[HN Gopher] Auth0 Verifiable Credentials
___________________________________________________________________
Auth0 Verifiable Credentials
Author : marcosnils
Score : 62 points
Date : 2022-11-01 21:09 UTC (1 hours ago)
(HTM) web link (verifiablecredentials.dev)
(TXT) w3m dump (verifiablecredentials.dev)
| woodruffw wrote:
| I wonder what the benefits of this versus e.g. OpenID Connect[1]
| are: OIDC is already semi-widely adopted, reuses a popular
| underlying envelope scheme (JWTs), and performs a similar type of
| proof (that some identity provider claims something about an
| identity).
|
| [1]: https://openid.net/connect/
| Alupis wrote:
| The biggest problem with OIDC is how non-standard every
| implementation is.
|
| I mean, there is a standard, but then there's what everyone
| actually does. Even within the standard, there is a very
| surprising amount of it that is... _optional_.
|
| Even discovery endpoints are non-standard... basics like
| `/.well-known/openid-configuration` is recommended but not
| required... and don't even try to guess where /userinfo lives!
|
| Claims are willy-nilly, and even some IDP's provide duplicate-
| in-intent but different-in-name claims, like `phone_verified`
| vs. `phone_number_verified`. It's just a complete wild west out
| there!
|
| Anyone bringing some level of standards to the delegated
| authentication arena would be very welcome in my opinion.
| woodruffw wrote:
| I agree completely about OIDC's discovery limitations! If
| this standard can improve along that axis, then that alone
| will make it a valuable contribution to the identity space.
|
| I also agree about standardized claim names, although I'll
| point out that standardizing something like `phone_verified`
| just pushed the identity/claim value question one level
| deeper: what does it mean for IdP A to have `phone_verified`
| versus IdP B? Do they have the same ontological value? That's
| part of why (IMO) "generalized" identity management has never
| succeeded: you can make everybody generate the same claims,
| but you can't assert that they've done a _uniform or
| sufficient degree of diligence_ for those claims. The only
| way you can do the latter is to select "high quality" IdPs,
| at which point the consistency of the claim names no longer
| matters.
| adontz wrote:
| I did not understand if this is somehow related to
| https://en.wikipedia.org/wiki/Self-sovereign_identity or not.
| Aeolun wrote:
| Isn't this just Json Web Tokens with a different name? (and an
| extra step to create a VP, presumably so the expiry on the VC can
| be longer).
| [deleted]
| Alupis wrote:
| It is a JWT, but a JWT is just a data format, not a schema.
|
| This VC thing seems to take ID Tokens from OIDC providers a
| little further and also standardizes what claims you can
| expect.
| woodruffw wrote:
| Hmm, I don't know if it's consider JWT to be "just a data
| format". It's an envelope format (dotted base64'd JSON),
| combined with a schema for each component in the envelope.
| That scheme isn't particularly _strict_ when it comes to the
| payload component, but that doesn 't mean it isn't a schema.
|
| OIDC's well-known discovery[1] also does this kind of claim
| standardization/expectation setting already. But maybe it
| goes beyond that, and actually normalizes between different
| IdPs? I'm not sure what that would entail.
|
| [1]: https://swagger.io/docs/specification/authentication/ope
| nid-...
| encryptluks2 wrote:
| It appears to be similar to regular public/private key
| encryption but with a fancy name to make it seem unique.
| CleverLikeAnOx wrote:
| This places all the trust in the institution that mints
| verifiable credentials. (or the institution + Auth0 if they use
| Auth0).
|
| This is good for use cases where you want to assert that an
| organization says something about you (e.g., you have a degree).
|
| It is not good for use cases where you want to assert that you
| say something (e.g., I voted for Blah, or I authorized this
| transfer).
| wyc wrote:
| Anyone with a keypair can issue verifiable credentials, and we
| work on making this simple[0], starting with developers.
| However, the ultimate challenge will be to be able to associate
| that keypair to the entity (or abstracted entity) who is making
| those statements, which is what Web of Trust tried to do, and
| there are some adjacent efforts to revitalize SPKI-style[1]
| trust models that are being discussed at RWoT[2].
|
| [0] https://www.spruceid.dev/quickstart
|
| [1] https://en.wikipedia.org/wiki/Simple_public-
| key_infrastructu...
|
| [2] https://github.com/WebOfTrustInfo/rwot11-the-hague
| chetanbhasin wrote:
| But I think it's a good use case for organization issued IDs,
| tickets, or even things like driver's license.
| CleverLikeAnOx wrote:
| Agreed! I think this is the start of something that will be
| big in a decade as adoption goes up.
| tomjen3 wrote:
| Anonymous verification of age is a nice one: Site a
| generates a bit of bytes, you then take that to a
| government portal, login and get it signed, then you return
| with the signature and now the site knows nothing
| whatsoever about you, other than that you could get a
| government site to assert that you are old enough to order
| beer online.
|
| The government site doesn't have to know anything about you
| either, other than you requested a beer token.
| paxys wrote:
| It works for both use cases. The only difference between the
| two is the source of trust (in case 1 it is some issuing
| authority, in case 2 it is you). There's no reason why you
| can't issue a certificate for yourself. The receiving party can
| choose to trust your public key if they wish.
| NovemberWhiskey wrote:
| Pretty sure this is the same technology as used for e.g. IBM
| Digital Health Pass, which underlies things like NY's Excelsior
| Covid pass.
| thesimon wrote:
| Wanted to take a look at the schemas linked, but identity0.io
| isn't even registered? oO
| red_Seashell_32 wrote:
| They don't have SSL enabled (or properly configured). But even
| with that in mind - it doesn't work.
|
| http://identity0.io/contexts/v1
| remram wrote:
| Judging by the whois it might have been created by someone
| who saw this post.
| paxys wrote:
| The only thing the web identity ecosystem needs is another
| independent standard - said no one ever.
|
| JWT is already a thing, as is X.509, OAuth/OpenID, WebAuthn...
| Just use a combination of these that best fits your use case.
|
| "But this new standard will be the true unifying one". Nope, it
| will not. The most it will do is get some share of usage and add
| to the chaos.
| bdcravens wrote:
| https://xkcd.com/927/
| Traubenfuchs wrote:
| Offerings in the SSI/VD space are currently exploding -some
| even government backed. Microsoft, MasterCard, Auth0, the
| European Union are the biggest players that come to my mind.
|
| This will turn the whole billion dollar kyc/identity
| verification space upside down.
|
| I work in that space.
___________________________________________________________________
(page generated 2022-11-01 23:00 UTC)