W3C home > Mailing lists > Public > public-credentials@w3.org > June 2015

Credentials CG Telecon Minutes for 2015-06-30

From: <msporny@digitalbazaar.com>
Date: Tue, 30 Jun 2015 15:36:33 -0400
Message-Id: <1435692993912.0.9189@zoe>
To: Credentials CG <public-credentials@w3.org>
Thanks to Gregg Kellogg for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2015-06-30/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-06-30

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0103.html
Topics:
  1. Credentials WG Plan
  2. Introductions of New Members
  3. Recruiting
Organizer:
  Manu Sporny
Scribe:
  Gregg Kellogg
Present:
  Gregg Kellogg, Manu Sporny, Richard Varn, Nate Otto, Eric Korb, 
  Matt Collier, Christoph Dorn, Jim Goodell, Brian Sletten, Sunny 
  Lee, Rob Trainer
Audio:
  http://opencreds.org/minutes/2015-06-30/audio.ogg

Gregg Kellogg is scribing.
Manu Sporny:  On agenda, update to WG plan, recruiting, and maybe 
  DIDs discussion.

Topic: Credentials WG Plan

Manu Sporny:  I had a discussion with W3C Staff last week, and 
  the payments IG had a discussion on Monday.
  … Due to feedback in round-table and W3C got after F2F meeting 
  ,,,
  … A number of people came back saying they didn’t intend for it 
  to be struck.
  … We have a go-ahead for pitching a WG to W3C.
  … W3CM would like to see a list of organizations that are 
  committed to joining the work if it gets started at W3C. We have 
  a list started, but we need more organizations interested.
Manu Sporny:  They’ve looked at the list in Credentials CG and 
  would like to see more representatives from a broader set of 
  organizations.
  … They’d like to see about 30 organizations before they’re 
  comfortable with proposing a new WG to W3CM.
  … There are a number of back-channel discussions working 
  against us, particularly from the security community.
  … Unfortunately, they’re not coming here, but are voicing 
  directly to W3CM.
  … There are 2 blog posts/papers they’d like to see us put 
  together to counter these arguments.
  … 1) What makes this credentials approach different from the 
  last 15 years of approaches that have failed: SAML, OpenID 
  Connect, …
  … 2) Define where W3C can add value. Why should the work be 
  done at W3C vs IETF/OASIS/ISO?
  … The Payments IG will wait for us to put this strategy 
  together, in concert with some W3C Staff, to put together a 
  proposal that will be a sell to W3CM.
  … Also joining will be some banking and finance, where were 
  taken aback by what happened at the Payments IG F2F.
  … That puts us in a better possition than a week or so ago, but 
  still not where we want to be.
Richard Varn:  What would be the timeline for deciding yes/no, 
  and where?
Nate Otto: Are the concerns shared specifically about security 
  and privacy? Was there anything specific that was critiqued about 
  the suggested technical approach in this CG?
Manu Sporny:  The question will be does W3CM feel comfortable 
  proposing a draft charter to the membership in August? That would 
  be the most agressive thing that can happen.
  … We may still be able to have our first meeting at TPAC.
  … Less agressive would be September, which would be too late 
  for TPAC. We’d probably try to have a meeting there anyway. That 
  would drive more people into the group.
  … Or, we can’t do it at all :(
Nate Otto:  Were concerns from security and privacy related 
  directly to that?
Manu Sporny:  I don’t think the loudest critics really understand 
  what we’re trying to do.
  … “I don’t think it’s a good idea to create an identifier that 
  can be used across multiple websites”, for example.
Nate Otto: Oh, like an email address . ;)
  … There is privacy push-back; they’d rather see bearer 
  credtitials.
  … Also against using an email address.
  … I think this group cares very deeply about privacy, and we 
  want to be sure we are as privacy enhancing as possible, without 
  gutting the core use case.
Nate Otto: +1 To being as privacy-enhancing as possible without 
  gutting the core use case.
  … The other thing is security: “why aren’t you guys using JOSE 
  for using signatures, why propose a new mechanism?”
  … Thinks we’re trying to end-around the security community with 
  LD-Signatures, and trying to go around JOSE.
  … It’s not that, but they’re quite focused on JOSE, and don’t 
  have spare-bandwidth to look at LD-Signatures. Clearly we’ll get 
  a good security review.
Nate Otto:  Working in the badges community, we have concerns as 
  well. Is it possible to put the genie back in the bottle.
Eric Korb: +1
  … Eventually we’ll need a high-level security review, but we 
  could always go back to JOSE if LD-Signatures won’t work. We’ll 
  work with the security community to make sure we have a valid 
  solution.
Manu Sporny:  ALso, note that LD-Signatures is not inventing new 
  cryptographic methods. The problem is that the statements are 
  coming from someone who doesn’t understand this. We’re simply 
  re-using RSA, eliptic curve, …
  … The new thing is the normalization and message structure of 
  the signature.
  … Once security folks at the F2F understood this, they thought 
  it would be straight-forward.
Eric Korb:  The idea of signing the credentials, is it critically 
  important, or is it an option?
  … The badge aliance is mostly doing hosted credentials, and 
  signing isn’t as important.
  … Can we make this optional?
Manu Sporny:  Sure, they don’t need to be signed. There can be 
  other ways of validating.
  … If an open badges badge has an alternate way of validating, 
  that mechanism could be used.
  … Signatures are for hard cases like financial use cases.
Eric Korb: +1
  … Other industries don’t have the same high-stakes 
  requirements.
  … IF you recieve a signed credential, you don’t even have to 
  validate it.
Eric Korb:  An reciever should validate, if it needs to. If it’s 
  not there, and you don’t mind it not being there, you should be 
  able to use it.
Richard Varn:  We should probably be exploring a parallel path, 
  in case the W3C doesn’t work out.
Manu Sporny:  I have some concerns over sending mixed messages if 
  approaching both W3C and IMS Global.
  … We may want to take IMS Global guys aside to discuss them as 
  an alternative.
Eric Korb:  I don’t think it’s an either/or, it’s a “please join 
  the work”
Richard Varn:  There’s an opportuinty for IMSG to bring some new 
  things to the table. It’s getting them to associate the work 
  they’re going to do anyway with the W3C initiative.
  … It could grow into a broader standards effort if we don’t get 
  anywhere with the W3C.
Eric Korb: The project we currrently working on is eTranscript to 
  be demoed at educause
Manu Sporny:  This group is focusing on recruiting. I have an 
  action to write up 2 blog posts about what’s different about what 
  we’re doing.

