
Shameless plug (but I hope that's okay, again): IRMA Authentication is an open-source app [1] and protocol that offers privacy-friendly attribute based authentication and signing using Camenisch and Lysyanskaya's Idemix [2].

It's currently heavily focused towards The Netherlands, where citizens can obtain attributes such as name, home address and age. These attributes can then be selectively disclosed directly to a service provider, without the identity provider being able to see the transaction [3]. Multiple disclosures are also unlinkable as long as the attributes themselves are not identifying.

The fact that the identity provider is not at all involved with the transaction is an enormous privacy win compared to OpenID Connect, especially in the case of centralizing providers such as Apple – and less so in, for example, the domain of education single sign-on.

It's not currently using the verifiable claims data model, but it would very much fit it. It also doesn't use a 'blockchain', simply because it's not necessary to do so, and makes it all a lot less complicated.

[1] https://github.com/privacybydesign

[2] https://privacybydesign.foundation/publications/

[3] https://privacybydesign.foundation/meeting-slides/slides-8-3...



> Shameless plug (but I hope that's okay, again)

I find lots of cool shit on HN because people decide to share their side projects that I wouldn't otherwise have seen.

It only becomes a problem when people don't disclose they have a bias or connection to a product when they should.


I wouldn't call it a side project - it's supported by the government and city of Nijmegen but very cool


This sounds very similar to Mozilla's BrowserID. Is there any document contrasting the two?


Any website could use BrowserID by including cross-domain JavaScript that sent cookies to a third party (browserid) and hand the session token over for auth and then get it back. This went poorly versus the modern web’s hostility to third-party cookies.

For a website to use IRMA, it looks like they have to stand up a server component on their web server - it’s not enough to simply include JavaScript like BrowserID, but it also isn’t subject to the third-party cookie failure of BrowserID.


Mobile ecosystem issues aside, IRMA looks excellent. Could IRMA's decentralization and selective disclosure features somehow be combined with OpenID? For example, could the IRMA application serve as a standalone OpenID provider, perhaps using OpenID Connect Federation to establish trust? [0]

[0] https://openid.net/specs/openid-connect-federation-1_0.html


I'd love to discuss this more, however I can't find any contact information in your profile.


Is IRMA still phone-only? IRMA can't meet its stated design goals if owning a smartphone is required.


Currently, IRMA is indeed still phone-only. We're quite aware that not everybody owns or wants to use a smartphone. Our software is not very tightly bound to the iOS and Android platforms, and we've explored various options over the years (smartcards, random-reader'esque devices). However, executing one of those options will only be possible if we see more adoption in general.


Is there an HN post about this?



