W3C home > Mailing lists > Public > public-credentials@w3.org > March 2022

Re: Progress check on this thread (was: Re: Centralization dangers of applying OpenID Connect to wallets protocols)

From: Tobias Looker <tobias.looker@mattr.global>
Date: Wed, 30 Mar 2022 00:43:01 +0000
To: Manu Sporny <msporny@digitalbazaar.com>, "public-credentials@w3.org" <public-credentials@w3.org>
Message-ID: <SY4P282MB1274E10F264D14423EE4098F9D1E9@SY4P282MB1274.AUSP282.PROD.OUTLOOK.COM>
> Here are concrete benefits and progress we've made in the past 10 days:

I agree these are all great outcomes for the thread, so I'm hoping we can focus on getting to the next level of detail on these.

> Sounds good, in the name of fairness, I can kick off a "Centralization dangers
of applying CHAPI to wallet selection" thread.

Great, to be clear though, there may be some challenges with regards to centralization in CHAPI, however the concerns I was referring to are how it works in browser today and what the options and choices are given the landscape we are in. I've made a separate item in the spreadsheet to discuss these

https://docs.google.com/spreadsheets/d/1Gp5V5lTO3pyQ94hS-UR_WTWg0DkBMv0ubXYaKjIPqnU/edit#gid=1939507037

> Happy to try and provide perspective there -- it's worth a shot, though I have
some fairly considerable concerns and warnings (as someone that has tried to
do exactly that, multiple times with the browser vendors).

Granted, your perspective would be greatly appreciated on it none the less, I'd like to submit the FedCM group soon.

> Let's break this out into a separate thread, there's a lot to talk about here.

+1

> Yes, I can commit to doing one for CHAPI and VPR + VC-API.

Great, would we aim to present on a CCG call or somewhere else / some other format?


Thanks,

[Mattr website]<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0>



Tobias Looker

MATTR
CTO

+64 (0) 27 378 0461
tobias.looker@mattr.global<mailto:tobias.looker@mattr.global>

[Mattr website]<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WeN4boYw%26u%3Dhttps%253a%252f%252fmattr.global%252f&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076709977%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=tKqCMzLUQNCeORd908YqfqZoT7tCy%2FMVwXdjpch1sDY%3D&reserved=0>

[Mattr on LinkedIn]<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1SbN9fvNg%26u%3Dhttps%253a%252f%252fwww.linkedin.com%252fcompany%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076719975%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=t%2BidOI32oaKuTJf1AkcG%2B%2FirIJwbrgzXVZnjOAC52Hs%3D&reserved=0>

[Mattr on Twitter]<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiW1WdMte6ZA%26u%3Dhttps%253a%252f%252ftwitter.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=BD9WWyXEjVGlbpbCja93yW%2FzLJZpe%2Ff8lGooe8V6i7w%3D&reserved=0>

[Mattr on Github]<https://aus01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fscanmail.trustwave.com%2F%3Fc%3D15517%26d%3Dw46s4eMXULV_ns1ZfAKYLbVKcqey_PHiWwGdMoDtMw%26u%3Dhttps%253a%252f%252fgithub.com%252fmattrglobal&data=04%7C01%7CSteve.Lowes%40mbie.govt.nz%7C5a65fe33c70b41fd8ba908d976f3a2f1%7C78b2bd11e42b47eab0112e04c3af5ec1%7C0%7C0%7C637671611076729970%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=4AhRuXZCnU5i3hcngo4H3UiNayYUtXpRcImV4slS1mw%3D&reserved=0>

This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.

________________________________
From: Manu Sporny <msporny@digitalbazaar.com>
Sent: 29 March 2022 09:33
To: public-credentials@w3.org <public-credentials@w3.org>
Subject: Progress check on this thread (was: Re: Centralization dangers of applying OpenID Connect to wallets protocols)

EXTERNAL EMAIL: This email originated outside of our organisation. Do not click links or open attachments unless you recognise the sender and know the content is safe.


On 3/28/22 4:06 AM, Tobias Looker wrote:
> It seems pretty clear to me that we aren't getting anywhere in our latest
> email exchanges.

Here are concrete benefits and progress we've made in the past 10 days:

* Engagement from implementers in the CCG, DIF, Aries, and
  OpenID communities on a topic that is important to all
  of us.

* Historical perspective from multiple viewpoints on
  CHAPI, OIDC, and mDL.

* Creation of the "W3C CCG Wallet Protocol Analysis"
  spreadsheet with multiple people from the community
  participating with a suggestion by one of the Chairs
  to make it into a work item.

* Feature separation of "mediation" from "VP exchange
  protocols".

* Feature separation of same-device from cross-device use
  cases.

* Feature separation of presentation request data model
  from presentation exchange protocol.

