RE: Verifiable Claims Telecon Minutes for 2016-04-19 from Kaspar Korjus on 2016-04-21 (public-credentials@w3.org from April 2016)

From: Kaspar Korjus <Kaspar.Korjus@eas.ee>
Date: Thu, 21 Apr 2016 06:59:10 +0000
To: Anders Rundgren <anders.rundgren.net@gmail.com>, Adrian Hope-Bailie <adrian@hopebailie.com>
CC: "msporny@digitalbazaar.com" <msporny@digitalbazaar.com>, Credentials CG <public-credentials@w3.org>
Message-ID: <0956b037000d40f4944a1f9dbc17db8e@Ex13-2.eia.local>
Dear all, dear Anders,

True, I haven’t worked with eID solutions for 20 years, I have just lived in a fully digital society in 20 years. Last four times I voted in local elections while I was not being in Estonia; I just called my doctor to get e-prescription against my spring allergy as this year its very strong; last week I declared my taxes using my mobile phone at my summer house within 25 seconds; today I digitally signed a new contract while sitting in a lobby in Vienna, and I could continue with thousands of other use cases. It just works. These PKI and eID platforms are of course now been implemented in various other countries also, including Finland, Namibia, Palestine, Azerbaijan. And the new reality is that today 127 different nationalities use the same platform for everyday and business life https://app.cyfe.com/dashboards/195223/5587fe4e52036102283711615553. So, perhaps I would be more careful with these bold statements what is going to cease or not in the future.

Actually, just yesterday UNESCAP published an article how this platform can be a real enabler for Asia-Pacific countries and citizens to have equal lives and digital rights internationally http://www.unescap.org/resources/trade-digital-age-can-e-residency-be-enabler-asia-pacific-developing-countries-trade.


However, perhaps a bit lost in translation, but all I was saying in my last e-mail was standards about Verifiable Claims platform. People need it, and companies need it. Companies such as Nasdaq who are now integrating eID with their services (http://www.nasdaq.com/press-release/nasdaqs-blockchain-technology-to-transform-the-republic-of-estonias-eresidency-shareholder-20160212-00058) need to have transparent platform which would enable users to stay owners of their own data but the same time access all the necessary data for KYC/AML and for other purposes. And as I was saying, it would be just nice to have some standards as I’m going to develop that platform soon anyway.

Kaspar Korjus
e-Residency Managing Director
Enterprise Estonia
mobile: +372 59192446
e-mail: kaspar.korjus@eas.ee
Skype: kaspar.korjus
WWW: e-resident.gov.ee




From: Anders Rundgren [mailto:anders.rundgren.net@gmail.com]
Sent: Wednesday, April 20, 2016 8:31 PM
To: Adrian Hope-Bailie <adrian@hopebailie.com>
Cc: Kaspar Korjus <Kaspar.Korjus@eas.ee>; msporny@digitalbazaar.com; Credentials CG <public-credentials@w3.org>
Subject: Re: Verifiable Claims Telecon Minutes for 2016-04-19

On 2016-04-20 18:40, Adrian Hope-Bailie wrote:


On 20 April 2016 at 17:56, Anders Rundgren <anders.rundgren.net@gmail.com<mailto:anders.rundgren.net@gmail.com>> wrote:
On 2016-04-20 08:51, Kaspar Korjus wrote:
Hi Kaspar,

A problem with Estonia's eID system is that it builds on non-standard solutions and will most likely cease to work in the future (which happened with the previous solution which was built on now deprecated/outlawed technology).

That's a fantastically bold statement!

The support for eID has been discussed in great length in TAG and Web Security IG.  I can't repeat all of that but the core is that using the same identity to X numbers of unrelated domains is considered an unacceptable invasion of privacy.

The recommendation by Google and Facebook is using FIDO alliance technologies which has rather little to do with current eIDs.



What non-standard solutions are you referring to Anders?

Since eID and tons of other applications need to do things (like signatures) that are not natively supported by browsers, the eID implementers are playing with various tricks to extend browsers, none which is considered as standard.  "localhost" service is one solution which though also is under reconsideration by the browser vendors since this can be used for mounting attacks.  Native Messaging as featured in Chrome is another such method which Google wants to remove and Estonia's eID currently uses.




Your eID colleges in Sweden have therefore left the Web due to the lack of eID support in browsers.

And have adopted what? Some non-Web but still open and neutral standard?

