Re: Preliminary Credentials Use Cases (Scope) from Manu Sporny on 2014-08-27 (public-credentials@w3.org from August 2014)

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Tue, 26 Aug 2014 20:48:34 -0400
To: Tim Holborn <timothy.holborn@gmail.com>
CC: W3C Credentials Community Group <public-credentials@w3.org>, public-webid <public-webid@w3.org>
Message-ID: <53FD2AE2.1010802@digitalbazaar.com>

On 08/25/2014 02:35 AM, Tim Holborn wrote:
> *FEEDBACK ON CURRENT USE-CASE SCOPE* It is my suggestion that we
> review and update the identity/credentials use-cases.

+1, I think this work is slated to start not next week, but the week
after. The week of September 9th.

> ‘Credential’ based ‘data aggregation’ - what stops a ‘master
> credential’ being used to aggregate all user-data, using the
> credential as an epicentre - what protection exists surrounding how
> this can be done?

Yes, it's a concern with this work. Not many people are going to create
a different identity/persona for themselves for each credential that
they hold.

The best solution to this that we've discovered is a legal remedy.
Create a binding digital contract that states that the delivery of the
credential may only be used for X, Y, and Z purposes. For example, my
digital government issued ID may only be used to identify me on the
receiving site. It specifically MUST NOT be transmitted to a 3rd party
for purposes other than verifying who I am. It MUST NOT be used to
aggregate data about me for advertising, spying, etc. purposes.

> IMPLICATIONS FOR DEFINITIONS AND LANGUAGE USED WHEN DEFINING
> CREDENTIALS?
> 
> DEFINE:  “A Credential allow an authorising party to produce and
> make available a digital instrument for the purpose of providing a
> credential to a 3rd party.” ??

I'm sure we're going to bikeshed the hell out of 'credential'. My hope
is that we can get that out of our collective system quickly and move
onto the technology. Definitions are important, but discussing them
endlessly does drive people away.

> - What are the privacy, or ‘data safety' implications surrounding
> the use and issuance of Credentials?

This is an ongoing discussion and should probably be outlined in a W3C
Note or CG publication.

> What forms of Authentication are assessable?

What do you mean by "assessable"?

> Is an identity displaceable?

What do you mean by this?

> NB: I’ve initially sought to consider ‘data rights’ [2].  Yet,
> overtime i keep considering the concepts conveyed by Vint Cerf, in
> the verisign presentation [3] and am led to consider that perhaps the
> better term is "data ‘safety’".

+1 for 'data safety'

The whole 'rights' thing gets into 'human rights' and arguments about
whether or not the Web is a human right, or access to the Internet is a
human right. We should be careful to avoid those discussions here, those
topics are great perma-thread fodder.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: The Marathonic Dawn of Web Payments
http://manu.sporny.org/2014/dawn-of-web-payments/

Received on Wednesday, 27 August 2014 00:49:04 UTC