Credentials CG Telecon Minutes for 2015-11-10

Thanks to Dave Longley for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2015-11-10/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-11-10

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2015Nov/0014.html
Topics:
  1. Credentials Task Force in WPIG Update
  2. Tasks for Credentials CG
  3. Linked Data Fast Track WG Update
Organizer:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Manu Sporny, Henry Story, Laura Fowler, Rebecca 
  Simmons, Brian Sletten, Gregg Kellogg, Nate Otto, Eric Korb, John 
  Tibbetts, Chris Webber
Audio:
  http://opencreds.org/minutes/2015-11-10/audio.ogg

Dave Longley is scribing.
Manu Sporny:  Last week we talked about what happened at W3C 
  TPAC. The good news is that the Web Payments IG wants to do 
  something around Credentials; we're trying to figure out where to 
  do the work and where to write the charter and tie up loose ends.
Manu Sporny:  There's an action item on me to propose a way 
  forward for Credentials at W3C. We made a proposal; it had mixed 
  feedback. We'll discuss that. We'll also be assigning tasks to 
  folks. We'll give an update on our discussion with the SoLiD team 
  as well. We chatted a bit with TimBL on the HTTP signatures stuff 
  as well.
Henry Story: Ah cool, interested about hearing the discussion on 
  SoLiD
Manu Sporny:  Anything else we need to cover today?

Topic: Credentials Task Force in WPIG Update

Manu Sporny: 
  https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials
Manu Sporny:  We have made some modifications to the proposal as 
  a result of the call yesterday. I'll review what was proposed and 
  then talk next steps.
Manu Sporny:  The goal is to determine whether or not a W3C 
  Working Group should be created. The outcome of this task force 
  will either be a charter for the W3C members to vote on to start 
  the work or it's going to be a finding that we should not do the 
  work at W3C. Clearly, the people in this group would like to see 
  it started at W3C. There are some other people who feel the world 
  isn't ready to see this work start.
Manu Sporny:  A lot of the proposal is based on the survey we 
  did. 58 orgs filled it out; how they view a proper credential 
  ecosystem. We had them rate capabilities. We kept it data driven 
  and so it was difficult for people who are against the work to 
  argue against.
Manu Sporny: 
  https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials#Concerns
Manu Sporny:  There were a number of concerns that were raised. 
  The concerns were added to the wiki.
Manu Sporny:  Some of those concerns are questions we need to 
  answer. Some of them we are in no position to answer. "What is 
  the jurisdictional scope of a credential and how are they 
  regulated?" Way too early to answer but it was raised as a 
  question to answer at some point.
Manu Sporny:  In general, the IG said "Yes, we should do 
  something about this and this proposal isn't offbase." Only +1's 
  to say we should proceed with the work. The pushback was where 
  the work would happen.
Manu Sporny:  The proposal was that this group (this CG) would 
  just shift gears and work on the questions.
Manu Sporny:  There was almost immediate objection to that. 
  Because there are people (some of whom we know, and some of whom 
  we don't know) that feel that we don't have a neutral forum here. 
  Meaning, we've worked on technology like the Open Badges stuff, 
  technical implementations have been discussed and because of 
  that, this group isn't neutral.
Henry Story: Argh.
Manu Sporny:  A request was made for another group to be made 
  that can't talk about the technology; and only talk about 
  capabilities.
Manu Sporny:  Speaking as an individual, this is fantastically 
  frustrating because we strive to be very neutral in this group 
  and have a good track record of doing so. This group started out 
  with use cases and no particular technology focus. We had two 
  input specs. We didn't have a strong technical view, etc. We did 
  discussions, found data, worked from there. There are people 
  saying (again, people we don't know who they are) that we aren't 
  neutral and that they weren't involved. These people didn't join 
  the work a year or so ago but now they are saying that their 
  views weren't taken into account. We have identified a number of 
  people that we *do* know and we've been talking with them and 
  asking them to discuss things with us and that's great and is not 
  an issue. The problem is the people who are only talking through 
  W3C staff and we can't talk to them directly ... and the only 
  solution seems to be creating a new group that is filled with the 
  same people in this group, plus a few more, and that can't talk 
  about technology solutions.
