- From: CCG Minutes Bot <minutes@w3c-ccg.org>
- Date: Mon, 21 Mar 2022 21:44:10 +0000
Thanks to Our Robot Overlords for scribing this week!
The transcript for the call is now available here:
https://w3c-ccg.github.io/meetings/2022-03-21-vc-education/
Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:
https://w3c-ccg.github.io/meetings/2022-03-21-vc-education/audio.ogg
----------------------------------------------------------------
VC for Education Task Force Transcript for 2022-03-21
Agenda:
https://lists.w3.org/Archives/Public/public-vc-edu/2022Mar/0005.html
Topics:
1. IP Note
2. Call Notes
3. Introductions & Reintroductions
4. Announcements
5. About CCG Email Thread: "Centralization dangers of applying
OpenID Connect to wallets" (Dmitri Zagidulin)
Organizer:
Kerri Lemoie
Scribe:
Our Robot Overlords
Present:
Kerri Lemoie, Stuart Freeman, Marty Reed, Deepak Kulkarni,
Kaliya, Andy Miller, Taylor, Colin, LEF, Dmitri Zagidulin, Sharon
Leu, Jim Kelly, Phil Barker, Tony Sheppard, Deb Everhart,
Matthias Gottlieb, Jim Goodell, Kimberly Linson, Kayode Ezike,
Phil L (P1)
<colin,_lef> gm gm
Our Robot Overlords are scribing.
Topic: IP Note
Kerri Lemoie: Hey, hello everybody. Welcome to the March 21st VC-EDU
task force call. Today our topic is going to be on identity and
education credentials. I'm going to go through some of the
announcements and boilerplate stuff that we always start these
meetings with. The first one to know is the IP note: anyone can
participate in these calls, but for any substantive continued
contributions...
Kerri Lemoie: ...you have to...
Kerri Lemoie: https://www.w3.org/community/credentials/join
Kerri Lemoie: ...to do those, you have to be members of the CCG
with full IPR agreements, and you can read more about this at
this link that I put in the chat now.
Topic: Call Notes
Kerri Lemoie: Please note that all of these meetings are
recorded. We do our best with our infrastructure to record them
all and then also have a transcription of the meeting minutes, so
you will see in the chat that there's an auto-transcriber that is
recording what I'm saying right now. What you can do while we're
taking these notes is, if you see something the transcriber has
really flubbed up pretty badly, you can do a substitution.
Kerri Lemoie: In the chat, like:
Kerri Lemoie: That would be very helpful in publishing the
minutes, and that would look something like this, where you do an s
and a forward slash. I'm just going to make up one right now that
doesn't exist, but the middle between the brackets is the word you
want to replace, and then the replacement. We do use queues in these
calls, so instead of just speaking out, please put yourself in
the queue. You can do this by typing q+ if you know what you're...
Kerri Lemoie: ...going to say. Something about what you're going to
say, you can say:
Kerri Lemoie: q+ topic.
Kerri Lemoie: And then you can also remove yourself from the
queue.
Topic: Introductions & Reintroductions
Kerri Lemoie: Okay, let's do some introductions and
reintroductions. Is there anybody on the call today that would
like to introduce themselves?
Kerri Lemoie: A lot of familiar faces. If there's someone who'd like to
introduce themselves or reintroduce themselves and give us an
update on what you're working on, here's an opportunity to do so.
Deepak_Kulkarni: Hi, I'm Deepak Kulkarni. I work for ASU and
also work for the Pocket initiative that you might be familiar
with.
Deepak_Kulkarni: But the chain, thank you.
Kerri Lemoie: Yeah, oh great, thank you for introducing
yourself, Deepak.
Topic: Announcements
Kerri Lemoie: Okay, our next part is announcements and reminders.
Kerri Lemoie: So I have two on my list. One is for tomorrow's CCG
call; the TL;DR for that is that John Gleason and Dominic Marina from
storage will give an overview of decentralized cloud object
storage, which has emerged from the same ethos as the decentralized
identity community. They will discuss their edge access management
features and have a discussion around using SSI identity with
decentralized storage. If that sounds interesting to you, the link to
the agenda and the connection...
Kerri Lemoie: ...info is going to be in the chat right now.
<kerri_lemoie> Link to agenda & connection info:
https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0088.html
Kerri Lemoie: Also, on April 26th through April 28th is the
Internet Identity Workshop. This is being held at the Computer
History Museum in Mountain View, California.
Kerri Lemoie: https://internetidentityworkshop.com/
Kerri Lemoie: I put the link in the chat. I'm
actually attending this year; it's the first conference I've
attended in over two years in person, so I'm really looking
forward to it. If you can make it, I suggest that you go, because
you will get to spend some time with the people who have been
thinking about identity for a really long time, and it's a great
opportunity to learn and wrap your head around some of these
concepts that are really challenging at times.
Kerri Lemoie: Let me see if there's anyone in the queue right
now.
Kerri Lemoie: Anyone else have any other announcements that they
would like to make before we get started on today's topic?
Kerri Lemoie: You're in the queue.
Kaliya: Hi, thanks for sharing about IIW, and people should also
know that if...
Kaliya: ...accessibility is an issue over price, you can come and
talk to us about...
Kaliya: ...that. We're really committed to opening it up. I have
another event that people might be interested in called
Mitigating Harms in Web3, happening April 1. I'm on my phone so
it's hard to put it into chat; if you search on Eventbrite for
mitigating harms and web three it'll come up, and it's five
hours on April 1, depending on what time zone you're on.
