: Fantastic question, very insightful, and the answer is no. In the DID world we have sworn a sacred vow in which we said the user will never have to see or type in their DID, so we will never give the user.
Dmitri Zagidulin: A dropdown of these big long opaque DID identifiers. We're never going to ask the user to select which DID they're logging in with; instead we're going to outsource that problem to wallets. That's why the wallet selection step is the first step. You're right, conceptually it should be select the DID, but because DIDs are big long opaque identifiers we don't expose the user to them, so instead it's select the wallet, and then the wallet will.
Dmitri Zagidulin: Do their best in saying, you know, so.
Dmitri Zagidulin: Select your profile, select your persona, select are you logging in with your school DID or your work DID, right?
Dmitri Zagidulin: That's the wallet's responsibility.
Phil_L_(P1): So that's a wallet's responsibility, okay. So the second question was related to that, if I can continue. That is, I get the NASCAR problem and the sort of pressure that that imposes to have as few stickers as possible, but the question that emerges is: if there were a central registry of wallets and you had just simply a dropdown where you start typing.
Phil_L_(P1): Your wallet and it finds you, and that's that.
Dmitri Zagidulin: Okay, great question. So that is one of the attempted solutions to the NASCAR problem, to wallet selection, identifier selection: that search-ahead dropdown that you described. It works better in certain verticals such as banking or universities, right? There's a couple of, specifically education.
Dmitri Zagidulin: Non projects that do just that, what you're describing.
<deb_everhart> like shibboleth
Dmitri Zagidulin: So that is a potential, it's not a perfect solution, but that is a potential solution. But again, picture what that's going to entail: hey learner, go pick up your credential. Okay, I go to the site to pick up, now let's find what wallet you're using, and from a central registry, which again is its own kind of gatekeeping but may ultimately be needed.
Dmitri Zagidulin: Type ahead and select your wallet. Not perfect, a little bit awkward, but it is one of the possible solutions, yes.
Phil_L_(P1): The last question is, one of the things you didn't mention is, isn't part of the concern about the centralization, or at least the way in which OIDC is designed, that it certainly alerts the authenticating provider to a request that you've made?
Dmitri Zagidulin: Yes, that's also a problem. I didn't even mention it because.
Dmitri Zagidulin: right now it is definitely also a problem. In my mind the wallet selection problem is so awkward and so fundamental that it outshines everything else, but you're absolutely right that there is very much a privacy perspective: that Google or Facebook or your university will know every time you're logging in using their social login. Yes, you're absolutely right. Now,
Dmitri Zagidulin: it's less of a problem.
Dmitri Zagidulin: With OpenID Connect, because Google is managing your keys, they're going to know. It's less of a problem in wallet selection that my wallet is going to know that I logged in with them, because they're a local app on my phone; like, I'm okay with that. So less of a problem because of that.
Dmitri Zagidulin: Thanks Phil.
Dmitri Zagidulin: Questions, anybody else?
Kerri Lemoie: There's nobody else, but I'm going to keep myself up for a question. What I'm hearing, in the short term right now, is that platforms are familiar with OpenID, they've been using it for a long time, and in the short term this works, right? And in education this works pretty well right now, but there might be other options in the future that we will consider as the system matures.
Dmitri Zagidulin: Great, so let's be very specific.
Dmitri Zagidulin: OIDC, the fantastic solution for the binding of existing student identity to the new DIDs. So for that it works great, hardly a problem even. What is a problem, and we don't have a solution for, is still wallet selection
Dmitri Zagidulin: of interoperable wallets, and that's what we're working for, right? Like, that's what we're working on here in this group, in the JFF interop effort: we want a world where students can export and transfer their credentials with multiple wallets that are hopefully on open standards. But if we achieve that world,
Dmitri Zagidulin: we will have the wallet problem.
Dmitri Zagidulin: Either way, in order to achieve that world we will need to solve wallet selection, which OpenID Connect does not solve. That is the whole problem.
<phil_l_(p1)> Another concern is that the centralized registry of wallets must require demonstrated interop among the wallets added into the list. Dmitri referred to the gatekeeping issue at the registry level, of which this is a part.
Kerri Lemoie: Right. And before I hand this over to Marty, he's also in the queue, I think another complicating aspect to this is that issuers are typically issuing these credentials directly, very typically using platforms, so in between the issuer and the wallet we have platforms that are also handling the identity.
Kerri Lemoie: And this has been the case with Open Badges for a long time. You know, I work for a badging platform, but there are several out there, and they'll be some of the first ones to start doing this too. That is also something to consider, I think.
Dmitri Zagidulin: Yep, good point, good point.