Manu Sporny:  Please provide your input ... do you support a new 
  Community Group focused only on capabilities and writing, no 
  tech, etc. We need to hear opinions from this group.
Henry Story:  If I look at the Linked Data Protocol group, which 
  was headed by IBM. They had implementations, they had a lot of 
  people, they had narrowed down the technology and the specifics 
  and a proposal put forward. This seems suspicious to me; I don't 
  know the process all that much, but it seems a bit weird.
Henry Story:  I'd like to speak with Arnaud and see what he said. 
  I think you just need 20 members or some percentage to get people 
  on board. The danger is if you get too many people on board then 
  it's too general and becomes hard to succeed. That's me from an 
  outsider's perspective.
Henry Story:  You have more understanding, Manu, of the politics.
Manu Sporny:  I think you're right in that it's strange. I think 
  there's a fair degree of misunderstanding. There is a mismatch 
  between what we're trying to do and what people think we're doing 
  here. Let me try and draw where the various points of confusion 
  are. I think there's a misunderstanding on what we're working on. 
  Like we're working on authentication protocols like FIDO. We're 
  absolutely not doing that here. The tech we're using here could 
  be used with authentication but that's not what we're primarily 
  pushing here.
Manu Sporny:  So there's confusion and objection over that.
Manu Sporny:  There's also confusion over where this group 
  started. This group started with "we need to have verifiable 
  claims/attributes" and we called them credentials and we were 
  open to anyone to come and discuss at length.
Manu Sporny:  I think one problem is that there is some work 
  going on at IETF that is similar; that group had already started 
  and was already chartered and once chartered they really push their 
  world view. For example JOSE. There's nothing wrong with that; 
  there's a good technical implementation that fits their use 
  cases. But their use cases aren't our use cases. And some people 
  looked at this work and thought "nothing needs to be done." Now a 
  year later, we have another group at W3C backing doing work 
  with Credentials. Now that other group is objecting because there 
  would be two technical specs that conflict with one another. 
  There are some things in common but I think the OpenID Connect, 
  OAuth, IETF folks think there is more overlap than there is. For 
  example, with the digital signature stuff, the JOSE folks are 
  looking at that and saying "The Open Credentials folks are coming 
  up with a new signature format" but they don't understand Linked 
  Data; they aren't looking at the technology and they are just 
  saying "We should just try to use their stuff before doing 
  something new" without understanding that we already tried that. 
  The mistake we made was not better documenting that effort.
Manu Sporny:  There are a couple of places where there is 
  confusion: authentication vs. authorization, etc. and there are 
  objections that our group is trying to do something that has been 
  done before. There are people that don't understand the 
  technology and some say we need to slow the process so people can 
  understand that.
Henry Story: Yep makes sense
Manu Sporny:  I think those are the politics being played but I 
  don't think any of it is mean spirited, I just think it's people 
  who aren't familiar with the work we're trying to do and jumping 
  to conclusions. And then those people talk to W3C staff and say 
  "You are on the brink of doing work that's being done elsewhere" 
  And W3C doesn't want to do that and says we need to document 
  what's different.
Rebecca Simmons:  What you said makes sense, but as an outsider 
  it's hard to say what needs to be done.
Henry Story: It would be interesting to have a document to show 
  how what you are doing goes beyond jose, for example.
Manu Sporny:  If we can answer all of the criticisms and make 
  everyone happy then we can create a charter and go forward with 
  the work.
Henry Story: I have some ideas, of how it goes beyond, but it is 
  interesting to know it.
Brian Sletten: If we create a new CG, what's to stop them from 
  throwing up obstacles to that CG?
Manu Sporny:  One primary question for this group: Do we want to 
  push back and say "This CG you are proposing is the same thing 
  we've already done. We'd rather have the people who are objecting 
  make themselves known and join us and have the discussion in 
  public." The other choice is "We'll create a new CG that doesn't 
  talk technology at all and just talks capabilities and that group 
  is going to go out and focus these people who are having issues 
  and document their objections."
