
Re: Open Wallet Foundation (and how it might fail)

From: Torsten Lodderstedt <torsten@lodderstedt.net>
Date: Thu, 22 Sep 2022 09:37:07 +0200
Message-Id: <E59ED3DF-045D-4C5D-95DA-9BE470225E34@lodderstedt.net>
Cc: Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials Community Group <public-credentials@w3.org>
To: Kyle Den Hartog <kyle@pryvit.tech>

Hi Kyle,

> On 22.09.2022 at 02:47, Kyle Den Hartog <kyle@pryvit.tech> wrote:
> Is anyone else concerned with the homogenization of wallets if we take this approach of multiple companies building and contributing to a common code base? I certainly get that the incentives are useful and generally agree with what OWF is trying to achieve. With that in mind let's consider the "when not if" scenario of some of this code having a vulnerability so we can avoid a Heartbleed scenario like OpenSSL faced.

Any advice on how we could try to prevent but also prepare for such a situation? We clearly want to produce high quality, secure source code and I would tend to utilize a higher level programming language than C as well as source code analysis tools.

best regards,

> -Kyle
> On Thu, Sep 22, 2022 at 5:22 AM Torsten Lodderstedt <torsten@lodderstedt.net> wrote:
> Hi Manu, 
> thanks for sharing your thoughts. 
> There have been a lot of discussions about the best way to fund and organise the work of the OWF in the last couple of days, especially how we get started. An important caveat of the original proposal is around scoping and feature prioritisation. Who would decide what features the staff would develop first (VCs, AnonCreds, ISO mDL, SD-JWT, …)? A committee? I’m pretty sure that would not work.  
> I’m now perceiving a mind shift towards a community driven approach. The OWF should be open for anyone to contribute code and the prioritisation is pretty simple. Those who contribute code influence what the OWF will produce. There is a need for some governance, e.g. all projects need to adhere to the same principles (e.g. code quality & security). Since we are aiming for multi-format, multi-protocol wallets, I would also assume there will be joint work on a core design that wires different modules (e.g. formats & protocols) together.
> Drummond Reed, Andre Kudra, and myself have drafted this proposal on how to bootstrap and govern the technical work.
> https://docs.google.com/document/d/1X7K33COKOovExJS_Cw_vL1eLQNSej431OfNpTEtXh2g/edit#
> @anyone on the list: please review and comment/propose changes. 
> The proposal aims at kickstarting a discussion among the people interested in the OWF, especially those intending to contribute.
> Would you consider contributing?
> best regards,
> Torsten. 
> > On 20.09.2022 at 16:30, Manu Sporny <msporny@digitalbazaar.com> wrote:
> > 
> > On Tue, Sep 20, 2022 at 9:25 AM Orie Steele <orie@transmute.industries> wrote:
> >> I'm confident that we can keep things aligned, and you can count on me to point out risks very publicly if I see something harmful emerging.
> > 
> > I'm not as confident about alignment. We have all been through this
> > before, with W3C VCs, ISO mDL, IIW, RWoT, Sovrin, Hyperledger, DIF,
> > ToIP, and now OWF. Every time one of these new "Foundations" pops up,
> > it dilutes focus in the technical specification work and ultimately
> > slows things down. It is, also, inevitable -- innovation and
> > standardization are chaotic.
> > 
> > I've spoken with DanielG about my concerns here, so this will mostly
> > be a repeat of what I conveyed to him a few weeks ago, after attending
> > one of the OWF meetings.
> > 
> > To start, I believe DanielG (and others that are trying to put OWF
> > together) have their hearts in the right place. The vision is
> > compelling, which is effectively "We don't want a proprietary
> > Apple/Google wallet duopoly to take hold, like has happened for mobile
> > payments." Almost no one wants that. So, yes, most everyone is excited
> > by that vision to come together and defend an open wallet ecosystem.
> > It's an excellent vision!
> > 
> > That said, it's the execution that matters here, and that's what seems
> > to be deeply flawed with OWF (today).
> > 
> > OWF attempting to raise €7.5M to hire a team of software developers to
> > build NEW open source software components for digital wallets feels
> > very misguided when there are already companies building open source
> > software for digital wallets. Starting from scratch and asking those
> > that have already invested millions of dollars in open source software
> > (like Digital Bazaar) to now invest in yet another NEW open source
> > infrastructure and an untested team is the sort of high risk gambling
> > that gives even the most seasoned entrepreneurs pause.
> > 
> > I say this as one of the inventors, architects, and standards editors
> > for a variety of these "digital wallet" technologies -- the "digital
> > wallet" protocols/technologies/standards are not ready yet. If you
> > want technical input from industry experts, there it is -- you're
> > trying to implement a series of things that are rapidly moving
> > targets, you're trying to implement all of them simultaneously, and
> > you're trying to fund a team that is not deeply intimate with all the
> > ways those targets are moving.
> > 
> > We're still trying to stabilize these standards, so any investment in
> > a NEW open source digital wallet core is going to churn heavily for
> > the next year or two. Even more worrying are some organizations
> > claiming to have stabilized digital wallet protocols as "ready to go"!
> > Do not believe that for a second -- nobody is ready to go -- that goes
> > for the mDL protocols, OIDC4VC, VC API, DIDComm, all of them -- high
> > churn, expect heavy changes over the next year or more. We will get
> > there, in time, but not this year or possibly next. All of this takes
> > far longer than any of us want and distractions (like OWF) make things
> > worse.
> > 
> > The "open source digital wallet libraries" also presume that you can
> > get away with a handful of software libraries -- or a single/dual
> > stack; you can't. These technologies need to be implemented in
> > multiple languages to be immediately useful to software developers...
> > you can claim that "we only need to implement in
> > Rust/Wasm/Javascript/Java" because you're just trying to get to 75%+
> > of the market, but it rarely happens that way (unless you can hide
> > everything behind an HTTP API... which you can't with most digital
> > wallets).
> > 
> >> I don't think there is any cause for concern right now, other than ensuring that OWF has enough stakeholders to lift off in a way that is useful.
> > 
> > I don't see how OWF helps dig the trenches that we need digging in the
> > next several years. We need more people to pick up a shovel and
> > implement across multiple languages, help with test suites, and other
> > "boring" work that OWF will need to actually be successful. Until that
> > stuff stabilizes, OWF will be in a holding pattern waiting for the
> > standards work around digital wallet protocols to stabilize.
> > 
> > When we look at where that €7.5M/year is best utilized, it would be to
> > fund the people already building and releasing the standards, open
> > source libraries, interoperability test suites, and other things that
> > are necessary foundations for an open wallet ecosystem. If OWF
> > redirects that money, instead, to starting from scratch with a new
> > team (or picking winners), it's just helping to suck even more oxygen
> > out of the room which only helps ensure the failure of the initial
> > vision.
> > 
> > I hope OWF takes all of the above as constructive criticism. I do want
> > it to succeed, but not at the expense of slowing things down by
> > splitting everyone's attention. We absolutely need help, just not the
> > sort of help that has been proposed by OWF to date.
> > 
> > -- manu
> > 
> > -- 
> > Manu Sporny - https://www.linkedin.com/in/manusporny/
> > Founder/CEO - Digital Bazaar, Inc.
> > News: Digital Bazaar Announces New Case Studies (2021)
> > https://www.digitalbazaar.com/
> > 

Received on Thursday, 22 September 2022 07:37:22 UTC
