W3C home > Mailing lists > Public > public-credentials@w3.org > March 2016

Re: Review of Verifiable Claims Working Group Charter

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Fri, 11 Mar 2016 06:30:17 +0100
Message-ID: <CAKaEYhL4wbeD2fW1SxwbeOUAJsZb1+LfLBaR8hKeEWoDHVUWDQ@mail.gmail.com>
To: John Tibbetts <john.tibbetts@kinexis.com>
Cc: Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials Community Group <public-credentials@w3.org>
On 11 March 2016 at 02:40, John Tibbetts <john.tibbetts@kinexis.com> wrote:

> I’ve reviewed the Working Group Charter and, with a couple of minor
> exceptions, think it’s a very creditable document.  It’s amazing to me how
> quickly this group’s deliverables have evolved even with half the troupe
> out sick.
> I have two comments:
> Section 2. Goals
> I was skeptical at first about Ian’s suggestion of making these points
> more goal-like.  But I now realize that was a failure of imagination on my
> part.  I now see that they are a big improvement.  (Manu says he’ll do some
> word-smoothing over the weekend, but with that it’s an impressive set).
> However there’s one other point that might strengthen the goals.  Since
> the Problem Statement explicitly includes the point about cross-industry
> interoperability shouldn’t there be a goal that makes some assertion like:
> Supporting extensible vocabularies that can serve the need of a variety of
> industries.
> My wording here is somewhat anemic but the sense of this is that this goal
> would address the capabilities that earlier on, in the ‘Retrospective' blog
> post, we categorized as ‘Extensible Data Model’, or slightly differently,
> ‘Decentralized Vocabulary’.  It seems that we ought to have some goal in
> this section that addresses these issues.
> Section 3.2. Security and Privacy Considerations
> I wonder if we shouldn’t slightly soften this sentence: "Protection of the
> privacy of all participants in a credentials ecosystem is essential to
> maintaining the trust that credential systems are dependent upon to
> function.”.  I’m saying we should tone this down a mite for W3C political
> reasons.  Think of it this way: there are a lot of folks out there who put
> a lot of trust in OpenID Connect even though it’s a basic premise of this
> group that we can do a lot better with Privacy.  So an OIDC advocate might
> read this sentence as saying: if you can’t provide privacy of all
> participants your credential system isn't trustworthy.  I’ll leave it to
> those in our group who are more politically astute to judge whether this is
> a vulnerability or just my imagination.

+1 soften.  It is slightly political but it shouldnt be political, it
should be more balanced and technical -- I was chatting with a
distinguished engineer at the IETF meet and the feeling is that we can do
better here in the standards world.

In general, much like the TSA in airports, we've gone a bit too far with
security paranoia in some areas, identity being the main one.  And not far
enough with other security items such as privacy, encryption and tracking.

> Very nice job gang.
> John
Received on Friday, 11 March 2016 05:30:48 UTC

This archive was generated by hypermail 2.3.1 : Friday, 11 March 2016 05:30:49 UTC