Verifiable Claims CG Telecon Minutes for 2017-05-16

Thanks to Manu Sporny for scribing this week! The minutes
for this week's Verifiable Claims CG telecon are now available:

http://w3c.github.io/vctf/meetings/2017-05-16/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims CG Telecon Minutes for 2017-05-16

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2017May/0035.html
Topics:
  1. Introduce New Chairs
  2. New Members
  3. Review of Credentials CG Mission Statement
  4. Community Group Priorities
  5. Potential Work Items
Action Items:
  1. Manu to create preliminary list of work items for group and 
    send out to mailing list.
  2. ChristopherA to create first draft of new credential mission
  3. Christopher to create a new proposal for how digital 
    verification group integrates.
Organizer:
  Manu Sporny
Scribe:
  Manu Sporny
Present:
  Manu Sporny, Christopher Allen, Kim (Hamilton) Duffy, Joe 
  Andrieu, Matt Stone, Nathan George, Dave Longley, David Chadwick, 
  David I. Lehn, Dan Burnett
Audio:
  http://w3c.github.io/vctf/meetings/2017-05-16/audio.ogg

Manu Sporny is scribing.

Topic: Introduce New Chairs

Christopher Allen:  Manu put out a call for new chair 
  nominations, have we received any?
Manu Sporny:  Nope, no new nominations.
Christopher Allen:  We're going to leave that open for now, if 
  someone else gets nominated, let us know. At present it's Kim 
  Hamilton and myself.
Christopher Allen:  My name is Christopher Allen, I've been 
  involved in Internet Cryptography work for a while. I co-authored 
  TLS. I've been involved in ad-hoc standards at IETF... been 
  involved in Verifiable Claims for 2 years or so. Also AC rep for 
  Blockstream.
Kim (Hamilton) Duffy:  I'm Kimberly Duffy, lead designer for 
  BlockCerts. I've been participating in Verifiable Claims for a 
  while, we're finding ourselves turning into a working prototype 
  of the work here. We've been involved in Rebooting Web of Trust 
  as well, very interested in expanding on that work as well.

Topic: New Members

Christopher Allen:  Are there any new members?
No new members at this meeting.

Topic: Review of Credentials CG Mission Statement

Christopher Allen:  This work started in 2014... with more work 
  before that in Web Payments CG. We have successfully established 
  a Verifiable Claims WG, so now is the time to review what we've 
  been doing and will do.
https://www.w3.org/community/credentials/
Christopher Allen:  A quick recap of our mission statement... (at 
  link above)
Christopher Allen:  There is one thing in here that's core to me 
  - the Credentials CG is to discuss, research, document, prototype 
  credential systems for the Web... that's the core of this.
Christopher Allen:  If there is some other aspect of that longer 
  paragraph that we should keep ... or something we should remove.
Manu Sporny:  That mission statement hasn't been updated in 2 
  years and it was put together in a rush. We should update it and 
  make it simpler and more concise. One thing about it that most of 
  the folks don't know about is that we wrote it understanding that 
  there were multiple groups that were hostile to the work at the 
  time. Anyone that was working on things like JWTs/JOSE/SAML/etc 
  may have viewed the work/at least the discussions at the time 
  were "you are reinventing the wheel don't do it". Much of that 
  statement was about allowing us to have the discussion around 
  whether the existing tech could meet the use cases we had. We've 
  come to the conclusion since then that existing tech doesn't but 
  we've tried to integrate the parts that do. I think we should 
  update that mission statement to reflect what we want to do over 
  the next 2 years. I think the environment isn't as hostile as it 
  used to be, the other procedural thing ... we can't change the 
  mission statement without contacting W3C staff and having them 
  update it. We should be absolutely sure with the text we want 
  before approaching them so we don't make them cranky. All that to 
  say, the best thing for that mission statement is to get 
  something on the table and have people nitpick it. Get it into a 
  Google doc and have people comment and have chairs try and 
  capture the essence. [scribe assist by Dave Longley]
Christopher Allen:  I'd like more comments, but no proposals just 
  yet.
Joe Andrieu:  Reading this, the first thing that pops up is that 
  credential didn't seem quite right.
Joe Andrieu:  The credential isn't a statement about a fact, it's 
  an assertion about something by an authority.
Manu Sporny:  +1 To what Joe just said.
Matt Stone: +1 To JoeAndrieu comment
Christopher Allen:  We need to consider something that happened 
  six months ago - a number of the specs that the Task Force was 
  working on got moved over to the Digital Verification CG.
https://www.w3.org/community/digital-verification/
Christopher Allen:  What's important about that group is that 
  these are the signature standards. For instance, reading the 
  mission statement...
Christopher Allen:  The mission of the Digital Verification 
  Community Group is to study, design, promote, and deploy systems 
  that increase trust on the Web. These systems include, but are 
  not limited to signature systems, data normalization algorithms, 
  and computational proof systems.
Christopher Allen:  There's some interesting work going on there 
  - Merkle Proofs, Proof of Existence, etc. I'm the Chair of the 
  CG... mailing list isn't active... considering our role in this 
  CG... does it include that CG? Merge back? Wanted to review that 
  that was there. Wanted to hold off on specific proposals... There 
  are two communities currently.

