# 2021-02-22 WebID CGs crossover Chat

https://csarven.ca/#i
* What's the definition of WebID? (Henry)
* Name collision - next steps (Sarven)
* State of token binding (Aaron)
* Mechanisms in the browser to differentiate between ClientIDs/Relying Party (Aaron)
* I would be interested to know if they have looked at [Universal Wallet](https://w3c-ccg.github.io/universal-wallet-interop-spec/)

11:01 justinwb q+
11:05 Sarven would you like to manage the queue ?
11:08 https://csarven.ca/#i sure, sorry missed Justin's
11:09 Daniel Buchner One is actual identity, one is about obscuring an IDP token exchange. WebFederatedTokenPrivacyTweak
11:12 😄 q+ re webid document as structured data
11:15 Daniel Buchner Solid WebID and Pods are basically the equivalent of a type of Decentralized Identifier + an Identity Hub personal datastore. Apps store data with users, in their Hubs/Pods
11:16 justinwb yes that's exactly right
11:16 Daniel Buchner data is encrypted with their ID keys. remake how half the web apps on the planet work at a fundamental level with true serverless dev APIs
11:17 justinwb webid similar to did:web
11:19 Daniel Buchner yep. I would love to see Solid use DIDs, even if just did:web. Brings us all under one common URI scheme and data model
11:19 justinwb we actually talked a lot about that in the solid editorial session last week - a lot of support for it
11:20 Daniel Buchner Fantastic - we are here to support you on the MSFT side
11:20 justinwb excellent
11:21 Daniel Buchner Pods/Hubs will eventually replace much of email and cloud storage services. We don't need MSFT and Google up in that data anymore 😄 Ooops I work for MSFT
11:25 justinwb lol
11:25 Daniel Buchner Imagine what Google tried to propose with roaming Local Storage a while back. this is roaming storage for all apps. A better math co-processor!
`navigator.did.requestStorage({ OBJECT_TYPE })` ^ that's what we need from UAs. Your PWA fires up, asks for authing a DID, and fires off that storage request
11:32 justinwb q+ re apps / ecosystem
11:32 Majid Valipour What is the extensibility model? What if Spotify wants to add its own specific field to this data. Does it require them to go through the standard process to get it into the model?
11:32 justinwb the base schemas are typically open, meaning you can add properties without failing validation
11:33 Daniel Buchner It's open world, so you could recreate your own types, but industries already huddle around this. Consider the case of Supply Chains: Across the globe, there is precisely 1 supply chain schema object ontology, GS1. both MSFT and Google are members of that org
11:34 justinwb we're doing a ton with health data using HL7 FHIR - similar case
11:34 Daniel Buchner All companies in the supply chain ecosystem use GS1, the same objects across all companies world wide. If they used Hubs/Pods, they could instantly interop with a common shared conduit. It's about creating one language out of the tower of babel
11:35 justinwb then allowing disparate apps developed with only knowledge of the data they want to work with, be able to read and write that data in those hubs/pods without corrupting it (but enriching it), and allow people to be able to share that data intuitively
11:36 Daniel Buchner yep - things like Conflict-free Replicated Data Types help us do this seamlessly
11:37 justinwb for sure
11:38 Daniel Buchner DID Comms authenticated encryption FTW
11:40 justinwb we've made a spec for multi-resource / multi-shape schemas that we use to reference and validate that should work well with those
11:40 Daniel Buchner Justin, did we just become best friends?
11:41 justinwb velociraptor! lol
11:41 Tim Cappalli (Microsoft) I'm a bit confused. OIDC and access tokens have no direct relationship.
11:41 yeah, we should touch that. q+ re clarifying OP, RS, client (RP)
11:43 Daniel Buchner Ironically, Google has the closest dev-analog to the Pod/Hub app experience, with Firebase. we want to make a Firebase that is native to the web, that all apps can use without caring who that backing provider or server is. Fire ALL Your Base, if you will 😄
11:45 Tim Cappalli (Microsoft) ID tokens are not designed to be used for authorization. That's why I'm a bit confused trying to understand what issues exist in OIDC.
