RE: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

Some of the points discussed in this thread openly criticize specifications being worked on outside the CCG. You won't influence those specifications here. Nor will you be able to get responses from the subject-matter experts not participating in the W3C CCG. Putting on my hat as a chair of the SIOP Special Calls in the OpenID Foundation Connect WG: if you have issues, concerns, or comments regarding the OpenID Connect for SSI specification family (SIOP v2, OIDC4VP, OIDC4VCI), please join the Connect mailing list or the calls. We would welcome you there. For example, we could explore using CHAPI as one of the options for SIOP (wallet) selection/invocation in SIOPv2 and OIDC4VP, since CHAPI itself does not seem to define request/response syntax. Though if CHAPI works only with browser wallets and same-device, it could not be used with the other scenarios of SIOP/OIDC4VP: native apps and cross-device (where the user uses a phone to scan a request on another device).
You can find the information on joining here: https://openid.net/wg/connect/

Kindest Regards,
Kristina

-----Original Message-----
From: Manu Sporny <msporny@digitalbazaar.com> 
Sent: Friday, March 18, 2022 5:47 PM
To: public-credentials@w3.org
Subject: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

I'm taking all of my hats off and saying the rest as a "concerned citizen and computer scientist". Take it as personal commentary, for whatever that is worth.

I expect much of this to be controversial... and result in an unavoidable permathread. :)

TL;DR: It is hopelessly naive to think that OpenID Connect, THE protocol that centralized social login to 3-4 major tech companies, only requires "small changes" for self-sovereign identity and is a "doorway" we should gleefully step through.

On 3/17/22 5:45 PM, Kaliya Identity Woman wrote:
> Yes - and I agree with the note following this one on the thread that 
> they are meeting different needs use-cases.

It's all a matter of perspective, isn't it? :)

When you get down into the details, sure you can argue that some protocols are addressing different needs/use-cases, but it is also undeniable that every single one of the protocols can move a Verifiable Credential from point A to point B. In that way, they're directly competitive with one another. That's not an interesting debate, though; it's at the wrong level -- too meta.

What would be more beneficial is for someone to produce a pros/cons matrix like we did for "Protecting VCs using pure JSON JWTs vs. VC-JWTs vs. Linked Data Proofs":

https://w3c.github.io/vc-imp-guide/#benefits-of-jwts
https://w3c.github.io/vc-imp-guide/#benefits-of-json-ld-and-ld-proofs

Until we get to that level of detail, I expect we'll not make much progress on the wallet protocols topic.

> The fact is that there is a huge opportunity to really leverage the "OIDC" 
> "doorways" that exist all over the web (a protocol that is literally 
> used a billion times a day...you know some real adoption) to exchange 
> VCs - with some small changes.
> 
> AND people in this group seem to be "deathly afraid" of that work 
> because it isn't home grown here alone in isolation and focused on web only.

I... just... don't even know where to start. I disagree with every concept in the previous paragraph. :)

I can't speak for anyone else in this group, so I'll just speak for myself:

It is hopelessly naive to think that OpenID Connect, THE protocol that centralized social login to 3-4 major tech companies, only requires "small changes" for self-sovereign identity and is a "doorway" we should gleefully step through.

Login with Google/Facebook/Apple/Microsoft, those "billions of times a day" usages... are all coerced logins. We have no choice but to use the big tech vendors. That is not a world I want to contribute to.

We are not "focused on web only" here... though it is an effective "gotcha!" talking point that seems to not be questioned when uttered ("I mean... the word "WEB" is in World Wide Web Consortium! What else could they be up to over there!?"). The phrase is disingenuous, and I really wish those uttering it would stop... but you can't blame them; it's an effective way to get people who don't know any better nodding in agreement with whatever "non-Web" thing you're going to say next.

I am "deathly afraid" of the work, because people are rushing into it without thinking deeply about the consequences. So, "Nope!":

I refuse to just go with the herd and gleefully re-cement centralization in this new generation of identity technologies.

I refuse to trust that things will be different this time because the same people that created OpenID Connect have learned their lessons and are doing things differently now.

... and I refuse to accept your mischaracterization of this community, the good faith efforts that they've put forward to coordinate where they can, or why some of us remain sceptical of some of the other wallet protocol efforts going on right now.

It is possible for all of us, across all communities, to act in good faith and still disagree on the path forward.

I certainly don't think for a second that the vast majority of people involved in OpenID, DIF, CCG, IIW, or RWoT are acting in bad faith. Misguided, possibly (including myself!), but not this "Not Invented Here Tribalism" narrative that seems to be so popular. I see a bunch of people, across each "silo", doing their best to solve hard problems given all of the pressures of their work and home life. Full stop.

Going back to OpenID being applied to Verifiable Credential Exchange. There are three fatal flaws that need to be overcome for it to be a good idea:

1. Eliminate registration -- if you require wallet
   registration, you enable centralization.

2. Eliminate NASCAR screens; don't allow verifiers to
   pick/choose which wallets they accept. If you allow
   either of these things to happen, you enable
   centralization.

3. Eliminate the concept of "App Store"-like in-wallet
   "Marketplaces". If you do this, you put issuers at a
   natural disadvantage -- pay to play to get listed
   in a wallet's "Marketplace".

Rather than seeing solutions proposed to the problems above, the OpenID specifications seem to be doubling down on enabling the three items above.

Out of CHAPI, DIDCommv2, and OpenID... OpenID is the most centralizing, worst solution for Verifiable Credential Exchange on the table today.

That is not to say it can't be fixed, but I have yet to see a proposal that addresses all three items above.

> There is a lot of "othering" of work that isn't CCG. Because that work 
> is less "pure".

No, there are concerns related to the technical underpinnings of OpenID that lead to centralization that have yet to be addressed by the current proposals.

The only Othering I'm seeing going on here is what you're doing. Casting some vague subset of the CCG as this irrational, web-only, not invented here, tribal silo and going after community volunteers that are not doing what you want or meeting on your schedule.

I've known you for many years, Kaliya -- you're better than this and are usually a bridge builder and tireless advocate for open lines of communication. I know you're frustrated, we all are, but I don't think the way in which you've chosen to engage is going to result in what you want.

Again, just my $0.02 as a community member.

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/

Received on Friday, 25 March 2022 19:09:06 UTC