Topic: Community Group Priorities

Christopher Allen:  We need to figure out our priorities going 
  forward... rename the group? revised mission? Merge CGs? 
  Timeframe? Concrete Deliverables?
Christopher Allen:  Maybe we can have some discussion, and then 
  talk about the pipeline?
Kim (Hamilton) Duffy:  With regard to signatures, a couple of the 
  near timeframe items that I had a goal to work on with this group 
  is basically coding out something around signature suites. RSA 
  signature suites, Merkle signature suites... those are more 
  follow your nose items... they need to be finished. It would be 
  nice to have an active group to collaborate on with those 
  efforts. Don't know if this is the right group for that work.
Christopher Allen:  I may be interested in seeing groups get 
  merged back together. We may want to see the other group as a 
  more crypto-aware group... more CFRG-like. Reviews things as a 
  high level. I have a couple of crypto folks to entice into 
  reviewing these specs. It's been a challenge to get those 
  reviews, one of the ways to get that is to offer a way to have 
  someone put something on their CV doing that sort of stuff.
Nathan George:  +1 To the idea of merging the groups... there is 
  some interest at Hyperledger on Verifiable Claims so people 
  outside their ledgers can see/verify the ledgers.
Dave Longley: Thanks
Nathan George:  I think being able to do different signature 
  schemes, that work would be useful to do here... we'll have to 
  split participation across both of those forums... consolidating 
  those may have to deal w/ real-world implementation.
Dave Longley: +1 To consolidate until there's a need to split ... 
  which there doesn't seem to be at the moment.
David Chadwick: My question is what about the whole life cycle of 
  using VCs, ie. inspectors telling users which VCs to send
David Chadwick: I could not connect by voice so am only on chat
Matt Stone: +1 On that line of discussion
David Chadwick: Users selecting the correct VCs (ie. giving 
  consent) and then the VCs being transferred to inspectors
Dave Longley: Further developing a protocol/query language for 
  inspectors and so on is definitely in this CG's domain
Christopher Allen:  This comes to the larger question... things 
  that the VCWG are not chartered to do... talked a bit about the 
  pipeline... we can incubate things early, at places like RWoT, 
  and then feed into the CG and formalize more, and then go into 
  WG.
Matt Stone: There is a difference between the validity period of 
  a license/degree (profession credential) vs. the term that a 
  published claim can be used/relied upon.
Christopher Allen:  Potentially create Task Forces, WG... 
  thoughts there, Manu?
Dave Longley: User selection of VCs, etc. related to a browser 
  polyfill tech, again, something this CG should work on, IMO.
Manu Sporny:  We want to be a bit careful with merging the two 
  CGs. Primarily from a messaging layer... the W3C membership, 
  there are 420-450 members, only 5% pay any attention to the CG 
  space. When you come to them with a proposal, if you have 
  something that's very clear, like "we have a new signature format 
  under consideration and the digital verification community has 
  been working on it for a while" that's a better message than it 
  coming from a group with a [scribe assist by Dave Longley]
Dave Longley: Different name, etc. We have to think about 
  branding, unfortunately.
Joe Andrieu: +1 To think about branding wrt merging & naming
Kim (Hamilton) Duffy: +1 To joint meetings, sounds easier 
  politically
Manu Sporny:  We have to think of a name that will put the W3C 
  membership at ease. We don't want them wondering why things are 
  coming from certain groups and it would take a while to educate 
  them. The reason we split signatures out was that we had it in 
  the payments group and people raised eyebrows and then we moved 
  it to credentials and still an eyebrow raise, then moved it to 
  the digital verification group and no more eyebrows. That 
  doesn't mean we have to [scribe assist by Dave Longley]
Dave Longley: Work on it that way -- we can work on it however we 
  want. We can have joint meetings and say we're working on these 
  things jointly with the digital verification group. That would, I 
  think, be more beneficial than just combining the groups. Another 
  way is we could have a Verifiable Claims CG and if the WG gets a 
  good reputation and we say the CG has signatures coming out that 
  are needed for the WG, then that's a good line of argumentation. 
  If the brand is
Dave Longley: Good we can use it if it's good in a year or two, 
  or we continue to use the digital verification branding. And make 
  that where we put signatures and so forth there. I'm a bit 
  hesitant to recombine the groups and we spent some effort 
  splitting them apart.
Manu Sporny:  That's the signature format stuff. The pipeline ... 
  one of things we've worked hard to do over the last, even before 
  the Credentials CG was formed it was in Web Payments, 4+ years. 
  We've got a good pipeline finally setup. It's effectively, we 
  incubate super experimental stuff at IIW/RWoT/etc any workshop 
  that will have us. Those end up being formed into W3C like spec, 
  we then take that spec into a CG for incubation and once it's 
  incubated we hand it [scribe assist by Dave Longley]
Dave Longley: Off to a WG.
Manu Sporny:  We have this pipeline setup for VC, not only data 
  format and syntax, but protocols, moving over browsers or 
  NFC/whatever, whether we need to work on next gen tech, 
