Recent European efforts around digital identity -- the EUDI regulation and its OpenID architecture -- aim high, but start from a narrow and ill-defined conceptualization of authentication. Based on a broader, more grounded understanding of the term, in we identify several issues in the design of OpenID4VCI and OpenID4VP: insecure practices, static, and subject-bound credential types, and a limited query language restrict their application to classic scenarios of credential exchange -- already supported by existing solutions like OpenID Connect, SIOPv2, OIDC4IDA, and OIDC Claims Aggregation -- barring dynamic, asynchronous, or automated use cases. We also debunk OpenID's 'paradigm-shifting' trust-model, which -- when compared to existing decentralized alternatives -- does not deliver any significant increase in control, privacy, and portability of personal information. Not only the technical choices limit the capabilities of the EUDI framework; also the legislation itself cannot accommodate the promise of self-sovereign identity. In particular, we criticize the introduction of institutionalized trusted lists, and discuss their economical and political risks. Their potential to decline into an exclusory, re-centralized ecosystem endangers the vision of a user-oriented identity management in which individuals are in charge. Instead, the consequences might severely restrict people in what they can do with their personal information, and risk increased linkability and monitoring. In anticipation of revisions to the EUDI regulations, we suggest several technical alternatives that overcome some of the issues with the architecture of OpenID. In particular, OAuth's UMA extension and its A4DS profile, as well as their integration in GNAP, are worth looking into. Future research into uniform query (meta-)languages is needed to address the heterogeneity of attestations and providers.

翻译：近期欧洲围绕数字身份所做的努力——欧盟数字身份（EUDI）法规及其OpenID架构——虽立意高远，但其出发点建立在对身份验证这一概念狭隘且定义不清的理解之上。基于对该术语更广泛、更扎实的理解，我们在本文中指出OpenID4VCI与OpenID4VP设计中的若干问题：不安全的实践、静态且与主体绑定的凭证类型，以及受限的查询语言，这些限制使其仅适用于传统的凭证交换场景——此类场景已得到OpenID Connect、SIOPv2、OIDC4IDA与OIDC Claims Aggregation等现有方案的支持——而无法满足动态、异步或自动化的用例需求。我们同时剖析了OpenID所谓“范式转换”的信任模型，该模型与现有的去中心化替代方案相比，并未在个人信息控制、隐私及可移植性方面带来显著提升。不仅技术选择限制了EUDI框架的能力，法规本身亦无法兑现自我主权身份的承诺。我们特别批评了制度化可信名单的引入，并探讨其经济与政治风险。此类名单可能退化为排他性、再中心化的生态系统，从而危及以用户为中心、个体自主掌控的身份管理愿景。反之，其后果可能严重限制人们对个人信息的处理能力，并增加信息可关联性与监控风险。为应对EUDI法规的修订预期，我们提出若干可突破OpenID架构部分局限的技术替代方案，其中OAuth的UMA扩展及其A4DS配置文件，以及它们在GNAP中的集成值得深入探讨。未来需针对证明与提供方的异构性，开展统一查询（元）语言的深入研究。