Manu Sporny:  Or there might be another option? Thoughts from the 
  group?
Gregg Kellogg:  It seems clear that this is just a mechanism to 
  push through their own agenda to overwhelm a new group. Even 
  though technology discussions are off the table there I can see 
  how it would be phrased to push one tech over another. It seems 
  like a big scheme to me. I do think that the work we've done over 
  the last year is exactly what a new group would do. I'd like to 
  know what would be in front of a new CG that would be different 
  that might then lead to a different outcome; otherwise it's a lot 
  of wasted effort of a lot of people's time for no good reason 
  other than to satisfy a powerful minority that seems frustrated.
Henry Story: That makes sense to try to find out what these 
  people want.
Manu Sporny:  To go back to Henry's point, you only need 20-25 
  member companies to say this work should start; but that is only 
  after getting W3C Management approval. They have to agree there 
  is consensus around what to work on. Right now ... I thought it 
  was there, positive feedback from CEO and some staff contacts, 
  but the person in charge of making the decision is unconvinced. 
  We want to reach out to that person to find out what would 
  convince them. I believe it's down to one person that is holding 
  the process up.
Manu Sporny:  I think the general point that the W3C staff 
  members in the IG were making was that, "yes, we realize that 
  this is somewhat annoying, but you need to create a neutral 
  playing field. If a group of people are saying there isn't a 
  neutral field, you need to create one so they'll come in." One 
  proposal is to create a new CG with the same calls and time as 
  this one (just replace it) but tightly focus that group around 
  the creation of a charter and answering the questions around what 
  needs to be done.
Manu Sporny:  So there are maybe 8 people, at most, that we need 
  to interview. We can say it has to be on the record and public on 
  what needs to be done. Once we get all those interviews out of 
  the way, we will clear those interviews with the W3C staff who 
  are saying people are objecting; we'll get a list from them and 
  interview those people, clearly document those concerns, etc. and 
  then hope that the argument that those people feel they aren't 
  being heard is addressed.
Manu Sporny:  The other approach is that we have way more than 20 
  orgs that want to start this work.
Manu Sporny:  We could, instead, say "If you want something 
  else done, you have to propose something. Everyone can't just 
  stop because someone feels there's some nebulous better solution 
  out there... if you feel it's out there, propose it so the group 
  can talk about it."
Dave Longley:  It would be an option to invite them to this 
  group. I know they don't think this group is a natural fit. We're 
  going to bring together the same group of people w/ other people. 
  Could we invite them specifically? [scribe assist by Manu Sporny]
Dave Longley:  Make it a more formal invitation to those that 
  have concerns - we want them to talk about concerns - we want 
  this to be a neutral group. [scribe assist by Manu Sporny]
Manu Sporny:  I proposed that and they said "It doesn't matter, 
  they don't think you have a neutral group so they won't 
  participate."
Manu Sporny:  So we could say "ok, fine, people seem to think 
  this isn't a neutral group, so let's just create a new group." 
  But we'd have all the same people like you said, with a new group 
  name. We'd just be going through new mailing list and set up and 
  all that.
Manu Sporny:  I believe that the W3C staff wants to hear from the 
  rest of this group. If they don't hear from the rest of the 
  people in this CG, and no one else speaks up, their counter 
  argument is going to be that it's just Digital Bazaar's opinion, 
  not the group's.
Manu Sporny:  Gregg and Henry spoke up but we need more people to 
  voice their opinions on where they want this group to go.
Manu Sporny:  If we say people can just join this group the 
  counter argument will be that they won't join because it's not a 
  neutral group. If we have people in this group clearly saying we 
  should either "Create a new group" or "No, same people would 
  join."
Nate Otto: Without all the context, I think creating a new group 
  would be more work for uncertain gains.
Brian Sletten:  If we create a new group and they don't come ... 
  procedurally what is our response? At some point they are just 
  doing a denial of service attack.
Eric Korb: Why is the onus on us to do this work? How do we 
  substantiate their claims?
Manu Sporny:  Procedurally, we'd have to write a new charter, get 
  approval of the charter, create the group via W3C CG process, 
  create new mailing list, new IRC channel, etc. About a week. Once 
  we do all that it would be all of us on the call again, but 
  hopefully 4-5 more people.
Brian Sletten:  If they still don't show up, what then?
Manu Sporny:  It helps if we can say there are some folks in the 
  group that believe this won't help.
Brian Sletten:  At some point you need to be out in the open, you 
  can't just hide behind anonymity and try to stop work that other 
  people are working on.
John Tibbetts:  We've done a lot of homework over the last few 
  years and months, including the survey. It's time to start 
  talking about the technology issues. Talking about the technology 
  helps you think about the problem; it's time to be doing that. I 
  think we need to push back on that.
John Tibbetts:  We need to get on with it.
Eric Korb: So, let's object to their work!
Manu Sporny:  Eric asks "How do we substantiate their claims?" 
  This is asymmetric. We do a lot of work to answer a concern and 
  then there's an objection that says "No you didn't cover this 
  other thing." This is coming from someone who cares about 
  privacy/security, which is good, but they don't have a company 
  that depends on the tech, they aren't going to deploy it, etc -- 
  lower priority. One of the problems with that is that we went out 
  and documented a bunch of the stuff we've been saying here in 
  this group and doing an enormous amount of work which has moved 
  things forward a bit, but not far enough. The onus is on us 
  because we want to do something; all anyone else has to do is 
  just object. One reason the onus has continued to be on us is 
  because we've been very receptive to questions and concerns of 
  people outside this group. It is getting to the point where we're 
  wondering when we've done enough work.
Manu Sporny:  Eric, we can't object to their work because some of 
  them aren't doing any, and others of them aren't working on the 
  problems we're working on. They are just objecting to our work 
  because they think we're working on the same stuff, but we're 
  not.
Nate Otto: I have found this group to have some members who have 
  clear ideas about a technical direction to proceed in, but that 
  those people are very open to making sure that we are building 
  the right technology and formulating our use cases properly. We 
  hope this effort moves forward. (Nate Otto, Director, Badge 
  Alliance)
Eric Korb: Manu, thx
Manu Sporny:  The only work out there to "object" to would be 
  things like OpenID Connect/OAuth/SAML/etc, but we don't even 
  necessarily object to those technologies, some of them may work 
  for their use cases, etc -- this again has to do with the 
  misunderstandings. SAML and OpenID Connect don't work for our 
  use cases, and that's the issue. There is work we're doing like 
  the expression of a digital credential, there is no work out 
  there that is as extensive as we've done. There are things like 
  "here's how you can express an email address or a name" but 
  there's no work about cryptographically verifiable claims like 
  education credentials, doctor's licenses, where people work, etc. 
  That is being proposed/created by this group.
Chris Webber: So I'll speak up mainly so that I am on the record. 
  For me, this work is very important because in order to really 
  see federation succeed, I think we need to have clear 
  authorization systems and methods of verifying that communication 
  has come from one place to another.  We've already seen this in 
  the ActivityPump spec, where we are basically forced to keep 
  record of conversation forever in order so that clients can 
  verify its source.
Chris Webber: This is bad if you are concerned with privacy.
Henry Story: Though you need to be careful about authorization.
Eric Korb: +1 Nate
Chris Webber: Right
Chris Webber: Authentication and credentials are one of the 
  notoriously hardest parts to get working right in federated 
  systems.  I have a lot of confidence in the members of this group 
  to think things through well.
Manu Sporny:  So I'm going to play devil's advocate here; W3C 
  staff would channel these other people and say "Yes, but, you 
  need a clear set of use cases and you need buy in around that set 
  of use cases and you need to talk about capabilities before you 
  talk about specs or anything of that nature."
Manu Sporny:  I can take the minutes from today and push back. 
  The group can say "We'd like to just do the interviews in the 
  group and talk about it with them."
