Open ID v. FIDO v. SSI

From IIW

Wednesday 5J

Convener: Mike Schwartz

Notes-taker(s): Mike Schwartz

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Mike Schwartz from Gluu posits that there is surprisingly little overlap between SSI, FIDO and OAuth. Furthermore, he suggested that the notion that SSI is some kind of "next evolutionary step" is detrimental to the adoption of SSI.

We reviewed the OpenID, FIDO, and Self-Sovereign identity diagrams in this folder:

SSI promises some potentially great innovations:

1. Not controlled by a domain (user can't be held hostage)
2. Not reliant on TLS as the encryption mechanism

Use cases showing where SSI and OAuth can work together would be helpful. Gluu has some interesting use cases for SSI where verifiable claims can be sent as a pushed UMA claim token for the purpose of API access management. SSI is really interesting because it might provide an attractive publication mechanism for information not traditionally sent via identity assertions like an id_token or SAML assertion.

Another use case, mentioned by Jack from Veridium, was Blockstack's use of Dropbox (which uses OAuth to protect access to its resources) to publish data under the user's control, referenced on the Bitcoin blockchain.

Mike is working on a blog called "SSI versus SSO" which will be published on sometime after IIW, that summarizes many of the points.