<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8">
<meta name="Generator" content="Microsoft Word 15 (filtered medium)">
<style><!--
/* Font Definitions */
@font-face
{font-family:"MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
@font-face
{font-family:"Segoe UI Emoji";
panose-1:2 11 5 2 4 2 4 2 2 3;}
@font-face
{font-family:Consolas;
panose-1:2 11 6 9 2 2 4 3 2 4;}
@font-face
{font-family:"\@MS Gothic";
panose-1:2 11 6 9 7 2 5 8 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0in;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
a:link, span.MsoHyperlink
{mso-style-priority:99;
color:blue;
text-decoration:underline;}
pre
{mso-style-priority:99;
mso-style-link:"HTML Preformatted Char";
margin:0in;
font-size:10.0pt;
font-family:"Courier New";}
span.HTMLPreformattedChar
{mso-style-name:"HTML Preformatted Char";
mso-style-priority:99;
mso-style-link:"HTML Preformatted";
font-family:Consolas;}
span.EmailStyle21
{mso-style-type:personal-reply;
font-family:"Calibri",sans-serif;
color:windowtext;}
.MsoChpDefault
{mso-style-type:export-only;
font-family:"Calibri",sans-serif;}
@page WordSection1
{size:8.5in 11.0in;
margin:1.0in 1.0in 1.0in 1.0in;}
div.WordSection1
{page:WordSection1;}
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]-->
</head>
<body lang="EN-US" link="blue" vlink="purple" style="word-wrap:break-word">
<div class="WordSection1">
<p class="MsoNormal">Hi Nat,<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">Under what conditions are you viewing OpenID Connect as being User-Centric in practice? That’s a serious question.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">OpenID Connect can certainly be used in a User-Centric manner if the person chooses to host an OP at their own Web site or if they use a Self-Issued OP. Unfortunately, most RPs have made choices (fixed NASCAR lists) that preclude these
User-Centric features enabled by the protocol to be used by people in practice.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">I’m as much of a fan of OpenID Connect as the next person (maybe more so
<span style="font-family:"Segoe UI Emoji",sans-serif">😊</span>). But overselling it as being User-Centric when on the whole, it hasn’t been used or deployed in a User-Centric fashion does no one any favors.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal">We’re working on creating true, usable, practical User-Centric identity at present. Let’s not sell that effort short trying to defend the case that OpenID Connect has been used in a User-Centric manner, when that’s simply not the case.<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal"> Sincerely,<o:p></o:p></p>
<p class="MsoNormal"> -- Mike<o:p></o:p></p>
<p class="MsoNormal"><o:p> </o:p></p>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal"><b>From:</b> Openid-specs-ab <openid-specs-ab-bounces@lists.openid.net>
<b>On Behalf Of </b>Nat Sakimura via Openid-specs-ab<br>
<b>Sent:</b> Tuesday, April 19, 2022 8:15 PM<br>
<b>To:</b> Artifact Binding/Connect Working Group <openid-specs-ab@lists.openid.net><br>
<b>Cc:</b> nat <nat@nat.consulting><br>
<b>Subject:</b> Re: [Openid-specs-ab] Replacement to "User-Centric Identity" complete + another terminology topic: alternative to a "credential"?<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal">I prefer User-Controlled or User-Driven over User-Centric as <o:p></o:p></p>
<div>
<p class="MsoNormal">1) it will not have negative connotations against our existing standards, which have always been User-Centric; and<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) it conveys the active feeling rather than a static one like "user is at the centre". <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">There is a merit and demerit for "Controlled" and "Driven". <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">"Control" does have legal connotations as in data controller while "Driven" is free from that. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">I kind of like "Driven" better as <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">1) users usually do not want to control themselves; and <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">2) "drivers" still get consumer protection, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">but I do understand the merit of being able to directly relate to "controller, processor, third-party" categorization. <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Best, <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal">Nat sakimura <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<div>
<p class="MsoNormal">2022<span style="font-family:"MS Gothic"">年</span>4<span style="font-family:"MS Gothic"">月</span>20<span style="font-family:"MS Gothic"">日</span>(<span style="font-family:"MS Gothic"">水</span>) 11:00 nadalin--- via Openid-specs-ab <<a href="mailto:openid-specs-ab@lists.openid.net">openid-specs-ab@lists.openid.net</a>>:<o:p></o:p></p>
</div>
<blockquote style="border:none;border-left:solid #CCCCCC 1.0pt;padding:0in 0in 0in 6.0pt;margin-left:4.8pt;margin-right:0in">
<div>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I would prefer User Driven but I’m ok with User Centric, need to stay away from decentralized as that is a bag of worms. While I don’t like SSI for the same reasons that decentralized