Marty Reed: So I don't necessarily have a question as much as I just wanted to share a few approaches that we've taken in the Open Credential Publisher project with North Dakota and the other participants there. North Dakota has actually created a demo piece of this. We are using basically an email credential, so as long as your wallet, for
Marty Reed: for this,
Marty Reed: is on Sovrin... but we have another pilot started with Microsoft and their DID ION project. But the email credential can be generated via the web interface, issued to whichever wallet on the Sovrin network, so you know Trinsic, IDRamp, Evernym, and once you've issued this email credential, then the OIDC implementation on the Open Credential Publisher and on the Teacher Wallet allows the user to
Marty Reed: authenticate with that VC.
Marty Reed: So it's actually connected to the DID, in that the DID is the wallet, but the credential, you know, is validated kind of two-factor with the email address. And so on the other side of things, with the North Dakota infrastructure internally, they also connect with a PowerSchool login via this VC
Marty Reed: credential, and so that VC credential connects to the iadc account via the email map and then allows them to authenticate. So that's one way that we've approached it, to kind of solve for, you know, the NASCAR problem, i.e. we don't really care what wallet you have as long as it has the right credential to authenticate with. So just as an example, and then
Marty Reed: in addition to that, on
Marty Reed: the issuing side, issuing to a wallet, we actually don't connect the login from North Dakota's infrastructure to the wallet; we just handle it in session, which has its own challenges, but that way the user then selects the wallet. So I just wanted to share those couple of examples
Marty Reed: that we've tried to solve for some of these problems, and we'll, you know, continue to think about that. But any thoughts on that approach, Dmitri?
Dmitri Zagidulin: Thank you so much Marty, and this is exactly why calls like this are so valuable, because we get to hear from
Dmitri Zagidulin: real deployments out in the field and learn from them. So let's zoom in. You have this use case and you have multiple wallets that are interoperating.
Dmitri Zagidulin: Let's ask: how do you solve the wallet selection problem while getting the credential into their wallet in the first place? Right, so when they're first picking up that email credential VC, how do you solve the wallet selection problem? How does the user choose which wallet to save it in?
Marty Reed: So the user, from the wallet application, scans the QR code to import that VC. So that's how... it's not up front; they just open the wallet, they scan, and so you can have multiple wallets on your phone; whichever wallet you scan with is the wallet that that VC goes into.
Dmitri Zagidulin: Right, okay, got it. And what happens if you want to pick it up... what if you don't have a second device, right? Or rather, yeah, so what if you're picking up your credential on your phone? You can't really scan your phone screen with your phone.
Marty Reed: Right, yeah, and so then the link kind of uses a last-in model, so the last wallet that you opened is where the VC goes.
Dmitri Zagidulin: Right, and I suspect that it's slightly more complicated than that, just because of the affordances that unfortunately the mobile operating system vendors provide us. So this is a great example, and this was one of the things that was argued about on the CCG thread that Kerri brought up, which is: one of the techniques that
Dmitri Zagidulin: both the OpenID
Dmitri Zagidulin: and the wider SSI wallet world has come up with is, if the user has two devices and we can present a QR code on one of the screens, then we can ask the user to go manually pick the wallet that they're going to be using, meaning open that up on their phone, scan the
Dmitri Zagidulin: QR code on that other device, and so perform wallet selection using that technique. It is an absolutely valid technique and one that we use as well in DCC.
Dmitri Zagidulin: But it has the fundamental limitation of: you need two devices with screens in order to do it. There's no way to pick up the credential just on your phone, or to pick up the credential just on your desktop. So thank you so much Marty; like, there is a handful of techniques that people are using and that's one of them. They are unfortunately limited, and maybe we as a community,
Dmitri Zagidulin: for the lack of better options, we can say okay, we can learn to live with these limitations. One of the things that was argued about in the email thread, this is to go back to... there are four different protocols right now to deal with VCs.
<kerri_lemoie> Thread in case you haven't seen it: https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0101.html
Dmitri Zagidulin: Several of the protocols don't have that limitation; they're able to pick up the verifiable credentials on the same device. They don't need the two-screen scan, although they can work with that as well. But others, like OpenID Connect, do have that limitation.
Dmitri Zagidulin: Anybody else? Like, I'm curious, for example, to hear from the Pocket team; I'm so glad we have a member from
Dmitri Zagidulin: Harley's had at the start of the
Dmitri Zagidulin: call. I'm not sure if we still have them.
Kerri Lemoie: I think he's still here.
Dmitri Zagidulin: Okay, yes, I'm...
Dmitri Zagidulin: as always, really great to hear from you.
<kayode_ezike> In a native mobile setting, is there a design that resembles "share via"?
<marty_reed> great discussion Dmitri, well explained!
Kerri Lemoie: Great. I think maybe, you know, one of the things we want to do is get more wallets on this call, so I think this is something we could ask about; let me do that. Thank you Dmitri, I really appreciate you walking us through that, because there's a whole lot of backstory there I had no idea about, even working on the web for so long. So thank you very much for explaining that so well.
