
Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Dmitri Zagidulin <dzagidulin@gmail.com>
Date: Thu, 24 Mar 2022 13:11:38 -0400
Message-ID: <CANnQ-L6M9OQjk4jH8+1YPfoAmqmF49MNYej-cnji0YgXKMbLLQ@mail.gmail.com>
To: Oliver Terbu <o.terbu@gmail.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Thanks, Oliver.
I didn't even mention the universal app link (for those not familiar with
mobile development, what Oliver is mentioning is a regular https:// web
link that is /bound to a particular mobile app/), because that's
SIGNIFICANTLY WORSE, in terms of interop and centralization. (By their very
nature, app links are bound to their particular individual apps (so,
wallets, here)). Which makes the lack of a wallet selector that much more
critical.
So, whereas openid:// has SOME interop (in addition to usability & security
problems), universal app links have NO interop (though in their defense,
they do fix the usability & security problems of the custom protocol
handler.)


On Thu, Mar 24, 2022 at 12:59 PM Oliver Terbu <o.terbu@gmail.com> wrote:

> It doesn't rely on the openid:// protocol handler. It is the fallback /
> default. It really depends on what is in the OP config, could be also a
> universal link.
>
> On Thu, 24 Mar 2022 at 17:53, Dmitri Zagidulin <dzagidulin@gmail.com>
> wrote:
>
>> > Why is SIOP the “worst” solution? David W. has asked this many times
>> without a proper response I have noticed.
>>
>> As previously mentioned in the thread -- SIOP is the worst solution (in
>> terms of usability, security, and centralization/monopolization incentives)
>> because it relies on the openid:// custom protocol handler. This poses
>> significant challenges on the desktop, mobile, and web; challenges that the
>> SIOP spec itself highlights.
>>
>> On Thu, Mar 24, 2022 at 9:04 AM Anthony Nadalin <nadalin@prodigy.net>
>> wrote:
>>
>>> > Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst
>>> > solution for Verifiable Credential Exchange on the table today.
>>>
>>>
>>>
>>> Manu, you obviously don’t understand the difference between OpenID
>>> Connect core and SIOP to make a statement like that. It seems that this is
>>> just a thread trying to bash OpenID without understanding.
>>>
>>>
>>>
>>> Not sure where to begin here as there are so many responses that are all
>>> over the place.
>>>
>>>
>>>
>>> Need to separate OIDC and SIOP and discuss how SIOP supports a 3 party
>>> model and decentralization.
>>>
>>>
>>>
>>> There is no worst solution, this is all use case driven, it seems you
>>> are trying to dictate what protocols developers should use without
>>> understanding what their needs are, just a blanket statement. You seem to
>>> base your comments on a specific decentralized use case but don’t want to
>>> hear about other use cases.
>>>
>>>
>>>
>>> So please explain why you believe SIOP V2 is centralized? Why is SIOP
>>> the “worst” solution? David W. has asked this many times without a proper
>>> response I have noticed.
>>
Received on Thursday, 24 March 2022 17:13:07 UTC