is a broken concept so is SSI. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> Openid-specs-ab <<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank">openid-specs-ab-bounces@lists.openid.net</a>>
<b>On Behalf Of </b>David Chadwick via Openid-specs-ab<br>
<b>Sent:</b> Tuesday, April 19, 2022 1:21 AM<br>
<b>To:</b> <a href="mailto:openid-specs-ab@lists.openid.net" target="_blank">openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> David Chadwick <<a href="mailto:d.w.chadwick@verifiablecredentials.info" target="_blank">d.w.chadwick@verifiablecredentials.info</a>><br>
<b>Subject:</b> Re: [Openid-specs-ab] Replacement to "User-Centric Identity" complete + another terminology topic: alternative to a "credential"?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p>Kristina, thanks for re-writing the Introduction.<o:p></o:p></p>
<p>My personal opinion is that "User Controlled" is a better term than "User-Centric". The two letter acronym is still the same (IC), but if you replace user-centric with user controlled in your introduction, I think it reads better,<o:p></o:p></p>
<p>Kind regards<o:p></o:p></p>
<p>David<o:p></o:p></p>
<p> <o:p></o:p></p>
<div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">On 19/04/2022 09:05, Kristina Yasuda via Openid-specs-ab wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Also as promised, I did write up an introduction that more clearly positions the thinking of the WG around why “User-Centric” and not another term. The language definitely needs
tweaking, but would appreciate the feedback if people agree with the direction (especially, Nat, John, Mike, Vittorio, Tobias, DW, and the small group of editors
<span style="font-family:"Segoe UI Emoji",sans-serif">😊</span>)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">We all know how much the industry is used to the terms “SSI” and “Decentralized Identity” so if we are making a conscious decision to use another term even when meaning something
quite similar (especially to the decision-making folks), it has to be crystal clear why, hence quite straightforward language below:<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">---<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>Introduction
</b><o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">OpenID Connect, a protocol that has enabled deployment of federated Identity at scale, was built with User-Centricity in mind. The protocol flow is designed to provide Identity
Providers a capability to directly talk to the End-User to obtain consent before releasing claims about that End-User to the Relying Party. The protocol also enables the End-Users to run their own Identity Providers instead of using third party provided ones.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Now, the User-Centricity is evolving to the next level, where the End-Users retain full control over the key decisions when receiving identity information from the Credentials Issuers,
and when presenting those credentials to the Verifiers. The End-Users can now directly receive their identity information as credentials from the Issuers and present those credentials to the Verifiers without Verifiers obtaining those user claims from the
Issuer. This is an obvious evolution from a federated Identity protocol flow where after receiving the End-User’s consent, the Identity Provider directly provides the Verifier with the identity information about the End-User.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">When describing the concept of putting the End-User in control of their identity, the readers might be more familiar with the terminology Self-Sovereign Identity or Decentralized
Identity. This whitepaper could have used those terms, too. However, after numerous long discussions, Connect WG in OpenID Foundation has decided to use a term User-Centric Identity to describe both a vision and an architecture of this new, emerging approach
to the identity management. <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Connect WG could not reach consensus to use the term Self-Sovereign Identity because Self-Sovereignty implies the End-User’s autonomy and freedom from the Issuers and the Verifiers,
which is not the case in real-life use-cases. Even if the Verifier has obtained the claims directly from the End-User, it is up to the Verifier to decide whether to accept those credentials and provide the service to the End-User. Regardless of where the End-Use
is planning to use a credential, it is up to the Issuer to decide whether to issue credential to the End-User in the first place. Even after the issuance, in most cases, the Issuer retains the right to revoke and invalidate the credential.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The Connect WG also could not reach consensus to use the term Decentralized Identity because decentralized implementation techniques have their role to play, but they are neither
necessary nor sufficient to achieve user centric identity. For the End-Users to directly receive identity credentials from the Issuers and directly present them to the Verifiers, user identifiers other than Decentralized Identifier (DIDs) can be used, meaning