Dmitri Zagidulin: Thanks Kerri. So I noticed that Kayode asked a good question in chat, which is: in the context of mobile devices, in the context of picking up a credential on my phone without having another screen, for example, to deal with, is there an interface that
Dmitri Zagidulin: uses the mobile operating system share sheet? We're all familiar with the "share via", right? Both on Android and on iOS we have the icons that encourage you to, if you like this image, share it via this messenger or share it via Twitter and so on, right? So the native operating systems, all of them in one way or another, have this notion of a share sheet, and are any of the current protocols
Dmitri Zagidulin: using it? Great question. That was one of the things being argued about on that thread: is the
Dmitri Zagidulin: Credential Handler API protocol, CHAPI for short,
Dmitri Zagidulin: using the native mobile system... or rather, the next iteration of CHAPI, and we have demos out there that I can link to,
Kerri Lemoie: CHAPI: https://w3c-ccg.github.io/credential-handler-api/
Dmitri Zagidulin: does use the iOS or Android share sheet. So the way it works is you click the link, up pops the familiar share screen that we're all familiar with, and you select the apps that are registered to receive the share event for that particular data type. So yes, that is an option; we can absolutely do that.
<kayode_ezike> Awesome, thanks Dmitri!
Kerri Lemoie: OpenID: https://openid.net/connect/faq/
Dmitri Zagidulin: In this one particular family of protocols, not others, though hopefully others will pick up that technology as well. The reason we can do that, and not because we're particularly clever, is because W3C has another spec called the Web Share API.
Kerri Lemoie: DIDComm: https://identity.foundation/didcomm-messaging/spec/
Dmitri Zagidulin: And the Web Share API is supported by the majority of mobile and other browsers. So now it's tricky too, because it's designed to work with just raw text or hyperlinks; it's tricky to get it to work with verifiable credentials in an interoperable way, but it's definitely possible and we do encourage doing that.
Phil_L_(P1): Yeah, I remember reading through that thread and I thought there was a comment there that said that Web Share was not, from a security perspective, sufficiently robust because of the potential phishing that is available.
Dmitri Zagidulin: Ah, good question. No, the opposite: custom protocol handling is not sufficiently robust because of security. So...
Phil_L_(P1): So Web Share has protections that are encrypted in the way in which it's shared, okay.
Dmitri Zagidulin: That's correct, or rather, let's zoom in real quick.
Dmitri Zagidulin: It's not that it has encryption. It's more that... so one of the family of OpenID Connect protocols is called SIOP, which stands for Self-Issued OpenID Provider. So that is one of the two main directions that the OpenID Foundation is focusing on. SIOP is a great protocol,
Dmitri Zagidulin: but here's the thing.
Dmitri Zagidulin: Here's its main limitation.
Kerri Lemoie: SIOP: https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
Dmitri Zagidulin: It only works via the custom URL protocol handler, so it doesn't use HTTP/HTTPS URLs; it uses openid: URLs, and that's where the security limitation comes in, which the SIOP working group is very much aware of and points to in their specification. There's a section in the SIOP spec that says "we're really unhappy about this," that this approach can lead to phishing.
Dmitri Zagidulin: Phishing can be done.
Dmitri Zagidulin: Here's why. Unfortunately, this is the fault of Google and Apple, mostly Apple.
Dmitri Zagidulin: When you have more than one application that registers to handle openid links, meaning when you have more than one wallet, again,
Dmitri Zagidulin: the behavior of what happens when you click on that link is undefined, meaning you're not presented with a list of "here, pick which wallet to use." No, it just picks one. Which means that, since any app in the app store can register to handle openid links, so
Dmitri Zagidulin: if I want to pick up a credential using SIOP and I'm expecting that it will end up in my wallet, it can instead be intercepted by some random game that I picked up the other day that registered a handler for openid and intercepted that call. That's the problem, and the share sheet does not have that, because on the share sheet you explicitly pick the app that you're sharing it to. Does that make sense?
<kerri_lemoie> We didn't get to the credential identity topic today but here's a link to the slides: https://docs.google.com/presentation/d/1gL5b59jMjCFIDnyjruIZgZD9ZQVCFuvMp60mMbodUic/edit#slide=id.g11d7d1204ed_0_15
Phil_L_(P1): Yes, that makes perfect sense.
Dmitri Zagidulin: All right, so I see, yeah, I see we're at the top of the hour and didn't get to talk about identity. Go ahead, Kerri.
Kerri Lemoie: Yeah, and that's perfectly fine. Thank you for walking us through this; I think we need this discussion and I hope we come back to it. In the chat I put links to the slides about identity that we will circle back to, so feel free to read those over in preparation, and we will get back to it, like, next month or so. And I believe next week actually, if I'm looking at this right, I think the DCC wallet, they will be presenting the learner wallet, so stay tuned for that. Okay, thank you so much everybody, have a great week.
Kerri Lemoie: Thank you.
<taylor> Thanks Kerri, Dmitri and all :)
Received on Monday, 21 March 2022 21:44:11 UTC