[Openid-specs-ab] SIOP and webauthn
Vittorio Bertocci
vittorio.bertocci at okta.com
Sun Mar 12 01:23:47 UTC 2023
While I agree there are important differences between VCs and earlier tech,
there are a couple of things I believe are worth clarifying:
- Cards were never sent to be signed anywhere. They came down already
signed at issuance time.
Cards contained a template of the info that could be obtained from a
particular issuer, and at presentation time were used for formatting a
(ws-trust) request for whatever subset of info the user consented to
disclose (if the RP marked some requested claims optional and the issuer
elected to comply). What was signed was a SAML token carrying the requested
claims, not the card itself.
Yes, the outcome was that the resulting artifact (the SAML token) had no
binding to the holder... *when using cards with websites*. When using
cards with APIs, the resulting tokens did use proof of possession as part of
the WS-Trust/WS-Security wizardry happening in there, and someone deep
enough in WCF (or whatever other client stack implementing WS-*) could have
technically injected a holder-specific key instead of the default
(negotiated on the fly). *Not that it makes any practical difference*,
that's only to say that if there had been a strong demand for it, it
would have been technically feasible - not to speak of the Higgins and
U-Prove extensions that could have probably been tortured to similar effect.
- The Information Card Foundation (MS, Google, Oracle, PayPal, Equifax
etc) was established mid-June 2008. Apple introduced the iPhone in January
2007, and by that point Blackberries, Symbian, Windows Mobile were all well
known and established enough to appear in mainstream media (google
Crackberry).
That is of course nowhere near the complete ubiquity mobile devices
achieved today, but they were definitely mainstream by any reasonable
business definition, as in, WAY more units sold than VR headsets today just
to make a concrete example. That means that applications targeting
businesses could profitably target the platform, and they did (Exchange +
Blackberry was a big deal).
Things were different from the consumer side, but perhaps not as much as
one might think. CardSpace was discontinued (e.g. announcement that
CardSpace 2 was cancelled) in 2011. The "There's an App for That" Apple ad
is from 2009. Fruit Ninja was released shortly after. Evernote mobile
launched in 2008 and by the time CardSpace was discontinued it had more
than 10M users (and a very cool headquarters, I visited during that time).
Profitably targeting mobile consumers was definitely feasible.
For RFC7800... proof of possession is way older
<https://www.cloudidentity.com/blog/2008/01/02/on-prooftokens/>. As
mentioned above, CardSpace did use it (if you didn't throw the book after
reading it, see page 261).
But to stress, I do agree that comparing VCs and information cards without
specifying what aspects are being considered (jobs to be done vs expressive
power vs privacy properties etc etc) is tricky as it might lead to shallow
conclusions.
On Sat, Mar 11, 2023 at 3:44 PM Kristina Yasuda <
Kristina.Yasuda at microsoft.com> wrote:
>
> I've read the entire Windows CardSpace book to be able to respond to these
> kinds of conversations.
>
> CardSpace/infocards did a great job setting out principles including user
> centricity. But in terms of technology, there are a few important
> differences. One is cryptographic holder binding - the holder being able to
> sign a presentation using a key signed over by the issuer. Infocards were
> either only self-signed or sent to the issuer to be signed in real time (i.e. no
> direct presentation of issuer-signed cards from the holder to the verifier).
>
> Also infocards were before smartphones were even invented/became
> mainstream ;)
>
> If we are talking about similarities, Verifiable credentials are much more
> similar to cnf claim RFC7800 than infocards.
>
> Best,
> Kristina
>
> ------------------------------
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> on
> behalf of Nikos Fotiou via Openid-specs-ab <
> openid-specs-ab at lists.openid.net>
> *Sent:* Saturday, March 11, 2023 2:56 PM
> *To:* 'Vittorio Bertocci' <vittorio.bertocci at okta.com>; 'Artifact
> Binding/Connect Working Group' <openid-specs-ab at lists.openid.net>
> *Cc:* Nikos Fotiou <fotiou at aueb.gr>
> *Subject:* Re: [Openid-specs-ab] SIOP and webauthn
>
>
> I read Vittorio’s description and I came up with the attached meme.
> Probably inaccurate but the resemblance in terminology cannot be ignored.
>
>
>
> *From:* Vittorio Bertocci <vittorio.bertocci at okta.com>
> *Sent:* Sunday, March 12, 2023 12:03 AM
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Nikos Fotiou <fotiou at aueb.gr>
> *Subject:* Re: [Openid-specs-ab] SIOP and webauthn
>
>
>
> Thank you :)
>
> Information cards were an interoperable format representing the ability of
> a user to obtain a certain set of claims from a given issuer. The self-
> issued cards mentioned above were cards sourcing claims from the client
> itself rather than an external issuer.
>
> Cardspace was the Windows client that was capable of working with
> information cards.
>
> HTH
>
>
>
> On Sat, Mar 11, 2023 at 13:59 Nikos Fotiou via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
>
>
>
> Sorry for asking, but are "information cards" and CardSpace the same thing?
> FWIW I found this episode of Identity Unlocked about CardSpace very
> educative:
>
> Windows CardSpace with Stuart Kwan
> <https://identityunlocked.auth0.com/public/49/Identity%2C-Unlocked.--bed7fada/61103d3d>
>
>
>
>
>
> On 11 Mar 2023, at 10:26 PM, the user "Mike Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net>" wrote:
>
>
>
> SIOP standardization was completed in 2014
> https://openid.net/specs/openid-connect-core-1_0.html#SelfIssued.
> (The ideas for it were partially based on self-issued Information Cards,
> which used a public/private keypair held in a wallet for authentication.)
>
>
>
> -- Mike
>
>
>
> *From:* Openid-specs-ab <openid-specs-ab-bounces at lists.openid.net> *On
> Behalf Of *Sam Goto via Openid-specs-ab
> *Sent:* Saturday, March 11, 2023 11:17 AM
> *To:* Artifact Binding/Connect Working Group <
> openid-specs-ab at lists.openid.net>
> *Cc:* Sam Goto <goto at google.com>
> *Subject:* Re: [Openid-specs-ab] SIOP and webauthn
>
>
>
> I don't recall the timelines precisely, but didn't we develop WebAuthn
> before SIOP?
>
>
>
> I think i understand why SIOP was developed, if it was done after
> WebAuthn, because, IIRC, WebAuthn didn't have the cross platform syncing
> capabilities that it has today, but i do wonder where SIOP would fit today.
>
>
>
> On Sat, Mar 11, 2023, 9:41 AM Tom Jones via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> Check out chapi
>
> thx ..Tom (mobile)
>
>
>
> On Sat, Mar 11, 2023, 2:45 AM Nikos Fotiou via Openid-specs-ab <
> openid-specs-ab at lists.openid.net> wrote:
>
> Hi,
>
> I have a question which is related to politics and standardization history.
>
> I believe that SIOP (as defined in openid connect core) could have been
> used instead of WebAuthn. A combination of SIOP+ctap (rather than
> WebAuthn+ctap) would have more chances of getting adopted. So I was
> wondering how we came up with yet another API instead of adding support for
> SIOP to browsers. Did this ever occur as a possibility?
>
> Best,
> Nikos
>
> --
> Nikos Fotiou - https://www2.aueb.gr/users/fotiou/
> Researcher - Mobile Multimedia Laboratory
> Athens University of Economics and Business
> https://mm.aueb.gr
>
> _______________________________________________
> Openid-specs-ab mailing list
> Openid-specs-ab at lists.openid.net
> https://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
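Kristina's point about cryptographic holder binding (the RFC 7800 `cnf` claim, the holder signing a presentation with a key the issuer signed over) and Vittorio's contrast with the website CardSpace flow, where the resulting SAML token had no binding to the holder, can be shown end to end in code. The following Go program is an added example written for this page; it is not code from any participant in the thread, from CardSpace, or from any VC implementation. It uses only the standard library (EdDSA via crypto/ed25519, compact JWS encoding by hand) and hypothetical names: the functions Issue/Present/Verify, the issuer URL https://issuer.example, the verifier URL https://rp.example, and the sample claims are all constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

var b64 = base64.RawURLEncoding

// sign builds a compact JWS (header.payload.signature) over a JSON payload with EdDSA.
func sign(priv ed25519.PrivateKey, payload map[string]any) string {
	hdr, _ := json.Marshal(map[string]string{"alg": "EdDSA", "typ": "JWT"})
	body, _ := json.Marshal(payload)
	input := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	return input + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(input)))
}

// decodePayload returns the (still unverified) payload of a compact JWS.
func decodePayload(token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	raw, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var payload map[string]any
	return payload, json.Unmarshal(raw, &payload)
}

// verifyJWS checks the EdDSA signature with pub and returns the payload.
func verifyJWS(pub ed25519.PublicKey, token string) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed JWS")
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil || !ed25519.Verify(pub, []byte(parts[0]+"."+parts[1]), sig) {
		return nil, errors.New("signature does not verify")
	}
	return decodePayload(token)
}

// Issue: the issuer signs the claims together with the holder's public key in an
// RFC 7800 "cnf" claim. The holder's private key never leaves the wallet.
func Issue(issuerPriv ed25519.PrivateKey, holderPub ed25519.PublicKey, claims map[string]any) string {
	payload := map[string]any{
		"iss": "https://issuer.example", // hypothetical issuer
		"cnf": map[string]any{"jwk": map[string]string{
			"kty": "OKP", "crv": "Ed25519", "x": b64.EncodeToString(holderPub)}},
	}
	for k, v := range claims {
		payload[k] = v
	}
	return sign(issuerPriv, payload)
}

// Present: the holder wraps the issuer-signed credential in a presentation bound to
// the verifier (aud) and to a verifier-chosen nonce, signed with the cnf key.
func Present(holderPriv ed25519.PrivateKey, credential, aud, nonce string) string {
	return sign(holderPriv, map[string]any{"aud": aud, "nonce": nonce, "vp": credential})
}

// Verify checks the issuer's signature on the credential, then the holder's signature
// on the presentation using only the key the issuer vouched for in cnf.
func Verify(issuerPub ed25519.PublicKey, presentation, aud, nonce string) (map[string]any, error) {
	outer, err := decodePayload(presentation) // unverified until step 2 below
	if err != nil {
		return nil, err
	}
	credential, _ := outer["vp"].(string)
	claims, err := verifyJWS(issuerPub, credential) // step 1: issuer signature
	if err != nil {
		return nil, fmt.Errorf("credential: %w", err)
	}
	cnf, _ := claims["cnf"].(map[string]any)
	jwk, _ := cnf["jwk"].(map[string]any)
	x, _ := jwk["x"].(string)
	holderPub, err := b64.DecodeString(x)
	if err != nil || len(holderPub) != ed25519.PublicKeySize {
		return nil, errors.New("credential has no usable cnf key: it is a bearer token")
	}
	pres, err := verifyJWS(ed25519.PublicKey(holderPub), presentation) // step 2: holder signature
	if err != nil {
		return nil, fmt.Errorf("presentation: %w", err)
	}
	if pres["aud"] != aud || pres["nonce"] != nonce { // step 3: audience and freshness
		return nil, errors.New("presentation is not bound to this verifier and challenge")
	}
	return claims, nil
}

func main() {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred := Issue(issPriv, holderPub, map[string]any{"sub": "alice"}) // constructed claim
	_, err := Verify(issPub, Present(holderPriv, cred, "https://rp.example", "n1"), "https://rp.example", "n1")
	fmt.Println("holder-bound presentation verifies:", err == nil)
}
```

The order in Verify matters: the verifier cannot check the holder's signature until it knows which key to use, and the only trustworthy source for that key is the cnf claim inside the issuer-signed credential, so the credential is verified first and the outer presentation payload is treated as untrusted until then. A credential with no cnf claim is exactly the bearer case Vittorio describes for the website flow: whoever holds the token can present it, so Verify refuses it rather than falling back to "accept if the issuer signature is good". The nonce and audience checks are what stop a captured presentation from being replayed to the same or a different verifier.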
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20230311/0b9adf1b/attachment-0001.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: image001.jpg
Type: image/jpeg
Size: 89609 bytes
Desc: not available
URL: <http://lists.openid.net/pipermail/openid-specs-ab/attachments/20230311/0b9adf1b/attachment-0001.jpg>