11:47 current iteration of solid-oidc uses access tokens for that, not id tokens which aren't meant for it
11:47 Tim Cappalli (Microsoft) Got it. Can you expand on what issues exist with OIDC then? That didn't come through to me. If we're trying to replace OIDC, it is important to understand why / what's wrong with it
11:48 in short RP needs to access data on behalf of the user stored on multiple RSs. RP/client
11:49 Henry Story Ah here is a chat here! to Daniel Buchner: I have a proposal to put DID and WebID together here https://github.com/bblfish/authentication-panel/blob/HttpSig/HttpSignature.md
11:49 Daniel Buchner Yeah, need me some Object Capabilities activated via DID-signed invocations
11:49 Sarven I see q+ from Tim
11:49 Tim Cappalli (Microsoft) just responding to Aaron if possible
11:50 Henry Story That HttpSig proposal is about token binding
11:51 also about, current solid-oidc draft uses DPoP
11:51 Majid Valipour Those are OAuth?
11:53 https://tools.ietf.org/html/draft-fett-oauth-dpop-04
11:53 Sam Goto There are a few problems we think exist in federation today:
11:53 Tim Cappalli (Microsoft) https://datatracker.ietf.org/doc/html/draft-ietf-oauth-access-token-jwt-11
11:54 Sam Goto - portability, impersonation, unjustified parties, progressive disclosure and the lack of progressive disclosure. aaron, it would be helpful to converge on whether these are valid problems or not and what's within the adjacency of possibilities
11:55 Aaron Coburn Sam, those are all concerns that we share
11:56 if we do next meeting we could prepare agenda upfront. q+ from Sam
11:57 Daniel Buchner We should definitely fix that, but also just get rid of the IDP in the middle, if we can
11:59 Tim Cappalli (Microsoft) Here's the current questions from Microsoft's perspective, most of which overlap with Sam/Ken:
* How do we eliminate third party cookies and other tracking vectors without breaking federated identity?
* How does an identity provider and platform assist a user in selecting a credential with the right balance of convenience and security?
* How does an identity provider/verifier request a series of cryptographically secure, privacy respecting, and machine-verifiable credentials from a user?
* How do we prevent RP and IdP collusion and tracking in consumer federated auth use cases?
* How do we ensure seamless SSO across apps and the web for users in work and school environments, regardless of device management status?
* And in all these cases, how do we maintain (or improve) user experience?
11:59 Henry Story I think you use Verifiable Credentials of various sorts.
12:00 Tim Cappalli (Microsoft) agreed ^
12:00 q+ re: WebID to OP delegation in solid-oidc
12:00 Aaron Coburn q+ re shared issue w/ "NASCAR flag problem"
12:03 Tim Cappalli (Microsoft) That is also what is trying to be solved with SIOPv2 in OIDC
12:03 i think this would compare to setting MX records in DNS for one's domain
12:04 Tim Cappalli (Microsoft) SIOP today does not support identifier or key rollover. v2 should address those
12:04 https://csarven.ca/#i Raised hand notifications disappear for me.. so please q+
12:04 Henry Story q+
12:04 justinwb q+
12:04 https://csarven.ca/#i aaron, henry, justin. I think Ken had a hand up too.
12:05 Daniel Buchner We need IDs MSFT and Google can't hit a button to erase. Think about a legit version of Gravatar for the internet: native gravatar that you own, control, and keep independently from an IDP
12:06 Tim /me refreshes the page as connection to mic seems to be broken
12:06 Sam Goto delegation oriented flow https://docs.google.com/presentation/d/1Sym0k84omyL5Ls1lO6w4aGQ-s4EHrDzo8ZlheyzFOlw/edit#slide=id.ga40b1e6d4f_0_77 (details here)
12:07 Tim Cappalli (Microsoft) VC's could replace all instances of X.509 in there ^ (and should 😃 )
12:07 nice, will read after the meeting
12:08 Daniel Buchner I got you fam! https://github.com/decentralized-identity/fuzzy-encryption
12:08 Henry Story What we both agree on is that we want connectivity, not just complete unlinkability.
12:08 https://csarven.ca/#i q: aaron, justin, daniel
12:08 Tim Cappalli (Microsoft) (MSR: Microsoft Research)
12:09 do you have links to more details on that ?
12:09 Tim Cappalli (Microsoft) https://techcommunity.microsoft.com/t5/identity-standards-blog/new-explorations-in-secret-recovery/ba-p/1441550
12:10 thanks
12:10 Daniel Buchner Pavlik: https://github.com/decentralized-identity/fuzzy-encryption
12:11 great
12:11 Daniel Buchner T of N threshold recovery with human friendly inputs that can be subset shared among custodians
12:11 Tim Cappalli (Microsoft) NASCAR problem is this in our list: How does an identity provider and platform assist a user in selecting a credential with the right balance of convenience and security?
