W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

Progress check on this thread (was: Re: Centralization dangers of applying OpenID Connect to wallets protocols)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Mon, 28 Mar 2022 16:33:21 -0400
To: public-credentials@w3.org
Message-ID: <403a22c6-8ace-c7ab-d85e-72be9e6deab4@digitalbazaar.com>
On 3/28/22 4:06 AM, Tobias Looker wrote:
> It seems pretty clear to me that we aren't getting anywhere in our latest 
> email exchanges.

Here are concrete benefits and progress we've made in the past 10 days:

* Engagement from implementers in the CCG, DIF, Aries, and
  OpenID communities on a topic that is important to all
  of us.

* Historical perspective from multiple viewpoints on
  CHAPI, OIDC, and mDL.

* Creation of the "W3C CCG Wallet Protocol Analysis"
  spreadsheet with multiple people from the community
  participating with a suggestion by one of the Chairs
  to make it into a work item.

* Feature separation of "mediation" from "VP exchange

* Feature separation of same-device from cross-device use

* Feature separation of presentation request data model
  from presentation exchange protocol.

* Commitments to present DIDCommv2 and CHAPI in CCG.

* Invitation to engage about CHAPI in OpenID Foundation.

* Productive analysis of multiple features and concerns
  for multiple protocols.

* The list of concrete items to focus on that you provided
  in the preceding email to this one.

That's one concrete positive outcome per day that this thread has been alive.
That's a win in my book! Perma-threads typically go nowhere, but this one
seems to be making concrete progress!

> Its become clear to me that recounting history (and yes I know it was my 
> idea to invite more of it) is clearly going to have limited value when it 
> is primarily two limited perspectives being shared.

Understanding how we got here is pretty vital, all around, I've seen multiple
people learning from each other on this thread. I've had four people email me
saying that they're learning a lot from this thread. That's a good thing.

I've been positively suprised by this thread (in a good way) when Kristina
suggested that we might look at CHAPI as a mediation layer for OIDC -- I was
not expecting that very positive outcome. I am also happy to see that we've
been able to tease SIOP apart from CHAPI and bucket these technologies more

> Im sure there is some hard fought truth in what you are saying, I respect 
> it, but I simply don't agree, I've shared my perspective and you have 
> yours.

It's fine to disagree, even once all of the facts are out there. Perspective
plays a role in our view of the world.

> I find it fruitless to continue to engage in a dialog, much of which, 
> attempts to characterise the motives of people and organisations, who are 
> members of this and wider communities, as being complicit, ignorant or 
> worse.

There are people and organizations in this world that are complicit, ignorant,
or worse. Just look at what's happening on the world stage today -- or really,
any decade. It's debatable which, if any of these characteristics, apply to
CCG, DIF, Aries, and OpenID. We're all guilty and innocent of these vagaries,
to a degree, from time to time.

These are perspectives, and we all have them, and the more we understand each
communities perspectives, the easier it is to understand when collaboration is
an option, and when it'll more likely lead to frustration.

> To that end I'm going to try and focus on the things I think we agree on 
> and I suggest Dmitri's latest response is the best place to start with this
> (im essentially restating his points below + a couple more):

I take your point, however, that most people don't enjoy unearthing and
analysing these sorts of behaviours and would rather focus on the technology
instead of the politics... which is why Dmitri and your list is a good one,
let's shift to that and see where we end up.

> - Its clear that we need to work on a mediation layer for whatever protocol
> we use for same-device flows. A polyfill approach like CHAPI is an option,
> however there are concerns being shared by numerous people on how this
> works today, ones that appear to keep being overridden in this thread and
> in the spreadsheet. I'm going to try work on a way to better communicate
> these outside of the context of pitting SIOP against CHAPI, because all
> that leads to is a tit for tat style dialog, rather than one that is
> focused on finding solutions to the outstanding problems.

Sounds good, in the name of fairness, I can kick off a "Centralization dangers
of applying CHAPI to wallet selection" thread.

> As a parallel approach I would also like us to explore putting forward a 
> proposal to FedCM, its not every day that the browsers work on primitives 
> in this area, so the time feels right to have the conversation.

Happy to try and provide perspective there -- it's worth a shot, though I have
some fairly considerable concerns and warnings (as someone that has tried to
do exactly that, multiple times with the browser vendors).

> - Separating out the protocol from the mediation layer appears to have 
> brought some clarity so I will try to continue to help make this clearer in
> the spreadsheet.


> - Its clear that the exchange protocol needs to account for capability 
> negotiation between the involved parties (e.g RP and wallet during 
> credential presentation), whether that be accomplished via something like 
> client registration or via other means. Its very hard to compare when this
>  doesn't exist in CHAPI and VC API today.

Let's break this out into a separate thread, there's a lot to talk about here.

> - We need to have a discussion about client authentication, I dont know how
> to describe this more generally than by using the OAuth2 language.

Yep, separate thread. We should probably focus on the security model and
attack vectors, there.

> - I think being able to share a security model and E2E sequence diagram
> for how these different protocols are assumed to work would also help
> massively in the conversation, im willing to commit to producing one for
> OIDC CP / OIDC4VCI as a starting point and talking it through if others are
> happy to do it for the other protocols?

Yes, I can commit to doing one for CHAPI and VPR + VC-API.

It'd be great if we had someone do one for DIDComm.

I know folks are frustrated, but stick with it, as long as there are concrete
items to discuss like the above, there is hope. :)

-- manu

Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
Received on Monday, 28 March 2022 20:33:39 UTC

This archive was generated by hypermail 2.4.0 : Monday, 28 March 2022 20:33:41 UTC