- From: <msporny@digitalbazaar.com>
- Date: Tue, 30 Jun 2015 15:36:33 -0400
- To: Credentials CG <public-credentials@w3.org>

Thanks to Gregg Kellogg for scribing this week! The minutes for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2015-06-30/

Full text of the discussion follows for W3C archival purposes. Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-06-30

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0103.html
Topics:
  1. Credentials WG Plan
  2. Introductions of New Members
  3. Recruiting
Organizer:
  Manu Sporny
Scribe:
  Gregg Kellogg
Present:
  Gregg Kellogg, Manu Sporny, Richard Varn, Nate Otto, Eric Korb, Matt Collier, Christoph Dorn, Jim Goodell, Brian Sletten, Sunny Lee, Rob Trainer
Audio:
  http://opencreds.org/minutes/2015-06-30/audio.ogg

Gregg Kellogg is scribing.
Manu Sporny: On agenda, update to WG plan, recruiting, and maybe DIDs discussion.

Topic: Credentials WG Plan

Manu Sporny: I had a discussion with W3C Staff last week, and the payments IG had a discussion on Monday.
… Due to feedback in round-table and W3C got after F2F meeting ,,,
… A number of people came back saying they didn’t intend for it to be struck.
… We have a go-ahead for pitching a WG to W3C.
… W3CM would like to see a list of organizations that are committed to joining the work if it gets started at W3C. We have a list started, but we need more organizations interested.
Manu Sporny: They’ve looked at the list in Credentials CG and would like to see more representatives from a broader set of organizations.
… They’d like to see about 30 organizations before they’re comfortable with proposing a new WG to W3CM.
… There are a number of back-channel discussions working against us, particularly from the security community.
… Unfortunately, they’re not coming here, but are voicing directly to W3CM.
… There are 2 blog posts/papers they’d like to see us put together to counter these arguments.
… 1) What makes this credentials approach different from the last 15 years of approaches that have failed: SAML, OpenID Connect, …
… 2) Define where W3C can add value. Why should the work be done at W3C vs IETF/OASIS/ISO?
… The Payments IG will wait for us to put this strategy together, in concert with some W3C Staff, to put together a proposal that will be a sell to W3CM.
… Also joining will be some banking and finance, who were taken aback by what happened at the Payments IG F2F.
… That puts us in a better position than a week or so ago, but still not where we want to be.
Richard Varn: What would be the timeline for deciding yes/no, and where?
Nate Otto: Are the concerns shared specifically about security and privacy? Was there anything specific that was critiqued about the suggested technical approach in this CG?
Manu Sporny: The question will be does W3CM feel comfortable proposing a draft charter to the membership in August? That would be the most aggressive thing that can happen.
… We may still be able to have our first meeting at TPAC.
… Less aggressive would be September, which would be too late for TPAC. We’d probably try to have a meeting there anyway. That would drive more people into the group.
… Or, we can’t do it at all :(
Nate Otto: Were concerns from security and privacy related directly to that?
Manu Sporny: I don’t think the loudest critics really understand what we’re trying to do.
… “I don’t think it’s a good idea to create an identifier that can be used across multiple websites”, for example.
Nate Otto: Oh, like an email address. ;)
… There is privacy push-back; they’d rather see bearer credentials.
… Also against using an email address.
… I think this group cares very deeply about privacy, and we want to be sure we are as privacy enhancing as possible, without gutting the core use case.
Nate Otto: +1 To being as privacy-enhancing as possible without gutting the core use case.
… The other thing is security: “why aren’t you guys using JOSE for using signatures, why propose a new mechanism?”
… Thinks we’re trying to end-around the security community with LD-Signatures, and trying to go around JOSE.
… It’s not that, but they’re quite focused on JOSE, and don’t have spare-bandwidth to look at LD-Signatures. Clearly we’ll get a good security review.
Nate Otto: Working in the badges community, we have concerns as well. Is it possible to put the genie back in the bottle.
Eric Korb: +1
… Eventually we’ll need a high-level security review, but we could always go back to JOSE if LD-Signatures won’t work. We’ll work with the security community to make sure we have a valid solution.
Manu Sporny: Also, note that LD-Signatures is not inventing new cryptographic methods. The problem is that the statements are coming from someone who doesn’t understand this. We’re simply re-using RSA, elliptic curve, …
… The new thing is the normalization and message structure of the signature.
… Once security folks at the F2F understood this, they thought it would be straight-forward.
Eric Korb: The idea of signing the credentials, is it critically important, or is it an option?
… The Badge Alliance is mostly doing hosted credentials, and signing isn’t as important.
… Can we make this optional?
Manu Sporny: Sure, they don’t need to be signed. There can be other ways of validating.
… If an open badges badge has an alternate way of validating, that mechanism could be used.
… Signatures are for hard cases like financial use cases.
Eric Korb: +1
… Other industries don’t have the same high-stakes requirements.
… If you receive a signed credential, you don’t even have to validate it.
Eric Korb: A receiver should validate, if it needs to. If it’s not there, and you don’t mind it not being there, you should be able to use it.
Richard Varn: We should probably be exploring a parallel path, in case the W3C doesn’t work out.
Manu Sporny: I have some concerns over sending mixed messages if approaching both W3C and IMS Global.
… We may want to take IMS Global guys aside to discuss them as an alternative.
Eric Korb: I don’t think it’s an either/or, it’s a “please join the work”
Richard Varn: There’s an opportunity for IMSG to bring some new things to the table. It’s getting them to associate the work they’re going to do anyway with the W3C initiative.
… It could grow into a broader standards effort if we don’t get anywhere with the W3C.
Eric Korb: The project we’re currently working on is eTranscript to be demoed at Educause
Manu Sporny: This group is focusing on recruiting. I have an action to write up 2 blog posts about what’s different about what we’re doing.

