OpenID v. FIDO v. SSI
Convener: Mike Schwartz
Notes-taker(s): Mike Schwartz
Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:
Mike Schwartz from Gluu posits that there is surprisingly little overlap between SSI, FIDO and OAuth. Furthermore, he suggested that the idea that SSI is some kind of "next evolutionary step" is detrimental to the adoption of SSI.
We reviewed the OpenID, FIDO, and Self-Sovereign identity diagrams in this folder: https://gluu.co/know-git
SSI promises some potentially great innovations:
1. Not controlled by a domain (user can't be held hostage)
2. Not reliant on TLS as the encryption mechanism
Use cases showing where SSI and OAuth can work together would be helpful. Gluu has some interesting use cases for SSI where verifiable claims can be sent as a pushed UMA claim token for the purpose of API access management. SSI is really interesting because it might provide an attractive publication mechanism for information not traditionally sent via identity assertions like an id_token or SAML assertion.
Another use case, mentioned by Jack from Veridium, was Blockstack's use of Dropbox (which uses OAuth to protect access to its resources) to publish data under the user's control, referenced on the Bitcoin blockchain.
Mike is working on a blog called "SSI versus SSO", which summarizes many of the points and will be published on https://gluu.org/blogs sometime after IIW.