- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Thu, 24 Mar 2022 21:36:56 -0400
- To: public-credentials@w3.org
On 3/24/22 8:08 PM, Andrew Hughes wrote: > Maybe we can encourage the platforms to get their act together and work on > a common mechanism for web-to-app calling? Rather than everyone making > weird hacks? I know you're kinda-sorta-joking-and-also-kinda-sorta-serious... but that's exactly why CHAPI was created (and is built in the way that it is) -- it is the common platform mechanism you're asking us to encourage: https://w3c-ccg.github.io/credential-handler-api/#extension-to-the-serviceworkerregistration-interface I mean, CHAPI does more than just what you said -- it can support web-to-web-app and web-to-native-app (and back) interactions. It enables same-device decentralized wallet selection while simultaneously solving the NASCAR problem. Nothing in OpenID land even attempts to do that. However, we know the browser vendors aren't going to be interested in implementing it if that thing 1) never exists in a form they understand (CHAPI spec), and 2) doesn't have lots of deployments (implementations). Clearly, #2 above is a catch 22 if you can never deploy it... which is why CHAPI is a polyfill today. A polyfill adds functionality to a browser TODAY that could eventually become native code NEXT YEAR. We also do this to not be beholden to the browser vendors (begging doesn't work with those folks), and we harden ourselves further from browser vendor attacks on the polyfill by using broadly deployed features. This approach has gotten CHAPI working for same-device Verifiable Presentation flows across 95%+ of the browsers out there today... which is why I keep harping on this point -- OIDC/SIOP doesn't do this... at all. Why do people keep thinking it does? -- manu -- Manu Sporny - https://www.linkedin.com/in/manusporny/ Founder/CEO - Digital Bazaar, Inc. News: Digital Bazaar Announces New Case Studies (2021) https://www.digitalbazaar.com/
Received on Friday, 25 March 2022 01:37:12 UTC