Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

> Can you elaborate on this point more? How do we "get OIDC to penetrate to
> these lower layers"?

The same way we got SSH to those lower layers... Get the secure enclave to
support OIDC core cryptographic primitives & protocols.

- Get enclaves to expose general purpose APIs.
- Get browsers to implement support for those general purpose APIs.
- Allow the user to consent to interactions with those APIs from secure
contexts.

Imagine if WebAuthn allowed you to pay with bitcoin / eth / or issue a
credential... One of the reasons it doesn't is that they intentionally
avoided exposing general purpose APIs that could be used to build more
competitive products with the hardware companies that signed on to support
authentication use cases... despite the fact that authentication is a
special case of secure signing APIs from devices.

OS


On Tue, Mar 22, 2022 at 1:57 PM Manu Sporny <msporny@digitalbazaar.com>
wrote:

> On 3/22/22 2:51 PM, Orie Steele wrote:
> > I'm not trolling, you can't just focus on building apps and app layer
> > protocols... you need to focus on the full software supply chain to
> > prevent abuse.
>
> Ok, I get (most) of what you were saying now, thanks for the clarification.
>
> > No, but ... we need to acknowledge where vendor lock in exists before we
> > can address it seriously.
>
> Yes, agreed.
>
> > Implementing more web apis that offer access to devices is critical to
> > enabling healthy competition at the layers beyond the hardware and the
> > OS... That Mozilla and Apple are so strongly opposed to this is creating a
> > market pressure that is driving secure use cases away from the web
> > platform... If that's because it's impossible to secure the web platform
> > if it has good general purpose device APIs, that's understandable, but if
> > instead that's happening to drive more users into native apps or because
> > browser vendors can't afford to implement secure device apis based on open
> > standards, that's a problem... and not one solved by building more apps or
> > app layer protocols.
>
> Yes, all good points/questions.
>
> > If we can get OIDC to penetrate to these lower layers, it's worth it IMO,
> > armies travel both directions on roads.
>
> Can you elaborate on this point more? How do we "get OIDC to penetrate to
> these lower layers"?
>
> -- manu
>
> --
> Manu Sporny - https://www.linkedin.com/in/manusporny/
> Founder/CEO - Digital Bazaar, Inc.
> News: Digital Bazaar Announces New Case Studies (2021)
> https://www.digitalbazaar.com/

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries


Received on Tuesday, 22 March 2022 19:06:25 UTC