that Distributed Ledger Technology or Blockchain is not required and data models other than W3C Verifiable Credentials can be used.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Therefore, the goal of this whitepaper is to first and foremost to inform the audience about the work on the OpenID for User-Centric Identity (OpenID4UCI) specification family and
help position it in the broader landscape of Self-Sovereign Identity and Decentralized Identity. The work is being conducted in the OpenID Foundation, in liaison with the Decentralized Identity Foundation (DIF). .<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">The whitepaper targets decision-makers, architects and implementers interested in the concepts, use-cases and architecture where the End-User directly receives identity credentials
from the Issuer and directly presents them to the Verifier, a concept that will be referred to as “User-Centric Identity” in this whitepaper.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">---<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Thank you!<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Kristina<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<div>
<div style="border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0in 0in 0in">
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"><b>From:</b> Openid-specs-ab
<a href="mailto:openid-specs-ab-bounces@lists.openid.net" target="_blank"><openid-specs-ab-bounces@lists.openid.net></a>
<b>On Behalf Of </b>Kristina Yasuda via Openid-specs-ab<br>
<b>Sent:</b> Monday, April 18, 2022 6:08 PM<br>
<b>To:</b> <a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<b>Cc:</b> Kristina Yasuda <a href="mailto:Kristina.Yasuda@microsoft.com" target="_blank">
<Kristina.Yasuda@microsoft.com></a><br>
<b>Subject:</b> [Openid-specs-ab] Replacement to "User-Centric Identity" complete + another terminology topic: alternative to a "credential"?<o:p></o:p></p>
</div>
</div>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Hi, thanks a lot for a productive conversation regarding the terminology in the “OpenID for User-Centric Identity (preliminary naming)”
<a href="https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.google.com%2Fdocument%2Fd%2F1H556GIM_xD1yKl7rw1seq4bu83movFCkU8fQ7T8b1dI%2Fedit&data=05%7C01%7CKristina.Yasuda%40microsoft.com%7C8fb4bcc61b63463b182b08da21a106ef%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637859273185651256%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=yX9Q7MJ%2B%2FB2PMnYUBNMrXfj5vrYAsrFeNyUCkH2JaaQ%3D&reserved=0" target="_blank">
whitepaper</a> – the details of the conversation will be in the notes that will be sent out.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">As agreed, I replaced all the references to the “Decentralized Identity” to “User-Centric Identity” (Thanks Mike for making the suggestions). As agreed, if you come up with a better
term than “User-Centric”, please bring it up. We are looking for “a generic property that transcend the topology we are working with at this point in time (I really like how Vittorio has put it!)” that describes “an approach to the identity management where
the End-User retains full control over from which Credential Issuer to obtain what credential, and when to disclose which credential to which Verifier (again, paraphrasing Vittorio)”. (and now I am not a big fan of an acronym OpenID4UCI, so acronym suggestions
welcome too..)<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Another terminology topic I wanted to bring up is inspired by Pieter’s comment on the definition of “Credential”: “It was interesting to see terminology in the EU Digital Wallet
architecture like "Electronic Attribute Attestation" (EAA) that may provide alternatives to the heavily overloaded "credential". Not sure it is the right time to adopt it, but may be a good way to disambiguate terms like credential (and align with frameworks
emerging elsewhere).” <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I agree with Pieter both in that EAA might be an alternative, and in that maybe this is whitepaper V2 issue… Some food for thought.<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Cheers,<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Kristina<o:p></o:p></p>
<p class="MsoNormal" style="mso-margin-top-alt:auto;margin-bottom:12.0pt"><o:p> </o:p></p>
<pre>_______________________________________________<o:p></o:p></pre>
<pre>Openid-specs-ab mailing list<o:p></o:p></pre>
<pre><a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><o:p></o:p></pre>
<pre><a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></pre>
</blockquote>
</div>
</div>
<p class="MsoNormal">_______________________________________________<br>
Openid-specs-ab mailing list<br>
<a href="mailto:Openid-specs-ab@lists.openid.net" target="_blank">Openid-specs-ab@lists.openid.net</a><br>
<a href="https://lists.openid.net/mailman/listinfo/openid-specs-ab" target="_blank">https://lists.openid.net/mailman/listinfo/openid-specs-ab</a><o:p></o:p></p>
</blockquote>
</div>
<p class="MsoNormal"><br clear="all">
<o:p></o:p></p>
<div>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<p class="MsoNormal">-- <o:p></o:p></p>
<p class="MsoNormal">Nat Sakimura<o:p></o:p></p>
<p class="MsoNormal">NAT.Consulting LLC<o:p></o:p></p>
</div>
</body>
</html>