They have turned to "Apps" using proprietary solutions which they have control of.
These solutions are less than optional but they work and are extensively used.

I have worked with eID solutions for almost 20 years.

Anders




There is no project in W3C for making eIDs first-class citizens on the Web.

Anders

Dear all,



Thank you for the call and the possibility to introduce myself.



Steven, regarding your comments about Google and MDFT blocks etc.. I would like to say a few supportive comments on the things you're building.



Estonia was facing the same challenges 20 years ago and obviously these changes didn’t go through easily. We had to change many laws before this really worked out. For example, Digital Signatures Act enforcing in year 2000 to establish PKI infrastructure and to make digital signatures equal to handwritten signatures; Identity Documents Act enforcing in 2002 making digital identities mandatory for every citizen; also ´data once` principle; a lot about making the platform transparent and making the user the owner of the data (e.g. every person can track who has accessed their data); also, legislation which strictly regulates the misuse of the data; etc. All of this has made us, the citizens, really trust the system, platform and the government, and we can't imagine the life without being fully digital anymore.



Similarly, Estonian ex-PM is, Mr Andrus Ansip, being VP of Digital Single Market on the European Commission, pushes rather similar steps in the Europe. Obviously it's challenging but the progress with regulations, including eIDAs, and yesterday's announcement of 50 billion budget (http://ec.europa.eu/news/2016/04/20160419_en.htm) looks pretty promising.



Also, this e-residents today need some kind of Verifiable Claims platform. I'm here to learn more about it, but if it would work out, we could give you pretty cool use case as the first government who has fully implemented the platform for not only its own citizens but for everybody, internationally. Without any standards, we would start developing something ourselves within a month time, and similarly would do other countries nearby. Eventually it would end up as ugly again as it is today with the digital EU market.



So, being young and naïve, I can't see any other way around it and I can't see Google's and Microsoft's blocking would stop at least the EU to follow this path.



Kaspar Korjus

e-Residency Managing Director

Enterprise Estonia

mobile: +372 59192446<tel:%2B372%2059192446>

e-mail: kaspar.korjus@eas.ee<mailto:kaspar.korjus@eas.ee>

Skype: kaspar.korjus

WWW: e-resident.gov.ee<http://e-resident.gov.ee>









-----Original Message-----
From: Steven Rowat [mailto:steven_rowat@sunshine.net]
Sent: Tuesday, April 19, 2016 10:29 PM
To: msporny@digitalbazaar.com<mailto:msporny@digitalbazaar.com>; Web Payments IG <public-webpayments-ig@w3.org><mailto:public-webpayments-ig@w3.org>; Credentials CG <public-credentials@w3.org><mailto:public-credentials@w3.org>
Subject: Re: Verifiable Claims Telecon Minutes for 2016-04-19



On 4/19/16 10:12 AM, msporny@digitalbazaar.com<mailto:msporny@digitalbazaar.com> wrote:

> Use cases doc is suffering from

>    lack of reviews.



I don't know if others felt the same, but I took a step back after Manu's report of what happened in the blocking/bifurcation of the Web Payments work. My own reasoning was that if this work is not going anywhere (if fully blocked by Google and MSFT, in other words) then my time would be better spent elsewhere. That's a difficult call to make though.



New explanations from this Telecon Minutes, combined with knowing about the UN identify conferences (the UNCITRAL April and the UN May) about identity, seem considerably more hopeful -- even if W3C doesn't use it, it seems like it may make its way to wherever it is most needed.



So one housekeeping question: I didn't see a link to the use-cases in the Telecon Minutes. I attempted to use links I had to get to the 'current' Use-cases draft, and got confused. I want to be sure I'm looking at the right one.



The link I had was for February 29, and it's long and I suspect has been amended:

http://opencreds.org/specs/source/use-cases/




So I clicked on the 'current draft' link at the top, and my browser complained that there was no security certificate (expired):

https://opencreds.org/specs/source/use-cases




So then I did a Google search for the use cases and got to this, April

12th:

http://w3c.github.io/webpayments-ig/VCTF/use-cases/




Is that correct? This is the one to review?



I also know that Shane spoke of preparing (has prepared?) a separate 'extended' use-cases document. Is that also to be looked at? (And, to be clear, the one above on April 12 isn't that one?)



Steven





>

>

>

>

>
Received on Thursday, 21 April 2016 06:59:50 UTC