
Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Oliver Terbu <o.terbu@gmail.com>
Date: Thu, 24 Mar 2022 18:37:46 +0100
Message-ID: <CAJdc_Gm8HqSa9R5MgvYDWd+LOa1RNvh_SU5w4gAzAu=Yw62PAg@mail.gmail.com>
To: dzagidulin@gmail.com
Cc: "public-credentials@w3.org" <public-credentials@w3.org>
Btw. app links are more secure than custom URL schemes and they are the
recommended way of invoking a native app. Interop is not established based
on the concrete app link, it is established through the
`authorization_endpoint` config parameter which can be any sort of URL,
e.g., an app link. There is no issue regarding interop since RPs don't need
to know the particular app link, just the place where to look for the
config parameter.

On Thu, 24 Mar 2022 at 18:11, Dmitri Zagidulin <dzagidulin@gmail.com> wrote:

> Thanks, Oliver.
> I didn't even mention the universal app link (for those not familiar with
> mobile development, what Oliver is mentioning is a regular https:// web
> link that is /bound to a particular mobile app/.), because that's
> SIGNIFICANTLY WORSE, in terms of interop and centralization. (By their very
> nature, app links are bound to their particular individual apps (so,
> wallets, here)). Which makes the lack of a wallet selector that much more
> critical.
> So, whereas openid:// has SOME interop (in addition to usability &
> security problems), universal app links have NO interop (though in their
> defense, they do fix the usability & security problems of the custom
> protocol handler.)
>
>
> On Thu, Mar 24, 2022 at 12:59 PM Oliver Terbu <o.terbu@gmail.com> wrote:
>
>> It doesn't rely on the openid:// protocol handler. It is the fallback /
>> default. It really depends on what is in the OP config, could be also a
>> universal link.
>>
>> On Thu, 24 Mar 2022 at 17:53, Dmitri Zagidulin <dzagidulin@gmail.com>
>> wrote:
>>
>>> > Why is SIOP the “worst” solution? David W. has asked this many times
>>> without a proper response I have noticed.
>>>
>>> As previously mentioned in the thread -- SIOP is the worst solution (in
>>> terms of usability, security, and centralization/monopolization incentives)
>>> because it relies on the openid:// custom protocol handler. This poses
>>> significant challenges on the desktop, mobile, and web; challenges that the
>>> SIOP spec itself highlights.
>>>
>>> On Thu, Mar 24, 2022 at 9:04 AM Anthony Nadalin <nadalin@prodigy.net>
>>> wrote:
>>>
>>>> > Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst
>>>> > solution for Verifiable Credential Exchange on the table today.
>>>>
>>>> Manu, you obviously don’t understand the difference between OpenID
>>>> Connect core and SIOP to make a statement like that. It seems that this is
>>>> just a thread trying to bash OpenID without understanding.
>>>>
>>>> Not sure where to begin here as there are so many responses that are
>>>> all over the place.
>>>>
>>>> Need to separate OIDC and SIOP and discuss how SIOP supports a 3 party
>>>> model and decentralization.
>>>>
>>>> There is no worst solution, this is all use case driven, it seems you
>>>> are trying to dictate what protocols developers should use without
>>>> understanding what their needs are, just a blanket statement. You seem to
>>>> base your comments on a specific decentralized use case but don’t want to
>>>> hear about other use cases.
>>>>
>>>> So please explain why you believe SIOP V2 is centralized? Why is SIOP
>>>> the “worst” solution? David W. has asked this many times without a proper
>>>> response I have noticed.
>>>>
>>>
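The mechanism Oliver describes above, as an added example that is not part of the thread and not code from any of the participants: the RP never hard-codes a wallet's app link; it reads `authorization_endpoint` out of the OP configuration and sends the SIOP request wherever that points, whether an `https://` app link or the `openid://` fallback. The sample configurations, the `ALLOWED_SCHEMES` policy and the fallback constant are constructed for the example (the SIOP request parameters are the usual OIDC ones). The practitioner's check is in `is_dispatchable`: an RP that redirects the user agent to whatever string it found in a remote config should refuse schemes it does not expect, since that string is attacker-influenced input.

```python
"""Resolve a SIOP authorization_endpoint from OP configuration and build a request.

Added example, not code from the thread or from the SIOP specification.
Assumptions: OP metadata follows OpenID Connect Discovery (JSON with an
'authorization_endpoint' key), the RP falls back to openid:// when no usable
endpoint is configured, and the RP only dispatches to an allowlist of schemes.
"""
import json
from urllib.parse import urlencode, urlsplit

# Constructed sample OP configurations (not real wallets).
CONFIG_WITH_APP_LINK = json.dumps({
    "issuer": "https://wallet.example",
    "authorization_endpoint": "https://wallet.example/authorize",  # https app link
    "response_types_supported": ["id_token"],
})
CONFIG_WITH_CUSTOM_SCHEME = json.dumps({
    "issuer": "https://self-issued.me/v2",
    "authorization_endpoint": "openid://",  # custom protocol handler
    "response_types_supported": ["id_token"],
})

FALLBACK_ENDPOINT = "openid://"  # the default the thread refers to (assumption)
ALLOWED_SCHEMES = ("https", "openid")  # RP policy for this example, not from any spec


def authorization_endpoint(config_json):
    """Return authorization_endpoint from OP config; fall back if absent or not absolute."""
    try:
        cfg = json.loads(config_json) if config_json else {}
    except json.JSONDecodeError:
        return FALLBACK_ENDPOINT
    endpoint = cfg.get("authorization_endpoint")
    if not isinstance(endpoint, str) or not urlsplit(endpoint).scheme:
        return FALLBACK_ENDPOINT
    return endpoint


def invocation_kind(endpoint):
    """Classify how the OS or browser will dispatch the endpoint."""
    scheme = urlsplit(endpoint).scheme.lower()
    if scheme == "https":
        return "app-link"       # https URL that a native app may claim; browser otherwise
    if scheme == "http":
        return "insecure-web"
    return "custom-scheme"      # e.g. openid://, handled by whichever app registered it


def is_dispatchable(endpoint):
    """The RP redirects only to schemes it expects; the config value is untrusted input."""
    return urlsplit(endpoint).scheme.lower() in ALLOWED_SCHEMES


def build_siop_request(endpoint, client_id, redirect_uri, nonce, state):
    """Append the SIOP authorization request parameters to the resolved endpoint."""
    params = {
        "response_type": "id_token",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
        "state": state,
    }
    separator = "&" if "?" in endpoint else "?"
    return endpoint + separator + urlencode(params)


if __name__ == "__main__":
    for cfg in (CONFIG_WITH_APP_LINK, CONFIG_WITH_CUSTOM_SCHEME, ""):
        ep = authorization_endpoint(cfg)
        if not is_dispatchable(ep):
            print("refusing endpoint", ep)
            continue
        print(invocation_kind(ep),
              build_siop_request(ep, "https://rp.example", "https://rp.example/cb", "n1", "s1"))
```

The RP code path is identical for both configurations; only the string it was handed differs, which is the interop point Oliver makes. Note that with an `https://` app link, a device without the wallet installed will simply open the URL in the browser, so the RP still needs a server-side response at that URL for the no-app case.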
Received on Thursday, 24 March 2022 17:39:10 UTC
