
Re: [IMPORTANT] Verifiable Claims Task Force Proposal for Monday

From: David Chadwick <d.w.chadwick@kent.ac.uk>
Date: Sat, 21 Nov 2015 22:42:09 +0000
To: public-credentials@w3.org
Message-ID: <5650F341.8010903@kent.ac.uk>

Hi Manu

a couple of comments below

On 21/11/2015 21:57, Manu Sporny wrote:
> Hi all,
> 
> After LOTS of socializing the proposal this week, we seem to have
> general alignment among the various groups involved. Here's the proposal
> as it stands right now:
> 
> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/VerifiableClaimsTaskForce
> 
> The full text is included below for those that would like to respond
> in-line.
> --------------------------------------------------------------------
> 
> Verifiable Claims Task Force PROPOSAL
> 
> Goals
> 
>    Determine if a W3C Working Group should be created to standardize
>    technology around a verifiable claims ecosystem (aka: credentials,
>    attestations).
> 
>    The Task Force will invite a diverse set of participants**1
>    into a neutral group to discuss use cases (such as enrollment) and
>    the problem area in general. The group will document and analyze
>    concerns raised in various fora around the value-add that W3C
>    could provide around verifiable claims that are user-centric.
> 
>    **1 Participants are expected to be invited from organizations like
>    W3C, IETF, IMS Global, claims issuers, identity providers, claims
>    consumers, the Credentials CG, the general public, and a variety
>    of other organizations and individuals that have shown interest in
>    the space.
> 
> Definitions
> 
>      * verifiable claim - a cryptographically non-repudiable set of
>        statements made by an entity about another entity.
>      * user-centric - a system that places people and organizations
>        in the center of an ecosystem. To understand more about this
>        design choice, read about its ramifications in the section
>        titled "User-Centric vs. Service-Centric Architecture".
>      * service-centric - a system that places services in the center
>        of an ecosystem. To understand more about this
>        design choice, read about its ramifications in the section
>        titled "User-Centric vs. Service-Centric Architecture".
> 
> Problem Statement
> 
>    There is currently no widely used user-centric standard for
>    expressing and transacting verifiable claims (aka: credentials,
>    attestations) via the Web. Data has been gathered demonstrating a
>    desire to create such an interoperable ecosystem around the
>    expression and transmission of verifiable claims.
> 
>    These problems exist today:
>      * In existing service-centric architectures, identity services
>        inject themselves into every relationship in the ecosystem.
>        This means users can't easily change their service provider
>        without losing their digital identity. This leads to vendor
>        lock-in, identity fragility, reduced competition in the
>        marketplace, and reduced privacy.
>      * There is no interoperable standard capable of expressing and
>        transmitting rich verifiable claims that cuts across
>        industries (e.g. finance, retail, education, and healthcare).
>        This leads to industry-specific solutions that are costly,
>        inefficient, proprietary, and inhibits users' ability to
>        manage their digital identities in a coherent way.
>      * There is no standard that makes it easy for users to assert
>        their qualifications to a service provider (e.g. I am a
>        citizen of the USA, I am a board-certified doctor, etc.).
> 
> Out of Scope
> 
>    The following items have been identified as out of scope for the
>    Task Force.
>      * Making any decisions on the "correct" set of technologies to
>        use to solve the problem. However, discussion about
>        technologies that exist and how they could be applied to the
>        problem are in scope.
> 
> Stakeholders
> 
>      * Issuers - ETS, Pearson, Walmart, Verisys, Target, NACS, New
>        Zealand Government, Bloomberg, IMS Global member companies
>      * Identity Providers / Identity Vaults - Accreditrust, Verisys,
>        Bill and Melinda Gates Foundation, Deutsche Telekom
>      * Consumers - Walmart, Target, NACS, Bloomberg, New Zealand
>        Government, Education Institutions (IMS Global member
>        companies), Financial Institutions, (customers of Issuers
>        today)

The proposal would benefit from definitions of all the entities that are
involved in the ecosystem.


> 
> Task Force Operation
> 
>    If formed, the WPIG Verifiable Claims Task Force will:
>      * be composed of representatives from the Financial, Education,
>        Healthcare, NGO, and Government sectors
>      * have individual recorded interview calls at times that work
>        for the interviewees
>      * have weekly calls starting on Tuesdays at 11am ET (but could
>        be rescheduled for other times that work better for
>        participants) on a to-be-determined teleconference bridge
>      * work on completing the identified deliverables
>      * report its findings to the WPIG by early February
> 
> Success criteria
> 
>    Either
>      * Clear documentation demonstrating that W3C cannot add value in
>        this area, or
>      * A well-socialized W3C Credentials Working Group charter (and
>        supporting documentation) that would go to a W3C AC vote.
> 
> User-Centric vs. Service-Centric Architecture
> 
>      * A verifiable claims ecosystem that is user-centric has the
>        following attributes:
>           + Users are positioned in the middle between issuers and
>             consumers.
>           + Users receive and store verifiable claims from issuers
>             through an agent that the issuer does not need to trust.
>           + Users provide verifiable claims to consumers through an
>             agent that consumers needn't trust; they only need to
>             trust issuers.

If consumers only need to trust issuers, then how does a consumer trust
that the user/agent presenting the claims is entitled to possess them?
i.e. are you proposing a cash-like (bearer credential) system rather than
a PoP system?

I would much prefer a PoP system, but this implies that the consumer
must have some trust in the user and/or his/her agent.


>           + Verifiable claims are associated with users, not
>             particular services; users can decide how to aggregate
>             claims and manage their own digital identities.

I would say verifiable claims are associated with digital identities,
rather than users since there is an air gap between the human user and
the agent/device that is the digital representation of the user.


>           + Users can control and own their own identifiers.
>           + Users can control which verifiable claims to use and
>             when.
>           + Users may freely choose and swap out the agents they
>             employ to help them manage and share their verifiable
>             claims.

Does this imply it will be pain free? Or instant?
I can freely choose which credit card issuer I use, but it is not pain
free, nor is it instant, nor is it automatic.

regards

David

>           + Does not require users that share verifiable claims to
>             reveal the identity of the consumer to their agent or to
>             issuers.
> 
>      * A verifiable claims ecosystem that is service-centric has
>        the following attributes:
>           + Services are positioned in the middle between issuers,
>             users, and consumers.
>           + Users receive and store verifiable claims from issuers
>             through an agent that the issuer must trust, or they must
>             be the same entity.
>           + Users provide verifiable claims to consumers through an
>             agent that consumers must trust.
>           + Verifiable claims must be associated with services,
>             fracturing a user's digital identity potentially against
>             their desire.
>           + Services control and own their user's identifiers.
>           + User's verifiable claims are locked in agent silos.
>           + Requires users that share verifiable claims to reveal the
>             identity of the consumer to their agent and issuers.
>           + Consumers may have to register with user's agents to
>             consume verifiable claims.
> 
> Deliverables
> 
>      * Recorded interviews around the problem statement with at
>        least: Brad Hill, Dick Hardt, Jeff Hodges, Karen O'Donahue,
>        Harry Halpin
>      * Technology comparisons between at least these existing
>        technologies: OpenID Connect, SAML, Identity Credentials
>      * A Verifiable Claims Use Cases document
>      * A Verifiable Claims Vision document (optional)
> 
>    If W3C can add value in the space, the WPIG will produce:
>      * A widely socialized Verifiable Claims WG charter
>      * A Verifiable Claims Roadmap document (optional)
> 
> Milestones / Timelines
> 
>      * 2015-11 - WPIG - Discussion of Verifiable Claims Task Force
>        Proposal and if all goes well, the creation of the Task Force
>      * 2015-12 - VCTF - Perform background research listed in
>        deliverables
>      * 2016-01 - WPIG - Start drafting charter for feedback, start
>        finalizing input documents to future WG
>      * 2016-02 - WPIG - Publish background research findings,
>        finalize draft charter, finalize input documents
>      * 2016-03 - VCTF/WPIG/CCG - Co-locate face-to-face meeting to
>        discuss path forward (AC review, WG creation, etc.)
> 
> -- manu
> 
Received on Saturday, 21 November 2015 22:42:15 UTC
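
The bearer versus proof-of-possession (PoP) distinction raised in the reply above, as an added example that is not part of the original message or of the proposal. It assumes Ed25519 signatures from Node's built-in `crypto` module, a JSON claim layout, and a consumer-issued challenge; all names, keys and fields are constructed for illustration.

```javascript
const crypto = require('node:crypto');

// Constructed keys: an issuer, the holder's agent, and another party with a copy of the claim.
const issuer = crypto.generateKeyPairSync('ed25519');
const holder = crypto.generateKeyPairSync('ed25519');
const other = crypto.generateKeyPairSync('ed25519');

// Issuer signs the statements; a PoP claim additionally names the holder's public key.
function issueClaim(statements, holderPublicKey) {
  const body = { statements };
  if (holderPublicKey) body.holderKey = holderPublicKey.export({ type: 'spki', format: 'pem' });
  const payload = JSON.stringify(body);
  const issuerSig = crypto.sign(null, Buffer.from(payload), issuer.privateKey).toString('base64');
  return { payload, issuerSig };
}

// The presenting agent signs the consumer's challenge with whatever key it holds.
function present(claim, challenge, privateKey) {
  const proof = crypto.sign(null, Buffer.from(challenge), privateKey).toString('base64');
  return { claim, proof };
}

// Consumer trusts only the issuer's public key; the presenting agent is untrusted.
function verify({ claim, proof }, challenge, requirePop) {
  const sig = Buffer.from(claim.issuerSig, 'base64');
  if (!crypto.verify(null, Buffer.from(claim.payload), issuer.publicKey, sig)) {
    return 'rejected: bad issuer signature';
  }
  const { holderKey } = JSON.parse(claim.payload);
  if (!holderKey) return requirePop ? 'rejected: claim is not bound to a key' : 'accepted: bearer';
  const key = crypto.createPublicKey(holderKey);
  const ok = crypto.verify(null, Buffer.from(challenge), key, Buffer.from(proof, 'base64'));
  return ok ? 'accepted: pop' : 'rejected: presenter lacks the bound key';
}

function demo() {
  const challenge = crypto.randomBytes(16).toString('hex'); // fresh per presentation
  const statements = { boardCertifiedDoctor: true };
  const bearer = issueClaim(statements);
  const bound = issueClaim(statements, holder.publicKey);
  return {
    bearerCopied: verify(present(bearer, challenge, other.privateKey), challenge, false),
    popHolder: verify(present(bound, challenge, holder.privateKey), challenge, true),
    popCopied: verify(present(bound, challenge, other.privateKey), challenge, true),
    popReplayed: verify(present(bound, 'earlier-challenge', holder.privateKey), challenge, true),
  };
}

console.log(demo());
```

In both modes the consumer checks signatures against the issuer's key and a key the issuer vouched for, never against anything the agent asserts about itself; the bearer claim is accepted from whoever holds a copy, while the PoP claim is accepted only with a fresh proof from the bound key.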
