
RE: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: <nadalin@prodigy.net>
Date: Fri, 25 Mar 2022 00:02:11 -0700
To: <dzagidulin@gmail.com>, "'Oliver Terbu'" <o.terbu@gmail.com>, <public-credentials@w3.org>
Message-ID: <01a701d84016$41996620$c4cc3260$@prodigy.net>
Regarding app links, there are no interop issues as this is solved via configuration/metadata.

 

 

From: Dmitri Zagidulin <dzagidulin@gmail.com> 
Sent: Thursday, March 24, 2022 10:12 AM
To: Oliver Terbu <o.terbu@gmail.com>; public-credentials@w3.org
Subject: Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

 

Thanks, Oliver.

I didn't even mention the universal app link (for those not familiar with mobile development, what Oliver is mentioning is a regular https:// web link that is /bound to a particular mobile app/), because that's SIGNIFICANTLY WORSE, in terms of interop and centralization. (By their very nature, app links are bound to their particular individual apps (so, wallets, here)). Which makes the lack of a wallet selector that much more critical.

So, whereas openid:// has SOME interop (in addition to usability & security problems), universal app links have NO interop (though in their defense, they do fix the usability & security problems of the custom protocol handler.)

 

 

On Thu, Mar 24, 2022 at 12:59 PM Oliver Terbu <o.terbu@gmail.com> wrote:

It doesn't rely on the openid:// protocol handler. It is the fallback / default. It really depends on what is in the OP config, could be also a universal link.

 

On Thu, 24 Mar 2022 at 17:53, Dmitri Zagidulin <dzagidulin@gmail.com> wrote:

> Why is SIOP the “worst” solution? David W. has asked this many times without a proper response I have noticed.

 

As previously mentioned in the thread -- SIOP is the worst solution (in terms of usability, security, and centralization/monopolization incentives) because it relies on the openid:// custom protocol handler. This poses significant challenges on the desktop, mobile, and web; challenges that the SIOP spec itself highlights.

 

On Thu, Mar 24, 2022 at 9:04 AM Anthony Nadalin <nadalin@prodigy.net> wrote:

> Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst solution for Verifiable Credential Exchange on the table today.

 

Manu, you obviously don’t understand the difference between OpenID Connect core and SIOP to make a statement like that. It seems that this is just a thread trying to bash OpenID without understanding.

 

Not sure where to begin here as there are so many responses that are all over the place.

 

Need to separate OIDC and SIOP and discuss how SIOP supports a 3 party model and decentralization.

 

There is no worst solution, this is all use case driven, it seems you are trying to dictate what protocols developers should use without understanding what their needs are, just a blanket statement. You seem to base your comments on a specific decentralized use case but don’t want to hear about other use cases.

 

So please explain why you believe SIOP V2 is centralized? Why is SIOP the “worst” solution? David W. has asked this many times without a proper response I have noticed.

 

 


 
Received on Friday, 25 March 2022 07:02:39 UTC
