Credentials CG Telecon Minutes for 2014-10-28

Thanks to Brian Sletten and Karen O'Donoghue for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2014-10-28/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group - W3C TPAC F2F Minutes for 2014-10-28

Agenda:
  http://docs.google.com/document/d/1FQmZt_2FTjRMO5YSBLS-3dwuNQFi_BFEvbIRoUg7pGA/edit
Topics:
  1. Introduction
  2. Identity Proofing
  3. Scope of CG Work
  4. Use Cases / Future Work
  5. Identifier Portability
  6. Data Rights, Legacy Support
Chair:
  Manu Sporny
Scribe:
  Brian Sletten and Karen O'Donoghue
Present:
  Manu Sporny, Brian Sletten, Jörg Heuer, Glen Wiley, Pat Adler, 
  Karen O'Donoghue, Mountie Lee, Pindar Wong, Evert Fekkes, Eric 
  Korb, Bill Gebert, Mary Bold, Daniel Buchner, Shane McCarron, 
  Josh Soref

Brian Sletten is scribing.

Topic: Introduction

Manu Sporny: Here's the presentation deck for the intro: 
  http://opencreds.org/presentations/2014/tpac-credentials/
Manu Sporny:  This is an attempt to do serious things on the Web 
  by being able to make strong claims about what we are entitled to 
  in a safe and secure way.
Manu Sporny:  This is not an official W3C group, it's a community 
  group. Provides input and experiments to feed into the IG work.
Bill Gebert:  ETS needs to provide credentialing for professional 
  development and education, but there are serious national 
  security concerns about foreign nationals being validated for 
  entrance into the U.S. by way of higher educational acceptance.
Jörg Heuer:  Please add an 's' to Deutche Telekom on the slide. 
  :)
Manu Sporny:  Badge Alliance and Open Payments Foundation bridge 
  the boundaries between technology collaborators (Web Payments CG, 
  Credentials CG, Web Payments IG, IETF) and policy/regulator 
  collaborators (US Dept of ???, educational institutions, Internet 
  Governance Forum, US Fed)
Pat Adler:  The Fed is interested in the soundness of the economy 
  and consumer-facing requirements, opportunities for value 
  exchange, the processing, etc.
Manu Sporny:  The Master Plan is to convince the W3C and WP IG 
  that Credentials are important enough to become their own group 
  with applicability across multiple communities. Wants to take 
  advantage of the WP IG to short-track the spin out of groups to 
  focus on a narrow set of Identity as a Credentials Group.
Manu Sporny:  Credentials are important for anti-money 
  laundering, Know Your Customer, etc.
Manu Sporny:  There is a lot of overlap between the financial 
  services and credential management.
Manu Sporny:  This is a very narrowly-focused approach avoiding 
  the "solving the Identity on the Web" problem.

Topic: Identity Proofing

Jörg Heuer:  Will we succeed until we solve this Identity on the 
  Web problem?
Manu Sporny:  We need to have an Identifier. Identity means 
  different things to different people.
Jörg Heuer:  When you want to prove that I am German, you need to 
  know who *I* is.
Jörg Heuer:  Credentials seem very much tied to the person. So 
  Identity needs to be solved, no?
Daniel Buchner:  Credentials are more of a specification to 
  represent various identities (government, education, etc.).
Manu Sporny:  We don't have a clear definition of Identity.
Eric Korb:  We have to find points of contact to establish 
  identity. We need Experian and companies like that to help 
  establish the Identity.
Daniel Buchner:  They provide the Last Mile of Identity.
Daniel Buchner:  There is a Many-to-One Relationship to Identity.
Bill Gebert:  There are various levels of Identity. Bronze level, 
  Silver level, Gold level based on the background or strength of 
  the individual identities.
Pat Adler:  The Credentials themselves are just a collection of 
  attributes from a particular entity.
Evert Fekkes:  The trust level is established as part of the 
  enrollment process.
Daniel Buchner:  It's easier to get buy in by having a mechanism 
  for expressing these credentials and then saying, "Hey, 
  Government, we have a way of expressing this..."
Pat Adler:  Accumulation of identity across a variety of sources.
Glen Wiley:  Sounds like we are talking about authorization, not 
  just Identity.
Daniel Buchner:  This credential can evolve over time and 
  accumulate more attributes over time.
Manu Sporny:  I think we are in violent agreement about what a 
  credential is and how we establish trust in existing identities.
Jörg Heuer:  In Germany we have a National ID by which we can now 
  interact with the Web and it has the ability to express a strong 
  level of confidence of identity.
Pat Adler:  We talk a lot about binding the identity to the 
  user. There is also the idea of attaching context to the binding. 
  Time of day, duration, in particular contexts.
Daniel Buchner:  We need enough inputs on the credential to 
  express these contexts.
Eric Korb:  My wife needs four credentials just to come to work 
  as a nurse practitioner in NJ.
Eric Korb:  If her malpractice insurance expires, she can't get 
  into the pharmacy to get medications.
Jörg Heuer:  Combinations of different credentials make a lot of 
  sense to establish the context.

