Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

On Fri, 18 Mar 2022 at 17:49, Manu Sporny <msporny@digitalbazaar.com> wrote:

> I'm taking all of my hats off and saying the rest as a "concerned citizen
> and computer scientist". Take it as personal commentary, for whatever that
> is worth.
>
> I expect much of this to be controversial... and result in an unavoidable
> permathread. :)
>
> TL;DR: It is hopelessly naive to think that OpenID Connect, THE protocol
> that centralized social login to 3-4 major tech companies, only requires
> "small changes" for self-sovereign identity and is a "doorway" we should
> gleefully step through.
>
> On 3/17/22 5:45 PM, Kaliya Identity Woman wrote:
> > Yes - and I agree with the note following this one on the thread that
> > they are meeting different needs use-cases.
>
> It's all a matter of perspective, isn't it? :)
>
> When you get down into the details, sure you can argue that some protocols
> are addressing different needs/use-cases, but it is also undeniable that
> every single one of the protocols can move a Verifiable Credential from
> point A to point B. In that way, they're directly competitive with one
> another. That's not an interesting debate, though; it's at the wrong level
> -- too meta.
>
> What would be more beneficial is for someone to produce a pros/cons matrix
> like we did for "Protecting VCs using pure JSON JWTs vs. VC-JWTs vs. Linked
> Data Proofs":
>
> https://w3c.github.io/vc-imp-guide/#benefits-of-jwts
> https://w3c.github.io/vc-imp-guide/#benefits-of-json-ld-and-ld-proofs
>
> Until we get to that level of detail, I expect we'll not make much
> progress on the wallet protocols topic.
>
> > The fact is that there is a huge opportunity to really leverage the
> > "OIDC" "doorways" that exist all over the web (a protocol that is
> > literally used a billion times a day...you know some real adoption) to
> > exchange VCs - with some small changes.
> >
> > AND people in this group seem to be "deathly afraid" of that work because
> > it isn't home grown here alone in isolation and focused on web only.
>
> I... just... don't even know where to start. I disagree with every concept
> in the previous paragraph. :)
>
> I can't speak for anyone else in this group, so I'll just speak for myself:
>
> It is hopelessly naive to think that OpenID Connect, THE protocol that
> centralized social login to 3-4 major tech companies, only requires "small
> changes" for self-sovereign identity and is a "doorway" we should gleefully
> step through.
>
> Login with Google/Facebook/Apple/Microsoft, those "billions of times a day"
> usages... are all coerced logins. We have no choice but to use the big tech
> vendors. That is not a world I want to contribute to.
>
> We are not "focused on web only" here... though it is an effective
> "gotcha!" talking point that seems to not be questioned when uttered ("I
> mean... the word "WEB" is in World Wide Web Consortium! What else could
> they be up to over there!?"). The phrase is disingenuous, I really wish
> those uttering it would stop... but you can't blame them, it's an effective
> way to get people who don't know any better nodding in agreement with
> whatever "non-Web" thing you're going to say next.
>
> I am "deathly afraid" of the work, because people are rushing into it
> without thinking deeply about the consequences. So, "Nope!":
>
> I refuse to just go with the herd and gleefully re-cement centralization in
> this new generation of identity technologies.
>
> I refuse to trust that things will be different this time because the same
> people that created OpenID Connect have learned their lessons and are doing
> things differently now.
>
> ... and I refuse to accept your mischaracterization of this community, the
> good faith efforts that they've put forward to coordinate where they can,
> or why some of us remain sceptical of some of the other wallet protocol
> efforts going on right now.
>
> It is possible for all of us, across all communities, to act in good faith
> and still disagree on the path forward.
>
> I certainly don't think for a second that the vast majority of people
> involved in OpenID, DIF, CCG, IIW, or RWoT are acting in bad faith.
> Misguided, possibly (including myself!), but not this "Not Invented Here
> Tribalism" narrative that seems to be so popular. I see a bunch of people,
> across each "silo", doing their best to solve hard problems given all of
> the pressures of their work and home life. Full stop.
>
> Going back to OpenID being applied to Verifiable Credential Exchange. There
> are three fatal flaws that need to be overcome for it to be a good idea:
>
> 1. Eliminate registration -- if you require wallet
>    registration, you enable centralization.
>
> 2. Eliminate NASCAR screens; don't allow verifiers to
>    pick/choose which wallets they accept. If you allow
>    either of these things to happen, you enable
>    centralization.
>
> 3. Eliminate the concept of "App Store"-like in-wallet
>    "Marketplaces". If you do this, you put issuers at a
>    natural disadvantage -- pay to play to get listed
>    in a wallet's "Marketplace".
>
> Rather than seeing solutions proposed to the problems above, the OpenID
> specifications seem to be doubling down on enabling the three items above.
>
> Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing,
> worst solution for Verifiable Credential Exchange on the table today.
>
> That is not to say it can't be fixed, but I have yet to see a proposal that
> addresses all three items above.
>
> > There is a lot of "othering" of work that isn't CCG. Because that work is
> > less "pure".
>
> No, there are concerns related to the technical underpinnings of OpenID
> that lead to centralization that have yet to be addressed by the current
> proposals.
>
> The only Othering I'm seeing going on here is what you're doing. Casting
> some vague subset of the CCG as this irrational, web-only, not invented
> here, tribal silo and going after community volunteers that are not doing
> what you want or meeting on your schedule.
>
> I've known you for many years, Kaliya -- you're better than this and are
> usually a bridge builder and tireless advocate for open lines of
> communication. I know you're frustrated, we all are, but I don't think the
> way in which you've chosen to engage is going to result in what you want.
>
> Again, just my $0.02 as a community member.
>

