- From: <msporny@digitalbazaar.com>
- Date: Fri, 12 Feb 2016 16:45:32 -0500
- To: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:
http://w3c.github.io/vctf/meetings/2016-02-12/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-02-12
Agenda:
https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Feb/0020.html
Topics:
1. Background on Jeanne, Bob, and the Credentials Transparency
Initiative
2. Problem Statement
3. Data Format
4. Technical Advisory Committee on Metadata
5. Need for Credentials Technology
Organizer:
Manu Sporny
Scribe:
Dave Longley
Present:
Dave Longley, Manu Sporny, Bob Sheets, Jeanne Kitchens
Audio:
http://w3c.github.io/vctf/meetings/2016-02-12/audio.ogg
Dave Longley is scribing.
Manu Sporny: We wanted to start off getting some background from
each of you and how you got involved with CTI, etc.
Manu Sporny: We'd like to know your perspective.
Manu Sporny: We'll add something to the agenda to talk about
what CTI is trying to do as well and then we'll get into the full
discussion.
Topic: Background on Jeanne, Bob, and the Credentials Transparency Initiative
Bob Sheets: I'm a research professor at GW Institute of Public
Policy, in addition to this project, I've been working for quite
a few years, what is the necessary data structure for the
credential marketplace that improves transparency and efficiency
in the greater marketplace and how you exchange information in
credential issuers, holders, [missed] -- I've laid out five
different building blocks ... we want to make it clear what
credentials look like and how they issue and provide information
about credential holders and organizations.
Jeanne Kitchens: I'm Jeanne Kitchens [missed] Director at
Southern Illinois -- I've worked with Bob on many projects,
building on a bigger national picture not just focusing on it in
the state of Illinois.
Manu Sporny: If you could give us background on CTI and Lumina
that would be good.
Bob Sheets: We are just one of many projects that are being
funded by Lumina Foundation and their partners to address how we
improve the transparency in the credentialing marketplace
including how we more clearly define the connections between
credentials. The credentialing marketplace around the world is
becoming much more complex than it was historically with many
different types of creds and ways for individuals to say they
have creds through many different platforms not just transcripts
for example. We are focused on how do we have infrastructure to
allow any cred org to make any comparable info about their creds
available to the open marketplace and how to declare
relationships between their creds and others as part of that
process.
Jeanne Kitchens: The problem is the maze of credentials that are
currently out there the variety of types the confusion around
what is defined and what a credential is... the project is around
developing the meta data infrastructure, we say that it must
conform to the W3C spec for semantic metadata. Our hope is for
this to continue on past the project.
Manu Sporny: So why the need for a metadata standard? What
mechanisms are used today ... you said many different creds today
and ways to get them and display them, why is that not good
enough? Why do we need a metadata standard, isn't existing tech
good enough?
Bob Sheets: In one way, we've had existing metadata structures
for narrow bands of traditional creds that have common language
and vocab to describe themselves, but the cred marketplace now is
seeing much more other types of creds that can't be described in
the existing vocabs commonly used and the common currency among
creds is moving towards competencies and these haven't been
historically represented in a common way even with common creds.
We need to develop a vocab that is much more generalized so we
can use a consistent vocab to describe the creds. There are
certain aspects of creds that are becoming more apparent,
including statements about what people should be able to hold and
do when holding a cred.
Manu Sporny: Is the problem only in vocabulary, once you figure
that out, will that solve the problem or are there other tech
gaps that CTI is looking at right now?
Bob Sheets: I think we also have a situation where people make
assertions about each other and third parties make assertions
about each other ... and we need to make them available.
Jeanne Kitchens: Speaking from the project perspective, one
clear deliverable is the metadata infrastructure, another is a
credential registry that will utilize that infrastructure as an
intermediate step, one reason we think this will show value-add
with this shared vocab ... we have to do it through a means to
store the data. Currently it would be impossible to get all this
information to grab it from hundreds of websites.
Bob Sheets: We're working up use cases ... for example, when an
individual has a resume and makes an assertion about a credential
they hold, historically many employers want to go back and find
out what's behind that. The cred org that issued that won't
maintain information on it or may not even be around.
Bob Sheets: Imagine where someone has a degree in CS from 1976.
We don't have a way for people on the Web to discover and verify
what that cred holder is asserting. That info isn't readily
available and consistently available. Especially when we have
cred orgs that don't have sufficient version control or they may
not even be in existence.
Topic: Problem Statement
Manu Sporny: Ok, so we've got background and information about
CTI. So now we're going to shift focus to the VCTF.
