W3C home > Mailing lists > Public > public-credentials@w3.org > February 2016

Verifiable Claims Telecon Minutes for 2016-02-12

From: <msporny@digitalbazaar.com>
Date: Fri, 12 Feb 2016 16:45:32 -0500
Message-Id: <1455313532803.0.14710@zoe>
To: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2016-02-12/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-02-12

Agenda:
  https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Feb/0020.html
Topics:
  1. Background on Jeanne, Bob, and the Credentials Transparency 
    Initiative
  2. Problem Statement
  3. Data Format
  4. Technical Advisory Committee on Metadata
  5. Need for Credentials Technology
Organizer:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Manu Sporny, Bob Sheets, Jeanne Kitchens
Audio:
  http://w3c.github.io/vctf/meetings/2016-02-12/audio.ogg

Dave Longley is scribing.
Manu Sporny:  We wanted to start off getting some background from 
  each of you and how you got involved with CTI, etc.
Manu Sporny:  We'd like to know your perspective.
Manu Sporny:  We'll add something to the agenda to talk about 
  what CTI is trying to do as well and then we'll get into the full 
  discussion.

Topic: Background on Jeanne, Bob, and the Credentials Transparency Initiative

Bob Sheets:  I'm a research professor at GW Institute of Public 
  Policy, in addition to this project, I've been working for quite 
  a few ayers, what is the necessary data structure for the 
  credential marketplace that improves transparency and efficiency 
  in the greater marketplace and how you exchange information in 
  credential issuers, holders, [missed] -- I've laid out five 
  different building blocks ... we want make it clear what 
  credentials look like and how they issue and provide information 
  about credential holders and organizations.
Jeanne Kitchens:  I'm Jeanne Kitchens [missed] Director at 
  Southern Illinois -- I've worked with Bob on many projects, 
  building on a bigger national picture not just focusing on it in 
  the state of Illinois.
Manu Sporny:  If you could give us background on CTI and Lumina 
  that would be good.
Bob Sheets:  We are just one of many projects that are being 
  funded by Lumina Foundation and their partners to address how we 
  improve the transparency in the credentialing marketplace 
  including how we more clearly define the connections between 
  credentials. The credentialing marketplace around the world is 
  becoming much mroe complex than it was historically with many 
  different types of creds and ways for individuals to say they 
  have creds through many different platforms not just transcripts 
  for example. We are focused on how do we have infrastructure to 
  allow any cred org to make any comparable info about their creds 
  available to the open marketplace and how to declare 
  relatinoships between their creds and others as part of that 
  process.
Jeanne Kitchens:  The problem is the maze of credentials that are 
  currently out there the variety of types the confusion around 
  what is defined and what a credential is... the project is around 
  developing the meta data infrastructure, we say that it must 
  conform to the W3C spec for semantic metadata. Our hope is for 
  this to continue on past the project.
Manu Sporny:  So why the need for a metadata standard? What 
  mechanisms are used today ... you said many different creds today 
  and ways to get them and display them, why is that not good 
  enough? Why do we need a metadata standard, isn't existing tech 
  good enough?
Bob Sheets:  In one way, we've had existing metadata structures 
  for narrow bands of traditional creds that have common language 
  and vocab to describe themselves, but the cred marketplace now is 
  seeing much more other types of creds that can't be described in 
  the existing vocabs commonly used and the common currency among 
  creds is moving towards competencies and these haven't been 
  historically represented in a common way even with common creds. 
  We need to develop a vocab that is much more generalized so we 
  can use a consistent vocab to describe the creds. There are 
  certain aspects of creds that are becoming more apparent, 
  including statements about what people should be able to hold and 
  do when holding a cred.
Manu Sporny:  Is the problem only in vocabulary, once you figure 
  that out, will that solve the problem or are there other tech 
  gaps that CTI is looking at right now?
Bob Sheets:  I think we also have a situation where people make 
  assertions about each other and third parties make assertions 
  about each other ... and we need to make them available.
Jeanne Kitchens:  Spekaing from the project perspective, one 
  clear deliverable is the metadata infrastructure, another is a 
  credential registry that will utilize that infrastructure as an 
  intermediate step, one reason we think this will show value-add 
  with this shared vocab ... we have to do it through a means to 
  store the data. Currently it would be impossible to get all this 
  information to grab it from hundreds of websites.
Bob Sheets:  We're working up use cases ... for example, when an 
  individual has a resume and makes an assertion about a credential 
  they hold, historically many employers want to go back and find 
  out what's behind that. The cred org that issued that won't 
  maintain information on it or may not even be around.
Bob Sheets:  Imagine where someone has a degree in CS from 1976. 
  We don't have a way for people on the Web to discover and verify 
  what that cred holder is asserting. That info isn't readily 
  available and consistently available. Especially when we have 
  cred orgs that don't have sufficient version control or they may 
  not even be in existence.

