W3C home > Mailing lists > Public > public-credentials@w3.org > November 2014

Credentials CG Telecon Minutes for 2014-10-28

From: <msporny@digitalbazaar.com>
Date: Sun, 09 Nov 2014 22:33:02 -0500
Message-Id: <1415590382063.0.14378@zoe>
To: Credentials CG <public-credentials@w3.org>
Thanks to Brian Sletten and Karen O'Donoghue for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2014-10-28/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group - W3C TPAC F2F Minutes for 2014-10-28

Agenda:
  http://docs.google.com/document/d/1FQmZt_2FTjRMO5YSBLS-3dwuNQFi_BFEvbIRoUg7pGA/edit
Topics:
  1. Introduction
  2. Identity Proofing
  3. Scope of CG Work
  4. Use Cases / Future Work
  5. Identifier Portability
  6. Data Rights, Legacy Support
Chair:
  Manu Sporny
Scribe:
  Brian Sletten and Karen O'Donoghue
Present:
  Manu Sporny, Brian Sletten, Jörg Heuer, Glen Wiley, Pat Adler, 
  Karen O'Donoghue, Mountie Lee, Pindar Wong, Evert Fekkes, Eric 
  Korb, Bill Gebert, Mary Bold, Daniel Buchner, Shane McCarron, 
  Josh Soref

Brian Sletten is scribing.

Topic: Introduction

Manu Sporny: Here's the presentation deck for the intro: 
  http://opencreds.org/presentations/2014/tpac-credentials/
Manu Sporny:  This is an attempt to do serious things on the Web 
  by being able to make strong claims about what we are entitled to 
  in a safe and secure way.
Manu Sporny:  This is not an official W3C group, it's a community 
  group. Provides input and experiments to feed into the IG work.
Bill Gebert:  ETS needs to provide credentialing for professional 
  development and education, but there are serious national 
  security concerns about foreign nationals being validated for 
  entrance into the U.S. by way of higher educational acceptance.
Jörg Heuer:  Please add an 's' to Deutche Telekom on the slide. 
  :)
Manu Sporny:  Badge Alliance and Open Payments Foundation bridge 
  the boundaries between technology collaborators (Web Payments CG, 
  Credentials CG, Web Payments IG, IETF) and policy/regulator 
  collaborators (US Dept of ???, educational institutions, Internet 
  Governance Forum, US Fed)
Pat Adler:  The Fed is interested in the soundness of the economy 
  and consumer-facing requirements, opportunities for value 
  exchange, the processing, etc.
Manu Sporny:  The Master Plan is to convince the W3C and WP IG 
  that Credentials are important enough to become their own group 
  with applicability across multiple communities. Wants to talk 
  advantage of the WP IG to short-track the spin out of groups to 
  focus on a narrow set of Identity as a Credentials Group.
Manu Sporny:  Credentials are important for anti money 
  laundering, Know Your Customer, etc.
Manu Sporny:  There is a lot of overlap between the financial 
  services and credential management.
Manu Sporny:  This is a very narrowly-focused approach avoiding 
  the "solving the Identity on the Web" problem.

Topic: Identity Proofing

Jörg Heuer:  Will we succeed until we solve this Identity on the 
  Web problem?
Manu Sporny:  We need to have an Identifier. Identity means 
  different things to different people.
Jörg Heuer:  When you want to prove that I am German, you need to 
  know who *I* is.
Jörg Heuer:  Credentials seem very much tied to the person. So 
  Identity needs to be solved, no?
Daniel Buchner:  Credentials are more of a specification to 
  represent various identities (government, education, etc.).
Manu Sporny:  We don't have a clear definition of Identity.
Eric Korb:  We have to find point of contacts to establish 
  identity. We need Experian and companies like that to help 
  establish the Identity.
Daniel Buchner:  They provide the Last Mile of Identity.
Daniel Buchner:  There is a Many-to-One Relationship to Identity.
Bill Gebert:  There are various levels of Identity. Bronze level, 
  Silver level, Gold level based on the background or strength of 
  the individual identities.
Pat Adler:  The Credentials themselves are just a collection of 
  attributes from a particular entity.
Evert Fekkes:  The trust level is established as part of the 
  enrollment process.
Daniel Buchner:  It's easier to get buy in by having a mechanism 
  for expressing these credentials and then saying, "Hey, 
  Government, we have a way of expressing this..."
Pat Adler:  Accumulation of identity across a variety of sources.
Glen Wiley:  Sounds like we are talking about authorization, not 
  just Identity.
Daniel Buchner:  This credential can evolve over time and 
  accumulate more attributes over time.
Manu Sporny:  I think we are in violent agreement about what a 
  credential is and how we establish trust in existing identities.
Jörg Heuer:  In Germany we have a National ID by which we can now 
  interact with the Web and it has the ability express a strong 
  level of confidence of identity.
Pat Adler:  We talk a lot of about binding the identity to the 
  user. There is also the idea of attaching context to the binding. 
  Time of day, duration, in particular contexts.
Daniel Buchner:  We need enough inputs on the credential to 
  express these context.
Eric Korb:  My wife needs four credentials just to come to work 
  as nurse practitioner in NJ.
Eric Korb:  If her malpractice insurance expired, she can't get 
  into the pharmacy to get medications.
Jörg Heuer:  Combinations of different credentials make a lot of 
  sense to establish the context.

