- From: Timothy Holborn <timothy.holborn@gmail.com>
- Date: Wed, 27 Jan 2016 21:25:10 +1100
- To: Harry Halpin <hhalpin@w3.org>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>, Manu Sporny <msporny@digitalbazaar.com>, Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAM1Sok0WaMKLOkuWMZ0nFe+ha0b6+MkroGv4HBMduMo7Uxo2hw@mail.gmail.com>
Hi Harry, I pondered your metaphysical concept of identity? How are you defined by who you think you are, and how others think you are? How does LDP / RWW kinda tech. Enable you to store and manage this kinda stuff online, as enhanced from previous generations of society who depend upon offline means. therein also of course, are considerations relating to RDBMS vs. Graph. I'll let that go, understanding now both are possible beyond the means otherwise capable even a decade ago. the purpose of my questions is to better understand your views and foundations of consideration, around what credentials is working to achieve technically / politically (via open-standards W3C patent protocol and related inclusions...) Tim.H. On 26 January 2016 at 07:34, Manu Sporny <msporny@digitalbazaar.com> wrote: > This is input from Harry Halpin (in his personal capacity) on the > Verifiable Claims work at W3C: > > > ---------- Forwarded message ---------- > From: Harry Halpin <hhalpin@w3.org> > To: "Hodges, Jeff" <jeff.hodges@paypal.com>, Manu Sporny < > msporny@digitalbazaar.com>, Brad Hill <hillbrad@fb.com>, Dick Hardt < > dick@amazon.com>, "Karen O'Donoghue" <odonoghue@isoc.org>, Tony Arcieri < > bascule@gmail.com>, David Chadwick <d.w.chadwick@kent.ac.uk>, David > Singer <singer@apple.com>, Mike Schwartz <mike@gluu.org>, Christopher > Allen <ChristopherA@lifewithalacrity.com> > Cc: > Date: Tue, 19 Jan 2016 22:17:59 -0500 > Subject: Re: Verifiable Claims and W3C > I'm also swamped. I might second Jeff's response. > > 1) Don't ignore previous work: "Verifiable claims" are shipped around > rather constantly by OAuth and OAuth-based systems such as OpenID Connect. > While OpenID still hasn't quite worked out, there are probably more OAuth > transactions than Visa transactions. So I wouldn't throw out OAuth and > re-design. A user-centric approach doesn't have to ignore OAuth in favor of > a failed Mozilla Personae appraoch, but can make it easier for people to > run their own instances with increased privacy and security. > > 2) Don't repeat mistakes of PGP by pushing amateur crypto: WebID+TLS and > the key work coming out of the Credentials CG seems to have ignored the > fate of PGP, i.e. key management is not something people can do > successfully. I would avoid a one-key per user multi-origin paradigm. As > FIDO does correctly, aim for key derivation on a per origin basis and try > to understand (as I saw RDF folks sometimes get wrong) that the same key > should not be used for signatures and encryption, and not the same key used > again and again. Keys *will* have to be upgraded to larger key sizes and as > we seem tumult around elliptic and post-quantum transitions. Privacy and > security are hard, and any effort should incubate with these goals and the > right expertise in mind. > > 3) There's no real need to invent a new syntax Simply put, I'd ship claims > around using JSON Web Tokens. Even if one wants to ship RDF around, I'd > stick to well-defined IETF standards for transporting claims around: JSON > Web Tokens with JSON Web Signatures rather than re-invent the wheel. JWKs > are also supported by the WebCrypto API. RDF can be shipped around using > JSON-LD with a JWT. The W3C should not be in the business of making > competing 'standards' to already completed IETF work unless there's a real > gap analysis. > > That being said, if previous work can be taken into account, I'm sure a > more pragmatic way to a user-centric eco-system would be possible. However, > let's build > > Another option is to scope down and aim at a particular problem domain, > for example a uniform vocabulary for educational credentials. Throwing out > privacy and security concerns for high value use-cases like banking is a > non-starter, as should be obvious. > > Here's myself and Blaine Cook giving an entertaining overview in a video > called "Ten Years of Social Standards Failure" although I'm sure others on > this list could also chime in with equally entertaining stories. Everyone > is doing this work for the right reasons, but let's not repeat mistakes of > past! > > https://www.youtube.com/watch?v=BOLIuBr_2uM > > cheers, > harry > > > cheers, > harry > > > On 01/19/2016 08:46 PM, Hodges, Jeff wrote: > > [ dropped payments IG as I'm not a subscriber ] > > thanks for the invite, however I must offer apologies — I am totally > soaked of late work-wise. All I have time to do is scrawl some > off-top-of-head comments (these are only my personal thoughts and are not > those of my employer).. > > * the definition of a "verifiable claim" is in the eye of the beholder, > ie they're context-specific (perhaps one could say "community-specific"). > e.g. "student at Foo Univ" is arguably a "verifiable claim" in the context > of higher ed institutions participating in InCommon.org > > * there's folks who're exchanging such claims in non-trivial communities > today, eg InCommon < > https://www.incommon.org/federation/attributesummary.html>, eg the US > Govt (via PIV cards), and others I would suspect. > > * the list of user-centric "qualities" < > http://w3c.github.io/vctf/#design-approaches> is more a wishlist of > qualities (than a definition) that may or may not be realistically > achievable in practice. > > * we already have multiple data encapsulation/expression/encoding formats > & frameworks that can be used to express whatever "verifiable claims" you > desire — it's a matter of ontology development, agreement on schemas and > profiles, etc. such claims/assertions can be conveyed with whatever > protocols and message encapsulation one wishes, we already have many that > are *profilable* (meaning that if you need yet another message exchange > pattern(s), and/or message schema(s), you can specify them, without > reinventing messages, or the entire framework). Re-inventing the wheel > from the ground up is likely not necessary as there's *much* prior work > in this overall area. > > * in practice, for such large-scale decentralized technology adoption and > use, it appears that economics trumps technology, and bridging industry > silos (as described in the problem statement) will only occur if the > participants in said silos have real economic needs or there's demonstrable > economic benefits. c.f. . . . > > Economic Tussles in Federated Identity Management. > Susan Landau, Tyler Moore; Oct-2012, First Monday. > > http://www.firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/4254/3340 > > * the vctf pages read to me very similarly to several (many?) prior > efforts in the general "identity" space (saml, liberty, WS-*, Open*, etc) > — i can't really tell what is different about this verifiable claims effort > > * please note that FIDO is not about "identity" -- it is about > cryptographic asymetric-key-based peer-entity authentication, with > provision for multiple "user verification" modalities layered on top (eg > PIN, biometrics, whatever). It is, however, possible to compose FIDO with > your favorite flavor of federated identity management: c.f. < > http://www.slideshare.net/CloudIDSummit/cis-2015-fido-and-federation-cis-2015-could-identity-summit-hodges> > for one example approach (how it composes of course depends upon the > message flows of the "identity" framework/infrastructure one is composing > with) > > I hope this helps, > > =JeffH > > --- > On 12/20/15, 8:03 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote: > > Hi Brad, Dick, Jeff, Karen, Harry, Tony, DavidC, DavidS, Mike, and > Christopher, > > As some of you may know, there is a group of us loosely organized around > a W3C Community Group and the W3C Web Payments Interest Group that are > looking into whether or not to form a Verifiable Claims (aka > credentials, attestations) Working Group at W3C. We have a rough sketch > of what the group would be about here: > > http://w3c.github.io/vctf/ > > The group has identified each of you as a person that would be important > to interview before we make a decision on whether to create a WG or not. > Each interview would consist of you letting us know your thoughts on the > initiative (after reading the link above). We'll have some questions[1] > to guide the discussion if you're unsure about the sort of stuff we're > trying to learn from you, but feel free to pose your own interesting > questions (and answer them) during the interview. > > This is just a heads-up that we're going to be asking for some of your > time in January. We'll work around your schedule. I'll send a time > request in a separate email and we'll have a prep call (with recorded > audio for those that can't make it) in early January as well. > > -- manu > > [1] > https://www.w3.org/Payments/IG/wiki/ProposalsQ42015/VerifiableClaimsTaskForce#Open_Questions > > -- > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > Founder/CEO - Digital Bazaar, Inc. > blog: Web Payments: The Architect, the Sage, and the Moral Voice > https://manu.sporny.org/2015/payments-collaboration/ > > > >
Received on Wednesday, 27 January 2016 10:26:39 UTC