Re: Standardization of OAuth2 server-to-server flows using DIF Presentation Exchange?

This thread illustrates the three dimensions of VC interoperability:
- Technical
- Regulatory
- Business Model

The technical assessment of IETF GNAP suggests it has the broadest scope of
applicability across the range of user agents.

The regulatory perspective will differ for jurisdictions like EU or India
that are intentionally trying to reduce the power of platforms in different
ways as compared to US.

Lastly, the business model perspective seems to be driven by government
procurement for humans application or non-human supply chain applications.
Direct to consumer business models don’t seem to be represented in the VC
standards groups.

There’s no obvious organizing principle at play to help focus the API work. The
number of workgroups around VC interfaces is large and still seems to be
growing. The scope of participating interests is also growing.

- Adrian


On Wed, Aug 9, 2023 at 6:25 AM Alen Horvat <horvat.alen@yahoo.com> wrote:

> Hi,
>
> Seems there’s a clear need for m2m VC exchange and there are several ways
> projects/initiatives approached the problem. Which is quite natural when
> one starts from business requirements that are different across use cases.
>
> Question is: what would be the best way to converge on the approaches
> (whenever this is possible; we need to acknowledge there might be cases
> that may be constrained in by various factors).
>
> Orie made a good point
>
>
> In general, "verifiable presentations" are extremely weakly defined making
> interop testing very inconsistent, and often "securing mechanism specific".
>
>
> Hence “profiles” for VC exchange need to be defined. If there’s interest,
> we could collect business requirements from different use cases and see
> whether there’s overlap and if a convergence is possible (or not).
>
> There are several elements that need to be considered
> - trust establishment (DID+VC, P2P, federation, other)
> - authentication (OID4VP, OAuth, …)
> - Signature format and algorithms (jws, data integrity, other)
> - other
>
> WDYT?
>
> BR, Alen
>
>
> On 8 Aug 2023, at 18:27, Orie Steele <orie@transmute.industries> wrote:
>
> Traceability folks support what we call "OAuth Presentations"... to
> distinguish them from their VC-API cousins.
>
> - https://github.com/w3c-ccg/traceability-interop
> - https://github.com/w3c-ccg/traceability-vocab
>
> You can see the latest report runs here:
> https://w3c-ccg.github.io/traceability-interop/reports/interoperability/
>
> I would say what we are doing is not "vc-api" or "presentation exchange"
> in the DIF context.
>
> In general, "verifiable presentations" are extremely weakly defined making
> interop testing very inconsistent, and often "securing mechanism specific".
>
> For example see:
>
> https://openid.net/specs/openid-4-verifiable-presentations-1_0.html
>
> I don't know if anyone is implementing this kind of flow for M2M / machine
> identity use cases... but that's what we have been wanting for a long
> time... and why we don't use the current version of the vc api.
>
> There is also:
>
> https://identity.foundation/jwt-vc-presentation-profile/#profile
>
> In general the community seems very fixated on "human in the loop"
> presentation flows... which are almost completely useless for organization
> / cloud agent use cases where machines interact on behalf of users without
> pestering them to confirm transactions.
>
> At the most recent IETF, there seems to be a lot of interest in "client
> credentials", "private key jwt" and "client attestation" auth modes for
> OAuth.
>
> It would be nice to see a similar level of interest in M2M / Machine
> Identity originating verifiable presentation flows.
>
> Regards,
>
> OS
>
>
> On Tue, Aug 8, 2023 at 9:17 AM Manu Sporny <msporny@digitalbazaar.com>
> wrote:
>
>> On Mon, Aug 7, 2023 at 10:35 AM Rein Krul <info@reinkrul.nl> wrote:
>> > Is there (previous) work on, or interest for, such a standard? Or do
>> you know of any initiatives to standardize it?
>>
>> Hi Rein,
>>
>> There is a group of us that are working on something called the
>> Verifiable Credentials API, which does the sort of server-to-server
>> flows that you mention, where OAuth2 is one of the authentication
>> mechanisms in play. The VC API is a work item of the Credentials CG:
>>
>> https://w3c-ccg.github.io/vc-api/
>>
>> We do plan to take it onto the standards track once we have enough
>> implementation experience. There are portions of the API that were
>> utilized for the last Jobs for the Future plugfest (mostly the issuer
>> API portions), where a number of the VC API implementers used OAuth2
>> for the authentication mechanism (see slide #5):
>>
>>
>> https://docs.google.com/presentation/d/19GmJ3bLMrbVadesnkmsWaaUr-U71Y9Kr775tZvgs-xI/edit
>>
>> Here are a number of implementers in the ecosystem demonstrating that
>> the API can be used to interop on credential issuance here (as well):
>>
>>
>> https://w3c-ccg.github.io/vc-api-issuer-test-suite/#Issue%20Credential%20-%20Data%20Integrity
>>
>> For exchanging VCs, we provide these interfaces in the API (again,
>> OAuth2 could be used for server-to-server exchanges):
>>
>> https://w3c-ccg.github.io/vc-api/#exchange-examples
>>
>> All that said, while we plan to take the API standards track, we want
>> to make sure that we're addressing a variety of the diverse
>> server-to-server use cases in the ecosystem, which are being
>> documented here:
>>
>> https://w3c-ccg.github.io/vc-api-use-cases/
>>
>> Hope that helps. We have weekly calls (Tuesdays at 3pm ET) among a
>> group that is working on the specification. I hope that helps answer
>> some of the question you were asking. Do you have any further
>> questions on any of the above, Rein?
>>
>> -- manu
>>
>> --
>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>> Founder/CEO - Digital Bazaar, Inc.
>> https://www.digitalbazaar.com/
>>
>>
>
> --
>
> ORIE STEELE
> Chief Technology Officer
> www.transmute.industries
> <https://transmute.industries/>
>
>
>

Received on Wednesday, 9 August 2023 22:26:25 UTC