Kerri Lemoie: I think I found it. I'm going to put it in the chat
right now.
Kerri Lemoie:
https://www.eventbrite.com/e/mitigating-harms-in-web3-tickets-260675526517
<deb_everhart> Open Badges Summit call for proposals is open:
https://docs.google.com/forms/d/e/1FAIpQLSeIGapaEFIjB5WYYB9fkc1snJicqdUdGPqSLe_RFNv2gIcAJA/viewform
Kaliya: And then I just have one more thing; it's
kind of an aside. I'm working with a verifiable credentials policy
committee on getting some legislation passed in California to
create a trust framework and a pilot project within higher, well,
within education. So if there's anybody in this group based in
California interested in helping, say something to your
legislators about this.
Kaliya: I'd love to connect.
Kerri Lemoie: Basically, what's the best way for folks to reach
you?
Kaliya: I think email, kaliya at identitywoman dot net.
<deb_everhart> deadline for proposals is April 15 and the
conference is Aug 1-2 f2f and Aug 9 virtual
<colin,_lef> Woot woot!
Kerri Lemoie: Thank you, and then Deb Everhart, you posted the
Open Badges Summit call for proposals in chat. That is great; that is
on August 1st and 2nd in Boulder, Colorado this year, and the
deadline to do your proposal is April 15th, I believe. That's
another one I will be attending.
Kerri Lemoie: Bit of course.
Kerri Lemoie: Okay, any other announcements before we get started
on our education credential learner identity discussion?
Topic: About CCG Email Thread: "Centralization dangers of applying OpenID Connect to wallets" (Dmitri Zagidulin)
Kerri Lemoie: A large part of why we're all working on
verifiable credentials is that we believe that individuals should
have more control over their data, and this includes deciding what
identity is associated with their credentials.
Kerri Lemoie: And our...
Kerri Lemoie: Our goal very soon, hopefully this spring, is to
publish a community report that informs the education and
training ecosystem about issuing and verifying VCs. We're
narrowing in on this report. Today I would really like to hold a
discussion about identity and credentials to help inform the
community. It's a continuing, ongoing conversation and it's a
moving target right now, but in order to get implementations going
we've landed somewhere, and so we can talk about that and then
talk...
Kerri Lemoie: About what they choose me or die.
Kerri Lemoie: ...if there are any questions that remain. And before we
get started...
Kerri Lemoie: Dmitri, I was wondering if you could help us out.
There's been this long thread going on over the weekend on the
CCG mailing list about OpenID and choppy and did come centralized
versus decentralized, and someone who has been working on it a while
is one of our co-chairs. I was wondering if you could unpack that
thread for us and help explain the issues that are going on
and how it affects what we're doing.
Dmitri Zagidulin: Sure, thanks, thanks Kerri. I can certainly
give it a try. It's a long thread and has branched out into
many sub-threads; lots of things are being discussed there, the
health of the CCG community, the interaction with other standards
bodies, but at the heart are a couple of things. At the moment
there are, let's say, three or four...
Dmitri Zagidulin: ...that can be used.
<kerri_lemoie> (ignore topic having the floor - Dmitri has the
floor)
Dmitri Zagidulin: There are three or four protocols that can
be used for verifiable credentials: to request that they're issued,
to transport them into the wallet, to verify them, to transfer them
between wallets, right? So a lot of the time in this group we've
started with...
<kerri_lemoie> Feel free to queue up your questions about this.
Dmitri Zagidulin: ...focusing on the data model. So we have the
Verifiable Credentials Working Group that has standardized the
envelope for us, so what we do in this group is discuss a lot what
goes into the envelope, so the data model of the payload itself,
and of course in parallel with that we need to discuss how do we
get it into student wallets, how do we exchange it between our
server-to-server systems, how do we verify, and all that stuff.
Dmitri Zagidulin: So the protocol and the data model question is
in...
Dmitri Zagidulin: And today there are three or four different
APIs being formed by different standards bodies that can be used
to do something with verifiable credentials. So...
Dmitri Zagidulin: So that was thread one: why are there competing
APIs, and what can be done to either converge their development or
at least make it clear to users, to implementers, what the
strengths and weaknesses of each API are, why one would
choose W3C's VC API or DIF's Presentation Exchange or the OpenID
Foundation's...
Dmitri Zagidulin: ...Self-Issued OpenID, or the draft of OpenID
Connect for Verifiable Presentations.
Dmitri Zagidulin: Which is the work that the OpenID Foundation
is currently doing.
Dmitri Zagidulin: In a certain sense, the fact that there are...
Dmitri Zagidulin: ...four different APIs is healthy, right? It means
a lot of communities have sat up and taken notice of
verifiable credentials.
Dmitri Zagidulin: It means that they're definitely making an impact in
the world, and all the standards bodies have their own
different approach to handling it. So that was issue one:
what's the relationship between these...
Dmitri Zagidulin: How do we...
Dmitri Zagidulin: ...standards bodies to communicate, to cross-
pollinate, and all that stuff.
Dmitri Zagidulin: Thread number two was: Manu and several
others, including myself (and I can qualify that and answer
questions), have stepped forward and said we understand where OpenID
Connect is coming from.
Dmitri Zagidulin: But specifically when it comes to...
Dmitri Zagidulin: ...using OpenID Connect for general-purpose
verifiable credentials wallets for consumers.
Dmitri Zagidulin: We feel that...