Topic: Problem Statement

Manu Sporny:  Ok, so we've got background and information about 
  CTI. So now we're going to shift focus to the VCTF.
Manu Sporny: http://w3c.github.io/vctf/
Manu Sporny:  [Points out problem statement]
Manu Sporny:  One of the most important things we do in 
  pre-standardization work is figure out if there's agreement on 
  the problem first before trying to solve it. We've talked to 43 
  different orgs in healthcare, education, gov't, technology, we've 
  interviewed with 12+ people that are experts involved in 
  credentialing initiatives, etc. We're looking to see whether or 
  not you agree with the problem statement, your general thoughts 
  on it, etc.
Manu Sporny:  Of the mechanisms that exist today where you can 
  express a credential in a digital form on the Web, they tend to 
  be service-centric instead of user-centric. The distinction being 
  who has control over where the data is stored. You can think of a 
  service-centric system you can think of data being tightly 
  coupled to those services. And when you send your data those 
  services necessarily know where you're sending it. If you stored 
  your creds at Google/Facebook/Whatever they would know where you 
  are applying for a job or oyu're in legal trouble or whatever, so 
  on, not a privacy-protecting system. Alternatively, in a user 
  centric system, whenever a credential is issued it is issued to 
  the credential holder. They take it and store it wherever they 
  want to. They could, for example, store it on 
  Google/Facebook/Whatever, or in their corporate environment, 
  their university, their mobile phone, a server in their house, 
  they choose where they want to store it. That doesn't mean the 
  issuer can't revoke the credential, for example, if a university 
  determined someone cheated/there was a mistake the credential can 
  still be revoked.
Manu Sporny:  Does that make sense?
Bob Sheets:  Yeah, a lot of sense.
Jeanne Kitchens:  Yes.
Manu Sporny:  The assertion we're making is that there is no 
  user-centric standard for verifiable claims and the user isn't in 
  control of this information today (or independent of services). 
  Today there are credentials but services are the middle party and 
  everything flows through them. The other issue there is that a 
  lot of the credentials are stored at that digital identity 
  provider.
Manu Sporny:  This has knock on effects like vendor lock in, etc.
Manu Sporny:  A variety of other issues arise, your identities 
  are tied very strongly to one service without losing your 
  identity in the process.
Dave Longley:  I'm going to also offer up another way to look at 
  user-centric vs. service-centric - service centric is mike@google 
  or mike@facebook... whereas user-centric is just mike, and you 
  can take that wherever you want. [scribe assist by Manu Sporny]
Manu Sporny:  As far as the problem statement, we're basically 
  saying that it's very difficult to assert qualifications today. 
  It's difficult to do the equivalent of reaching into your wallet 
  and pull out your driver's license. Hard to do on the Web today. 
  You're also forced to pick certain "wallets" on the Web and once 
  you've picked them, you're locked into those "wallets". You can't 
  move your credentials around.
Manu Sporny:  Does that make sense? Would you frame the problem 
  this way or another way?
Bob Sheets:  I was thinking the only thing I'm seeing now ... not 
  in the generic sense you're talking about. In our world, the 
  credentialing world, there's a big debate now over this question 
  the context of those people who historically provided different 
  credentials for people like transcript services. Then the 
  question becomes what if the student wants to hold that 
  transcript and then a university doesn't own the statements and 
  it's contributing to someone else. That's an idea ... it's 
  created a lot of discussion "how would all this work?" I'm 
  suggesting for communicating into our world an example would be 
  that.
Manu Sporny:  Great, that's very helpful.
Manu Sporny:  The fundamental notion for this work is we want a 
  rich and vibrant ecosystem for thousands of different issuers, 
  consumers, storage locations, etc. It's up to the credential 
  holder to decide where to store their credentials. We're not 
  trying to push any particular control model over those 
  credentials; it's perfectly viable for a university to issue a 
  credential and let a person carry it around but they can still 
  revoke it. You can also hand people credentials and say they 
  won't be revoked. No particular control model there, we're just 
  trying to create an interoperable ecosystem with options and the 
  mechanism used to represent and exchange credentials is the same 
  regardless of industry.
Bob Sheets:  You've mentioned all the different orgs you've 
  brought this forward to. This would be very interesting to the 
  standards bodies that deal with the HR systems that deal with 
  employers, etc.
Manu Sporny:  Yes, we are talking. The HR folks "we would love to 
  consume these credentials, who will start generating them?" Then 
  you got to the universities, some are on board, but others will 
  ask "Ok, who will start consuming them?" And we point at HR 
  systems.
Bob Sheets:  What I'm saying is they are trying to consume old 
  credentials now and have a hard problem. They are trying to push 
  them into applicant tracking systems and there are a lot of 
  problems they have now. My suggestion is ... it's not that they 
  aren't trying to consume now.
Manu Sporny:  What would you say are some of the problems with 
  getting existing credentials into these tracking systems?