+1 agree with everything Manu said

As the old saying goes, "no matter how decentralized you make something,
centralization creeps in through the back door".  From my experience OIDC
is a vector for that, perhaps the biggest vector.

I recall being on a call with Manu, 15 years ago, where we were advocating
a web based single sign-on solution based on PKI that his team had put
together and worked in the browser.  We came quite close to getting that
into Ubuntu, but it was felt that browser support wasn't quite there.

Over the course of the next decade, that solution, or something similar,
became the basis of the Solid project.  Single sign on via PKI was the
genesis and value proposition of what we created.  It was innovative
because users owned their own profiles, they could manage their own keys,
and could log in without the need to rely on a trusted third party.  One
slight weakness was that it was domain based, and hard to move your
identity.  Content addressable identifiers such as DID provide an
innovative (and complementary) alternative to that.

Much later OIDC was added to Solid, and it was promised that it could live
"side by side" with PKI.  That was not the case; as soon as OIDC was
allowed in, the trusted third party system took over and owning your own
keys got broken and never fixed.  Tests were commented out etc.  There was
also no greater source of bugs in Solid than OIDC.  They were never fixed.
People came to the project and left, the earth being salted with the
disappointment, as it appeared to be something that didn't work.  In
contrast, I used PKI on an hourly basis for 10 years (in browser, apps and
server to server), and it never failed me.

You may recall the original OpenID (née Yadis) from bradfitz was designed
for sovereign identity.  But increasingly it became used for just certain
large providers, creating the NASCAR problem, and occasionally you would
have "Log in with your OpenID".  Which often didn't work.  Then Yahoo came
along and started whitelisting, and sovereign ID didn't get a look in.

It's the same story again and again.  We need to stand up for PKI
solutions.  Because trusted third party solutions will never be content to
live side by side.  They are a vector for the biggest companies to get
bigger and leverage their overwhelming competitive advantages through
standards.

It's a permathread because trusted third parties will never stop trying to
get into standards and making themselves those trusted third parties.
That's OK, we should accept that, but also create more choice for the user
with modern cryptographic solutions.


>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/

Received on Monday, 21 March 2022 23:35:11 UTC