W3C home > Mailing lists > Public > public-credentials@w3.org > February 2016

Re: Comments on VCTF Report

From: Manu Sporny <msporny@digitalbazaar.com>
Date: Wed, 17 Feb 2016 16:59:06 -0500
Message-ID: <56C4ED2A.4090502@digitalbazaar.com>
To: Web Payments IG <public-webpayments-ig@w3.org>
CC: Credentials Community Group <public-credentials@w3.org>
On 02/16/2016 09:59 PM, Ian Jacobs wrote:
> I have several observations and questions that I'd like to share in 
> advance of the face-to-face meeting.

Thanks Ian, some responses to your observations and questions to clarify
some potential miscommunication.

> * Here is why I believe the report does not do justice to the 
> interviews: it includes information that I don't believe was part of
>  the task force's work, which clouds what the report could most 
> usefully communicate. Specifically:
> 
> - The survey in 5.1 was not part of the task force's work [0].

That survey was part of the Task Force's approved scope:

http://w3c.github.io/vctf/#scope

Specifically,

"Background research and documentation on current technologies and
approaches used to address the problem statement."

Our goal was to collect data and analyze it. Input from 43
organizations, a non-trivial number of them being W3C members, was
important input data to the research findings. I'll also note that the
interviewee's viewpoints, while important, can't be the only viewpoints
we consider in the research data that we collected.

> - While documenting use cases [2] is valuable, I did not read in the 
> interviewer's comments that they had considered the use cases.

We didn't do that for these reasons:

* We didn't want to influence what use cases the interviewees wanted to
  discuss by showing them a pre-screened set of them.
* We felt that some of the interviewees would focus on use cases that
  they didn't like, thus detracting from the conversation about the
  problem statement (which you had specifically asked us to focus on).
* Even if we had wanted to talk about use cases, we only had an hour
  with many of the interviewees and had plenty to talk about during
  that hour.
* We had already gathered important use cases when we did the survey w/
  43 organizations responding.

> It would have been interesting, for example, for the interviewees to 
> have considered the use cases, and to determine whether there was a 
> small number of them where there was clear consensus that it was 
> important to address them.

The use cases came out of the survey and the 2+ years of work collecting
data in the Credentials CG (and other fora - IMS Global, healthcare
industry, Credentials Transparency Initiative, Badge Alliance, Lumina
Foundation, etc.).

> But without connecting the interview comments to the use cases, I 
> believe they only cloud this report.

We could connect the interview comments to the use cases, we have the
raw data to do that, but it would take /a lot/ of time and I'm not
convinced that it would really change the outcome.

What would be better is whittling down the use cases in the charter
creation process and then presenting those use cases again to the
interviewers to see what they think about the core set that we
identified based on a broader set of input than just the interviews.
We'd do this before we would socialize the charter more broadly to the
W3C membership.

> Thus, I find confusing the assertion in 6.4 that a "point of 
> consensus" is that there are use cases. That may be the consensus of 
> the Credentials CG that produced them

The Credentials CG /participants/ were not the only source of the use
cases. The 43+ organizations that participated in the survey provided a
good chunk of the use cases, as did the interviews, as did conversations
in the Web Payments IG and groups at other standards bodies.

> goes beyond the work of this task force to include the use cases.

Use Cases are not beyond the scope of the Task Force. In the VCTF's
"Success Criteria":

http://w3c.github.io/vctf/#success

You can find the following text:

"produces clear documentation demonstrating that W3C can add value in
this area. The documentation should also support the creation of a W3C
Working Group charter to address the problem statement identified in
this proposal."

Supporting the creation of a successful WG charter typically involves
identifying important use cases.

> * I don't understand the role of section 4 ("Requirements Identified
>  by Research Findings"). This is not listed as a deliverable of the 
> task force [0] and it does not seem to me to be derived from the 
> interviews.

That section is a reformulation of the "Ramifications of User-Centric
vs. Service-Centric Ecosystems" that can be found on the VCTF page:

http://w3c.github.io/vctf/#design-approaches

Many of the interviews focused on the user-centric/privacy-aware and
service-centric approaches to verifiable claims. We took that input and
distilled it into a set of requirements that were either explicitly
mentioned or implicitly talked about in the interviews/survey feedback.