Dmitri Zagidulin: ...the versions of the OpenID Connect
protocol tailored to work with verifiable credentials...
Dmitri Zagidulin: ...are in danger of...
Dmitri Zagidulin: ...exerting a market and technological pressure
towards monopoly, towards centralization.
Dmitri Zagidulin: Now I know we use centralization or
decentralization as sort of value judgments a lot of times in the
space, or especially in the web3 space, to the
point where it becomes apocryphal. So what do we mean by that?
Dmitri Zagidulin: What do I personally mean when I
say that it exerts a market pressure towards monopoly more so
than other protocols?
Dmitri Zagidulin: It has to do with the issue of wallet
selection and the NASCAR problem, which we'll get into in a
second.
Dmitri Zagidulin: I also want to preface this that...
Dmitri Zagidulin: ...in the education space...
Dmitri Zagidulin: ...we have kind of a unique approach to this and
a unique set of problems. Here's what I mean by that: so, for
example, several of the wallets that I work with, for example the
Digital Credentials Consortium DCC wallet, very much use OpenID
Connect for purposes of binding the existing student identity to
the decentralized identifier that the student brings, which is the
other topic of this call...
Dmitri Zagidulin: ...that Kerri...
Dmitri Zagidulin: ...would like to talk about, right? So we have, in our
typical university or other school setups, we have existing
student information management systems; particularly we have a
database with a student ID in it somewhere, and we're trying to
introduce these DIDs, these decentralised identifiers.
Dmitri Zagidulin: And one of our challenges as technologists is
how do we bridge that gap, how do we on-ramp, how do we
bind the new decentralized identifiers, which are controlled by
the students or by the individual person, how do we bind those to
that user ID in the database that exists on the learning
institution's server somewhere.
Dmitri Zagidulin: And so the reason the DCC wallet uses OpenID
Connect is for that binding. It is an excellent mechanism:
when asking for a learner credential to be issued, OpenID
Connect provides an excellent mechanism to say okay, we're going
to bind the OpenID Connect user ID "Dmitri one two three"...
Dmitri Zagidulin: ...and their email to this decentralized
identifier.
Dmitri Zagidulin: Here's why I bring this up in the context of
the discussion of the centralizing pressure or monopolizing pressure
of OpenID Connect.
Dmitri Zagidulin: This is something that I believe exists in the
general-purpose world, but less so in our field of education. It
has to do with...
Dmitri Zagidulin: ...user expectation, and basically it has to do
with: students are already a captured audience with a...
Dmitri Zagidulin: ...going to account on the university's or school
system. So usually...
Dmitri Zagidulin: So hold on one second, help me close the door,
the dogs are very excited over here. And I don't have a good view of
the chat; Kerri, please feel free to interrupt if there are
questions in chat.
Kerri Lemoie: Nothing yet, thank you.
Dmitri Zagidulin: Let me describe the general situation and
then we can qualify what we think is different in the
education space. So one of the terms that's thrown about in
discussions in the decentralized identity space is a term called the
NASCAR problem.
Dmitri Zagidulin: For those of you not in the US or just not
familiar with NASCAR: NASCAR is a United States car racing
association, and one of the iconic things of NASCAR is these
racing cars are plastered with logos of sponsors.
Dmitri Zagidulin: Regardless of the teams, all the big companies
sponsor the teams and plaster their logo on the car, so the cars are
just, you know, very colorful banner ads essentially, with
dozens if not hundreds of different logos.
Dmitri Zagidulin: And so the NASCAR problem is...
Dmitri Zagidulin: The rise of social login, which has brought a
lot of benefits and was intended to bring a lot
of decentralisation to cross-domain login, but instead you see
on sites that support it a preponderance of logos. So if a site
supports social login, you're usually presented with an array of
buttons that says log in with Google, log in with Facebook, log in
with LinkedIn...
Dmitri Zagidulin: ...with GitHub, and...
Dmitri Zagidulin: ...as long or short a list...
Dmitri Zagidulin: ...as that particular website decides its users
are going to use. So...
Dmitri Zagidulin: Closely related to that is the wallet selection
problem. So with...
Dmitri Zagidulin: ...I'm sort of, Web 2.0 social login, which
incidentally is based on OpenID Connect.
Dmitri Zagidulin: We have this problem of: in order to use social
login, the user has to select their identity provider, or
essentially the user has to select their wallet, where they
have an account that manages cryptographic keys for them. So in
looking at the list of log in with Facebook, log in with Google, etc.,
that right there is the wallet selection step; that is the
identity provider selection step.
Dmitri Zagidulin: And then...
Dmitri Zagidulin: ...the long list of different logos, different
brands with which they can log in, which is reminiscent of the
logo-plastered racing cars at NASCAR.
Dmitri Zagidulin: So why does this happen?
Dmitri Zagidulin: OpenID Connect is the third iteration of the
OpenID protocol; it was prefaced by OpenID 1 and OpenID 2.
Dmitri Zagidulin: And both OpenID 1 and OpenID 2, as part of the
input, required the user to paste in the URL of their identity
provider. There's literally a text box, and the user logging in was
literally required to cut and paste or type in the URL of, so,
google.com or facebook.com or their university's webpage, or if
they were running...
Dmitri Zagidulin: ...WordPress or...
Dmitri Zagidulin: ...in general something like that, that URL. And as
you can probably imagine, but this was actually confirmed by
scientific studies paid for by Yahoo and others, this is incredibly
bad usability. So OpenID sites ran usability studies and
discovered that users hate this; this is really confusing, nobody
wants to type in URLs.
