Re: Verifiable Claims Telecon Minutes for 2016-04-19 from Anders Rundgren on 2016-04-20 (public-credentials@w3.org from April 2016)

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 20 Apr 2016 19:31:14 +0200
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Kaspar Korjus <Kaspar.Korjus@eas.ee>, "msporny@digitalbazaar.com" <msporny@digitalbazaar.com>, Credentials CG <public-credentials@w3.org>
Message-ID: <5717BCE2.1040002@gmail.com>
On 2016-04-20 18:40, Adrian Hope-Bailie wrote:
>
>
> On 20 April 2016 at 17:56, Anders Rundgren <anders.rundgren.net@gmail.com <mailto:anders.rundgren.net@gmail.com>> wrote:
>
>     On 2016-04-20 08:51, Kaspar Korjus wrote:
>     Hi Kaspar,
>
>     A problem with Estonia's eID system is that it builds on non-standard solutions and will most likely cease to work in the future (which happened with the previous solution which was built on now deprecated/outlawed technology).
>
>
> That's a fantastically bold statement!

The support for eID has been discussed in great length in TAG and Web Security IG.  I can't repeat all of that but the core is that using the same identity to X numbers of unrelated domains is considered an unacceptable invasion of privacy.

The recommendation by Google and Facebook is using FIDO alliance technologies which has rather little to do with current eIDs.

>
> What non-standard solutions are you referring to Anders?

Since eID and tons of other applications need to do things (like signatures) that are not natively supported by browsers, the eID implementers are playing with various tricks to extend browsers, none which is considered as standard.  "localhost" service is one solution which though also is under reconsideration by the browser vendors since this can be used for mounting attacks.  Native Messaging as featured in Chrome is another such method which Google wants to remove and Estonia's eID currently uses.

>
>     Your eID colleges in Sweden have therefore left the Web due to the lack of eID support in browsers.
>
>
> And have adopted what? Some non-Web but still open and neutral standard?

They have turned to "Apps" using proprietary solutions which they have control of.
These solutions are less than optional but they work and are extensively used.

I have worked with eID solutions for almost 20 years.

Anders

>
>
>     There is no project in W3C for making eIDs first-class citizens on the Web.
>
>
>     Anders
>
>>     Dear all,
>>
>>     Thank you for the call and the possibility to introduce myself.
>>
>>     Steven, regarding your comments about Google and MDFT blocks etc.. I would like to say a few supportive comments on the things you're building.
>>
>>     Estonia was facing the same challenges 20 years ago and obviously these changes didn’t go through easily. We had to change many laws before this really worked out. For example, Digital Signatures Act enforcing in year 2000 to establish PKI infrastructure and to make digital signatures equal to handwritten signatures; Identity Documents Act enforcing in 2002 making digital identities mandatory for every citizen; also ´data once` principle; a lot about making the platform transparent and making the user the owner of the data (e.g. every person can track who has accessed their data); also, legislation which strictly regulates the misuse of the data; etc. All of this has made us, the citizens, really trust the system, platform and the government, and we can't imagine the life without being fully digital anymore.
>>
>>     Similarly, Estonian ex-PM is, Mr Andrus Ansip, being VP of Digital Single Market on the European Commission, pushes rather similar steps in the Europe. Obviously it's challenging but the progress with regulations, including eIDAs, and yesterday's announcement of 50 billion budget (http://ec.europa.eu/news/2016/04/20160419_en.htm) looks pretty promising.
>>
>>     Also, this e-residents today need some kind of Verifiable Claims platform. I'm here to learn more about it, but if it would work out, we could give you pretty cool use case as the first government who has fully implemented the platform for not only its own citizens but for everybody, internationally. Without any standards, we would start developing something ourselves within a month time, and similarly would do other countries nearby. Eventually it would end up as ugly again as it is today with the digital EU market.
>>
>>     So, being young and naïve, I can't see any other way around it and I can't see Google's and Microsoft's blocking would stop at least the EU to follow this path.
>>
>>     Kaspar Korjus
>>
>>     e-Residency Managing Director
>>
>>     Enterprise Estonia
>>
>>     mobile: +372 59192446 <tel:%2B372%2059192446>
>>
>>     e-mail: kaspar.korjus@eas.ee <mailto:kaspar.korjus@eas.ee>
>>
>>     Skype: kaspar.korjus
>>
>>     WWW: e-resident.gov.ee <http://e-resident.gov.ee>
>>
>>     -----Original Message-----
>>     From: Steven Rowat [mailto:steven_rowat@sunshine.net]
>>     Sent: Tuesday, April 19, 2016 10:29 PM
>>     To: msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com>; Web Payments IG <public-webpayments-ig@w3.org> <mailto:public-webpayments-ig@w3.org>; Credentials CG <public-credentials@w3.org> <mailto:public-credentials@w3.org>
>>     Subject: Re: Verifiable Claims Telecon Minutes for 2016-04-19
>>
>>     On 4/19/16 10:12 AM, <mailto:msporny@digitalbazaar.com>msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com> wrote:
>>
>>     > Use cases doc is suffering from
>>
>>     >    lack of reviews.
>>
>>     I don't know if others felt the same, but I took a step back after Manu's report of what happened in the blocking/bifurcation of the Web Payments work. My own reasoning was that if this work is not going anywhere (if fully blocked by Google and MSFT, in other words) then my time would be better spent elsewhere. That's a difficult call to make though.
>>
>>     New explanations from this Telecon Minutes, combined with knowing about the UN identify conferences (the UNCITRAL April and the UN May) about identity, seem considerably more hopeful -- even if W3C doesn't use it, it seems like it may make its way to wherever it is most needed.
>>
>>     So one housekeeping question: I didn't see a link to the use-cases in the Telecon Minutes. I attempted to use links I had to get to the 'current' Use-cases draft, and got confused. I want to be sure I'm looking at the right one.
>>
>>     The link I had was for February 29, and it's long and I suspect has been amended:
>>
>>     http://opencreds.org/specs/source/use-cases/
>>
>>     So I clicked on the 'current draft' link at the top, and my browser complained that there was no security certificate (expired):
>>
>>     https://opencreds.org/specs/source/use-cases
>>
>>     So then I did a Google search for the use cases and got to this, April
>>
>>     12th:
>>
>>     http://w3c.github.io/webpayments-ig/VCTF/use-cases/
>>
>>     Is that correct? This is the one to review?
>>
>>     I also know that Shane spoke of preparing (has prepared?) a separate 'extended' use-cases document. Is that also to be looked at? (And, to be clear, the one above on April 12 isn't that one?)
>>
>>     Steven
>>
>>     >
>>
>>     >
>>
>>     >
>>
>>     >
>>
>>     >
>>
>
>
Received on Wednesday, 20 April 2016 17:31:47 UTC