Topic: Introductions of New Members

Eric Korb: IMS Global Project 
  http://www.imsglobal.org/cbe/index.html
Matt Collier:  Working with Digital Bazaar on this and 
  authorization.io.
Christoph Dorn:  I work independently. My focus is on software 
  tooling. I’m interested in creating an open prototype embodying 
  the specs and staying up to date, and allow people to on-board 
  early.
Jim Goodell:  I’m with Quality Information Partners, we’ve been 
  working on common education standards. I’m interested form 
  education- and workforce- credientials cases.
Eric Korb: Welcome all!

Topic: Recruiting

Manu Sporny: 
  https://docs.google.com/document/d/1u0DC4U7jAayv1IvOY2qu7nMRtiFOPxwCT3BkPJek5ho/edit
Manu Sporny:  I’ll get a list by EOD to eric and richard with W3C 
  members who have not yet responded.
  … Last week we had said it might be a better strategy for 
  people to construct their own introductions and try to bring 
  people on board.
  … I’d like folks to commit to contact new large W3C members.
Eric Korb:  I’ve started on Parchment, but haven’t yet reached 
  out awaiting dodumentation.
  … I wanted to be sure we had an agreed upon common message.
Manu Sporny:  We’re backing off on that. There’s the executive 
  summary.
Manu Sporny: Open Credentials Executive Summary: 
  https://docs.google.com/document/d/1Nq543-Am1hQUIZ2hhzAFl8KexvIEBwDDc_f3Ikz1opQ/edit
Manu Sporny:  We’re transitioning over to “hard asks”; you should 
  have everythign you need to make the initial contact/ask.
Manu Sporny:  Eric, I have you against Accreditrust, Credly, 
  Scrip-Safe and Iq4.
  … (More discussions of assignments captured in document)
Nate Otto: Discendum Oy
Nate Otto: DigitalME
Manu Sporny:  What W3C really wants to know is if new 
  organizations will become members. That’s the main thing they 
  need to see.
  … Mozilla is in a strange place; the people at the F2F were 
  pretty much opposed to what we’re doing.
  … If David Barron doesn’t feel that Mozilla should be involved, 
  they won’t be.
Nate Otto:  They’re involved with the Badge Alliance, though.
  … They’re committed to supporting badges going forward.
Manu Sporny:  The key would be to get that person from Mozilla 
  involved in the work.
  … We’ve been hearing from people not involved in the work at 
  Mozilla speaking out.
Manu Sporny:  We have the Merchant Advisory Group that said 
  they’d join. The contact person is from Walmart, which is great.
Brian Sletten: Manu, Is NACS on the list?
Manu Sporny:  We have strong connects with NACS, Veriphone, and 
  ???
Received on Tuesday, 30 June 2015 19:36:57 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:24 UTC