W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sat, 26 Mar 2022 17:04:13 -0400
To: public-credentials@w3.org
Message-ID: <82b3a867-a0ee-e71b-c361-683d53839bfb@digitalbazaar.com>
On 3/21/22 6:51 PM, David Waite wrote:
> They will not have installed an app or web extension to provide CHAPI.

CHAPI does not need a native app or web extension to be installed to work.
Full stop.

CHAPI is a browser polyfill that works with 95% of existing browsers today. A
polyfill is a piece of javascript code that a wallet, issuer, or a verifier
website loads to be able to use CHAPI. They do this just like any other
software library used on that website -- by including it via an HTML <script>
tag. That's it.

> If end users who have not been educated in and invested into wallets don't
> get a good experience out of the box, services are not going to become
> verifiers.

What would it take to convince you that CHAPI has "a good experience out of
the box"? UX studies? How big does the sample set have to be? What sorts of
users?

> The SIOP solution today to avoid NASCARing is that multiple wallets are 
> invocable with the same custom URL scheme or the same app link, in addition
> to being able to understand such a request if embedded within a scanned QR
> code.

Dmitri has already pointed out why both of these mechanisms are flawed in ways
that are unrecoverable. Both presume native apps are in use, they don't work
for same-device web wallets.

> The problem is that mediation between the sandboxes is a platform
> function, and visibility as well as state persistence will be increasingly
> locked down.

Can you elaborate on each platform function that you believe is going to
disappear, what time horizon it'll disappear on? I'm happy to try and outline
the mitigations that CHAPI has planned to use in each of those cases.

> Depending on the browser, a pure web CHAPI may involve juggling tabs and 
> windows for native wallets, it may involve the user accepting multiple
> prompts around sharing data that may result in tracking, and may see its
> registrations deleted due to periods of non-use.

We've proposed solutions to address each of these concerns before. What of
those solutions has you concerned. If you don't know what the solutions are,
please let me know, I'd be happy to walk you through each one of them.

> Instead, I am pointing out that modern consumer platforms (operating
> systems _and_ browsers) are built and continue to evolve to further sandbox
> and isolate processes by company or web domain, as well as limit state
> sharing and IPC.

Sure, but the details matter here... so let's get into the details.

> So, I would still maintain, than until this problem is solved, SIOP is 
> basically unusable, for getting VCs/VPs into wallets.
> 
> I would argue it is one of the better options for actual adoption.

... and we have multiple people arguing that it isn't. So, let's get into the
details if you're truly curious about a solution... we all want to solve the
same set of problems and we have market realities that we're all trying to
grapple with.

-- manu

-- 
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Saturday, 26 March 2022 21:04:30 UTC

This archive was generated by hypermail 2.4.0 : Saturday, 26 March 2022 21:04:31 UTC