Re: Centralization dangers of applying OpenID Connect to wallets protocols (was: Re: 2022-2026 Verifiable Data Standards Roadmap [DRAFT])

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Sun, 27 Mar 2022 15:24:43 -0400
To: public-credentials@w3.org
Message-ID: <4eaa8678-ff5f-05c8-9df9-ec3e5b831695@digitalbazaar.com>

On 3/23/22 2:11 PM, Oliver Terbu wrote:
> IMO, OpenID Connect is not the reason why web applications do only offer a 
> limited set of sign-in options.

OpenID is a contributing factor, for sure.

OpenID provided a technical solution for attribute transfer w/o a
self-sovereign provider registration or selection mechanism. That contributed
to the centralized state of social login today, or at best, isn't going to
address the centralized state of social login today.

The CCG Verifiable Credentials work started by addressing two problems
simultaneously. The first was the broken "IdP" model where it is the issuer of
attributes, storage mechanism, and conveyance mechanism, all in one. The
second was the broken state of login due to the NASCAR problem, where there
was no self-sovereign provider registration or selection mechanism in the market.

The CCG work fielded solutions for both of those classes of problems. If you
only solve ONE of those classes of problems, you will continue to have a
centralized system.

> It is also not the “Big Tech” companies that force relying parties to
> reduce their sign-in options.

The browser vendors (aka Big Tech) could've solved this problem long ago by
providing a self-sovereign provider registration and selection mechanism in
the browser. They didn't do that. Inaction generates a coercive force as well.

That's not to say Big Tech is fundamentally bad... just that they have their
own, completely legal, motivations (protecting their profit is among them) and
large corporations act out of self-interest (for the most part).

The strategic trick here is to force a hand; regulations can do that, but so
can market competition.

> They could still offer more options. The reason why they don’t is simply
> they don’t need to since most relying parties are just interested in a
> small set of claims, most important is the verified email address and all
> providers can address that need.

The argument that was made against the first Verifiable Credentials charter at
W3C, by leaders in the OpenID community, was that JWTs provided all of the
functionality necessary to carry arbitrary attributes in OpenID, there was an
open JWT attribute extension registry at IETF, and that the VC work was
completely and totally unnecessary as a result.

I don't know how to reconcile your statement with that one, other than there
seem to be conflicting opinions on the matter. :)

> There is no need for relying parties to invest in more options since it
> is more complicated.

It's only more complicated because 1) VCs didn't exist and 2) a solution to
the NASCAR problem wasn't fielded.

> Verifiable Credentials (VCs) have a completely different promise, larger
> scope and scale in a very different way (many many issuers and types of
> credentials). To lower the costs for relying parties it would be actually
> good to use already existing rails for VCs. That was the idea.

It's a really bad idea if we don't ensure an open wallet ecosystem.

I can see nothing but upsides for the existing, dominant and centralized IdPs.
I can certainly see upsides in enterprise settings.

However, where it really matters to society, not having an open wallet
ecosystem is going to cause societal harm through centralization. I think
that's a use case that many of us care deeply about, regardless of which
community we identify with.

> If people here are worried that “Big Tech” companies would enter the W3C
> VC market, then they would enter the market not because we make it easy to 
> integrate with OpenID Connect, it is because the market is big and
> attractive enough to invest in development.

I don't think anyone here is worried about Big Tech entering the VC market.
Quite the opposite, that would be a huge win.

How they enter is what's being debated. If they enter by utilizing a market
centralizing technology stack and use that to further centralize, that's not
good for anyone but the very few winners.

If, however, there is fair market competition... then that's much different.
You and I have elaborated on ways that OIDC could change to enable a more open
market -- use CHAPI for registration/selection, don't require wallet vendor
registration at Verifiers, avoid the use of wallet marketplaces... but that
doesn't seem to be resonating w/ the OpenID folks that are engaging in the
discussion (and it never really has... at least, not to the point where action
was taken).

> Were Google and Apple involved in mobile driver’s licenses before ISO
> 18013-5? No, probably not. They don’t even seem to be interested in the
> OpenID Connect profile of ISO 18013-5, they go a completely different
> route. If the market is big enough those companies would invest and imo,
> they don’t care which protocol it is. For that reason, I don’t think anyone
> can prevent “Big Tech” companies from entering a lucrative market by
> inventing or betting on a new protocol (see ISO 18013-5).

As I said above, the goal isn't to exclude... it's to be as inclusive as we
can be, and right now, OpenID is /not/ inclusive in a variety of important ways.

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
Received on Sunday, 27 March 2022 19:25:00 UTC