Manu Sporny: http://w3c.github.io/vctf/
Manu Sporny: [Points out problem statement]
Manu Sporny: One of the most important things we do in
pre-standardization work is figure out if there's agreement on
the problem first before trying to solve it. We've talked to 43
different orgs in healthcare, education, gov't, technology, we've
interviewed with 12+ people that are experts involved in
credentialing initiatives, etc. We're looking to see whether or
not you agree with the problem statement, your general thoughts
on it, etc.
Manu Sporny: Of the mechanisms that exist today where you can
express a credential in a digital form on the Web, they tend to
be service-centric instead of user-centric. The distinction being
who has control over where the data is stored. You can think of a
service-centric system you can think of data being tightly
coupled to those services. And when you send your data those
services necessarily know where you're sending it. If you stored
your creds at Google/Facebook/Whatever they would know where you
are applying for a job or you're in legal trouble or whatever, so
on, not a privacy-protecting system. Alternatively, in a user
centric system, whenever a credential is issued it is issued to
the credential holder. They take it and store it wherever they
want to. They could, for example, store it on
Google/Facebook/Whatever, or in their corporate environment,
their university, their mobile phone, a server in their house,
they choose where they want to store it. That doesn't mean the
issuer can't revoke the credential, for example, if a university
determined someone cheated/there was a mistake the credential can
still be revoked.
Manu Sporny: Does that make sense?
Bob Sheets: Yeah, a lot of sense.
Jeanne Kitchens: Yes.
Manu Sporny: The assertion we're making is that there is no
user-centric standard for verifiable claims and the user isn't in
control of this information today (or independent of services).
Today there are credentials but services are the middle party and
everything flows through them. The other issue there is that a
lot of the credentials are stored at that digital identity
provider.
Manu Sporny: This has knock on effects like vendor lock in, etc.
Manu Sporny: A variety of other issues arise, your identities
are tied very strongly to one service without losing your
identity in the process.
Dave Longley: I'm going to also offer up another way to look at
user-centric vs. service-centric - service centric is mike@google
or mike@facebook... whereas user-centric is just mike, and you
can take that wherever you want. [scribe assist by Manu Sporny]
Manu Sporny: As far as the problem statement, we're basically
saying that it's very difficult to assert qualifications today.
It's difficult to do the equivalent of reaching into your wallet
and pull out your driver's license. Hard to do on the Web today.
You're also forced to pick certain "wallets" on the Web and once
you've picked them, you're locked into those "wallets". You can't
move your credentials around.
Manu Sporny: Does that make sense? Would you frame the problem
this way or another way?
Bob Sheets: I was thinking the only thing I'm seeing now ... not
in the generic sense you're talking about. In our world, the
credentialing world, there's a big debate now over this question
the context of those people who historically provided different
credentials for people like transcript services. Then the
question becomes what if the student wants to hold that
transcript and then a university doesn't own the statements and
it's contributing to someone else. That's an idea ... it's
created a lot of discussion "how would all this work?" I'm
suggesting for communicating into our world an example would be
that.
Manu Sporny: Great, that's very helpful.
Manu Sporny: The fundamental notion for this work is we want a
rich and vibrant ecosystem for thousands of different issuers,
consumers, storage locations, etc. It's up to the credential
holder to decide where to store their credentials. We're not
trying to push any particular control model over those
credentials; it's perfectly viable for a university to issue a
credential and let a person carry it around but they can still
revoke it. You can also hand people credentials and say they
won't be revoked. No particular control model there, we're just
trying to create an interoperable ecosystem with options and the
mechanism used to represent and exchange credentials is the same
regardless of industry.
Bob Sheets: You've mentioned all the different orgs you've
brought this forward to. This would be very interesting to the
standards bodies that deal with the HR systems that deal with
employers, etc.
Manu Sporny: Yes, we are talking. The HR folks "we would love to
consume these credentials, who will start generating them?" Then
you got to the universities, some are on board, but others will
ask "Ok, who will start consuming them?" And we point at HR
systems.
Bob Sheets: What I'm saying is they are trying to consume old
credentials now and have a hard problem. They are trying to push
them into applicant tracking systems and there are a lot of
problems they have now. My suggestion is ... it's not that they
aren't trying to consume now.
Manu Sporny: What would you say are some of the problems with
getting existing credentials into these tracking systems?
