Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

On Fri, 25 Mar 2022 at 11:42, Oliver Terbu <o.terbu@gmail.com> wrote:

> @Manu: SIOPv2 does allow mediation but doesn't define mediation. I also
> think you cannot compare CHAPI with SIOP. CHAPI is a mediator with
> high-level APIs without defining request/response objects whereas SIOPv2 is
> a protocol with defined request/response objects. That is also why I
> mentioned one could potentially use CHAPI to get a list of SIOPv2 OP
> configs (where the `authorization_endpoint` of the particular wallet is
> configured).
>

To use CHAPI terminology, if no "external mediation" is performed, SIOPv2
defaults (i.e., if no SIOPv2 OP config available) to OS/platform mediation
so to say.


>
> On Fri, 25 Mar 2022 at 02:09, Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On 3/20/22 3:51 AM, Nikos Fotiou wrote:
>> > Related to that, EBSI’s “Verifiable Exchange Scenarios”  are a useful
>> > guideline
>> >
>>
>> https://ec.europa.eu/digital-building-blocks/wikis/display/EBSIDOC/EBSI+Verifiable+Presentation+Exchange+Guidelines#EBSIVerifiablePresentationExchangeGuidelines-VerifiablePresentationExchangeScenarios
>> > Similar to what Tobias said, I cannot see how CHAPI can be used in use
>> > cases B and C.
>>
>> Thank you, Nikos, that is helpful!
>>
>> CHAPI is not designed for B and C (and never was) -- the point of
>> contention
>> is Case A: Same-device flow.
>>
>> CHAPI can solve for that use case for a high percentage of the market
>> while
>> not falling into the NASCAR, scheme, app URL traps that Dmitri has
>> outlined.
>>
>> How does OIDC/SIOP solve for that use case? That is -- where's the
>> mediator
>> for SIOP?
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> News: Digital Bazaar Announces New Case Studies (2021)
>> https://www.digitalbazaar.com/
>>
>>
>>