> The bullets don't really say "Here is the problem that needs to be 
> solved." I think the use cases comes closer, and we need more 
> information about business stories as mentioned above. Talking about
>  things like software agents helping people store claims feels like a
>  different level of discussion.

It's the best formulation we have been able to come up with given the
input from the surveys and interviewees. Note that this is something the
VCTF, Credentials CG, and Web Payments CG has been iterating on for many
years, so we've tried to be very careful to formulate a list of
important bullet points from a very large body of data and that specific
item you point out is a core theme across many of the discussions we've had.

> I think the following headline phrase is more accurate: "Reuse
> widely deployed technology to the extent possible." You do say
> something close to that in the paragraph that follows, and again in
> 7.8.

Changed to:

"Reuse Widely Deployed Technology When Possible"

> - "Minimum First Step is to Establish a Way to Express Verifiable 
> Claims"
> 
> First of all, I did not reach that result from reading the 
> interviews.  Second, the very sentences in the paragraphs that
> follow suggest there is no consensus.

Then we'll need to figure out a way to convey that there is consensus on
a minimum first step because the VCTF believes there is consensus on
this point. To phrase this another way:

* No one said don't proceed with work in this area.
* We specifically asked people if data model, syntax, and protocol
  should be worked on. No one said data model and syntax shouldn't
  be worked on.
* There is a logically indivisible first step - data model and
  expression syntax for credentials. If we don't do at least that,
  you can't begin to solve the problem statement.

> * "Many of the interviewers suggested that having a data model and 
> syntax for the expression of verifiable claims AS ONLY PART OF THE 
> SOLUTION." (This suggests they may not agree that "expression" is a 
> minimal first step and that MORE is required in a first step.)

We don't have to guess on this point, we have statements from many of
the interviewers that data model and syntax is a valid first step, but
some would like to do more than that. That last bit is what we don't
have consensus on - that we should start work on a protocol. We can make
solid progress by just doing data model and syntax.

> * "Some of the interviewers asserted that the technology already 
> exists to do this and that W3C should focus on vocabulary 
> development." (So this is a recommendation to do vocabulary work.)

Yes, but the people providing that input (Harry Halpin, specifically)
was not aware that the Credentials Transparency Initiative existed and
that they are already doing that work. So, the suggestion that W3C
should do industry-specific vocabulary work is misguided, and we did an
interview with the Credential Transparency Initiative specifically to
demonstrate that, among getting other useful feedback from them.

> * "Others asserted that vocabulary development is already happening 
> in focused communities (such as the Badge Alliance, the Credentials 
> Transparency Initiative)." (This doesn't say anything about what W3C 
> should do; perhaps this sentence could be attached to the previous 
> one instead.)

It says what W3C should not do - which is focus on education vocabularies.

> * "Many of the interviewers suggested that the desirable outcome of 
> standardization work is not only a data model and syntax for the 
> expression of verifiable claims, but a protocol for the issuing, 
> storage, and retrieval of those claims, but acknowledged that it may 
> be difficult to convince W3C member companies to undertake all of 
> that work in a single Working Group charter. " (This sounds like a 
> repeat of the first bullet.)

I'll try to rephrase that after I get your responses to the above.

> * "In the end, consensus around the question what kind of W3C
> charter would garner the most support seemed to settle on the
> creation of a data model and one or more expression syntaxes for
> verifiable claims."
> 
> Basically, I do not think there is a consensus to do that among the 
> interviewees.

I'll ask if the rest of the VCTF feels that there is consensus or not,
but I think you are unique in your opinion that there is no consensus to
start a WG around data model and syntax. Here's what the interviewees said:

> - Brad Hill: "I don't know"

That's not what he said in relation to the minimum first step. You can
find what he said (audio starts at 48:00-53:30), reference is here:

http://w3c.github.io/vctf/meetings/2016-01-08/#113

Manu Sporny: The pushback we have on that is that it's too bold and we
could start with the format of the claim first and phase 2 we talk about
the agent and how it interfaces with the other parties.

Manu Sporny: Should we do that or just go ahead with doing both?

Brad Hill: You can approach it either way.