Dmitri Zagidulin: So what's interesting about OpenID Connect,
the third iteration of this protocol: it did learn from this
Achilles heel of OpenID, that asking people to type in...
Dmitri Zagidulin: ...asking people to perform the wallet selection step,
the IdP selection step, is incredibly cumbersome.
Dmitri Zagidulin: And OpenID Connect at its inception
had an answer to this.
Dmitri Zagidulin: It was called WebFinger, thank you protocol
neighbors, and it allowed the user to type in their email address
and through the email address...
Dmitri Zagidulin: ...discover the URL of their preferred OpenID
Connect provider. So the original design of the OpenID Connect
protocol had a solution to the NASCAR problem. It said okay, we
don't want people to type in the URL of their wallet.
Dmitri Zagidulin: Users are used to typing in their email, so it's
fine, that's an okay ask, and through this other piece
of infrastructure that we have...
Dmitri Zagidulin: ...by typing in the email, we're going to let
machines discover their preferred wallet provider. Great, this is a
fantastic system.
Dmitri Zagidulin: Here's the only problem, here's why instead we
have this list of logos, this list of social ID buttons.
Dmitri Zagidulin: WebFinger required that email providers
support this protocol, this WebFinger protocol, and essentially it
all rested on Google. Google was one of the participants in the working
group that was coming up with the OpenID Connect protocol and put
forward its support for WebFinger.
Dmitri Zagidulin: And they...
Dmitri Zagidulin: ...sort of figured that okay, if we land Gmail, if
Gmail supports this, right, that's a lot of users, and then that'll
exert market pressure for all the other email providers
to...
Dmitri Zagidulin: ...support this as well. And so, hey, we've solved
one of the thorniest problems in identity, which is the wallet
selection problem. Great.
Dmitri Zagidulin: Partway through the process, maybe at the last
moment, I wasn't really there, but the Google leadership cut
support for WebFinger, so pulled the plug.
Dmitri Zagidulin: And because Gmail didn't support it, none of
the other major email providers supported it, and essentially
WebFinger was dead on arrival. So the OpenID Connect protocol,
which is a fantastic protocol, has lots of innovation and
specifically learned from the mistakes of its predecessors in a
lot of ways, plugged a lot of security issues in OpenID 1 and 2
and also in OAuth 2, to which OpenID Connect is...
Dmitri Zagidulin: ...a successor; it builds on OAuth 2. So, great.
Dmitri Zagidulin: Unfortunately, at launch...
Dmitri Zagidulin: ...a major, major part of it was killed, the
WebFinger part, the wallet selection part, and so that leads us
to the world where we are right now: we obviously don't want
to present a text box to the user to type in the URL.
Dmitri Zagidulin: Typing in...
Dmitri Zagidulin: ...email doesn't work because WebFinger never
caught on, due to market pressures and political pressure.
Dmitri Zagidulin: So instead we present the user with a bunch of
buttons.
Dmitri Zagidulin: That contain the URL. And, yeah, so the
buttons replace the text box.
Dmitri Zagidulin: All right, so all that digression: how does that
relate to what we're here for, how does that relate
to decentralized identity and our student wallets, our learner
wallets?
Dmitri Zagidulin: It relates directly.
Dmitri Zagidulin: Most of the things that we want to do, log in
with your DID, ask for a credential to be issued into your wallet...
Dmitri Zagidulin: ...all have to do with step 1.
Dmitri Zagidulin: So we in the VC world have the exact same
problem of wallet selection that the OpenID Connect world has
had, and we have almost the exact same set of fundamental tools to
do it with, which is a text box or a list of buttons.
Dmitri Zagidulin: Much like they're going to do a world where,
okay, yeah, so let's talk about why that led to centralization. You
can...
Dmitri Zagidulin: ...you can see it intuitively.
Dmitri Zagidulin: The long list of logos, long list of social
login buttons, is annoying to users, and so each website that
presents social login...
<phil_l_(p1)> Isn't step 1 actually choose your identifier, and
then choose your wallet?
Dmitri Zagidulin: ...is under usability pressure to present as few buttons
as possible, which means everybody picks the top, most recognizable
wallets, identity providers; everybody picks...
Dmitri Zagidulin: ...Gmail, Facebook, LinkedIn, whatever their
particular niche is.
Dmitri Zagidulin: So the dream of...
Dmitri Zagidulin: The recording room did not like...
Kerri Lemoie: Like they were talking about OpenID, we're still
getting the transcription to the Head.
Dmitri Zagidulin: Okay, fantastic. All right, so we'll do our best
here.
Dmitri Zagidulin: So OpenID Connect, which is the decentralized
protocol...
Dmitri Zagidulin: ...was at its heart meant to provide genuine
consumer-level choice in wallets.
Dmitri Zagidulin: Instead, because it was missing the solution to
the wallet selection problem...
Dmitri Zagidulin: ...it presented the NASCAR problem, and the only
solution to the NASCAR problem that the world has come up with so
far...
Dmitri Zagidulin: ...is trying to reduce the number of logos by
only presenting the most well-known wallets, which is where we are
right now, right? A small handful of the big main companies and
their wallets: Google, LinkedIn, and so on.
Dmitri Zagidulin: In the VC world we're in the exact same bind,
in the exact same situation; we have the same
toolset that OpenID Connect had.