Topic: Data Format
Bob Sheets: In a non-technical way, many employers are getting
three million applications and a lot of times they are trying to
figure out how to parse out a resume that should be like a
database ... and how do I parse out a resume into my data fields
for screening on eligibility. Sometimes those conditions would be
like age, something about work history, minimal credential
health, etc. They need to be able to parse that into an
infrastructure they can use, so many times they make applicants
fill out a structured form online.
Bob Sheets: That can make sense for small employers and 20-30
applicants, but the Web allows people to apply for hundreds of
jobs and then people say "Just attach your resume and
transcript". You can't immediately get that into a data structure
or data base.
Manu Sporny: Yes, that's a data modeling and data format
problem. We're asserting there is no standard data model or
format that you could put a credential into today that IBM/Oracle
or a small software vendor could build something around.
Bob Sheets: In the old credential world that's a problem that's
not resolved, in the new credential world we have things called
competencies that add a level of complexities that overwhelms the
old problem that still hasn't been solved.
Manu Sporny: Jeanne you said you're looking at W3C tech to solve
this problem, which techs and how far along are you?
Topic: Technical Advisory Committee on Metadata
Jeanne Kitchens: We have a tech advisory committee and tech
advisor and we're working through that process and looking at the
domain model and figuring out the properties and vocab to fully
describe the credentials, I can't give you a percentage on how
far along we are but we have that information available to the
public on our website. We have placeholders for the
infrastructure and what that design looks like.
Manu Sporny: Do you have a link to that?
Jeanne Kitchens: Sure, one moment.
Manu Sporny: Bob, what do you see as the ideal ecosystem here?
If CTI's successful and there's a set of technologies in place,
what do you see as the future?
Bob Sheets: I'm really excited about what you are all doing
because you're dealing with a related problem that we all have.
What we're trying to address is to allow any cred org to clearly
say when someone holds my cred, an individual, these are the cred
requirements that they met to hold it. That declaration is in
version control allowing them to say that when I awarded creds
during a time period and actually no one can do and they had
other requirements. And they are issuing creds in a way that
provides an authN service and... certain creds are time limited
sometimes and other cases they aren't. This infrastructure would
allow any credentialing org to publish on the Web comparing
information about those declarations and make links to other
types. We need others like you all to figure out the solutions
around what you're describing is a service for individuals to
hold a variety of creds that they can make available to
employers, other cred orgs, or any other sort of users. We see
this as a necessarily, complementary development to what we're
trying to do.
Manu Sporny: http://credreg.net/
Manu Sporny: Draft domain model:
https://drive.google.com/file/d/0Bye25TO-7pllenhGUWctWHlVb2c/view
Manu Sporny: I'm trying to give the W3C membership an idea of
what you're doing. It looks like you're using Linked Data with
some prototypes and examples in JSON-LD.
Jeanne Kitchens: Yes.
Bob Sheets: Yes.
Jeanne Kitchens: There are some examples and viewers on the
website.
Manu Sporny: Linked Data properties viewer:
http://credreg.net/page/propertiesviewer
Jeanne Kitchens: In step three, under description, that's where
you'd see the evolving Linked Data format.
Manu Sporny: Ok, this will help us demonstrate that CTI is
looking at W3C technology.
Topic: Need for Credentials Technology
Manu Sporny: If we were not able to get this work started, how
would that impact the work you're trying to do? We're talking
about a cred ecosystem, that can issue credentials, store them at
cred holder's choice, and then a credential consumer like an HR
department could technically request a set of creds from someone
and get them in a machine readable format. If the membership
votes down this proposal, what would the effect be on your
initiative?
Bob Sheets: We would have a hard time because it's part of a
three legged stool. We need to have the cred orgs publish
comparable info in the marketplace, we need individuals to be
able to communicate claims and send to their employers, etc. If
someone doesn't address the problems you're dealing with on your
leg that would be a problem ... if someone isn't working on the
individual side of this and how the information is held and
communicated in the marketplace that is one building block of the
cred marketplace that isn't being addressed and we hope you all
do it.
Bob Sheets: Think about this on the employer side. I'm not just
dealing with things a cred org would give to an individual,
employers want a variety of other things like citizenship, and
other things an individual is attesting they are that go along
with the cred info we're talking about, which is why I like what
you're doing.
Bob Sheets: It all needs to be handled in the same way.
Manu Sporny: Yes, that's what we're proposing, the way all of
these credentials would be handled in the same way. We have some
CG technical proposals showing how that can be done.
Bob Sheets: That's why I love the power of your guys vision
because it needs to be handled in the same way.