Topic: Scope of CG Work

Manu Sporny:  The clear sign that this initiative will fail is if 
  the Use Cases keep growing. If it looks like we are heading down 
  to a very complex endeavor, that's a sign that we are solving the 
  wrong problem.
Manu Sporny:  We can't prescribe how you get a Level 3 National 
  Identity card.
Manu Sporny:  Education has a different set of requirements than 
  healthcare. That's not the problem we want to solve.
Daniel Buchner:  There are different ways to take a fingerprint 
  (ink vs camera). I don't want to specify what it means to express 
  a fingerprint.
Bill Gebert:  Who determines what is High Stakes? It's the 
  consumer who decides. The level of sophistication and compliance 
  is the consumer itself, not the binding.
Bill Gebert:  We collect retina scan, fingerprints, etc. to deal 
  with fraud. That might be Gold Standard identity to some people, 
  but not others.
Daniel Buchner:  These things he's talking about didn't exist 
  twenty years ago. Our definition of the standards or faith in 
  them changes over time.
Pat Adler:  The bindings can change in time during expiration of 
  credentials and re-upping the identity. You get a new token or a 
  new card.
Glen Wiley:  It seems we need to talk more than just about 
  transmission of credentials.
Brian Sletten:  The use of JSON-LD will allow us to model 
  different kinds of credentials (Fingerprint vs InkFingerprint).
Jörg Heuer:  We should think about both sides of this: Who is 
  guaranteeing the credentials and the consumer who is establishing 
  a level of trust.
Manu Sporny:  Fantastic discussion, I am hearing a lot of 
  agreement and it seems aligned with the definition of CG.
Karen O'Donoghue: Here is a link to the IETF mailing list that is 
  starting a discussion around vectors of trust or levels of 
  assurance.
Karen O'Donoghue: https://www.ietf.org/mailman/listinfo/vot
Karen O'Donoghue: There is no chartered work at this point, but 
  this is a preliminary mailing list to discuss possible directions 
  that this might go, and one of the possible directions might be 
  contributing to an update of NIST SP 800-63
Jörg Heuer:  I don't think Payment requires Identity. You need 
  sufficient funds. Cash is useful for anonymous interactions; we 
  should protect it.
Pat Adler:  What does this mean at the Protocol Level? What are 
  the core components of the transaction? Identity is part of some 
  transactions, but not others.
Jörg Heuer:  Even if we don't establish the identity of the 
  consumer for the payment, we are still dealing with pseudonyms 
  and technical identifiers like email accounts ("Mickey Mouse 
  identity") and that may still be important to keep track of.
Evert Fekkes:  Each Identity maps to a certain context.
Pat Adler:  Entitlement can apply to groups. Buying as a member 
  of a group (digital media, Kickstarter, etc.).
Pat Adler:  There can be multiple identities associated with a 
  payment.
Brian Sletten:  Access control specification sounds like a 
  different approach than not prescribing the credentials. In order 
  for me to express a restricted use of credentials, we need to 
  agree on what that means.
Pat Adler:  We need to protect the transmission of the 
  credentials via extensible authorization and authentication 
  mechanisms as well.
Manu Sporny:  Ok, let's break for lunch and meet back here in an 
  hour to dive into the use cases, specs, or demos.
Group breaks for lunch.

Topic: Use Cases / Future Work

Karen O'Donoghue is scribing.
Manu Sporny:  Options for what we could do this afternoon (use 
  cases, draft specs, demos, etc.).
Jörg Heuer:  We could try to distill the earlier conversation.
Daniel Buchner:  Would use cases accomplish this?
Manu Sporny:  Since this is a CG we can recharter at any point 
  based on a vote of the group itself.
Manu Sporny:  Before we start adding use cases, we should look at 
  the ones we already have.
Pat Adler:  We could analyze the use cases for domain factors and 
  look for commonality.
Pat Adler:  Need to visualize the relationships: one to one, one 
  to many, many to one, etc.
Manu Sporny:  We should probably develop something like that.
Pat Adler:  I will make a first attempt at this graphic.
Manu Sporny:  These use cases were taken out of the Web Payments 
  workshop.
Daniel Buchner:  What vantage point were these use cases taken 
  from?
Manu Sporny: http://opencreds.org/specs/source/use-cases/
Manu Sporny:  This document is nowhere near done.
Jörg Heuer:  Are we expecting credentials to live on forever?
Eric Korb:  They have an expiration date.

