Credentials CG Telecon Minutes for 2015-06-02

Thanks to Dave Longley for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2015-06-02/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-06-02

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0000.html
Topics:
  1. Credentials WG Charter and WPIG
  2. Recruiting document
  3. Credential Management API update
  4. Use Cases
Organizer:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Manu Sporny, Nate Otto, Richard Varn, Tim Holborn, 
  Sunny Lee, Eric Korb, David I. Lehn, Rob Trainer, Victoriano 
  Giralt, Gregg Kellogg
Audio:
  http://opencreds.org/minutes/2015-06-02/audio.ogg

Dave Longley is scribing.
Manu Sporny:  We've had a bump in the road as far as the 
  Credentials WG is concerned, so we'll discuss that.
Manu Sporny:  Then the other items on the agenda.
Manu Sporny:  Any other changes to the agenda?
None

Topic: Credentials WG Charter and WPIG

Manu Sporny: 
  https://docs.google.com/document/d/1xfdzFahQpaQKGL4aOvePlIdsJO6Q5OJkPgSIxtUx9Vc/edit
Manu Sporny:  If folks have seen, there have been a number of 
  comments on the Credentials WG charter.
Manu Sporny:  The comments to pay attention to in particular are 
  by Ian Jacobs. He's the W3C staff contact. He's in charge of 
  putting together the official charter that will go up for a vote.
Manu Sporny:  His mandate seems to be from the W3C CEO and the 
  domain lead. Which is the payments activity domain. It seems to 
  be about making credentials as narrowly focused on payments as 
  possible.
Manu Sporny:  At first he said it would be nearly impossible to 
  get anything focused on education, etc. through that didn't 
  mention/focus on payments.
Nate Otto: Thanks for raising those objections, manu & dlongley
Manu Sporny:  So we said it's nice that you want a focused 
  charter but the payments folks haven't been the ones doing the 
  work or the deploys of experimental tech or anything today. So 
  writing a charter that's focused on payments and not education, 
  etc. then that would cause a problem with the groups involved 
  today.
Manu Sporny: Credentials presentation for Web Payments 
  face-to-face in NYC: 
  https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials
Manu Sporny:  We're trying to figure out the conflict and what 
  the F2F presentation on credentials will be about.
Manu Sporny:  I was asked to put together a presentation that 
  focuses primarily on payments credentials to bring the payments 
  group up to speed because they haven't talked credentials at all 
  until like last week. So they are way behind the curve with 
  respect to what we're doing here. They believe that working on 
  credentials for education and healthcare would present an 
  entirely different solution than for payments. So they don't 
  understand the unified tech we've been putting together here.
Manu Sporny:  So a lot of education needs to happen.
Manu Sporny:  We're trying to figure out a way to get a charter 
  written such that it gets buy in from W3C staff, CEO, and 
  membership that care about payments but also doesn't alienate the 
  education and healthcare sector.
Manu Sporny:  What we need from this group is some fairly loud 
  voices... or some fairly strong statements about what your 
  organization believes the charter should focus on. Should it 
  focus on education, healthcare, payments, or balance all of 
  those, or what.
Manu Sporny:  Right now it's just me saying what I think this 
  group believes in general which has been that the same solution 
  works in all the verticals and we shouldn't just focus on a 
  particular vertical. We have and need a unified solution.
Manu Sporny:  But they are just hearing it from me, not from 
  anyone else.
Richard Varn:  I always thought this was attractive being inside 
  the payments work. We can lead with payments thinking, but we can 
  do it where there aren't so many players here in other verticals 
  so we can further. We are going to pilot it with education and 
  healthcare and you can see how it would work with web payments 
  more effectively with credentials. I thought that was our pitch?
Manu Sporny:  That's exactly right, and that's our pitch.
Richard Varn:  Who is pushing back?
Nate Otto: That's a great pitch. The nontraditional education 
  market is ready and itching to experiment.
Manu Sporny:  So the pushback is coming from the W3C staff and a 
  couple of folks in the financial industry.
Manu Sporny:  I believe it's because they don't understand what 
  we have here, they haven't been keeping themselves up to date 
  with what we've been doing and they don't understand its full 
  impact. And because of that they can't understand how what we're 
  doing in healthcare/education can work in payments.
Manu Sporny:  We need you to say that exact same thing from 