Topic: Introductions of New Members

Eric Korb: IMS Global Project http://www.imsglobal.org/cbe/index.html
Matt Collier: Working with Digital Bazaar on this and authorization.io.
Christoph Dorn: I work independently. My focus is on software tooling. I’m interested in creating an open prototype embodying the specs and staying up to date, and allow people to on-board early.
Jim Goodell: I’m with Quality Information Partners, we’ve been working on common education standards. I’m interested from education- and workforce-credentials cases.
Eric Korb: Welcome all!

Topic: Recruiting

Manu Sporny: https://docs.google.com/document/d/1u0DC4U7jAayv1IvOY2qu7nMRtiFOPxwCT3BkPJek5ho/edit
Manu Sporny: I’ll get a list by EOD to Eric and Richard with W3C members who have not yet responded.
… Last week we had said it might be a better strategy for people to construct their own introductions and try to bring people on board.
… I’d like folks to commit to contact new large W3C members.
Eric Korb: I’ve started on Parchment, but haven’t yet reached out awaiting documentation.
… I wanted to be sure we had an agreed upon common message.
Manu Sporny: We’re backing off on that. There’s the executive summary.
Manu Sporny: Open Credentials Executive Summary: https://docs.google.com/document/d/1Nq543-Am1hQUIZ2hhzAFl8KexvIEBwDDc_f3Ikz1opQ/edit
Manu Sporny: We’re transitioning over to “hard asks”; you should have everything you need to make the initial contact/ask.
Manu Sporny: Eric, I have you against Accreditrust, Credly, Scrip-Safe and Iq4.
… (More discussions of assignments captured in document)
Nate Otto: Discendum Oy
Nate Otto: DigitalME
Manu Sporny: What W3C really wants to know is if new organizations will become members. That’s the main thing they need to see.
… Mozilla is in a strange place; the people at the F2F were pretty much opposed to what we’re doing.
… If David Barron doesn’t feel that Mozilla should be involved, they won’t be.
Nate Otto: They’re involved with the Badge Alliance, though.
… They’re committed to supporting badges going forward.
Manu Sporny: The key would be to get that person from Mozilla involved in the work.
… We’ve been hearing from people not involved in the work at Mozilla speaking out.
Manu Sporny: We have the Merchant Advisory Group that said they’d join. The contact person is from Walmart, which is great.
Brian Sletten: Manu, Is NACS on the list?
Manu Sporny: We have strong connects with NACS, Veriphone, and ???

Received on Tuesday, 30 June 2015 19:36:57 UTC