W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Steven Rowat <steven_rowat@sunshine.net>
Date: Thu, 24 Mar 2022 10:37:01 -0700
Message-ID: <e8d6c7c7-9882-169d-7227-ce04b5f2554d@sunshine.net>
To: daniel.hardman@gmail.com, Tobias Looker <tobias.looker@mattr.global>
Cc: Joe Andrieu <joe@legreq.com>, Credentials Community Group <public-credentials@w3.org>

Thank you Daniel. Great post. And spot-on the problem, at a high level, IMO. I was particularly caught by the use-cases:

On 2022-03-24 2:13 am, Daniel Hardman wrote:
> Alice wants to authenticate Bob (another human). Alice wants to eliminate phishing risks by authenticating a purported org that is doing something other than offfering to let her browse their website (e.g., sending her an SMS, sending her an email, calling her on the phone, asking her for her consent or PII). Alice wants to authenticate an IoT drone that is delivering her groceries. Alice wants to send an email that Bob reads two weeks later, and Bob still wants to know that Alice sent it (not authenticating her now, but authenticating her *then*). Alice wants to digitally sign a mortgage and be authenticated five years in the future, on the basis of her keys today. Etc.

To me this seems to be same problem we started with many years ago. That is, I've been on this list, as a non-technical observer, for over a decade. And I'm still here, hanging on, because I've been hoping to help solve (or at least watch being solved) the problem of peer-to-peer transfer of digital content, with fair payment when appropriate, and with pseudo-anonymity and privacy upheld.

In 2009 I contributed my view of that problem to a W3C TAG meeting [https://lists.w3.org/Archives/Public/www-tag/2009Sep/0055.html] and IMO the ten use cases I listed there are functionally a subset of the peer-to-peer Alice and Bob ones you listed above.

And about these you said:

> All of these use cases have been neglected for years because they don't make the economic engines of enterprise software or the surveillance economy any money.

Nicely said.

And at this point it seems that the same goes for the ten in my original essay to the TAG, unfortunately.

But... I'm hopeful that VCs and DIDs together are getting very close to allowing all these problems to be solved. Like somebody -- Gibson? -- said, the future is already here, it's just unevenly distributed.

And one question that occurs to me is:

If peer-to-peer interactions are core to SSI changing the power dynamics, then is a 'Wallet' a red herring for these types of use cases? Doesn't it insert a middleman (choke-point) necessarily?

In other words: could VCs and DIDs together be configured, as they stand now, to allow peer-to-peer interactions, messages, content, even money, to be transferred between Alice and Bob without a formal 'wallet' even existing?

Anyway, that's my 2c, and I look forward to seeing where the future is now. :-)

Steven Rowat
Received on Thursday, 24 March 2022 17:37:18 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:29 UTC