Dmitri Zagidulin: It means it's the same usability problem, that
wallet selection step. And now there's asterisks on all this; we'll get
into the details of do we exactly have the same toolset or do we
have any other kind of techniques, what can we do about this, we'll
get into all of that. So right now we're just trying to paint a
picture of what that email thread was about. So OpenID Connect
has this wallet selection problem, we have the exact same wallet
selection problem, and just as OpenID Connect's NASCAR problem
led to...
Dmitri Zagidulin: The only...
Dmitri Zagidulin: ...most websites are able to find is...
Dmitri Zagidulin: ...a small handful of winner-take-all wallets.
Because we're in the exact same situation, exact same market
pressure and technologies, if we're not careful in the VC world
we're going to end up in that same situation: we're going to end
up with "here are the two to three most well-known wallets" and
everybody else is out of luck. We certainly don't want to put in a
text box for the user to type in the name of their wallet or
whatever.
Dmitri Zagidulin: Now, why haven't we seen that yet?
Dmitri Zagidulin: Because there's just not that many VC wallets
yet, and especially, here's the important part, at the moment
there's almost no...
Dmitri Zagidulin: ...more than one interoperable VC wallets, which
is where this problem starts to be seen, right? So with social
login, all social logins are theoretically interoperable because
they theoretically use OpenID Connect, although in practice,
what's unfortunate, they're not, so Google uses a subtly different
identity protocol than Facebook. That's not the point; the point is
OpenID Connect is interoperable. And so we have the problem
in...
Dmitri Zagidulin: ...the wallet world.
Dmitri Zagidulin: ...have more than one wallet that is
interoperable with each other, we have this wallet selection
problem, and on all of the solutions. So to circle back
around: what the thread that Manu started was pointing out that...
Dmitri Zagidulin: ...said, I have concerns...
Dmitri Zagidulin: ...about this very successful standards body,
the OpenID Foundation, working on a version of OpenID Connect for
verifiable credentials. I have concerns that the very same
market pressures apply.
Dmitri Zagidulin: The unsolved problem of wallet selection is
going to lead us to the same centralizing place, to the same
monopoly, winner-take-all place...
Dmitri Zagidulin: ...that the previous iteration led to. Nothing has
fundamentally changed. And so a lot of the argument
that you saw in the thread, if you read it, was bickering
over the details, was trying to clarify: is it true that nothing has
changed, what about this technique and what about this technique,
and also in parallel...
Dmitri Zagidulin: ...especially coming from...
Dmitri Zagidulin: ...companies that are that small handful
of winner-take-all wallets.
Dmitri Zagidulin: You'll see some argument that oh, it's not so
bad, this pressure towards centralization, towards, you know, a
very small amount of logos, it's not so bad, you shouldn't worry
about it. And we'll let you make your own judgments there. Now what
about our corner of the world, what about education? So, for
instance, with the DCC wallet...
Dmitri Zagidulin: It's not as acute of a problem, because if I'm a
student of, I don't know, Georgia Tech University, and I'm trying to
pick up a credential from my university, wallet selection is not so
bad: I know I'm going to be logging in to Georgia Tech, and I'm
doing it not at some third-party relying party site, it's not
at a random website; I'm picking up my credentials at Georgia
Tech's website in the first place, right? So the...
Dmitri Zagidulin: ...focus of the use case...
Dmitri Zagidulin: ...already takes, in a lot of cases, or at least in
the case that the wallet deals with right now, has already
performed wallet selection. Unlike social login, where it's on
some website and needs to, I'm just picking it up at my university,
so the wallet selection has essentially already been performed.
I've gotten to that URL of the university site; I didn't have to
type it in; we're already there.
Dmitri Zagidulin: In that particular case, wallet selection and
identity provider selection is taken care of, and we can use the
power of the OpenID Connect protocol to bind the existing student
account, the existing student identity, with the decentralized
identifier. It's great.
Dmitri Zagidulin: Oh, also, however, however, again it's not a
problem because in the DCC context it's a pilot that just involves
one wallet. The moment we have more than one wallet that's
participating in this pilot, the moment that happens, even though
on the student login side...
Dmitri Zagidulin: ...IdP selection is solved because the student
is already at the university's website, the wallet selection
problem is not solved.
<jim_goodell> Locking a wallet to an institution sounds
problematic to me. Could it be select from market leader listed
but also have an "other" option to enter the domain of another
wallet provider?
Dmitri Zagidulin: We now have to essentially either somehow
guide the user to open up their preferred wallet app and perform
the operations from within it, which in itself has usability
problems, or...
<kayode_ezike> Maybe for a broader group, but any thoughts around
specifying wallet selection via DID services?
Dmitri Zagidulin: ...need to come up with some sort of mechanism in
the notification email...
Dmitri Zagidulin: ...that says hey, students, you have a credential
waiting, please go pick it up over here.
Dmitri Zagidulin: And now we have the NASCAR problem. Now we
need to present two buttons: pick it up with the DCC wallet,
or pick it up with Pocket, or pick it up with so-and-so
wallet, and now we're in the nightmare of preponderance of buttons.
Now we're in NASCAR land.
Dmitri Zagidulin: And again, as a community we have a couple of
nascent solutions to this and a lot of heated discussion, but it
is a real problem that even though it might not be as bad
or might not be as tangled in our neck of the woods, it is still
tangled in that we do need to perform wallet selection to get the
user inside of the wallet app...
Dmitri Zagidulin: ...or somehow guide the...
Dmitri Zagidulin: ...the protocol toll roads.
