
Re: Re: Verifiable Claims and W3C

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Tue, 26 Jan 2016 16:31:45 +0100
Message-ID: <CAKaEYh+3kf3gBN-QCx-ONhgJbVaAoLWDexT1XwP_Z0yTLs3j4w@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: Web Payments IG <public-webpayments-ig@w3.org>, Credentials Community Group <public-credentials@w3.org>, Henry Story <henry.story@bblfish.net>
On 25 January 2016 at 21:34, Manu Sporny <msporny@digitalbazaar.com> wrote:

> This is input from Harry Halpin (in his personal capacity) on the
> Verifiable Claims work at W3C:
>

I followed the link presented and found the comment:

"(Henry Story) also attacked three other people in similar ways during the
Working Group. Folks like that lack the basic social skills and humility to
work in a Working Group or collaborative effort of any kind."

-- Harry Halpin

Whether or not it's true (I don't think it is), I find this completely
inappropriate.  Henry has made valued contributions to the LDP WG and other
groups at the W3C.


>
>
> ---------- Forwarded message ----------
> From: Harry Halpin <hhalpin@w3.org>
> To: "Hodges, Jeff" <jeff.hodges@paypal.com>, Manu Sporny <
> msporny@digitalbazaar.com>, Brad Hill <hillbrad@fb.com>, Dick Hardt <
> dick@amazon.com>, "Karen O'Donoghue" <odonoghue@isoc.org>, Tony Arcieri <
> bascule@gmail.com>, David Chadwick <d.w.chadwick@kent.ac.uk>, David
> Singer <singer@apple.com>, Mike Schwartz <mike@gluu.org>, Christopher
> Allen <ChristopherA@lifewithalacrity.com>
> Cc:
> Date: Tue, 19 Jan 2016 22:17:59 -0500
> Subject: Re: Verifiable Claims and W3C
> I'm also swamped. I might second Jeff's response.
>
> 1) Don't ignore previous work: "Verifiable claims" are shipped around
> rather constantly by OAuth and OAuth-based systems such as OpenID Connect.
> While OpenID still hasn't quite worked out, there are probably more OAuth
> transactions than Visa transactions. So I wouldn't throw out OAuth and
> re-design. A user-centric approach doesn't have to ignore OAuth in favor of
> a failed Mozilla Personae approach, but can make it easier for people to
> run their own instances with increased privacy and security.
>
> 2) Don't repeat mistakes of PGP by pushing amateur crypto: WebID+TLS and
> the key work coming out of the Credentials CG seems to have ignored the
> fate of PGP, i.e. key management is not something people can do
> successfully. I would avoid a one-key per user multi-origin paradigm. As
> FIDO does correctly, aim for key derivation on a per origin basis and try
> to understand (as I saw RDF folks sometimes get wrong) that the same key
> should not be used for signatures and encryption, and not the same key used
> again and again. Keys *will* have to be upgraded to larger key sizes and as
> we see tumult around elliptic and post-quantum transitions.  Privacy and
> security are hard, and any effort should incubate with these goals and the
> right expertise in mind.
>
> 3) There's no real need to invent a new syntax. Simply put, I'd ship claims
> around using JSON Web Tokens. Even if one wants to ship RDF around, I'd
> stick to well-defined IETF standards for transporting claims around:  JSON
> Web Tokens with JSON Web Signatures rather than re-invent the wheel. JWKs
> are also supported by the WebCrypto API. RDF can be shipped around using
> JSON-LD with a JWT. The W3C should not be in the business of making
> competing 'standards' to already completed IETF work unless there's a real
> gap analysis.
>
> That being said, if previous work can be taken into account, I'm sure a
> more pragmatic way to a user-centric eco-system would be possible. However,
> let's build
>
> Another option is to scope down and aim at a particular problem domain,
> for example a uniform vocabulary for educational credentials. Throwing out
> privacy and security concerns for high value use-cases like banking is a
> non-starter, as should be obvious.
>
> Here's myself and Blaine Cook giving an entertaining overview in a video
> called "Ten Years of Social Standards Failure" although I'm sure others on
> this list could also chime in with equally entertaining stories. Everyone
> is doing this work for the right reasons, but let's not repeat mistakes of
> past!
>
> https://www.youtube.com/watch?v=BOLIuBr_2uM
>
>   cheers,
>       harry
>
>
> On 01/19/2016 08:46 PM, Hodges, Jeff wrote:
>
> [ dropped payments IG as I'm not a subscriber ]
>
> thanks for the invite, however I must offer apologies — I am totally
> soaked of late work-wise.  All I have time to do is scrawl some
> off-top-of-head comments (these are only my personal thoughts and are not
> those of my employer)..
>
> *  the definition of a "verifiable claim" is in the eye of the beholder,
> ie they're context-specific (perhaps one could say "community-specific").
>  e.g. "student at Foo Univ" is arguably a "verifiable claim" in the context
> of higher ed institutions participating in InCommon.org
>
> *  there's folks who're exchanging such claims in non-trivial communities
> today, eg InCommon <
> https://www.incommon.org/federation/attributesummary.html>, eg the US
> Govt (via PIV cards), and others I would suspect.
>
> *  the list of user-centric "qualities" <
> http://w3c.github.io/vctf/#design-approaches>  is more a wishlist of
> qualities (than a definition) that may or may not be realistically
> achievable in practice.
>
> *  we already have multiple data encapsulation/expression/encoding formats
> & frameworks that can be used to express whatever "verifiable claims" you
> desire — it's a matter of ontology development, agreement on schemas and
> profiles, etc.   such claims/assertions can be conveyed with whatever
> protocols and message encapsulation one wishes, we already have many that
> are *profilable* (meaning that if you need yet another message exchange
> pattern(s), and/or message schema(s), you can specify them, without
> reinventing messages, or the entire framework).  Re-inventing the wheel
> from the ground up is likely not necessary as there's *much* prior work
> in this overall area.
>
> *  in practice, for such large-scale decentralized technology adoption and
> use, it appears that economics trumps technology, and bridging industry
> silos (as described in the problem statement) will only occur if the
> participants in said silos have real economic needs or there's demonstrable
> economic benefits.  c.f. . . .
>
> Economic Tussles in Federated Identity Management.
> Susan Landau, Tyler Moore; Oct-2012, First Monday.
>
> http://www.firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/4254/3340
>
> *  the vctf pages read to me very similarly to several (many?) prior
> efforts in the general "identity" space (saml, liberty, WS-*, Open*, etc)
>  — i can't really tell what is different about this verifiable claims effort
>
> *  please note that FIDO is not about "identity" -- it is about
> cryptographic asymmetric-key-based peer-entity authentication, with
> provision for multiple "user verification" modalities layered on top (eg
> PIN, biometrics, whatever).  It is, however, possible to compose FIDO with
> your favorite flavor of federated identity management:  c.f.  <
> http://www.slideshare.net/CloudIDSummit/cis-2015-fido-and-federation-cis-2015-could-identity-summit-hodges>
>  for one example approach (how it composes of course depends upon the
> message flows of the "identity" framework/infrastructure one is composing
> with)
>
> I hope this helps,
>
> =JeffH
>
> ---
> On 12/20/15, 8:03 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote:
>
> Hi Brad, Dick, Jeff, Karen, Harry, Tony, DavidC, DavidS, Mike, and
> Christopher,
>
> As some of you may know, there is a group of us loosely organized around
> a W3C Community Group and the W3C Web Payments Interest Group that are
> looking into whether or not to form a Verifiable Claims (aka
> credentials, attestations) Working Group at W3C. We have a rough sketch
> of what the group would be about here:
>
> http://w3c.github.io/vctf/
>
> The group has identified each of you as a person that would be important
> to interview before we make a decision on whether to create a WG or not.
> Each interview would consist of you letting us know your thoughts on the
> initiative (after reading the link above). We'll have some questions[1]
> to guide the discussion if you're unsure about the sort of stuff we're
> trying to learn from you, but feel free to pose your own interesting
> questions (and answer them) during the interview.
>
> This is just a heads-up that we're going to be asking for some of your
> time in January. We'll work around your schedule. I'll send a time
> request in a separate email and we'll have a prep call (with recorded
> audio for those that can't make it) in early January as well.
>
> -- manu
>
> [1]
> https://www.w3.org/Payments/IG/wiki/ProposalsQ42015/VerifiableClaimsTaskForce#Open_Questions
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Web Payments: The Architect, the Sage, and the Moral Voice
> https://manu.sporny.org/2015/payments-collaboration/
>
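Two of Harry's points above (per-origin, per-purpose key derivation in point 2, and shipping claims as a JWT signed with JWS in point 3) are concrete enough to show in code. The block below is an added illustration for this archive page, not code from any participant in the thread or from the vctf work. It derives separate keys per origin and per purpose with HKDF (RFC 5869) over the Python standard library, issues a JSON-LD-shaped claim set as a compact JWS using HS256, and verifies it while rejecting algorithm confusion, tampering, the wrong audience and expiry. HS256 (a shared secret) is used only so the example runs without third-party libraries; a deployment would use an asymmetric JWS algorithm so the verifier holds no signing capability. The master secret, origins, `@context` URL and claim values are constructed placeholders.

```python
import base64
import hashlib
import hmac
import json
import time


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 extract-then-expand with HMAC-SHA256 (stdlib only)."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_key(master: bytes, origin: str, purpose: str) -> bytes:
    """One key per (origin, purpose): signing and encryption never share a key,
    and one origin's key says nothing about another's."""
    return hkdf_sha256(master, salt=b"demo-salt", info=f"{origin}|{purpose}".encode())


def issue_jwt(key: bytes, claims: dict) -> str:
    """Compact JWS over a JSON claim set (JWT), HS256 for runnability."""
    header = {"alg": "HS256", "typ": "JWT"}
    dump = lambda obj: json.dumps(obj, separators=(",", ":"), sort_keys=True).encode()
    segments = [b64url(dump(header)), b64url(dump(claims))]
    signature = hmac.new(key, ".".join(segments).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segments + [b64url(signature)])


def verify_jwt(key: bytes, token: str, expected_aud: str, now=None):
    """Return the claims if the token is authentic and acceptable, else None."""
    try:
        h_b64, p_b64, s_b64 = token.split(".")
    except ValueError:
        return None
    header = json.loads(b64url_decode(h_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never trust "none"
        return None
    expected = hmac.new(key, f"{h_b64}.{p_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s_b64)):  # constant-time
        return None
    claims = json.loads(b64url_decode(p_b64))
    now = time.time() if now is None else now
    if claims.get("aud") != expected_aud or claims.get("exp", 0) <= now:
        return None
    return claims


# Constructed sample data (placeholders, not from the thread).
MASTER = b"constructed-master-secret-for-demo"
ISSUER = "https://issuer.example"
VERIFIER = "https://verifier.example"
NOW = 1_700_000_000
CLAIMS = {
    "iss": ISSUER,
    "aud": VERIFIER,
    "exp": NOW + 3600,
    "claim": {  # JSON-LD payload carried inside the JWT, as point 3 suggests
        "@context": "https://example.org/claims/v1",
        "@type": "StudentCredential",
        "subject": "https://alice.example/#me",
        "institution": "Foo Univ",
    },
}


def demo() -> dict:
    sign_key = derive_key(MASTER, ISSUER, "sign")
    enc_key = derive_key(MASTER, ISSUER, "encrypt")
    other_origin_key = derive_key(MASTER, "https://other.example", "sign")
    token = issue_jwt(sign_key, CLAIMS)

    # Forgeries: swapped payload with the original signature, and alg=none.
    head, _, sig = token.split(".")
    forged_claims = dict(CLAIMS, claim=dict(CLAIMS["claim"], institution="Bar Univ"))
    tampered = ".".join([head, b64url(json.dumps(forged_claims, sort_keys=True).encode()), sig])
    none_header = b64url(b'{"alg":"none","typ":"JWT"}')
    alg_none = ".".join([none_header, token.split(".")[1], ""])

    return {
        "keys_differ": sign_key != enc_key and sign_key != other_origin_key,
        "valid": verify_jwt(sign_key, token, VERIFIER, now=NOW) == CLAIMS,
        "other_origin_rejected": verify_jwt(other_origin_key, token, VERIFIER, now=NOW) is None,
        "tampered_rejected": verify_jwt(sign_key, tampered, VERIFIER, now=NOW) is None,
        "alg_none_rejected": verify_jwt(sign_key, alg_none, VERIFIER, now=NOW) is None,
        "wrong_audience_rejected": verify_jwt(sign_key, token, "https://elsewhere.example", now=NOW) is None,
        "expired_rejected": verify_jwt(sign_key, token, VERIFIER, now=NOW + 3601) is None,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The verifier pins the algorithm before looking at the signature, compares in constant time, and checks audience and expiry, which is the minimum a relying party needs whatever claim vocabulary sits inside the payload; the key derivation shows why "one key per user across origins" is avoidable even from a single root secret.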
Received on Tuesday, 26 January 2016 15:32:30 UTC