  someone who isn't me.
Manu Sporny:  They need to hear it from you and from 
  Accreditrust, etc.
Nate Otto:  Should we be sharing these comments on that charter 
  document or is there a better place?
Manu Sporny:  I thought this group, ETS, Accreditrust, etc. would 
  review a charter doc from Ian and discuss there. But Ian said he 
  doesn't believe we're at the point we can write a charter to even 
  get comments on. He also said he thinks the charter we've put 
  together wouldn't fly at W3C. But I don't think he knows the 
  whole picture yet.
Manu Sporny:  I think the wiki page may be one of the places we 
  could do it, I think the credentials W3C charter may be another 
  place to put in feedback.
Tim Holborn: Does the payments use of credentials include a 
  signed digital receipt?  ie: capacity to embed information about 
  the purchase?
Manu Sporny:  So I'm saying I don't know where feedback should go 
  right now, but I'm starting to think that we should really have a 
  call between Ian, the staff domain lead for payments, Erik 
  Andersen and Bloomberg, Richard, Eric, Sunny and Nate, put 
  everyone on the call and get them to hear we don't think it's the 
  right direction from someone other than me.
Manu Sporny:  I think that's the best bet later this week or 
  early next week.
Tim Holborn: I’m on IRC
Richard Varn:  I think that will work, maybe friday.
Eric Korb: +1 Korb too
Sunny Lee: Works for me
Sunny Lee: Depends on time
Sunny Lee: Though
Tim Holborn: I mean, I haven’t dialed in; but was participating 
  via IRC in any case.  Let me know if you’d prefer me to simply 
  observe.
Sunny Lee:  Since you have the most experience with the folks at 
  the W3C, could you tell us what the precedence is here... a CG 
  wants to get formalized and W3C pushes back, do a lot of 
  negotiations happen?
Manu Sporny:  Yes.
Manu Sporny:  I want to be very clear, they are listening and 
  they always take a broad set of input into account.
Manu Sporny:  W3C wants to make sure that they are demonstrating 
  leadership and whatever they end up chartering will end up 
  successful and quickly.
Manu Sporny:  Not drawn out for 5-10 years.
Tim Holborn: If the specification is to apply specifically to 
  payments; what do they consider to be the specified role of 
  credentials; for any form of payments related use-case.
Manu Sporny:  That's why they are pushing back.
Tim Holborn: Ie: university degree is economically recognised by 
  way of a certificate.
Manu Sporny:  The best way to make it successful is to tie it to 
  an activity that is moving forward rapidly.
Manu Sporny:  They are pushing back because they feel that there 
  is a better way to go about this. They haven't heard from people 
  that aren't payments folks and don't understand the idea of the 
  deploying in education+healthcare sectors first.
Sunny Lee:  That makes sense, thank you.
Tim Holborn: I think healthcare is a particularly sensitive 
  field.
Manu Sporny:  Everyone should have the expectation of a fairly 
  chaotic call, but should be thought of as an educational call.
Tim Holborn: In a WebID-TLS FOAF id for example; FOAF is used to 
  denote a number of references.
Tim Holborn: Webpayments/opencreds would reasonably require the 
  capacity to provide a verified receipt.
Tim Holborn: Therein; appears like the debate is about 
  ontologies.  or have i missed something?
Richard Varn:  You're pitching this as an "either-or" and I 
  thought it was a "yes-and". That we'd be riding along with the 
  payments work and it would all be symbiotic. I don't object to 
  someone getting going on payments, I'd rather join their effort 
  than get in the way.
Manu Sporny:  If you'd notice there are no payments people in the 
  credentials CG (other than DB)
Manu Sporny:  I think we have a minority, but they're loud. I 
  think all the people that really care about this right now are in 
  healthcare and education. We want to say this stuff is really 
  important for payments and also education and healthcare. The 
  first deployments will be in education and healthcare and finance 
  will likely follow.
Eric Korb: Add insurance
Manu Sporny:  We have three different market verticals 
  interested, and education/healthcare, ETS, Accreditrust, Badge 
  Alliance, others we're talking to want to move quickly.
Tim Holborn: Is business applications of technology within the 
  scope of specifications definition?
Manu Sporny:  In the finance space, they aren't moving as quickly 
  in that sector because their pain points aren't the same. I think 
  flipping it so payments has to be done first and then 
  education+healthcare is backwards. I think we can come up with 
  the same solution for all the verticals and we can be fairly 
  focused in doing it and the solution is aligned between the 