Topic: Data Format

Bob Sheets:  In a non-technical way, many employers are getting 
  three million applications and a lot of times they are trying to 
  figure out how to parse out a resume that should be like a 
  database ... and how do I parse out a resume into my data fields 
  for screening on eligibility. Sometimes those conditions would be 
  like age, something about work history, minimal credential 
  health, etc. They need to be able to parse that into an 
  infrastructure they can use, so many times they make applicants 
  fill out a structured form online.
Bob Sheets:  That can make sense for small employers and 20-30 
  applicants, but the Web allows people to apply for hundreds of 
  jobs and then people say "Just attach your resume and 
  transcript". You can't immediately get that into a data structure 
  or data base.
Manu Sporny:  Yes, that's a data modeling and data format 
  problem. We're asserting there is no standard data model or 
  format that you could put a credential into today that IBM/Oracle 
  or a small software vendor could build something around.
Bob Sheets:  In the old credential world that's a problem that's 
  not resolved, in the new credential world we have things called 
  competencies that add a level of complexities that overwhelms the 
  old problem that still hasn't been solved.
Manu Sporny:  Jeanne you said you're looking at W3C tech to solve 
  this problem, which techs and how far along are you?

Topic: Technical Advisory Committee on Metadata

Jeanne Kitchens:  We have a tech advisory committee and tech 
  advisor and we're working through that process and looking at the 
  domain model and figuring out the properties and vocab to fully 
  describe the credentials, I can't give you a percentage on how 
  far along we are but we have that information available to the 
  public on our website. We have placeholders for the 
  infrastructure and what that design looks like.
Manu Sporny:  Do you have a link to that?
Jeanne Kitchens:  Sure, one moment.
Manu Sporny:  Bob, what do you see as the ideal ecosystem here? 
  If CTI's successful and there's a set of technologies in place, 
  what do you see as the future?
Bob Sheets:  I'm really excited about what you are all doing 
  because you're dealing with a related problem that we all have. 
  What we're trying to address is to allow any cred org to clearly 
  say when someone holds my cred, an individual, these are the cred 
  requirements that they met to hold it. That declaration is in 
  version control allowing them to say that when I awarded creds 
  during a time period and actually no one can do and they had 
  other requirements. And they are issuing creds in a way that 
  provides an authN service and... certain creds are time limited 
  sometimes and other cases they aren't. This infrastructure would 
  allow any credentialing org to publish on the Web comparing 
  information about those declarations and make links to other 
  types. We need others like you all to figure out the solutions 
  around what you're describing is a service for individuals to 
  hold a variety of creds that they can make available to 
  employers, other cred orgs, or any other sort of users. We see 
  this as a necessarily, complementary development to what we're 
  trying to do.
Manu Sporny: http://credreg.net/
Manu Sporny: Draft domain model: 
  https://drive.google.com/file/d/0Bye25TO-7pllenhGUWctWHlVb2c/view
Manu Sporny:  I'm trying to give the W3C membership an idea of 
  what you're doing. It looks like you're using Linked Data with 
  some prototypes and examples in JSON-LD.
Jeanne Kitchens:  Yes.
Bob Sheets:  Yes.
Jeanne Kitchens:  There are some examples and viewers on the 
  website.
Manu Sporny: Linked Data properties viewer: 
  http://credreg.net/page/propertiesviewer
Jeanne Kitchens:  In step three, under description, that's where 
  you'd see the evolving Linked Data format.
Manu Sporny:  Ok, this will help us demonstrate that CTI is 
  looking at W3C technology.