Topic: Scope of CG Work

Manu Sporny:  The clear sign that this initiative will fail is if 
  the Use Cases keep growing. If it looks like we are heading down 
  to a very complex endeavor, that's a sign that we are solving the 
  wrong problem.
Manu Sporny:  We can't prescribe how you get a Level 3 National 
  Identity card.
Manu Sporny:  Education has a different set of requirements than 
  healthcare. That's not the problem we want to solve.
Daniel Buchner:  There are different ways to take a fingerprint 
  (ink vs camera). I don't want to specify what it means to express 
  a fingerprint.
Bill Gebert:  Who determines what is High Stakes. It's the 
  consumer who decides. The level of sophistication and compliance 
  is the consumer itself, not the binding.
Bill Gebert:  We collect retina scan, fingerprints, etc. to deal 
  with fraud. That might be Gold Standard identity to some people, 
  but not others.
Daniel Buchner:  These things he's talking about didn't exist 
  twenty years ago. Our definition of the standards or faith in 
  them change over time.
Pat Adler:  The bindings can change in time during expiration of 
  credentials and re-upping the identity. You get a new token or a 
  new card.
Glen Wiley:  It seems we need to talk more than just about 
  transmission of credentials.
Brian Sletten:  The use of JSON-LD will allow us to model 
  different kinds of credentials (Fingerprint vs InkFingerprint).
Jörg Heuer:  We should think about both sides of this: Who is 
  guaranteeing the credentials and the consumer who is establishing 
  a level of trust.
Manu Sporny:  Fantastic discussion, I am hearing a lot of 
  agreement and it seems aligned with the definition of CG.
Karen O'Donoghue: Here is a link to the IETF mailing list that is 
  starting a discussion around vectors of trust or levels of 
  assurance.
Karen O'Donoghue: https://www.ietf.org/mailman/listinfo/vot
Karen O'Donoghue: There is no chartered work at this point, but 
  this is a preliminary mailing list to discuss possible directions 
  that this might go, and one of the possible directions might be 
  contributing to an update of NIST SP 800-63
Jörg Heuer:  I don't think Payment requires Identity. You need 
  sufficient funds. Cash is useful for anonymous interactions we 
  should protect it.
Pat Adler:  What does this mean at the Protocol Level? What are 
  the core components of the transaction? Identity is part of some 
  transactions, but not other.
Jörg Heuer:  Even if we don't establish the identity of the 
  consumer for the payment, we are still dealing with pseudonyms 
  and technical identifiers like email accounts ("Mickey Mouse 
  identity") and that may still be important to keep track of.
Evert Fekkes:  Each Identity maps to a certain context.
Pat Adler:  Entitlement can apply to groups. Buying as a member 
  of group (digital media, Kickstarter, etc.)
Pat Adler:  There can be multiple identities associated with a 
  payment.
Brian Sletten:  Access control specification sounds like a 
  different approach than not prescribing the credentials. In order 
  for me to express a restricted use of credentials, we need to 
  agree on what that means.
Pat Adler:  We need to protect the transmission of the 
  credentials via extensible authorization and authentication 
  mechanisms as well.
Manu Sporny:  Ok, let's break for lunch and meet back here in an 
  hour to dive into the use cases, specs, or demos.
Group breaks for lunch.

Topic: Use Cases / Future Work

Karen O'Donoghue is scribing.
Manu Sporny:  Options for what we could do this afternoon (use 
  cases, draft specs, demos, etc...)
Jörg Heuer:  We could try to distill the earlier conversation
Daniel Buchner:  Would use cases accomplish this?
Manu Sporny:  Since this is a CG we can recharter at any point 
  based on a vote of the group itself
Manu Sporny:  Before we start adding use cases, we should look at 
  the ones we already have
Pat Adler:  We could analyze the use cases for domain factors and 
  look for commonality
Pat Adler:  Need to visualize the relationships, one to one, one 
  to many, many to one, etc
Manu Sporny:  We should probably develop something like that
Pat Adler:  I will make a first attempt at this graphic
Manu Sporny:  These use cases were taken out of the Web Payments 
  workshop
Daniel Buchner:  What vantage point were these use cases taken 
  from
Manu Sporny: http://opencreds.org/specs/source/use-cases/
Manu Sporny:  This document is nowhere near done
Jörg Heuer:  Are we expecting credentials to live on forever?
Eric Korb:  They have a expiration date