  industries. If it turns out we're somehow wrong (we're not) we 
  will have to change what we're doing, but I think we can move 
  forward like that.
Richard Varn:  I would add to that, in our space there are people 
  who talk about how to advance this and there are proprietary 
  solutions that could move forward, in the financial space they 
  have much bigger players that fight each other and it's harder to 
  get a standard going.
Tim Holborn:  What is the W3C's role in defining how the "washer" 
  works (if the analog is talking about the parts for a washer)?
Tim Holborn:  Isn't the credential itself just an extensible 
  credential? What it's used for it doesn't really matter. It's a 
  bit like a "washer" you put that on a bolt.
Manu Sporny:  Yes, that's right.
Manu Sporny:  We believe we have a generic solution that works 
  for financial, healthcare, education.
Dave Longley:  We believe we have that solution, but there are 
  people in the Web Payments group that don't think that's 
  workable. [scribe assist by Manu Sporny]
Tim Holborn:  I want to understand... where is the role of the 
  W3C in defining how a tech may be used for any particular 
  application. This conversation is about whether it be applied for 
  a particular industry.
Manu Sporny:  The only reason it matters has to do with how 
  quickly the work will happen. Working Groups need to be very 
  focused and they try to pick an industry that would join the work 
  and deploy the technology. They believe that the financial 
  industry would join the work and deploy the tech. We're saying 
  maybe to that, but we definitely think the 
  education/healthcare sectors would join the work and deploy the 
  tech.
Manu Sporny:  They are trying to create a charter to attract the 
  right participants and to deploy the standard once it's done.
Tim Holborn:  In the healthcare market, how does this relate to 
  private healthcare records? In terms of banking or education 
  infrastructure, the risk is far less than the misuse of personal 
  information. I question the use in the healthcare sector.
Tim Holborn:  I do question the use of the tech in that market.
Nate Otto: Tim, there are some easier use cases in health care 
  that are particular to public information in the healthcare 
  space, like the licenses of professionals
Manu Sporny:  I don't think we're going to healthcare records in 
  version one. We're talking about licenses and workforce much more 
  than patient records.
Manu Sporny:  I agree that patient records is a minefield and we 
  don't plan on focusing on that in version one.
Tim Holborn:  So it's better defined as professional licensing, 
  etc. than medical.
Dave Longley:  We should say something like "it's about 
  professional licensing in healthcare" [scribe assist by Manu 
  Sporny]
Tim Holborn:  We acknowledge the sensitivity of medical records 
  and private data. [scribe assist by Manu Sporny]
Richard Varn:  Education has areas of privacy as well. Perhaps 
  not equal with medical records. But our security requirements are 
  no different from trying to protect data using HIPAA 
  requirements.
Richard Varn:  The security levels that end up getting 
  implemented are very similar.
Nate Otto: Yep, mediaprophet, privacy of records is important to 
  lots of our callers. We're interested in developing credentials 
  that don't leak educational records even as we are using 
  credentials to assert individuals have X or Y qualification or 
  experience.
Tim Holborn:  I think someone's degree, providing a verified 
  certificate that says you have a degree is within the realm of 
  public data but going for medical data are very sensitive, 
  private data.
Richard Varn:  I think we're coming in at a lower level of risk, 
  I agree, which is why it's a more attractive starting place.
Tim Holborn:  There is also legislation and so forth that needs 
  to be considered over time, not just standards, but it may affect 
  decisions.
Manu Sporny:  I think this stuff is missing from W3C staff 
  discussions, they need to know we're having these discussions and 
  be aware of their particulars.
Manu Sporny:  So we need to move on to other items on the agenda, 
  this was a heads up and we'll get some kind of call so they can 
  hear other voices.
Richard Varn:  Inviting them to the tuesday meeting is a backup.
Manu Sporny:  Yes, we've invited them many times.
Richard Varn:  Tell them "or else"! :)
Nate Otto: +1 Let's add a payments use case; I have an idea for 
  one particularly.
Manu Sporny:  One of the points they've made is that they've 
  looked at the credentials use cases and I didn't see many 
  payments use cases. They will not support any kind of initiative 
  that doesn't have more payments use cases. I think we should add 
  them right away.
Manu Sporny:  I will go and try to add those in.