Topic: Need for Credentials Technology

Manu Sporny:  If we were not able to get this work started, how 
  would that impact the work you're trying to do? We're talking 
  about a cred ecosystem, that can issue credentials, store them at 
  cred holder's choice, and then a credential consumer like an HR 
  department could technically request a set of creds from someone 
  and get them in a machine readable format. If the membership 
  votes down this proposal, what would the effect be on your 
  initiative?
Bob Sheets:  We would have a hard time because it's part of a 
  three legged stool. We need to have the cred orgs publish 
  comparable info in the marketplace, we need individuals to be 
  able to communicate claims and send to their employers, etc. If 
  someone doesn't address the problems you're dealing with on your 
  leg that would be a problem ... if someone isn't working on the 
  individual side of this and how the information is held and 
  communicated in the marketplace that is one building block of the 
  cred marketplace that isn't being addressed and we hope you all 
  do it.
Bob Sheets:  Think about this on the employer side. I'm not just 
  dealing wit hthings a cred org would give to a individual, 
  employers want a variety of other things like citizenship, and 
  other things an individual is attesting they are that go along 
  with the cred info we're talking about, which is why I like what 
  you're doing.
Bob Sheets:  It all needs to be handled in the same way.
Manu Sporny:  Yes, that's what we're proposing, the way all of 
  these credentials would be handled in the same way. We have some 
  CG technical proposals showing how that can be done.
Bob Sheets:  That's why I love the power of your guys vision 
  because it needs to be handled in the same way.
Manu Sporny:  There's currently some back and forth going on with 
  what the technical work might be. There are two views, all at 
  once and a phased approach. Phased approach would be first, 
  figure out the data model and format for expressing these 
  credentials. There are orgs saying that should be easy and we can 
  get it done in a year and let's focus on that. How the creds flow 
  around the ecosystem can wait. Another camp says we need that, 
  but without a protocol for saying how you transmit these 
  credentials around (request creds, store them, etc). then it's 
  not good enough. The questions is should we phase this work or 
  have it done all in one go? Would it be worth while to focus on 
  the data model and data format and determine how to express this 
  from a technical format, or do you feel like just expressing them 
  isn't enough?
Jeanne Kitchens:  I'm not sure how to answer that, but I 
  understand the question.
Bob Sheets:  Same here. I know one thing that keeps coming up ... 
  question we keep getting is what is the protocols for controlling 
  the information by the issuers of the credentials. That is the 
  biggest deal, most cred orgs ... I'm constantly being asked about 
  authentication services and maintaining my brand in the 
  marketplace. That gets at protocols. My worry is that to 
  introduce it to people that we deal with that aren't the 
  technical people ... the people who would have to buy on as 
  stakeholders if you don't convince people you've given sufficient 
  thought to the protocols you may get some resistance.
Manu Sporny:  The resistance is primarily around "can we take 
  baby steps to try and address this issue or can we not see any 
  benefit until we see both data model+format and protocol in 
  place?"
Bob Sheets:  If you had just laid out what the questions are on 
  the protocol that need to be addressed, that would give people 
  more confidence that it's been scoped out sufficiently.
Manu Sporny:  Ok, that's helpful. From both of your standpoints, 
