decentralized-id.github.io/_posts/identosphere-dump/open-standards/bridging-the-gap.md
⧉ infominer 91fd6f06e2 MDC
2022-11-25 23:39:31 -05:00


---
published: false
---

Bridging the Gap

Slides: https://www.slideshare.net/TorstenLodderstedt/openid-connect-for-w3c-verifiable-credential-objects

  • Incubated in the OpenID Foundation and DIF's joint Self-Issued OpenID Provider (SIOP) working group; contact Kristina (kristina.yasuda@microsoft.com) for participation details

W3C Web Authentication (FIDO2) provides a mechanism for strong authentication, whilst W3C Verifiable Credentials provide a mechanism for strong identification and authorisation: FIDO2 proves that the person present controls a registered authenticator, and VCs carry signed attributes about that person. Together they make a strong pair for identity management.

Prof. David Chadwick presented work on sharing W3C Verifiable Credentials using FIDO2 keys set up with the issuers of those credentials. In a nutshell, the holder and issuer use the WebAuthn protocol to strongly authenticate before the issuer protects the credentials with its signature. When credentials are to be provided to a relying party, the issuer (acting in an IdP capacity, so it must be online) verifies the identity of the holder via FIDO2 WebAuthn, and only then releases the credentials (or selected claims from them, for selective disclosure) for sharing with the relying party. An ephemeral key pair is created for each such presentation and bound into the derived credential, so the relying party/verifier can check that the party presenting it is the holder the issuer just authenticated. The relying party/verifier confirms that the issuer is valid by checking the issuer's signature on the derived credential against the issuer's X.509 certificate. The trade-off to keep in mind is that the issuer takes part in every presentation, so it learns when, and to which relying parties, the holder presents; conventional VC presentation keeps the issuer out of that loop.
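
The exchange described above, as an added example in Go using only the standard library (this is not code from the talk or from any project). Two simplifications are assumptions of this example: the holder's WebAuthn assertion is reduced to an Ed25519 signature over the issuer's challenge (a real assertion also signs authenticatorData and clientDataHash), and the X.509 check is replaced by a pinned issuer key on the verifier. The credential field names, the DID and RP identifiers and the sample claims are constructed for the example and are not the W3C VC data model.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// DerivedCredential holds only the disclosed claims, bound to the holder's ephemeral key.
// Field names are this example's own, not the W3C VC data model.
type DerivedCredential struct {
	Issuer    string            `json:"issuer"`
	Audience  string            `json:"audience"`
	Claims    map[string]string `json:"claims"`
	HolderKey []byte            `json:"holderKey"`
	IssuerSig []byte            `json:"issuerSig,omitempty"`
}

// Presentation is what the holder hands to the relying party.
type Presentation struct {
	Credential DerivedCredential `json:"credential"`
	Nonce      []byte            `json:"nonce"`
	HolderSig  []byte            `json:"holderSig,omitempty"`
}

// Issuer acts as an online IdP; for brevity it holds one registered subject (FIDO2 key + claims).
type Issuer struct {
	Name        string
	priv        ed25519.PrivateKey
	webauthnKey ed25519.PublicKey
	claims      map[string]string
}
func freshNonce() []byte { b := make([]byte, 32); _, _ = rand.Read(b); return b }
// signingBytes: canonical JSON minus the signature (struct fields in order, map keys sorted).
func signingBytes(c DerivedCredential) []byte { c.IssuerSig = nil; b, _ := json.Marshal(c); return b }

// Derive checks the holder's signature over the challenge (standing in for a real WebAuthn
// assertion, which also covers authenticatorData and clientDataHash), then signs only the requested claims.
func (i *Issuer) Derive(challenge, assertion []byte, holderKey ed25519.PublicKey, audience string, wanted []string) (DerivedCredential, error) {
	if !ed25519.Verify(i.webauthnKey, challenge, assertion) {
		return DerivedCredential{}, fmt.Errorf("WebAuthn assertion failed")
	}
	cred := DerivedCredential{Issuer: i.Name, Audience: audience, Claims: map[string]string{}, HolderKey: holderKey}
	for _, name := range wanted { // selective disclosure: copy only what was asked for
		if _, ok := i.claims[name]; !ok {
			return DerivedCredential{}, fmt.Errorf("no such claim: %s", name)
		}
		cred.Claims[name] = i.claims[name]
	}
	cred.IssuerSig = ed25519.Sign(i.priv, signingBytes(cred))
	return cred, nil
}

// Present binds the derived credential to the RP's nonce with the holder's ephemeral key.
func Present(cred DerivedCredential, ephemeral ed25519.PrivateKey, nonce []byte) Presentation {
	p := Presentation{Credential: cred, Nonce: nonce}
	b, _ := json.Marshal(p)
	p.HolderSig = ed25519.Sign(ephemeral, b)
	return p
}

// Verify is the RP's check. In a deployment the trusted issuer key would come from the issuer's X.509 chain.
func Verify(p Presentation, trusted map[string]ed25519.PublicKey, audience string, nonce []byte) (map[string]string, error) {
	pub, ok := trusted[p.Credential.Issuer]
	if !ok || !ed25519.Verify(pub, signingBytes(p.Credential), p.Credential.IssuerSig) {
		return nil, fmt.Errorf("issuer signature invalid")
	}
	sig, hk := p.HolderSig, p.Credential.HolderKey
	p.HolderSig = nil // recover exactly the bytes the holder signed
	b, _ := json.Marshal(p)
	if len(hk) != ed25519.PublicKeySize || !ed25519.Verify(ed25519.PublicKey(hk), b, sig) {
		return nil, fmt.Errorf("holder binding invalid")
	}
	if p.Credential.Audience != audience || !bytes.Equal(p.Nonce, nonce) {
		return nil, fmt.Errorf("audience or nonce mismatch")
	}
	return p.Credential.Claims, nil
}

// RunFlow runs the exchange on constructed sample data; with tamper set the holder signs with an unbound key, which must fail.
func RunFlow(wanted []string, tamper bool) (map[string]string, error) {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	authPub, authPriv, _ := ed25519.GenerateKey(rand.Reader) // FIDO2 setup with the issuer
	issuer := &Issuer{Name: "did:example:university", priv: issPriv, webauthnKey: authPub,
		claims: map[string]string{"name": "Alice Example", "dob": "1990-01-01", "degree": "BSc Computer Science"}}
	rp, nonce, challenge := "https://rp.example", freshNonce(), freshNonce()
	assertion := ed25519.Sign(authPriv, challenge)         // holder answers the issuer's challenge
	ephPub, ephPriv, _ := ed25519.GenerateKey(rand.Reader) // fresh key pair for this RP only
	cred, err := issuer.Derive(challenge, assertion, ephPub, rp, wanted)
	if err != nil { return nil, err }
	if tamper { _, ephPriv, _ = ed25519.GenerateKey(rand.Reader) }
	return Verify(Present(cred, ephPriv, nonce), map[string]ed25519.PublicKey{issuer.Name: issPub}, rp, nonce)
}

func main() {
	claims, err := RunFlow([]string{"name", "degree"}, false)
	fmt.Println(claims, err)
}
```

The verifier's three checks are the ones the design relies on: the issuer's signature covers the disclosed claims together with the ephemeral public key, the holder's signature with that key covers the RP's nonce, and audience and nonce tie the presentation to this RP and this session. A real deployment additionally validates the full WebAuthn assertion (rpIdHash, flags, signature counter) on the issuer side and walks the issuer's certificate chain on the verifier side.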

  • Continuity of a service
  • Offline Authentication
  • Speed, reduced latency
  • Choice, Portability
  • Privacy

The goal is to let the user pick which DID they want to use for a website: the subject chooses which DID to present.

Use case: a user goes to an RP and decides to register for return visits. The RP cannot offer users the NASCAR problem (too many IdP logos on the login screen).

Two models: select a wallet, vs. select a wallet and an identifier within it.

What happens when SIOP arrives? We will need a DID chooser.

Some wallets will hold credentials for multiple identifiers; some will hold only one.

An RP offers users multiple options for registration (Google, Facebook, Yahoo, ... and, coming soon, Personal).

The RP should disclose its identity and, for each item of data it asks for, why it wants it.
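
An added example (not from the session or from any wallet implementation) of how a wallet could decide whether it needs a DID chooser at all, applying the points above: refuse a request that does not say who is asking or why, skip the chooser when only one identifier can satisfy the request, and reuse the identifier the subject picked for the same RP on a return visit. The request and wallet structures are this example's own simplifications, not SIOP v2 or DIF Presentation Exchange wire formats, and the DIDs, client IDs and credential types are constructed.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
)

// ClaimRequest is one item the RP asks for, with the reason it wants it. These are this
// example's own simplified structures, not the SIOP v2 or Presentation Exchange wire formats.
type ClaimRequest struct {
	Type    string // credential type wanted, e.g. "EmailCredential"
	Purpose string // why the RP wants it; the wallet refuses requests that omit this
}

// Request is the RP's registration request as the wallet sees it.
type Request struct {
	ClientID  string // who is asking; shown to the user
	Requested []ClaimRequest
}

// Wallet groups the credential types it holds by the DID they were issued to and remembers
// which DID the subject chose for each RP, so a return visit presents a stable identifier.
type Wallet struct {
	Held       map[string][]string // DID -> credential types held under it
	Remembered map[string]string   // client_id -> DID chosen on an earlier visit
}

// Choice is the chooser's outcome: a DID picked without a prompt, or the candidates the
// UI must let the subject pick from.
type Choice struct {
	Selected    string
	Candidates  []string
	NeedsPrompt bool
}

func hasAll(types []string, reqs []ClaimRequest) bool {
	have := map[string]bool{}
	for _, t := range types { have[t] = true }
	for _, r := range reqs { if !have[r.Type] { return false } }
	return true
}

// Choose rejects requests that do not say who is asking or why, then narrows the wallet's
// identifiers to those that can satisfy the request; it prompts only when several could.
func (w *Wallet) Choose(req Request) (Choice, error) {
	if req.ClientID == "" {
		return Choice{}, errors.New("request does not identify the relying party")
	}
	for _, r := range req.Requested {
		if r.Purpose == "" {
			return Choice{}, fmt.Errorf("no purpose stated for %s", r.Type)
		}
	}
	var cands []string
	usable := map[string]bool{}
	for did, types := range w.Held {
		if hasAll(types, req.Requested) {
			cands, usable[did] = append(cands, did), true
		}
	}
	sort.Strings(cands) // stable order for the UI
	prev := w.Remembered[req.ClientID]
	switch {
	case len(cands) == 0:
		return Choice{}, errors.New("no identifier in this wallet can satisfy the request")
	case usable[prev]:
		return Choice{Selected: prev, Candidates: cands}, nil // return visit: reuse the earlier pick
	case len(cands) == 1:
		return Choice{Selected: cands[0], Candidates: cands}, nil // single identifier: no chooser needed
	}
	return Choice{Candidates: cands, NeedsPrompt: true}, nil
}

// Remember records the subject's pick for this RP.
func (w *Wallet) Remember(clientID, did string) { w.Remembered[clientID] = did }

// SampleWallet is constructed demo data: a work DID and a personal DID that both carry an
// email credential, so an email-only request needs a chooser.
func SampleWallet() *Wallet {
	return &Wallet{
		Held: map[string][]string{
			"did:example:work":     {"EmailCredential", "EmployeeCredential"},
			"did:example:personal": {"EmailCredential"},
		},
		Remembered: map[string]string{},
	}
}

func main() {
	w := SampleWallet()
	req := Request{ClientID: "https://shop.example",
		Requested: []ClaimRequest{{Type: "EmailCredential", Purpose: "send order confirmations"}}}
	c, _ := w.Choose(req)
	fmt.Printf("first visit: prompt=%v candidates=%v\n", c.NeedsPrompt, c.Candidates)
	w.Remember(req.ClientID, "did:example:personal")
	c, _ = w.Choose(req)
	fmt.Printf("return visit: selected %s, prompt=%v\n", c.Selected, c.NeedsPrompt)
}
```

The chooser is keyed on the RP's client_id, which is why the request must carry one: without it the wallet can neither show the user who is asking nor recognise the RP on the next visit. Whether the remembered DID is still usable is re-checked against the new request, so an RP that later asks for a credential type the earlier identifier does not carry falls back to the normal selection path.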

Options we consider: