- From: David Chadwick <d.w.chadwick@kent.ac.uk>
- Date: Sat, 21 Nov 2015 22:42:09 +0000
- To: public-credentials@w3.org
Hi Manu

a couple of comments below

On 21/11/2015 21:57, Manu Sporny wrote:
> Hi all,
>
> After LOTS of socializing the proposal this week, we seem to have
> general alignment among the various groups involved. Here's the proposal
> as it stands right now:
>
> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/VerifiableClaimsTaskForce
>
> The full text is included below for those that would like to respond
> in-line.
> --------------------------------------------------------------------
>
> Verifiable Claims Task Force PROPOSAL
>
> Goals
>
> Determine if a W3C Working Group should be created to standardize
> technology around a verifiable claims ecosystem (aka: credentials,
> attestations).
>
> The Task Force will invite a diverse set of participants**1
> into a neutral group to discuss use cases (such as enrollment) and
> the problem area in general. The group will document and analyze
> concerns raised in various fora around the value-add that W3C
> could provide around verifiable claims that are user-centric.
>
> **1 Participants are expected to be invited from organizations like
> W3C, IETF, IMS Global, claims issuers, identity providers, claims
> consumers, the Credentials CG, the general public, and a variety
> of other organizations and individuals that have shown interest in
> the space.
>
> Definitions
>
> * verifiable claim - a cryptographically non-repudiable set of
>   statements made by an entity about another entity.
> * user-centric - a system that places people and organizations
>   in the center of an ecosystem. To understand more about this
>   design choice, read about its ramifications in the section
>   titled "User-Centric vs. Service-Centric Architecture".
> * service-centric - a system that places services in the center
>   of an ecosystem. To understand more about this
>   design choice, read about its ramifications in the section
>   titled "User-Centric vs. Service-Centric Architecture".
>
> Problem Statement
>
> There is currently no widely used user-centric standard for
> expressing and transacting verifiable claims (aka: credentials,
> attestations) via the Web. Data has been gathered demonstrating a
> desire to create such an interoperable ecosystem around the
> expression and transmission of verifiable claims.
>
> These problems exist today:
> * In existing service-centric architectures, identity services
>   inject themselves into every relationship in the ecosystem.
>   This means users can't easily change their service provider
>   without losing their digital identity. This leads to vendor
>   lock-in, identity fragility, reduced competition in the
>   marketplace, and reduced privacy.
> * There is no interoperable standard capable of expressing and
>   transmitting rich verifiable claims that cuts across
>   industries (e.g. finance, retail, education, and healthcare).
>   This leads to industry-specific solutions that are costly,
>   inefficient, proprietary, and inhibits users' ability to
>   manage their digital identities in a coherent way.
> * There is no standard that makes it easy for users to assert
>   their qualifications to a service provider (e.g. I am a
>   citizen of the USA, I am a board-certified doctor, etc.).
>
> Out of Scope
>
> The following items have been identified as out of scope for the
> Task Force.
> * Making any decisions on the "correct" set of technologies to
>   use to solve the problem. However, discussion about
>   technologies that exist and how they could be applied to the
>   problem are in scope.
>
> Stakeholders
>
> * Issuers - ETS, Pearson, Walmart, Verisys, Target, NACS, New
>   Zealand Government, Bloomberg, IMS Global member companies
> * Identity Providers / Identity Vaults - Accreditrust, Verisys,
>   Bill and Melinda Gates Foundation, Deutsche Telekom,
> * Consumers - Walmart, Target, NACS, Bloomberg, New Zealand
>   Government, Education Institutions (IMS Global member
>   companies), Financial Institutions, (customers of Issuers
>   today)

The proposal would benefit from definitions of all the entities that
are involved in the eco-system

>
> Task Force Operation
>
> If formed, the WPIG Verifiable Claims Task Force will:
> * be composed of representatives from the Financial, Education,
>   Healthcare, NGO, and Government sectors
> * have individual recorded interview calls at times that work
>   for the interviewees
> * have weekly calls starting on Tuesdays at 11am ET (but could
>   be rescheduled for other times that work better for
>   participants) on a to-be-determined teleconference bridge
> * work on completing the identified deliverables
> * will report its findings to the WPIG by early February
>
> Success criteria
>
> Either
> * Clear documentation demonstrating that W3C cannot add value in
>   this area, or
> * A well-socialized W3C Credentials Working Group charter (and
>   supporting documentation) that would go to a W3C AC vote.
>
> User-Centric vs. Service-Centric Architecture
>
> * A verifiable claims ecosystem that is [26]user-centric has the
>   following attributes:
>    + Users are positioned in the middle between issuers and
>      consumers.
>    + Users receive and store verifiable claims from issuers
>      through an agent that the issuer does not need to trust.
>    + Users provide verifiable claims to consumers through an
>      agent that consumers needn't trust; they only need to
>      trust issuers.

If consumers only need to trust issuers, then how does a consumer trust
that the user/agent presenting the claims is entitled to possess them?
i.e. are you proposing a cash-like (bearer credential) system rather
than a PoP system? I would much prefer a PoP system, but this implies
that the consumer must have some trust in the user and/or his/her agent.

>    + Verifiable claims are associated with users, not
>      particular services; users can decide how to aggregate
>      claims and manage their own digital identities.

I would say verifiable claims are associated with digital identities,
rather than users since there is an air gap between the human user and
the agent/device that is the digital representation of the user.

>    + Users can control and own their own identifiers.
>    + Users can control which verifiable claims to use and
>      when.
>    + Users may freely choose and swap out the agents they
>      employ to help them manage and share their verifiable
>      claims.

Does this imply it will be pain free? Or instant? I can freely choose
which credit card issuer I use, but it is not pain free, nor is it
instant, nor is it automatic.

regards

David

>    + Does not require users that share verifiable claims to
>      reveal the identity of the consumer to their agent or to
>      issuers.
>
> * A verifiable claims ecosystem that is [27]service-centric has
>   the following attributes:
>    + Services are positioned in the middle between issuers,
>      users, and consumers.
>    + Users receive and store verifiable claims from issuers
>      through an agent that the issuer must trust, or they must
>      be the same entity.
>    + Users provide verifiable claims to consumers through an
>      agent that consumers must trust.
>    + Verifiable claims must be associated with services,
>      fracturing a user's digital identity potentially against
>      their desire.
>    + Services control and own their user's identifiers.
>    + User's verifiable claims are locked in agent silos.
>    + Requires users that share verifiable claims to reveal the
>      identity of the consumer to their agent and issuers.
>    + Consumers may have to register with user's agents to
>      consume verifiable claims.
>
> Deliverables
>
> * Recorded interviews around the problem statement with at
>   least: Brad Hill, Dick Hardt, Jeff Hodges, Karen O'Donahue,
>   Harry Halpin
> * Technology comparisons between at least these existing
>   technologies: OpenID Connect, SAML, Identity Credentials
> * A Verifiable Claims Use Cases document
> * A Verifiable Claims Vision document (optional)
>
> If W3C can add value in the space, the WPIG will produce:
> * A widely socialized Verifiable Claims WG charter
> * A Verifiable Claims Roadmap document (optional)
>
> Milestones / Timelines
>
> * 2015-11 - WPIG - Discussion of Verifiable Claims Task Force
>   Proposal and if all goes well, the creation of the Task Force
> * 2015-12 - VCTF - Perform background research listed in
>   deliverables
> * 2016-01 - WPIG - Start drafting charter for feedback, start
>   finalizing input documents to future WG
> * 2016-02 - WPIG - Publish background research findings,
>   finalize draft charter, finalize input documents
> * 2016-03 - VCTF/WPIG/CCG - Co-locate face-to-face meeting to
>   discuss path forward (AC review, WG creation, etc.)
>
> -- manu
>
Received on Saturday, 21 November 2015 22:42:15 UTC