  would it be better to do data format+model and protocol together 
  or can we wait a couple years to do the data format+model and 
  then wait to get the protocol done after trying it out in the 
  marketplace?
Bob Sheets:  I have a hard time addressing that question, 
  whatever it takes to get your group started and on the map and 
  doing work the better. I would urge the group start up and get a 
  center of gravity because it would bring coordination that won't 
  be fruitful without a stake in the ground. That would be 
  wonderful as soon as possible.
Manu Sporny:  Thanks, very helpful. This question we ask more to 
  the more technical people, but do you have any opinions on which 
  standards bodies should be involved? We're proposing W3C could do 
  some work and IMSGlobal is participating with the task force.
Bob Sheets:  I would suggest look at [missed] whether they'd be a 
  good partner. You may have to interview them.
Bob Sheets:  What I'd like to do ... We're trying to coordinate 
  with all these different standards groups. I'll be attending the 
  HR consortium meeting in March, I'll know more then I'd be more 
  than happy to connect with them in this space.
Manu Sporny:  That would be fantastic. We need connections in 
  that space.
Bob Sheets:  I'll be talking with them in the middle of March 
  I'll send information or suggest connections after that.
Manu Sporny:  Thank you very much for that.
Manu Sporny:  We've gone through many of the things we wanted to 
  cover today, now that you have a bit more of an idea of what 
  we're trying to do... If we're able to get a W3C WG to work on 
  this, ... once they are chartered the group could produce an 
  international recommendation for how to express 
  credentials/potentially a protocol, do you have any other ideas 
  or concerns about that space? Maybe about how difficult it is to 
  deploy that stuff, business models, etc.?
Bob Sheets:  No reservations at all. As long as you are 
  coordinating with IMS Global, etc. in this space, it's really 
  important work and if W3C can coordinate related initiatives in 
  this work that would be very valuable.
Manu Sporny:  To put a finer point on it, whatever CTI ends up 
  creating, you've got a registry and this is what these 
  credentials mean, one of the use cases we're going to be putting 
  in here would be that you could take something from the CTI 
  registry and issue a digital credential that someone can store 
  someone using this W3C technology. That's the kind of 
  coordination we kind of see 6-18 months down the road. Are both 
  of you under the same impression?
Bob Sheets:  Yes, exactly I'm real excited. Because of the 
  importance of having that connection, especially on 
  authentication services, that is such a critical connection.
Manu Sporny:  Anything else for the interview today?
Bob Sheets:  How do we keep in contact w/ where you're at?
Manu Sporny: http://w3c.github.io/vctf/meetings/
Manu Sporny: https://www.w3.org/community/credentials/
Manu Sporny:  Jeanne has my email address, there's a VCTF page 
  showing the meetings, all recorded and transcribed. There's also 
  a Credentials CG I recommend people from CTI join, we do have 
  some people already joining VCTF, such as Stuart Sutton who is 
  fantastic and knows what's going on.
Bob Sheets:  That's wonderful. As long as Stuart and Jeanne are 
  connected that's wonderful.
Manu Sporny:  Thank you, Jeanne and Bob, we really appreciate you 
  taking the time and talking about CTI, etc. We will publish these 
  minutes publicly within the next day or two and we'll give you a 
  link to the final report on these interviews (probably around end 
  of this month). We'd like to get a WG started up if we can 
  convince 300+ companies. :)
Received on Friday, 12 February 2016 21:45:57 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:27 UTC