Autonomous identity for the pluriverse based on OAuth/OIDC

ActivityPub
12

I’ve shared some thoughts on how the MIMI/MLS standard pertains to nomadic identity. Similarly, it’s also related to OAuth/OIDC:

draft-barnes-mimi-identity-arch-01 - Identity for E2E-Secure Communications

5.3. Verifiable Credentials

Certificates and PKI protocols tend to be a bad fit for
authenticating user identities. Systems like SAML [saml] and OpenID
Connect [oidc] are more commonly used for user identity, but only
produce bearer tokens, not the public key credentials required for
E2E identity – using bearer tokens for E2E identity would allow the
verifying client to impersonate the presenting client! Likewise,
because the verifier needs to check a bearer tokens validity directly
with the issuer, the identity authority learns every verifier to whom
a client authenticates.

More recently, there has been work to apply the W3C Verifiable
Credentials (VC) framework to this problem [W3C.vc-data-model]. The
VC model aligns well conceptually with the above architecture, and
some of the required protocols are in development:

  • Credentials would be verifiable credentials or verifiable
    presentations.

  • The identity authorities would be Issuers in the VC model.
    (Likewise, the presenting client would be a Holder and the
    verifying client a Verifier.)

  • The issuance process here corresponds to the issuance interaction
    in the VC model, for example using OpenID for Verifiable
    Credential Issuance [openid-4-vci]

  • The presentation process here corresponds to the presentation
    interaction in the VC model, for example using an integration with
    the E2E encryption protocol analogous to the X509Credential
    integration in MLS mentioned above.

  • The verification process here corresponds to VC verification,
    using a mechanism such as [StatusList2021] for revocation.

A VC-based model for E2E identity is clearly still incomplete, but
given the good conceptual alignment and potential for a better fit
with user identity than PKI, it seems like a promising candidate for
further development.

It has two authors in common with the aforementioned ‘Self-Issued OpenID Provider’. Exactly how they relate to each other however is beyond me. My point is just that the OpenID standard shouldn’t be disregarded as orthogonal to decentralized identity.