Open ID v. FIDO v. SSI

From IIW



Wednesday 5J

Convener: Mike Schwartz

Notes-taker(s): Mike Schwartz


Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:


Mike Schwartz from Gluu posits that there is surprisingly little overlap between SSI, FIDO and OAuth. Furthermore, he suggested that framing SSI as some kind of "next evolutionary step" is detrimental to the adoption of SSI.

We reviewed the OpenID, FIDO, and Self-Sovereign Identity diagrams in this folder: https://gluu.co/know-git

SSI promises some potentially great innovations:

1. Not controlled by a domain (the user can't be held hostage)
2. Not reliant on TLS as the encryption mechanism

Use cases showing where SSI and OAuth can work together would be helpful. Gluu has some interesting use cases for SSI in which verifiable claims are sent as a pushed UMA claim token for the purpose of API access management. SSI is really interesting because it might provide an attractive publication mechanism for information not traditionally sent via identity assertions such as an id_token or a SAML assertion.

Another use case, mentioned by Jack from Veridium, was Blockstack's use of Dropbox (which uses OAuth to protect access to its resources) to publish data under the user's control, referenced on the Bitcoin blockchain.

Mike is working on a blog post called "SSI versus SSO", which will be published on https://gluu.org/blogs sometime after IIW and summarizes many of these points.