Topic: Identifier Portability

Manu Sporny:  The key that we have found, when we are creating 
  the credential we need to ensure that we don't tie it to 
  something that can't be moved. It's strange, but URLs are great 
  at achieving vendor lock-in.
Manu Sporny:  There will have to be revocation lists
  ... two sides of a credential, customer and user,
Jörg Heuer:  Would this be optional because there may be privacy 
  problems here
  ... further discussion on how revocation might work and 
  decisions involved
Daniel Buchner:  Are there any steps involved when reissuing or 
  moving credentials?
Eric Korb:  Open badges today uses Persona, email address is 
  embedded,
Eric Korb:  Every time it is moved it goes through a validation 
  process, the question is whether it should also go through a 
  verification process
Eric Korb:  How do you move them, what happens when you move one 
  from the university.
Pat Adler:  Is an identity provider the same as a credential 
  provider, they are different things?
  ... can they play both roles?
Manu Sporny:  Two sets of terminology currently in use (Badge 
  Alliance and Credentials CG)
  ... credential servers store credentials issued by issuers
Eric Korb:  Credential curator (backpack, key chain)
  ...long term issuer independent storage
Glen Wiley:  Difference between registrar and registry
Glen Wiley:  There are example of this type of critical service 
  in internet infrastructure
Manu Sporny:  There are examples of decentralized service but 
  they don't exist in a web context
Glen Wiley:  There are very few things that the government can't 
  shut down, (stipulating that it has to be safe from government 
  intervention)
Manu Sporny:  Telehash is an interesting example of a technology 
  that might address some of this
Manu Sporny:  It is a decentralized hash on that
Manu Sporny:  Objective is to have at least one technology 
  solution that will solve the problem
Manu Sporny:  We can solve the problem without providing this 
  decentralized solution by tying the credential to the provider
Glen Wiley:  You could get credentials from different 
  organizations based on your level of faith in their longevity
Brian Sletten:  You get the credentials from the organization 
  that you have the most trust in

Topic: Data Rights, Legacy Support

Manu Sporny:  Data rights ... almost like a reverse terms of 
  service
Daniel Buchner:  Isn't this another example of an area where
Manu Sporny:  If they have a text file about you, you can copy
Manu Sporny:  Data rights is a policy representation, not a 
  technical solution
Manu Sporny:  Data rights is a high level design criteria without 
  a technical solution
Manu Sporny:  Legacy Support: is there a way we can provide both 
  the old way (user name and password) and the new way (credential 
  based) with the new credential
Manu Sporny:  Last Pass is an example of this
Jörg Heuer:  Are we to replace user name and password with this?
Jörg Heuer:  Sounds like OAUTH to me.
Manu Sporny:  There are other technologies out there, OAUTH is 
  more about access control
  ...we could wrap OAUTH credentials in the system.
Manu Sporny:  What is the best thing for web developers, they 
  don't want to implement OAUTH 2.0
Manu Sporny:  Don't know how all this plays with OpenID Connect 
  or OAUTH
Manu Sporny:  OAUTH 1.0 and OAUTH 2.0 aren't really competitors 
  to this, OpenID Connect is a more open question
Manu Sporny:  We have now completely destroyed our agenda, but 
  that's ok because we're having a great discussion. Great to see 
  how aligned most of us are.
Daniel Buchner:  It is helpful to know there is a decision 
  trusted providers as a/the mechanism
Pat Adler:  Four key things... (scribe missed the four key 
  things)
Manu Sporny:  We have to have a way to have verifiable claims
Eric Korb:  We see three kinds of transactions 1) establish 
  identities; 2) make offers; 3) verify information
Eric Korb:  TrueCred Api slide
Manu Sporny:  Flexible access control is about the user not being 
  present to perform a credential exchange. For example, you 
  authorizing emergency workers to access your credential in the 
  event of an emergency.
Manu Sporny:  We want to support two types of signatures - 
  original credential plus endorsement (a set of signatures)
Manu Sporny:  Chained credentials (an array of dependent 
  signatures, each one dependent on the previous one)
Manu Sporny:  Wrapup - we didn't cover much of our agenda, but 
  did a good bit of ground work. This is a community group open to 
  anyone, great to see so much interest in it. We meet Tuesdays at 
  11am ET. Learn more here: http://opencreds.org/minutes/
Received on Monday, 10 November 2014 03:33:24 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:21 UTC