Topic: Identifier Portability

Manu Sporny:  The key that we have found, when we are creating 
  the credential we need to ensure that we don't tie it to 
  something that can't be moved. It's strange, but URLs are great 
  at achieving vendor lock-in.
Manu Sporny:  There will have to be revocation lists.
  ... two sides of a credential, customer and user.
Jörg Heuer:  Would this be optional because there may be privacy 
  problems here?
  ... further discussion on how revocation might work and 
  decisions involved.
Daniel Buchner:  Are there any steps involved when reissuing or 
  moving credentials?
Eric Korb:  Open Badges today uses Persona; the email address is 
  embedded.
Eric Korb:  Every time it is moved it goes through a validation 
  process; the question is whether it should also go through a 
  verification process.
Eric Korb:  How do you move them? What happens when you move one 
  from the university?
Pat Adler:  Is an identity provider the same as a credential 
  provider, or are they different things?
  ... can they play both roles?
Manu Sporny:  Two sets of terminology currently in use (Badge 
  Alliance and Credentials CG).
  ... credential servers store credentials issued by issuers.
Eric Korb:  Credential curator (backpack, key chain).
  ... long-term issuer-independent storage.
Glen Wiley:  Difference between registrar and registry.
Glen Wiley:  There are examples of this type of critical service 
  in Internet infrastructure.
Manu Sporny:  There are examples of decentralized services, but 
  they don't exist in a web context.
Glen Wiley:  There are very few things that the government can't 
  shut down (stipulating that it has to be safe from government 
  intervention).
Manu Sporny:  Telehash is an interesting example of a technology 
  that might address some of this.
Manu Sporny:  It is a decentralized hash on that.
Manu Sporny:  Objective is to have at least one technology 
  solution that will solve the problem.
Manu Sporny:  We can solve the problem without providing this 
  decentralized solution by tying the credential to the provider.
Glen Wiley:  You could get credentials from different 
  organizations based on your level of faith in their longevity.
Brian Sletten:  You get the credentials from the organization 
  that you have the most trust in.

Topic: Data Rights, Legacy Support

Manu Sporny:  Data rights ... almost like a reverse terms of 
  service.
Daniel Buchner:  Isn't this another example of an area where
Manu Sporny:  If they have a text file about you, you can copy
Manu Sporny:  Data rights is a policy representation, not a 
  technical solution.
Manu Sporny:  Data rights is a high-level design criterion without 
  a technical solution.
Manu Sporny:  Legacy Support: is there a way we can provide both 
  the old way (user name and password) and the new way (credential 
  based) with the new credential?
Manu Sporny:  LastPass is an example of this.
Jörg Heuer:  Are we to replace user name and password with this?
Jörg Heuer:  Sounds like OAuth to me.
Manu Sporny:  There are other technologies out there; OAuth is 
  more about access control.
  ... we could wrap OAuth credentials in the system.
Manu Sporny:  What is the best thing for web developers? They 
  don't want to implement OAuth 2.0.
Manu Sporny:  Don't know how all this plays with OpenID Connect 
  or OAuth.
Manu Sporny:  OAuth 1.0 and OAuth 2.0 aren't really competitors 
  to this; OpenID Connect is a more open question.
Manu Sporny:  We have now completely destroyed our agenda, but 
  that's ok because we're having a great discussion. Great to see 
  how aligned most of us are.
Daniel Buchner:  It is helpful to know there is a decision 
  trusted providers as a/the mechanism
Pat Adler:  Four key things... (scribe missed the four key 
  things)
Manu Sporny:  We have to have a way to have verifiable claims.
Eric Korb:  We see three kinds of transactions: 1) establish 
  identities; 2) make offers; 3) verify information.
Eric Korb:  TrueCred API slide.
Manu Sporny:  Flexible access control is about the user not being 
  present to perform a credential exchange. For example, you 
  authorizing emergency workers to access your credential in the 
  event of an emergency.
Manu Sporny:  We want to support two types of signatures: 
  original credential plus endorsement (a set of signatures).
Manu Sporny:  Chained credentials (an array of dependent 
  signatures, each one dependent on the previous one).
Manu Sporny:  Wrapup - we didn't cover much of our agenda, but 
  did a good bit of ground work. This is a community group open to 
  anyone, great to see so much interest in it. We meet Tuesdays at 
  11am ET. Learn more here: http://opencreds.org/minutes/

Received on Monday, 10 November 2014 03:33:24 UTC