<marty_reed> as an example, we allow the user to create their own
e-mail VC to a SOVRIN based wallet, IDRamp, Trinsic, Evernym and
then allow them to authenticate via OIDC in the Open Credential
Publisher wallet and Teacher Wallet
Dmitri Zagidulin: ...selection. Okay, so I've spoken enough. Let's
take questions; hopefully this helps shed some light.
Kerri Lemoie: I did see we have a full... yeah, I mean this is great.
I know I will have some questions too. Phil, looks like it's you
right now.
Dmitri Zagidulin: Go ahead.
Phil_L_(P1): Hi Dmitri, a couple of things. First of all, is it
actually the case that the first problem is the wallet selection
and not the identifier selection? That is to say, if we are
encouraging DIDs, and of course one can have multiple DIDs, is
that the first question that has to be dealt with: what's the
identifier I'm going to match my university ID to?
Phil_L_(P1): Is that actually preceding the problem of the
NASCAR wallet selection? That's my question.
Dmitri Zagidulin: Fantastic problem, fantastic, sorry,
fantastic question, very insightful, and the answer is no. In the
DID world we have sworn a sacred vow in which we said the user
will never have to see or type in their DID. So we will never give
the user...
Dmitri Zagidulin: ...down of these big long opaque DID identifiers;
we're never going to ask the user to select which DID they're
logging in with. Instead we're going to outsource that problem to
wallets. That's why the wallet selection step is the
first step. You're right, conceptually it should be select the DID,
but because DIDs are big long opaque identifiers we don't expose
the user to them, so instead it's select the wallet, and then the
wallet will...
Dmitri Zagidulin: ...do their best in saying, you know, so...
Dmitri Zagidulin: ...select your profile, select your persona, select
are you logging in with your school DID or your work DID, right?
Dmitri Zagidulin: That's the wallet's responsibility.
Phil_L_(P1): So that's a wallet's responsibility, okay. So in
that, the second question was related to that, if I can continue:
I get the NASCAR problem and the sort of, the
pressure that that imposes to have as few stickers as possible,
but the question that emerges is, if there were a central registry
of wallets and you had just simply a drop-down where you start
typing...
Phil_L_(P1): ...your wallet and it finds you, and that's that.
Dmitri Zagidulin: Okay, great question. So that is one of the
attempted solutions to the NASCAR problem, to wallet selection,
identity selection: that search-ahead drop box that you described.
It works better in certain verticals such as banking or
universities, right; there's a couple of, specifically education,
Dmitri Zagidulin: projects that do just that, what you're
describing.
<deb_everhart> like shibboleth
Dmitri Zagidulin: So that is a potential, it's not a perfect
solution, but that is a potential solution. But again picture what
that's going to entail: hey learner, go pick up your credential.
Okay, I go to the site to pick up. Now let's find what wallet
you're using, and from a central registry, which again is its own
kind of gatekeeping but may ultimately be needed.
Dmitri Zagidulin: Go ahead and select your wallet. Not perfect, a
little bit awkward, but it is one of the possible solutions, yes.
Phil_L_(P1): The last question is, one of the things you didn't
mention is, isn't part of the concern about the centralization, or
at least the way in which OIDC is designed, is that it certainly
alerts the authenticating provider to a request that you've made.
Dmitri Zagidulin: Yes, that's also a problem. I didn't even
mention it because.
Dmitri Zagidulin: Right now it is definitely also a problem. In
my mind the wallet selection problem is so awkward and so
fundamental that it outshines everything else, but you're
absolutely right that there is very much a privacy perspective:
that Google or Facebook or your University will know every time
you're logging in using their social login. Yes, you're absolutely
right.
Dmitri Zagidulin: It's less of a problem.
Dmitri Zagidulin: With OpenID Connect, because Google is managing
your keys, they're going to know. It's less of a problem in wallet
selection that my wallet is going to know that I logged in with
them, because they're a local app on my phone; like, I'm okay with
that. So less of a problem because of that.
Dmitri Zagidulin: Thanks Phil.
Dmitri Zagidulin: Questions anybody else.
Kerri Lemoie: There's nobody else, but I'm going to queue myself
up for a question. What I'm hearing in the short term right now is
that platforms are familiar with OpenID, have been using it for a
long time, and in the short term this works, right, and in
education this works pretty well right now, but that there might
be other options in the future that we will consider as the
system matures.
Dmitri Zagidulin: Great, so let's be very specific.
Dmitri Zagidulin: It's a fantastic solution for the binding of
existing student identity to the new DIDs, so for that it works
great, hardly a problem even. What is a problem, and we don't have
a solution for, is still wallet selection.
Dmitri Zagidulin: Of interoperable wallets, and that's all that
we're working for, right, like that's what we're working on here
in this group, in the JFF interop effort: we want a world where
students can export and transfer their credentials with multiple
wallets that are hopefully on open standards. But if we achieve
that world.
Dmitri Zagidulin: We will have the wallet problem.
Dmitri Zagidulin: Either way, in order to achieve that world we
will need to solve wallet selection, which OpenID Connect does not
solve. That is the whole problem.
<phil_l_(p1)> Another concern is that the centralized registry of
wallets must require demonstrated interop among the wallets added
into the list. Dmitri referred to the gatekeeping issue at the
registry level, of which this is a part.
Kerri Lemoie: Right, and before I hand this over to Marty, who is
also in the queue, I think another complicating aspect to this is
that issuers are typically not issuing these credentials directly;
very typically they're using platforms, so in between the issuer
and the wallet we have platforms that are also handling the
identity.