Manu Sporny:  It seems like there is consensus around the group 
  that "creating a new CG wouldn't address the issues". People feel 
  that they aren't being heard so let's bring them in and listen to 
  them and write down those concerns... and maybe from that we can 
  figure out if people think they are being heard or if we need a 
  new group.
Eric Korb: +1 Chris
Manu Sporny:  I think we have high attendance in these calls 
  because we've really tried to be open and transparent.
Dave Longley:  I second the notion to figure out if the group is 
  neutral - why don't people come to the group and receive their 
  concerns - why don't we just try that instead of assuming this 
  group is not neutral. They should come and try out the group - 
  that hasn't even happened yet. The people that have these 
  concerns haven't even come to the group to try it out. Let's give 
  it a shot. If a new group needs to be created, so be it. [scribe 
  assist by Manu Sporny]
Dave Longley:  I would expect that we'd give them a warm welcome 
  and address their concerns. [scribe assist by Manu Sporny]
Eric Korb: +1 Dlongley
Henry Story: +1 I agree. I am new to the group, and it feels very 
  friendly here.
Manu Sporny:  So I think consensus is that we should invite 
  people who have concerns and we can spend 30 mins to 1 hour with 
  them and clearly document their concerns and how they'd like to 
  proceed. Once we've done that, we could talk to them and ask if 
  they feel that they are being listened to.
Chris Webber: Yes, I've experienced a lot of patience and 
  thoughtful consideration with my questions here :)
Manu Sporny:  Then we can see where we are at that point. So 
  let's not start a new group and instead invite people here and 
  see what they have to say and we'll document and circle back 
  around and see if they feel heard. If they are, there's no need 
  to create a new group.
John Tibbetts: I support the work in this group because it takes 
  a higher-level semantic viewpoint for web security; that is, a 
  concept of credential, rather than just focussing on the 
  lower-level flows and protocols...This is what we need for the 
  more semantically rich credentials to support something like an 
  electronic transcript.  John Tibbetts, IMS Global Chief Product 
  Architect.
Dave Longley:  +1 To that proposal
Henry Story: And I think the other is to speak about the size of 
  the members support
Brian Sletten:  I think the other part of the response would be 
  to just find out what the exact objections are that are keeping 
  us from moving forward. If they don't act in good faith, what is 
  our recourse?
Henry Story: ( I don't actually know how big the support is being 
  new to this group )
Manu Sporny:  Yes, to get that before we proceed. We want it to 
  be clear to us that we aren't wasting our time and so it's clear 
  to the others what is happening if they don't participate in the 
  discussion.
Manu Sporny:  Eric, if they don't show, we need to clearly 
  negotiate what happens in that case. I'm going to strongly assert 
  that the work should not stop if they don't show. We've got a 
  number of people around the table that want the work to proceed; 
  we don't want it held hostage by people who won't discuss.
Eric Korb: As CEO of Accreditrust, I echo Nate Otto's comments, 
  "I have found this group to have some members who have clear 
  ideas about a technical direction to proceed in, but that those 
  people are very open to making sure that we are building the 
  right technology and formulating our use cases properly."
Manu Sporny:  There's already enough member support to approve a 
  charter and the hope is that it's growing.
Manu Sporny:  We have 44 organizations saying "Yes, we want this 
  problem solved", 17 of them are W3C members, 7 of them are 
  non-members that would join, and 16 of them are sitting on the 
  fence.
Eric Korb: I also support the opinions of JohnTib, "I support the 
  work in this group because it takes a higher-level semantic 
  viewpoint for web security; that is, a concept of credential, 
  rather than just focussing on the lower-level flows and 
  protocols...This is what we need for the more semantically rich 
  credentials to support something like an electronic transcript."
Manu Sporny:  I'm going to take what has been said in the call 
  today back to W3C staff. Say that the group would like to start 
  by interviewing all these folks that have not been necessarily 
  supportive/critical of the work, etc and get all their thoughts 
  down. And that specifically that we feel that creating a new 
  group is unnecessary; that this is an open forum. People and 
  their orgs can come in and we can document their concerns.

