Blockchain identity OpenID

Is there no future for VC (Verifiable Credentials)?

Nat 2024-11-02 No Comments

There is a blog post that is currently a hot topic in the identity industry. It is a blog post posted on October 10th by Mr. Hughes, founder of Trinsic, a company that provided a decentralized ID/Verifiable Credentials (VC) solution on the Sovrin blockchain.Why Verifiable Credentials Aren't Widely Adopted & Why Trinsic Pivoted (Why VCs aren't widely adopted & why Trinsic pivoted) The summary is as follows:

Why VC isn't widely adopted & why Trinsic pivoted

Overview of Trinsic's policy change

  • Presentation at IIW38 in a session titled "SSI didn't work. Trinsic changes course."
  • The audience responded positively, with applause and requests for a live broadcast.
  • Recognition of the importance of the session by industry veterans.

Key Assumptions

  • Premise #0: Enthusiastic Support – The author remains committed to the idea of ​​self-sovereign identity (SSI).
  • Premise #1: Terminology – We use terms such as verifiable credentials (VC) and self-sovereign identity (SSI) to mean roughly the same thing – technologies that allow for the reliable transfer of attributes in a user-centric manner.
  • Assumption #2: Market Reality – The market is unpredictable; successful products require product/market fit.
  • Premise #3: Recruitment matters – The best technology is defined by its adoption and its impact on users.
  • Premise #4: Avoid Wasting Time – Encouraging innovation while warning against known failures in the market.

Historical background:

  • It was started by the Sovrin Foundation in 2017 and founded by Trinsic in 2019.
  • Although it was initially successful, with hundreds of developers signing up, the number of successful customer cases was limited to one in 500 companies.
  • Market trend is towards proprietary solutions over verifiable credentials1showed a tendency to prefer

Identified challenges

  • Interoperability Issues – Lack of true interoperability between verifiable credentials (VCs); no universally agreed upon standards.
  • User Experience (UX) Concerns – The initial user experience of VC is inferior to existing solutions, making them hesitant to adopt it.
  • Scattered distribution - Network effects are hindered by lack of dominant use cases and geographic consistency.

Future prospects

  • Government involvement – Government mandates may encourage VC adoption, but this is a medium-term outlook.
  • Timing and Market Readiness – The argument that VC is premature is challenged by the success of proprietary solutions.
  • Trinsic's new strategy focuses on helping businesses embrace existing digital identities, rather than creating new ones, in anticipation of a continuing fragmentation of the identity environment.

Dick Hardt's take

While this article has received positive feedback, some people feel it does not provide enough context. For example, Dick Hardt'sLinkedIn PostThe post points out the following:

  1. It's unfortunate that people have confused SSI with verifiable credentials (VC) and decentralized identity. The whole point of SSI is to give control of identity to users, but they're too focused on the tech stack.
  2. When I left Amazon five years ago, I looked at the state of personal digital identity and felt that although decentralized identity had been around for some time, it would not see the rapid adoption that OpenID 5, OAuth 2.0, and OpenID Connect (OIDC) had, because it had the same problems as OAuth 2.0: it was complex and didn't leverage existing patterns.
  3. The main technical issues with VC:
    • Users are required to manage encryption keys, which creates UX challenges and barriers to device migration.
    • Issuer information is disclosed (e.g., even your place of residence is revealed when verifying your age)
    • User behavior can be tracked by reusing keys. To prevent this, we are exploring ways to issue batches, making implementation and operation even more cumbersome.
  4. The biggest challenge is the business model:
    • Users do not pay into the wallet
    • Issuers invest in infrastructure, but validators capture value
    • There is a lack of motivation for existing personal information sales businesses to move to VC
    • No visibility into back-end information movement

His opinion is generally the same as mine, and in fact I think that the late Vittorio Bertocci, who is mentioned in Hughes' article, had the same view.

So what kind of "unique standard" was used?

Another thing I don't understand about Mr. Hughes' article is why OpenID Connect isn't mentioned. Itsme, YOTI, ID.me, and PLAID, which are said to have grown by adopting their own standards, actually use OpenID Connect. It's not a proprietary standard.

It has also been written that AI, such as ChatGPT, has switched to OAuth without using VC, but these also use OpenID Connect. As Hughes says, given the reality of the market and the importance of adoption, OpenID Connect was the better technology for these use cases.

So is there no future for VC?

So does VC have no future? I'm not as pessimistic as Hughes, but I think his "split adoption" is a problem. OpenID Connect simplifies the tech stack and operations by only dealing with the case where both issuers and devices are online. I think we need a similar, but different, focus and compromise. Focus on use cases other than those where OIDC has proven to be superior. VCs today are trying to solve everything. It's like trying to build an amphibious car that can also run on rails.

(Figure 1) Amphibious vehicle that can also run on rails

What I've been looking for in a VC for a long time is

  • Can continue to be used even if the issuer goes offline or no longer exists
  • You can continue to use your device even when it is offline
  • Users won’t be confused about which wallet to use
  • If not subsidized by public funds, the issuer will receive profits from validators.

The goal is to establish a technology stack and ecosystem that focuses on use cases that meet these requirements.

in addition

  • Issuer information is only disclosed as group information

It would be even better if they could do so. Is this a problem that can be solved if the issuers use group signatures?Everyone in the Sako Laboratory.

If you focus on these things first, you may see a chance of winning.

Also, as I've pointed out before, things like query languages ​​need to be dramatically simplified. Presentation Exchange is too complicated. Even OpenID's claims syntax was too complicated and didn't catch on. I think DCQL is too complicated. The simplified parts of DCQL (which is finally as complicated as the Claims Syntax) will be enough for now.

There's still a lot I want to say, but I'll leave it at that for today.

Oh, by the way, I don't know if it's related to Trinsic's disappearance, but the Sovrin blockchain has also decided to shut down. This is a good example of how blockchain does not guarantee permanence.

Well then!

footnote

  1. Although it is said to be unique, most of it is based on OpenID Connect

Leave a comment

This site uses Akismet to reduce spam.For details of how to process comment data, please click here.