Manu Sporny: There's currently some back and forth going on with
what the technical work might be. There are two views, all at
once and a phased approach. Phased approach would be first,
figure out the data model and format for expressing these
credentials. There are orgs saying that should be easy and we can
get it done in a year and let's focus on that. How the creds flow
around the ecosystem can wait. Another camp says we need that,
but without a protocol for saying how you transmit these
credentials around (request creds, store them, etc.), then it's
not good enough. The question is should we phase this work or
have it done all in one go? Would it be worth while to focus on
the data model and data format and determine how to express this
from a technical format, or do you feel like just expressing them
isn't enough?
Jeanne Kitchens: I'm not sure how to answer that, but I
understand the question.
Bob Sheets: Same here. I know one thing that keeps coming up ...
question we keep getting is what are the protocols for controlling
the information by the issuers of the credentials. That is the
biggest deal, most cred orgs ... I'm constantly being asked about
authentication services and maintaining my brand in the
marketplace. That gets at protocols. My worry is that to
introduce it to people that we deal with that aren't the
technical people ... the people who would have to buy on as
stakeholders if you don't convince people you've given sufficient
thought to the protocols you may get some resistance.
Manu Sporny: The resistance is primarily around "can we take
baby steps to try and address this issue or can we not see any
benefit until we see both data model+format and protocol in
place?"
Bob Sheets: If you had just laid out what the questions are on
the protocol that need to be addressed, that would give people
more confidence that it's been scoped out sufficiently.
Manu Sporny: Ok, that's helpful. From both of your standpoints,
would it be better to do data format+model and protocol together
or can we wait a couple years to do the data format+model and
then wait to get the protocol done after trying it out in the
marketplace?
Bob Sheets: I have a hard time addressing that question,
whatever it takes to get your group started and on the map and
doing work the better. I would urge the group start up and get a
center of gravity because it would bring coordination that won't
be fruitful without a stake in the ground. That would be
wonderful as soon as possible.
Manu Sporny: Thanks, very helpful. This question we ask more to
the more technical people, but do you have any opinions on which
standards bodies should be involved? We're proposing W3C could do
some work and IMSGlobal is participating with the task force.
Bob Sheets: I would suggest look at [missed] whether they'd be a
good partner. You may have to interview them.
Bob Sheets: What I'd like to do ... We're trying to coordinate
with all these different standards groups. I'll be attending the
HR consortium meeting in March, I'll know more then I'd be more
than happy to connect with them in this space.
Manu Sporny: That would be fantastic. We need connections in
that space.
Bob Sheets: I'll be talking with them in the middle of March
I'll send information or suggest connections after that.
Manu Sporny: Thank you very much for that.
Manu Sporny: We've gone through many of the things we wanted to
cover today, now that you have a bit more of an idea of what
we're trying to do... If we're able to get a W3C WG to work on
this, ... once they are chartered the group could produce an
international recommendation for how to express
credentials/potentially a protocol, do you have any other ideas
or concerns about that space? Maybe about how difficult it is to
deploy that stuff, business models, etc.?
Bob Sheets: No reservations at all. As long as you are
coordinating with IMS Global, etc. in this space, it's really
important work and if W3C can coordinate related initiatives in
this work that would be very valuable.
Manu Sporny: To put a finer point on it, whatever CTI ends up
creating, you've got a registry and this is what these
credentials mean, one of the use cases we're going to be putting
in here would be that you could take something from the CTI
registry and issue a digital credential that someone can store
someone using this W3C technology. That's the kind of
coordination we kind of see 6-18 months down the road. Are both
of you under the same impression?
Bob Sheets: Yes, exactly I'm real excited. Because of the
importance of having that connection, especially on
authentication services, that is such a critical connection.
Manu Sporny: Anything else for the interview today?
Bob Sheets: How do we keep in contact w/ where you're at?
Manu Sporny: http://w3c.github.io/vctf/meetings/
Manu Sporny: https://www.w3.org/community/credentials/
Manu Sporny: Jeanne has my email address, there's a VCTF page
showing the meetings, all recorded and transcribed. There's also
a Credentials CG I recommend people from CTI join, we do have
some people already joining VCTF, such as Stuart Sutton who is
fantastic and knows what's going on.
Bob Sheets: That's wonderful. As long as Stuart and Jeanne are
connected that's wonderful.
Manu Sporny: Thank you, Jeanne and Bob, we really appreciate you
taking the time and talking about CTI, etc. We will publish these
minutes publicly within the next day or two and we'll give you a
link to the final report on these interviews (probably around end
of this month). We'd like to get a WG started up if we can
convince 300+ companies. :)
Received on Friday, 12 February 2016 21:45:57 UTC