Topic: Tasks for Credentials CG

Manu Sporny: https://github.com/opencreds/website/issues/14
Manu Sporny:  The more people we have on these tasks and the 
  faster we can get the list done the faster we can get to a 
  charter for a WG. A lot of this is documentation work. We need to 
  explain our thinking around each one of these items. Will anyone 
  volunteer for what's on that list?
Brian Sletten:  What's the time frame?
Nate Otto: I can put some time in... looking
Manu Sporny:  ASAP. If we can get it all done in 4 months, we can 
  potentially get a group started then. If it's 8 months, it's that 
  long.
Henry Story: My guess is that January would be the fastest any 
  work can be done.
Manu Sporny:  If you say, for example, say you sign up for 
  "Create a comparison between Identity Credentials and OpenID 
  Connect" then you'd write a paper/blog post on that.
Brian Sletten:  I'll commit to a couple of them.
Nate Otto: I can do one or two of the comparison blog posts at 
  least.
Manu Sporny:  Just tell me offline what you're signing up for and 
  I'll put your name beside it.
Henry Story: I am still too new to this work, but I'll be 
  interested to review
Eric Korb: I updated doc
Nate Otto:  I can do both SAML and OpenID Connect.

Topic: Linked Data Fast Track WG Update

Manu Sporny:  We demo'd the credentials work to Sir Tim 
  Berners-Lee's team at MIT. I know Henry is involved with that team as 
  well. There is consensus to coordinate on RDF Dataset 
  Normalization and Linked Data Signatures. I had a fairly in depth 
  conversation with Tim about that. Right now there is a fast track 
  proposal for the RDF Dataset Normalization work. We will work on 
  a charter and still need 20 votes, but believe we can do it. 
  There's no one pushing back, it's just a matter of writing the 
  charter, get feedback, and then put in front of W3C staff and 
  then membership for a vote.
Manu Sporny:  Any other concerns/comments on the direction we're 
  taking over the next week or so?
Henry Story: Is that Linked Data Fast Track _Platform_ or  just 
  Linked Data Fast Track?
None
Manu Sporny: Henry, it's really "Specification Fast Track" - one 
  of the first specs might be the RDF Dataset Normalization spec.
Henry Story: What is the Fast track thing? Is it to do with LDP 
  or with Linked Data?
Henry Story: Ah cool
Manu Sporny: It's to do w/ general W3C process. A number of the 
  member companies at W3C TPAC this year were trying to figure out 
  a way to get a spec to REC faster than the 4+ year process it 
  takes.
Manu Sporny: JSON-LD made it through in 2 years.
Manu Sporny: I think they're trying to speed it up to 1 year now.
Henry Story: Btw. does your normalisation algorithm allow me to 
  normalise rdf to disk, so as to minimize differences when someone 
  edits a file?
Manu Sporny: The idea is that you start at CR (if you have a 
  fully baked spec, at least two implementations, and a test suite)
Henry Story: Nice
Henry Story: And here they want to do PATCH too?
Manu Sporny: The normalization algorithm that dlongley created 
  does enable you to normalize RDF to disk
Manu Sporny: PATCH may be in a different fast track group
Manu Sporny: We're trying to focus on something that has an 
  almost guaranteed chance of success.
Henry Story: Yes. makes sense.
Manu Sporny: There are some that are saying that LD Patch isn't 
  ready
Manu Sporny: I don't think anyone is saying RDF Dataset 
  Normalization isn't ready.
Manu Sporny: We're just trying to reduce the number of variables 
  that might create failure.
Henry Story: ( I can imagine that it can be complex as new 
  mathematical algorithms come out )
Manu Sporny: There are improvements that could be made (for 
  example, memory consumption w/ large bnode graphs), but we have 
  to cut version 1.0 at some point.
Manu Sporny: And the solutions that the algorithm creates aren't 
  wrong, we just need to seek if we have consensus since a 
  standardized solution doesn't exist right now.

Received on Tuesday, 10 November 2015 18:25:33 UTC