Topic: Recruiting document

Manu Sporny: 
  https://docs.google.com/document/d/1sIMtVYYCeMeuunv-4gsVsldGlWJZ1RyjmnxOVJEjXiE/edit
Manu Sporny:  We have a recruiting document that is being worked 
  on right now. Brian and Joe have worked on this. Hopefully that's 
  getting fairly close to done.
Manu Sporny:  Two weeks ago I sent out the recruiting doc for W3C 
  members, I think I contacted 140 members. We have heard back from 
  definite positives from around 10 of them. We have another 10 
  that said they will "more than likely" join the work but they 
  have to pass it by legal and corporate.
Manu Sporny:  That easily puts us at the 5% support we need to 
  get a WG. This is for our charter.
Manu Sporny:  These members said they were happy to support it.
Manu Sporny:  This just means we've met the minimum bar. So out 
  of 140 only 20 responded ... the others didn't for one reason or 
  another. I want to hand those others off to people in the group 
  and ask them to do follow up.
Manu Sporny:  So we can say "Hey, we need your feedback"
Manu Sporny:  One downside is that W3C corporate contacts are 
  generally overworked and they have a hard time responding to 
  email.
Manu Sporny:  Richard, Eric, if you have someone who can do some 
  follow up that would be great.
Eric Korb:  Me or Rob can do that.
Manu Sporny:  We might take like 20 orgs and divvy those out to 
  each group.
Richard Varn:  I have like two or three people who volunteered to 
  do some of that work. I have people, I'll assign it to a few.
Manu Sporny:  Fantastic.
Manu Sporny:  Anyone have anything else on recruiting?
Tim Holborn:  There's some interest in the Melbourne market.
Manu Sporny:  If you could make sure they fill out the 
  questionnaire that would be fantastic, we need them to do that to 
  show it to W3C management to show support.
Tim Holborn:  I haven't had time yet, if we can get analysis of 
  their business problems we can do that.
Manu Sporny:  We have some of those documents already, the thing 
  we're missing right now are orgs saying "Yes I will join the work 
  or W3C to help with credentials" If we don't have that we won't 
  have a group.

Topic: Credential Management API update

Nate Otto: Some of the Australian universities (Curtin, UQ, ANU, 
  Deakin) might be interested.
Manu Sporny:  We have been talking with the webappsec group, the 
  email thread is up to 132 emails going back and forth on various 
  things. The chair stepped in and said they don't feel it's worth 
  pursuing. The type of credential exchange we're outlining is far 
  more involved and delicate than they wanted to touch. So speaking 
  in his chair capacity he didn't see a resolution.
Manu Sporny:  The editor of the specification came in and asked 
  us for a further set of changes to the WebIDL (which is the 
  interface definition language, what developers would program to)
Manu Sporny:  We've been saying the changes are minimal to that, 
  to align with what we're doing. And he kind of contradicted what 
  the chair was saying, and then the chair backpedaled a bit and 
  said if we're making progress keep going.
Manu Sporny:  We have said "You've said your API is extensible, 
  we have tried it and it's a problem." And they've said, it is, 
  but not in the way you want. And we've said, take out the 
  extensibility part then because we don't see how it's going to be 
  useful to extend it if it can't do, for example, the kind of 
  thing we want to do. Then we've asked what the real benefit is 
  for their API at all if it can't do credentials stuff, only 
  password management.
Manu Sporny:  The good thing is that they're not staking a claim 
  on credentials, we could come to a conclusion where we rename 
  their API to some login/password manager API, if we must.

