Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

On 2022-03-22 20:06, Orie Steele wrote:
>  > Can you elaborate on this point more? How do we "get OIDC to penetrate to these lower layers"?
> 
> The same way we got SSH to those lower layers... Get the secure enclave to support OIDC core cryptographic primitives & protocols.
> 
> - Get enclaves to expose general purpose APIs.
> - Get browsers to implement support for those general purpose APIs.
> - Allow the user to consent to interactions with those APIs from secure contexts.

Hi Orie,

Something close to what you are asking for was suggested years ago:
https://www.w3.org/community/hb-secure-services/
It failed with a BOOM, and the primary convener left the W3C, according to my sources, in anger.

It is important for this discussion to understand WHY it failed.  This extract from a paper of mine indicates that it was actually doomed already on the drawing board:
https://cyberphone.github.io/doc/research/permissions.pdf

A related activity is the Web Payment WG, once pioneered by Manu.  However, that started back in 2013 and we still haven't seen a standard for Secure AND Convenient Web payments.

If trillion-dollar "Big Tech" companies, as well as slightly smaller entities like VISA, MasterCard, and Stripe, cannot get their act together, I think that says a bit about how easy and fast things go in the Web world.

As I predicted early on, native apps have taken over.  Seen from my watchtower, the "only" thing missing is a standardized and useful "bridge" between the Web and the native app world.


For "pure" Web security solutions, we are probably stuck with WebAuthn, which is a slow and highly political project.  With MSFT defecting to "Blink", Mozilla fighting for survival, and Apple being on the fence, the future of the Web is essentially in the hands of a single vendor.

Regards,
Anders

> 
> Imagine if WebAuthN allowed you to pay with bitcoin / eth / or issue a credential... One of the reasons it doesn't is that they intentionally avoided exposing general purpose APIs that could be used to build more competitive products with the hardware companies that signed on to support authentication use cases... despite the fact that authentication is a special case of secure signing apis from devices.
> 
> OS
> 
> 
> On Tue, Mar 22, 2022 at 1:57 PM Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
>     On 3/22/22 2:51 PM, Orie Steele wrote:
>      > I'm not trolling, you can't just focus on building apps and app layer
>      > protocols... you need to focus on the full software supply chain to
>      > prevent abuse.
> 
>     Ok, I get (most) of what you were saying now, thanks for the clarification.
> 
>      > No, but ... we need to acknowledge where vendor lock in exists before we
>      > can address it seriously.
> 
>     Yes, agreed.
> 
>      > Implementing more web apis that offer access to devices is critical to
>      > enabling healthy competition at the layers beyond the hardware and the
>      > OS... That Mozilla and Apple are so strongly opposed to this is creating a
>      > market pressure that is driving secure use cases away from the web
>      > platform... If that's because it's impossible to secure the web platform
>      > if it has good general purpose device APIs, that's understandable, but if
>      > instead that's happening to drive more users into native apps or because
>      > browser vendors can't afford to implement secure device apis based on open
>      > standards, that's a problem... and not one solved by building more apps or
>      > app layer protocols.
> 
>     Yes, all good points/questions.
> 
>      > If we can get OIDC to penetrate to these lower layers, it's worth it IMO,
>      > armies travel both directions on roads.
> 
>     Can you elaborate on this point more? How do we "get OIDC to penetrate to
>     these lower layers"?
> 
>     -- manu
> 
>     -- 
>     Manu Sporny - https://www.linkedin.com/in/manusporny/
>     Founder/CEO - Digital Bazaar, Inc.
>     News: Digital Bazaar Announces New Case Studies (2021)
>     https://www.digitalbazaar.com/ <https://www.digitalbazaar.com/>
> 
> 
> 
> 
> -- 
> *ORIE STEELE*
> Chief Technical Officer
> www.transmute.industries

Received on Wednesday, 23 March 2022 05:15:53 UTC