Kerri Lemoie: And this has been the case with Open Badges for a
long time. You know, I work for a badging platform but there are
several out there, and they'll be some of the first ones to start
doing this too, so that is also something to consider, I think.
Dmitri Zagidulin: Yep good point good point.
Marty Reed: So I don't necessarily have a question as much as I
just wanted to share a few approaches that we've taken in the Open
Credential Publisher project with North Dakota and the other
participants there. North Dakota has actually created a demo piece
of this. We are using basically an email credential, so as long as
your wallet for.
Marty Reed: For this.
Marty Reed: On Sovrin. But we have another pilot started with
Microsoft and their DID/ION project. The email credential can be
generated via the web interface and issued to whichever wallet on
the Sovrin network, so you know Trinsic, IdRamp, Evernym, and once
you've issued this email credential then the OIDC implementation
on the Open Credential Publisher and on the teacher wallet allows
the user to.
Marty Reed: Authenticate with that VC.
Marty Reed: So it's actually connected to the DID, in that the
DID is the wallet, but the credential, you know, is validated kind
of two-factor with the email address. And so on the other side of
things, with the North Dakota infrastructure internally, they also
connect with a PowerSchool login via this VC.
Marty Reed: Credential, and so that VC credential connects to the
iadc account via the email map and then allows them to
authenticate. So that's one way that we've approached it, to kind
of solve for, you know, the NASCAR problem, i.e. we don't really
care what wallet you have as long as it has the right credential
to authenticate with. So just as an example, and then.
Marty Reed: In addition to that, on.
Marty Reed: Issuing to a wallet, we actually don't connect the
login from North Dakota's infrastructure to the wallet; we just
handle it in session, which has its own challenges, but that way
the user then selects where the wallet is. And so I just wanted to
share those couple of examples.
Marty Reed: That we've tried to solve for some of these problems,
and we'll, you know, continue to think about that. But any
thoughts on that approach, Dmitri?
Dmitri Zagidulin: Thank you so much, Marty, and this is exactly
why calls like this are so valuable, because we get to hear from.
Dmitri Zagidulin: Real deployments out in the field and learn
from them. So let's zoom in: you have this use case and you have
multiple wallets that are interoperating.
Dmitri Zagidulin: So let's ask, how do you solve the wallet
selection problem while getting the credential into their wallet
in the first place, right? So when they're first picking up that
email credential VC, how do you solve the wallet selection
problem? How does the user choose which wallet to save it in?
Marty Reed: So the user, from the wallet application, scans the
QR code to import that VC. So that's how; it's not up front. They
just open the wallet, they scan, and so you can have multiple
wallets on your phone; whichever wallet you scan with is the
wallet that that VC goes into.
Dmitri Zagidulin: Right, okay, got it. And what happens if you
want to pick it up, what if you don't have a second device, right?
Or rather, yeah, so what if you're picking up your credential on
your phone? You can't really scan your phone screen with your
phone.
Marty Reed: Right, yeah, and so then the link kind of uses a
last-in model, so the last wallet that you opened is where the VC
goes.
Dmitri Zagidulin: Right, and I suspect that it's slightly more
complicated than that, just because of the affordances that,
unfortunately, the mobile operating system vendors provide us. So
this is a great example, and was one of the things that was
argued about on the CCG thread that Kerri brought up, which is,
one of the techniques that the.
Dmitri Zagidulin: Both the OpenID.
Dmitri Zagidulin: The wider SSI wallet world has come up with is:
if the user has two devices and we can present a QR code on one
of the screens, then we can ask the user to go manually pick the
wallet that they're going to be using, meaning open that up on
their phone.
Dmitri Zagidulin: Scan the QR code of that other device, and so
perform wallet selection using that technique. It is an absolutely
valid technique, and one that we use as well in DCC.
Dmitri Zagidulin: But it has the fundamental limitation of: you
need two devices with screens in order to do it. There's no way to
pick up the credential on your phone, or to pick up the credential
just on your desktop. So thank you so much, Marty. Like, there is
a handful of techniques that people are using and that's one of
them; they are unfortunately limited, and maybe we as a community.
Dmitri Zagidulin: For lack of better options, we can say okay, we
can learn to live with these limitations. One of the things that
was argued about in the email thread, this is to go back to, there
are four different protocols right now to deal with VCs.
<kerri_lemoie> Thread in case you haven't seen it:
https://lists.w3.org/Archives/Public/public-credentials/2022Mar/0101.html
Dmitri Zagidulin: Several of the protocols don't have that
limitation: they're able to pick up the verifiable credentials on
the same device, they don't need the two-screen scan, although
they can work with that as well. But others like OpenID Connect do
have that limitation.
Dmitri Zagidulin: Anybody else? Like, I'm curious, for example, to
hear from the pocket team; I'm so glad we have a member from.
Dmitri Zagidulin: Harley's had at the start of.
Dmitri Zagidulin: Call, I'm not sure if we still have them.
Kerri Lemoie: You think he's still here?
Dmitri Zagidulin: Okay, yes.
Dmitri Zagidulin: As always, really great to hear from you.
<kayode_ezike> In a native mobile setting, is there a design that
resembles “share via”?
<marty_reed> great discussion Dmitri, well explained!
