DEV Community

Robertino

🆔 Identity, Unlocked... Explained: Season 2, Ep. 5

In this episode of Identity, Unlocked, Vittorio Bertocci, principal architect at Auth0 and podcast host, focuses on the Self-Issued OpenID Provider specification, also known as SIOP. We are joined today by Kristina Yasuda, Identity Standards Architect at Microsoft and longtime advocate of decentralized identity.

The Overview

Kristina opens by stating what SIOP is about, in a nutshell: the ability for an end user to present claims about themselves to a relying party (RP) without the need to redirect to an external provider. The scenario is further clarified by enumerating key use cases where that ability is useful, such as circumstances in which an external identity provider might cease to exist (as actually happened in the earthquake/tsunami disaster that hit Japan ten years ago) or no longer be willing to provide service (as might be the case in situations where democratic rule is under threat).

The original OpenID Core specification predicted the need for SIOP, codifying it in chapter 7. However, at the time, the scenario was largely theoretical; hence the specification leaves out a number of important details. It is those gaps that SIOP is meant to fill.

One of the most fundamental challenges to solve is the discovery problem, that is, the ability of an RP to discover and select a self-issued OP to authenticate the user in the current transaction. As a discovery mechanism for invoking a Self-Issued OP, the discussion on the podcast covered the use of a custom scheme, 'openid://'. Alternative mechanisms that address the limitations of custom schemes are being actively explored in the WG.

The conversation meanders through deeper details: how the current SIOP specification draft under the OpenID Foundation picks up the mission from a former attempt under DIF, encoding approaches for verifiable presentations (embedding in JWTs, LD proofs), and how to represent attributes (with a mention of eKYC, which we covered in an earlier episode of the show).

As a final thought, Kristina relays that a lot of the work that has taken place so far in this space aimed at developing data models, and that it's time to flesh out the transport, the protocol aspect of the scenarios.

In closing: the ideal call to action from all this is to implement the specs and give concrete feedback and, if the episode helped clarify the aim and the scenarios SIOP targets, to help spread that clarity and demystify the topic for others!


Top comments (1)

mnmnotmail
TMTP messaging protocol

What is the relationship, or similarities, between SIOP and self-sovereign identity?

en.wikipedia.org/wiki/Self-soverei...