- From: Andrew Hughes <andrewhughes3000@gmail.com>
- Date: Thu, 24 Mar 2022 17:08:13 -0700
- To: Oliver Terbu <o.terbu@gmail.com>
- Cc: dzagidulin@gmail.com, "public-credentials@w3.org" <public-credentials@w3.org>
- Message-ID: <CAGJp9Uas811sA3pX3B2MrjEzY2436Fp6fdH1hyHV+Cp_=_=_EQ@mail.gmail.com>
Maybe we can encourage the platforms to get their act together and work on a common mechanism for web-to-app calling? Rather than everyone making weird hacks? :-)

On Thu, Mar 24, 2022 at 10:39 AM Oliver Terbu <o.terbu@gmail.com> wrote:

> Btw. app links are more secure than custom URL schemes and they are the
> recommended way of invoking a native app. Interop is not established based
> on the concrete app link, it is established through the
> `authorization_endpoint` config parameter which can be any sort of URL,
> e.g., an app link. There is no issue regarding interop since RPs don't need
> to know the particular app link, just the place where to look for the
> config parameter.
>
> On Thu, 24 Mar 2022 at 18:11, Dmitri Zagidulin <dzagidulin@gmail.com>
> wrote:
>
>> Thanks, Oliver.
>> I didn't even mention the universal app link (for those not familiar with
>> mobile development, what Oliver is mentioning is a regular https:// web
>> link that is /bound to a particular mobile app/.), because that's
>> SIGNIFICANTLY WORSE, in terms of interop and centralization. (By their very
>> nature, app links are bound to their particular individual apps (so,
>> wallets, here)). Which makes the lack of a wallet selector that much more
>> critical.
>> So, whereas openid:// has SOME interop (in addition to usability &
>> security problems), universal app links have NO interop (though in their
>> defense, they do fix the usability & security problems of the custom
>> protocol handler.)
>>
>> On Thu, Mar 24, 2022 at 12:59 PM Oliver Terbu <o.terbu@gmail.com> wrote:
>>
>>> It doesn't rely on the openid:// protocol handler. It is the fallback /
>>> default. It really depends on what is in the OP config, could be also a
>>> universal link.
>>>
>>> On Thu, 24 Mar 2022 at 17:53, Dmitri Zagidulin <dzagidulin@gmail.com>
>>> wrote:
>>>
>>>> > Why is SIOP the “worst” solution ? David W. has asked this many
>>>> times without a proper response I have noticed.
>>>>
>>>> As previously mentioned in the thread -- SIOP is the worst solution (in
>>>> terms of usability, security, and centralization/monopolization incentives)
>>>> because it relies on the openid:// custom protocol handler. This poses
>>>> significant challenges on the desktop, mobile, and web; challenges that the
>>>> SIOP spec itself highlights.
>>>>
>>>> On Thu, Mar 24, 2022 at 9:04 AM Anthony Nadalin <nadalin@prodigy.net>
>>>> wrote:
>>>>
>>>>> >Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst
>>>>>
>>>>> solution for Verifiable Credential Exchange on the table today.
>>>>>
>>>>> Manu, you obviously don’t understand the difference between OpenID
>>>>> Connect core and SIOP to make a statement like that. It seems that this is
>>>>> just a thread trying to bash OpenID without understanding.
>>>>>
>>>>> Not sure where to begin here as there are so many responses that are
>>>>> all over the place.
>>>>>
>>>>> Need to separate OIDC and SIOP and discuss how SIOP supports a 3 party
>>>>> model and decentralization.
>>>>>
>>>>> There is no worst solution, this is all use case driven, it seems you
>>>>> are trying to dictate what protocols developers should use without
>>>>> understanding what their needs are, just a blanket statement. You seem to
>>>>> base your comments on a specific decentralized use case but don’t want to
>>>>> hear about other use cases.
>>>>>
>>>>> So please explain why you believe SIOP V2 is centralized ? Why is
>>>>> SIOP the “worst” solution ? David W. has asked this many times without a
>>>>> proper response I have noticed.
>>>>>
>>>>> Sent from Mail <https://go.microsoft.com/fwlink/?LinkId=550986> for
>>>>> Windows
>>>>>
>>>>

--
Andrew Hughes CISM CISSP
In Turn Information Management Consulting
o +1 650.209.7542
m +1 250.888.9474
5043 Del Monte Ave, Victoria, BC V8Y 1W9
AndrewHughes3000@gmail.com
https://www.linkedin.com/in/andrew-hughes-682058a
Digital Identity | International Standards | Information Security
Received on Friday, 25 March 2022 00:08:37 UTC
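
Added example, not part of the original thread and not code from any participant or from the SIOP spec: a relying-party-side sketch of the mechanism discussed above, where the RP reads `authorization_endpoint` from the wallet's config, falls back to `openid://`, and checks whether the result is an https app link or a custom scheme before building the request. The function names, the `allow_custom_scheme` policy flag, and the `wallet.example` / `rp.example` values are assumptions made for illustration.

```python
from urllib.parse import urlencode, urlsplit

FALLBACK_ENDPOINT = "openid://"  # fallback/default named in the thread


def resolve_endpoint(op_config: dict) -> str:
    """Use the wallet's advertised authorization_endpoint, else the fallback."""
    return op_config.get("authorization_endpoint") or FALLBACK_ENDPOINT


def invocation_kind(endpoint: str) -> str:
    """Classify how the OS will route the URL to a wallet app."""
    scheme = urlsplit(endpoint).scheme.lower()
    if scheme == "https":
        return "app-link"       # bound to one app through its web domain
    if scheme in ("", "http"):
        raise ValueError(f"endpoint is neither https nor a custom scheme: {endpoint!r}")
    return "custom-scheme"      # any installed app may register the handler


def build_request(op_config, client_id, redirect_uri, nonce,
                  allow_custom_scheme=False):
    """Return (kind, url) for the authentication request sent to the wallet."""
    endpoint = resolve_endpoint(op_config)
    kind = invocation_kind(endpoint)
    if kind == "custom-scheme" and not allow_custom_scheme:
        # Assumed RP policy (hypothetical): require an explicit opt-in before
        # sending a request to a handler that is not tied to a web domain.
        raise PermissionError(f"custom scheme endpoint not allowed: {endpoint}")
    query = urlencode({
        "response_type": "id_token",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "nonce": nonce,
    })
    separator = "&" if urlsplit(endpoint).query else "?"
    return kind, f"{endpoint}{separator}{query}"


if __name__ == "__main__":
    # Constructed sample config; wallet.example and rp.example are placeholders.
    sample = {"authorization_endpoint": "https://wallet.example/authorize"}
    print(build_request(sample, "https://rp.example", "https://rp.example/cb", "n-123"))
```

The RP code never names a particular wallet's link; only the config lookup changes between wallets, which is the interop point made in the quoted reply.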