Kerri Lemoie: Right, I think maybe, you know, one of the things
we want to do is get more wallets on this call, so I think this is
something we could ask about; let me do that. Thank you, Dmitri, I
really appreciate you walking us through that, because there's a
whole lot of backstory there I had no idea about, even working on
the web for so long. So thank you very much for explaining that so
well.
Dmitri Zagidulin: Thanks, Kerri. So I noticed that Kayode asked a
good question in chat, which is, in the context of mobile devices,
in the context of picking up a credential on my phone without
having another screen, for example, to deal with: is there an
interface that.
Dmitri Zagidulin: That uses the mobile operating system share
sheet? We're all familiar with the "share via", right; both on
Android and on iOS we have the icons that encourage you to, if you
like this image, share it via this messenger or share it via
Twitter and so on, right. So the native operating systems all of
them, in one way or another, have this notion of a share sheet,
and are any of the current.
Dmitri Zagidulin: Using it? Great question. That was one of the
things being argued about on that thread. The.
Dmitri Zagidulin: Credential Handler API protocol, CHAPI for
short.
Dmitri Zagidulin: Does use the native mobile system, or rather
the next iteration of CHAPI, and we have demos out there that I
can link to.
Kerri Lemoie: CHAPI:
https://w3c-ccg.github.io/credential-handler-api/
Dmitri Zagidulin: Does use the iOS or Android share sheet. So the
way it works is you click the link, up pops the familiar share
screen that we're all familiar with, and you select the apps that
are registered to receive the share event for that particular
data type. So yes, that is an option; we can absolutely do that.
<kayode_ezike> Awesome, thanks Dmitri!
Kerri Lemoie: OpenID: https://openid.net/connect/faq/
Dmitri Zagidulin: In this one particular family of protocols, not
others, though hopefully others will pick up that technology as
well. The reason we can do that, and not because we're
particularly clever, is because W3C has another spec called the
Web Share API.
Kerri Lemoie: DIDComm:
https://identity.foundation/didcomm-messaging/spec/
Dmitri Zagidulin: And the Web Share API is supported by the
majority of mobile and other browsers. So now it's tricky too,
because it's designed to work with just raw text or hyperlinks;
it's tricky to get it to work with verifiable credentials in an
interoperable way, but it's definitely possible and we do
encourage doing that.
Phil_L_(P1): Yeah, I remember reading through that thread and I
thought there was a comment there that said that Web Share was
not, from a security perspective, sufficiently robust because of
the potential phishing that is available.
Dmitri Zagidulin: Ah, good question. No, the opposite: custom
protocol handling is not sufficiently robust because of security.
So.
Phil_L_(P1): So Web Share has protections that are encrypted in
the way in which it's shared, okay.
Dmitri Zagidulin: That's correct, or rather, let's zoom in real
quick.
Dmitri Zagidulin: It's not that it has encryption, it's more
that, so one of the family of OpenID Connect protocols is called
SIOP, which stands for Self-Issued OpenID Provider. So that is one
of the two main directions that the OpenID Foundation is focusing
on. SIOP is a great protocol.
Dmitri Zagidulin: But here's the thing.
Dmitri Zagidulin: Here's its main limitation.
Kerri Lemoie: SIOP:
https://openid.net/specs/openid-connect-self-issued-v2-1_0.html
Dmitri Zagidulin: It only works via the custom URL protocol
handler, so it doesn't use HTTP/HTTPS URLs, it uses openid: URLs,
and that's where the security limitation comes in, which the SIOP
working group is very much aware of and points to in their
specification. There's a section in the SIOP spec that says we're
really unhappy about this, that this approach can lead to
phishing.
Dmitri Zagidulin: Phishing can be tuned.
Dmitri Zagidulin: Here's why. Unfortunately this is the fault of
Google and Apple, mostly Apple.
Dmitri Zagidulin: When you have more than one application that
registers to handle openid: links, meaning when you have more than
one wallet again.
Dmitri Zagidulin: The behavior of what happens when you click on
that link is undefined, meaning you're not presented with a list
of "here, pick which wallet to use"; no, it just picks one. Which
means that, since any app in the app store can register to handle
openid: links, so.
Dmitri Zagidulin: I want to pick up a credential using SIOP and
I'm expecting that it will end up in my wallet; it can instead be
intercepted by some random game that I picked up the other day
that registered a handler for openid: and intercepted that call.
That's the problem, and the share sheet does not have that,
because on the share sheet you explicitly pick the app that you're
sharing it to. Does that make sense?
<kerri_lemoie> We didn't get to the credential identity topic
today but here's a link to the slides:
https://docs.google.com/presentation/d/1gL5b59jMjCFIDnyjruIZgZD9ZQVCFuvMp60mMbodUic/edit#slide=id.g11d7d1204ed_0_15
Phil_L_(P1): Yes that makes perfect sense.
Dmitri Zagidulin: All right, so I see, yeah, I see we're at the
top of the hour; didn't get to talk about identity. Go ahead,
Kerri.
Kerri Lemoie: Yeah, and that's perfectly fine. Thank you for
walking us through this. I think we need this discussion and I
hope we come back to it. In the chat I put links to the slides
about identity that we will circle back to, so feel free to read
those over in preparation, and we will get back to it in like a
month or so. And I believe next week, actually, looking at it this
way, I think the DCC wallet, I will be presenting the learner
wallet, so stay tuned for that. Okay, thank you so much everybody,
have a great week.
Kerri Lemoie: Thank you.
<taylor> Thanks Kerri, Dmitri and all :)
Received on Monday, 21 March 2022 21:44:11 UTC