* Commitments to present DIDCommv2 and CHAPI in CCG.

* Invitation to engage about CHAPI in OpenID Foundation.

* Productive analysis of multiple features and concerns
  for multiple protocols.

* The list of concrete items to focus on that you provided
  in the preceding email to this one.

That's one concrete positive outcome per day that this thread has been alive.
That's a win in my book! Perma-threads typically go nowhere, but this one
seems to be making concrete progress!

> Its become clear to me that recounting history (and yes I know it was my
> idea to invite more of it) is clearly going to have limited value when it
> is primarily two limited perspectives being shared.

Understanding how we got here is pretty vital, all around, I've seen multiple
people learning from each other on this thread. I've had four people email me
saying that they're learning a lot from this thread. That's a good thing.

I've been positively suprised by this thread (in a good way) when Kristina
suggested that we might look at CHAPI as a mediation layer for OIDC -- I was
not expecting that very positive outcome. I am also happy to see that we've
been able to tease SIOP apart from CHAPI and bucket these technologies more
accurately.

> Im sure there is some hard fought truth in what you are saying, I respect
> it, but I simply don't agree, I've shared my perspective and you have
> yours.

It's fine to disagree, even once all of the facts are out there. Perspective
plays a role in our view of the world.

> I find it fruitless to continue to engage in a dialog, much of which,
> attempts to characterise the motives of people and organisations, who are
> members of this and wider communities, as being complicit, ignorant or
> worse.

There are people and organizations in this world that are complicit, ignorant,
or worse. Just look at what's happening on the world stage today -- or really,
any decade. It's debatable which, if any of these characteristics, apply to
CCG, DIF, Aries, and OpenID. We're all guilty and innocent of these vagaries,
to a degree, from time to time.

These are perspectives, and we all have them, and the more we understand each
communities perspectives, the easier it is to understand when collaboration is
an option, and when it'll more likely lead to frustration.

> To that end I'm going to try and focus on the things I think we agree on
> and I suggest Dmitri's latest response is the best place to start with this
> (im essentially restating his points below + a couple more):

I take your point, however, that most people don't enjoy unearthing and
analysing these sorts of behaviours and would rather focus on the technology
instead of the politics... which is why Dmitri and your list is a good one,
let's shift to that and see where we end up.

> - Its clear that we need to work on a mediation layer for whatever protocol
> we use for same-device flows. A polyfill approach like CHAPI is an option,
> however there are concerns being shared by numerous people on how this
> works today, ones that appear to keep being overridden in this thread and
> in the spreadsheet. I'm going to try work on a way to better communicate
> these outside of the context of pitting SIOP against CHAPI, because all
> that leads to is a tit for tat style dialog, rather than one that is
> focused on finding solutions to the outstanding problems.

Sounds good, in the name of fairness, I can kick off a "Centralization dangers
of applying CHAPI to wallet selection" thread.

> As a parallel approach I would also like us to explore putting forward a
> proposal to FedCM, its not every day that the browsers work on primitives
> in this area, so the time feels right to have the conversation.

Happy to try and provide perspective there -- it's worth a shot, though I have
some fairly considerable concerns and warnings (as someone that has tried to
do exactly that, multiple times with the browser vendors).

> - Separating out the protocol from the mediation layer appears to have
> brought some clarity so I will try to continue to help make this clearer in
> the spreadsheet.

+1

> - Its clear that the exchange protocol needs to account for capability
> negotiation between the involved parties (e.g RP and wallet during
> credential presentation), whether that be accomplished via something like
> client registration or via other means. Its very hard to compare when this
>  doesn't exist in CHAPI and VC API today.

Let's break this out into a separate thread, there's a lot to talk about here.

> - We need to have a discussion about client authentication, I dont know how
> to describe this more generally than by using the OAuth2 language.

Yep, separate thread. We should probably focus on the security model and
attack vectors, there.

> - I think being able to share a security model and E2E sequence diagram
> for how these different protocols are assumed to work would also help
> massively in the conversation, im willing to commit to producing one for
> OIDC CP / OIDC4VCI as a starting point and talking it through if others are
> happy to do it for the other protocols?

Yes, I can commit to doing one for CHAPI and VPR + VC-API.

It'd be great if we had someone do one for DIDComm.

I know folks are frustrated, but stick with it, as long as there are concrete
items to discuss like the above, there is hope. :)

-- manu

--
Manu Sporny - https://www.linkedin.com/in/manusporny/
Founder/CEO - Digital Bazaar, Inc.
News: Digital Bazaar Announces New Case Studies (2021)
https://www.digitalbazaar.com/
Received on Wednesday, 30 March 2022 00:43:24 UTC

This archive was generated by hypermail 2.4.0 : Wednesday, 30 March 2022 00:43:26 UTC