Brad Hill: Maybe defining the claims format first, if and what, the
business cases are and what the interest is to drive it going forward.

> - Christopher Allen: (I don't see any comment)

Here's what Christopher Allen said about minimum first step:

Manu Sporny: What about identifiers and formats [of] these claims?

Manu Sporny: Are those good work items?

Christopher Allen: Absolutely. (... followed by elaboration on why)

> - Drummond Reed: "user-side control of key management"

Drummond Reed: Really the problem is getting to consensus and code bases
that will implement... portable claims and digital identity.

> - John Tibbetts: "document what a credential looks like
                   (perhaps either a data model or ontology)
                   plus a graphical diagram"

Yes, John specifically also said this in our latest call:

John Tibbetts: I do think there's value in data format...

> - Bob Sheets: "I have a hard time addressing that question,
                 whatever it takes to get your group started and
                 on the map and doing work the better."

This is what Bob had to say about minimum viable first step:

Manu: If we were not able to get this work started, how would that
impact the work you're trying to do?

Bob Sheets: We would have a hard time because it's part of a three
legged stool. We need to have the cred orgs publish comparable info in
the marketplace, we need individuals to be able to communicate claims
and send to their employers, etc. If someone doesn't address the
problems you're dealing with on your leg that would be a problem ... if
someone isn't working on the individual side of this and how the
information is held and communicated in the marketplace that is one
building block of the cred marketplace that isn't being addressed and we
hope you all do it.

> - David Chadwick: (I don't see any comment)

VCTF: Should there be a standard way of expressing verifiable claims
(e.g. educational transcripts, professional licenses, KYC information,
government IDs, etc.)?

David Chadwick: Yes. Since the same claims can be used in many different
context.

> - Mike Schwartz:  (I don't see any comment)

We didn't get into this as deeply with Mike, but he did say:

Mike Schwartz: "there is a big gap for how we create a trusted profile
of the user across many domains."

"creating a trusted profile across many domains" is exactly what we're
proposing for the minimal viable first step.

> - Dick Hardt:  (I don't see any comment)

Dick Hardt: The other questions you put up there... do we need a way of
expressing claims?

Dick Hardt: I don't think we need yet another way of expressing a claim,
that's well-trodden path. Do we need an architecture that's privacy
protecting? We need that today.

Manu Sporny: How would you express claims?

Dick Hardt: I would just use JWTs (jots).

Dick Hardt: If someone wants to use [missed] we can do that too. I don't
think we need a new way to do that, what am I binding these things to
... that's privacy protecting and that's missing.

The bit that's important there is that we don't have a
privacy-protecting way to express claims today (and that goes to data
format and syntax, at a minimum and JWTs don't tell you how to do that).

> - Jeff Hodges: (I don't see any comment)

To be fair, Jeff sent in an email but we don't believe he really
understood what we were trying to do at depth because he didn't have the
time to be interviewed or read more deeply into the initiative.

> - Harry Halpin: "Another option is to scope down and aim at a 
> particular problem domain, for example a uniform vocabulary for 
> educational credentials. "

Harry didn't realize that the Credentials Transparency Initiative is
already doing this (and we interviewed them to confirm that).

> - David Singer: (I don't see any comment)

We weren't able to ask David the question directly because he noted that
he didn't have enough time to participate in a full interview either -
he sent some high-level thoughts in via email.

> * I found interesting the section on "areas of concern" (along with 
> Brad Hill's comments). It might be possible to categorize the 
> concerns like this:

I'm fine w/ that categorization, how do you think that would help the
document convey the VCTF's findings?

> c) Communication 7.1 communicate vision / big picture (BTW, I agree, 
> but this does not imply it belongs in a charter).

I don't think we'd put the vision in the charter (after we revise it in
the next day or so). We'd link to it like you did in the Web Payments
Charter (via a more extended FAQ of some kind).

> * Please list the editors of the report. Also, if possible, please 
> list in an acknowledgments section of the report the participants in 
> the task force.

Done and done. There is now an Acknowledgments section at the end of
the document.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Web Payments: The Architect, the Sage, and the Moral Voice
https://manu.sporny.org/2015/payments-collaboration/
Received on Wednesday, 17 February 2016 21:59:40 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:27 UTC