capture/sovereignty of identities --- another dimension to consider. #3

Open
@mcr

OIDC identities are tied up with the entity that is providing the OAuth2 credential. That entity can revoke, disable or make false claims about an identity.

There is significant risk associated with this kind of second party control, and I think the whodis program should include this as a dimension with which to evaluate identities.

VCs appear to have a goal of eliminating this dependency, but in practice they have significant gaps: specifically, the role and funding model for the mediator seem ripe for capture. The mediator is a "bent-pipe" (https://en.wikipedia.org/wiki/Transponder_(satellite_communications)) that facilitates communication between end users' wallets and the rest of the VC infrastructure. It is necessary because smartphones do not tend to have publicly reachable addresses, but even in an ideal pure-IPv6 utopia, smartphones would always have less battery than those who'd attack them.
So, this additional dimension is potentially quite complex.