12:12 i see q+ from DB
12:14 Henry Story yes. we do need a policy framework for interaction Agents giving out credentials to Authenticate. But for browsers we need a minimum of a JS API to allow a trusted Agent to interact with the wallet
12:14 sounds in direction of https://github.com/WICG/webpackage
12:15 Daniel Buchner Yeah, recovery is a thing that you can swap mechanisms without having the UA know. we don't need to codify this in the UA API surface
12:16 Tim Cappalli (Microsoft) And CredMan already exists and can be extended to help broker either a wallet associated with the browser/OS or a federation provider
12:16 Sam Goto one question that i think is worth getting some convergence here in this group is: "what browser affordances solid needs to succeed/materialize?".
12:17 Daniel Buchner Ooops, I forgot we own NPM - I have to stop reducing the position of our products 😛
12:17 Henry Story q+ on browser affordances
12:17 https://csarven.ca/#i /me adds Sam to queue and Henry
12:17 I'll copy paste this chat to https://hackmd.io/DNaMjyJoRuK14Drk3cmsGA
12:17 Daniel Buchner Microsoft - Working to remove us from the middle of your life TM
12:18 Henry Story cool
12:18 https://csarven.ca/#i Sam, native RDF parsing/serializing would be icing on the cake.
12:19 Daniel Buchner We need:
1. Ask for an ID from the user (directed to native browser wallet or external)
2. Request data store permissions/capabilities
3. Request presentation of credentials/data directly to the RPs/sites
^ do that, and we all win
12:19 Tim Cappalli (Microsoft) Honestly, all roads lead back to https://www.accountchooser.net/ we're essentially trying to rebuild this
12:20 https://csarven.ca/#i Henry et al : https://www.w3.org/2011/identity-ws/papers/idbrowser2011_submission_22/webid.html -- see Recommended Browser Improvements... may be outdated (c. 2010)
12:20 q+ re: users with multiple devices
12:20 Daniel Buchner Basically, this:
```js
let response = await navigator.did.requestDid({ methods: [ 'web', 'key', 'ion' ] });
let response = await navigator.did.resolve(DID_URI);
let response = await navigator.did.requestCredential(PRESENTATION_OBJ);
let response = await navigator.did.requestStorage(IDENTITY_HUB_STORAGE_PERMISSION);
```
I need 4 APIs 😃
12:21 Tim Cappalli (Microsoft) Consent fatigue is a real problem though
12:21 Sam Goto Honestly, all roads lead back to https://www.accountchooser.net/
12:22 justinwb the consent needs to be something that every user can understand perfectly without having to think
12:22 https://csarven.ca/#i q+
12:22 Sam Goto <- tim this is what i'm trying to ask. how much of this can be done in userland
12:22 Daniel Buchner Lots can
12:22 Sam Goto and if it failed in userland (i.e. account chooser)
12:22 Henry Story yes that is why the user needs to be able to set policies: eg you can log in automatically to all the friends of my friends.
12:22 Daniel Buchner But not the presentation of permission/data request. we can do a lot of set-once-and-remember though
12:23 justinwb yeah that needs to be done by a trusted agent
12:23 Henry Story We could put together proposals on what we need.
12:23 Tim Cappalli (Microsoft) Account Chooser, but extended to support new paradigms like DIDs, VCs and WebAuthn
12:23 Daniel Buchner and unlike token refresh periods, it doesn't need to be invalidated like centralized IDP tokens/schemes. It's the RPs, Google, and us chickens LOL
12:24 justinwb yep
12:25 Henry Story +1 I agree we the Solid community should put together a document of what would be useful in the Identity space for us.
12:25 Daniel Buchner I can help with that, if we want a converged POV. I have a doc for APIs we need from browserland and an extension that demos it a bit. Maybe we can join forces as Microsolid!
12:26 Henry Story we can cooperate 😃
12:26 justinwb also have a demo that demonstrates an application expressing access needs for complex verifiable data types and dynamically generating an authorization screen for data in a pod
12:27 Daniel Buchner Justin, let's you and I sync up if you have time
12:27 justinwb yep for sure
12:27 Tim Cappalli (Microsoft) there's also the W3C slack
12:27 Daniel Buchner Didder? I kid. Plus, I can't make realtime puns in GH
12:28 justinwb lol e-mail?
12:28