Topic: Use Cases

Manu Sporny:  The end result for us is that we were hoping to 
  chop a year and a half of work off by reusing an API, but they 
  aren't chartered to work on the type of credentials we're working 
  on here and it may not work out.
Manu Sporny: 
  https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit
Nate Otto:  Sunny, Kerri, and I all looked at the doc over the 
  past week. I accepted a good handful of changes I thought were 
  non-controversial. I added a few more. I took a stab at writing 
  up one of those sections about "credentials in the real world", I 
  went through a workforce training scenario and the different 
  phases. I found that the payments stuff put a note when a 
  particular phase wasn't used.
Nate Otto:  Should we do that here?
Manu Sporny:  Yes.
Nate Otto:  Some of the phases are slightly out of order, ... 
  they depend on the type of use case. Endorsing/Consuming may 
  happen in different orders, phases may happen at different times. 
  Maybe in other scenarios farther down the page they would appear 
  in different orders.
Dave Longley:  I thought we had renamed phases to operations 
  because the order can change. [scribe assist by Manu Sporny]
Nate Otto:  That's right [scribe assist by Manu Sporny]
Dave Longley:  I think it's fine if it happens in a different 
  order, that's how credentials work. [scribe assist by Manu 
  Sporny]
Manu Sporny:  Great work, very helpful.
Nate Otto:  I think in some places expiration/revoking were 
  conflated/confusing.
Manu Sporny:  I saw that, so to clarify, you split those into two 
  separate things?
Nate Otto:  One issue is resolved, and with the approval of the 
  group we'll resolve the other remaining one.
Nate Otto:  Can we talk about web payments use cases to 
  integrate?
Nate Otto:  I thought the operation around confirming the person 
  whose identifier the credential is about is important for KYC.
Nate Otto:  I didn't know if that was a step in the consuming 
  operation or what.
Manu Sporny:  A step in the consuming operation, yes. When you 
  transfer a credential to monster.com, etc. you counter sign it, 
  as the recipient. That establishes that you, the recipient, one, 
  authorize the transmission, and, two, you have a private key 
  associated with the identity that received the credential.
Manu Sporny:  So that's a step in the operation.
Tim Holborn:  How about digital receipts? You purchase and get a 
  digital receipt with warranty operation.
Manu Sporny:  In the web payments group we're not thinking of 
  receipts as credentials, just other kinds of signed documents, so 
  no overlap there. In the payments stuff, coupons and loyalty 
  cards are credentials.
Eric Korb: +1 Expiration and Revoking are separate items
Nate Otto: +1 Add loyalty Credentials in the Real World use case
Tim Holborn:  There's loyalty and coupons... two payments use 
  cases we need in the document.
Manu Sporny:  Yes, we need to add those.
Manu Sporny: Use cases: 
  https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials
Richard Varn:  I thought there was associating a credential with 
  a recipient, meta data with a credential, etc. all of these 
  things were going to be spec'd out.
Manu Sporny:  Yes.
Tim Holborn:  How about things that require licenses, like guns, 
  cars, etc.?
Manu Sporny:  Yes, those are also payments use cases.
Manu Sporny: Other web payments use cases: 
  https://web-payments.org/specs/source/use-cases/
Nate Otto: Let's illustrate those items in the Credentials in the 
  Real World section, I think, showing how things like identity 
  equivalence and composition can work.
Manu Sporny:  Nate, there are more payments use cases in a really 
  old doc. I'll get you a link.
Manu Sporny: Credentials / payments use cases: 
  http://opencreds.org/specs/source/use-cases/
Tim Holborn:  Another one might be someone pitching a creative 
  work, they might want to present a credential related around 
  acceptance.
Manu Sporny:  That is a use of a credential to establish 
  ownership over intellectual property during commerce, which is 
  good.
Manu Sporny:  The feedback we got from the payments people was 
  that they didn't see enough payments use cases in the document 
  and adding these will help fix that.
Sunny Lee: We used 
  https://web-payments.org/specs/source/use-cases/ as a foundation 
  and built off of that for current use cases doc
Eric Korb: That would be good for creds
Sunny Lee: So maybe need to go through 
  https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials 
  ?
Nate Otto: I'm going to have to drop off the audio in just a 
  couple minutes. Looks like we have a good foundation to now flesh 
  out to cover a number of these other cases.
Eric Korb: Ownership
Manu Sporny:  Eric, those things will require credentials.
Manu Sporny:  If you're sending a lot of money overseas, you need 
  a number of credentials, trading stocks, etc. same thing.
Eric Korb: Transfer of ownership
Eric Korb: All creds
Nate Otto: Manu, dlongley : I want to follow up with you on that 
  "prove-you-are-the-credential-recipient" step in the consuming 
  operation.
Manu Sporny:  This is mostly for Nate, Sunny, Kerri, we need to 
  integrate those things into our use cases document.
Sunny Lee:  I wanted to say I'm half working with Nate and Kerri 
  on the use cases document, but while we'll look at those links 
  you provided we should have someone with payments experience to 
  be involved.
Manu Sporny:  Excellent point, why don't I do that ... I'll take 
  the action to migrate those things into the document.
Manu Sporny:  Would that work better?
Sunny Lee:  Yes, absolutely.
Tim Holborn:  I can help where I can.
Manu Sporny:  Thanks, Tim. You can suggest changes in the google 
  doc.
Tim Holborn:  Is there anything about buying a car?
Manu Sporny:  No.
Nate Otto: Cool. Thanks all. Dropping off audio now.
Eric Korb: Cars in US is Title
Eric Korb: Known as "Title"
Tim Holborn:  You've got gov't control over it and you can enter 
  credentials to make that purchase easier.
Manu Sporny:  The other thing to make sure people understand with 
  the use cases is that we don't have to implement *all* of them in 
  version 1, we can implement some in other versions, but it's good 
  to have them all.
Manu Sporny:  Any other questions/concerns about the use cases?
Eric Korb: US Titles are controlled by State
Tim Holborn: Ie: purchasing a motor vehicle and using credentials 
  to support the transferral of license and motor vehicle ownership 
  information with the relevant agency.
Manu Sporny:  I'm going to schedule the call with W3C folks for 
  friday. Hopefully a number of us will chat again with them then.
Manu Sporny:  Thanks all!
Sunny Lee: Thanks all!

Received on Thursday, 4 June 2015 17:56:40 UTC