  blockchain, etc. The core thing is that we have to keep the 
  pipeline alive. Three sections, super experimental stuff, CG 
  prepping stuff, WG stuff. Any of those stalls or shuts down we 
  have to go through a lot of effort to get it up and working 
  again. We want to make sure all sections of [scribe assist by 
  Dave Longley]
Dave Longley: The pipeline are fed at all times and we have a 
  fairly good idea of what the roadmap is. That might be a hint 
  that one of the things after the mission statement is a roadmap 
  and priorities so everyone knows the focus and where things are 
  in the pipeline. It also helps us with TPAC presentations, etc so 
  people get a heads up for what's coming down the pipeline. This 
  is just a proposal on how we work, it seems to have paid off at 
  present. We hope to
Dave Longley: Continue to have it working for us over the next 2 
  years.
Christopher Allen:  We talked about the pipeline as having 3 
  phases, but there is a 4th phase - security/crypto review... 
  we've talked about them, but we haven't had that kind of formal 
  aspect of this.
Christopher Allen:  The Credentials CG should be doing things 
  like talking about privacy, incorporating Joe's ideas at a high 
  level - what do we need? What do we mean when we talk about 
  Privacy? It's the place for Use Cases that don't fall into the 
  VCWG charter. Human rights use cases, Web of Trust use cases.
Christopher Allen:  Once we get down to the details, maybe we 
  need to get into Digital Verification CG sub community. I could 
  see this used by other WGs to sign other JSON messages... JSON-LD 
  messages, but are not technically a Verifiable Claim.
Christopher Allen:  If we can support that, that would be good. 
  Maybe we could get two active work items... implementations and 
  finalizing spec - two at a time, of list of things in Digital 
  Verification CG. Separate from higher-level on issuing 
  requirements/reports, DIDs, and other stuff.
Christopher Allen:  I'm open to it, recognize the conflict... in 
  some ways, it's clear that we're in the bits level and Kim should 
  be Chair of that group along w/ cryptographer... or we do 
  Credentials CG differently.
David Chadwick: Re: Privacy. At EIC last week, it was suggested 
  that the IETF token binding spec 
  (draft-ietf-tokbind-https-09.txt) can be used to privacy protect 
  VCs and allow them to be transferred from issuer to inspector 
  without the issuer knowing who the inspector is
Christopher Allen:  This is another example of a more detailed 
  bit-level spec that could be a part of either group.
Manu Sporny:  +1 To looking into tokenbinding in this group.
Kim (Hamilton) Duffy:  I'm fine either way (wrt. splitting 
  groups) - only thing that I'm worried about is if signature folks 
  in this group care about only one side of it. I'm curious to find 
  out more about what the general group is interested in.
Manu Sporny:  I think we should gather a list of things we could 
  work on and see where the most amount of interest is and a 
  specific focus on people who would not only work on the spec but 
  implement. [scribe assist by Dave Longley]
Dave Longley: "Champions"
Manu Sporny:  Interoperable implementations really moves things 
  forward. Signatures we should polish up and get finished. There 
  are other specs out there like the DID (Decentralized Identifier) 
  specs, lots of implementer interest there. Browser API specs that 
  we really need a long lead time on to pass by Google/Mozilla/etc. 
  to see if they are interested in implementing in the browser. 
  We've had a lot of people list off a number of specs/techs they 
  are interested [scribe assist by Dave Longley]
Dave Longley: In working on. We also have people that don't say 
  much on the calls or people in Europe/Asia/Australia that can't 
  join the calls. Putting out a poll with a list of things to work 
  on and have people rank them that basically tells us what the 
  group should be doing.
Christopher Allen:  Having 2 or 3 mailing lists could be a useful 
  way of doing things.
Dave Longley: Was just going to add that it would be good to have 
  champions for different techs -- which are also usually the 
  editors for specs -- important to move things forward.
Joe Andrieu: Please add Engagement Model similar to Joram 1.0.0 
  to possible work, to help flesh out the pipeline/lifecycle for 
  credentials
Kim (Hamilton) Duffy: +1 On champions
Manu Sporny:  Just to push back a bit on splitting too early ... 
  it's always obvious when you've got too much going on in a group 
  and part of the group wants to split off, but it's really hard to 
  start in three separate groups to get the momentum on any single 
  item. Let's not do multiple telecons/mailing lists, let's just 
  rate a bunch of stuff in this group and then get feedback on what 
  we choose. [scribe assist by Dave Longley]
Manu Sporny:  (Reduce overhead until necessary) Split off when it 
  becomes obvious when we need to do that. [scribe assist by Dave 
  Longley]
Christopher Allen:  Kim and I will take it as our charge to keep 
  an eye on things, monitor, ask periodically. I agree, one joint 
  call, one joint mailing list, only split when we have to seems 
  reasonable.
David Chadwick: +1

Topic: Potential Work Items

Christopher Allen:  I'll focus on new mission statement, personal 
  action item.
Dave Longley:  I'm interested in implementation and spec for 
  Credentials polyfill API... this is the main piece that's missing 
  for people that want to share credentials on the web. Digital 
  Bazaar has built a polyfill for this a number of years ago, 
  polyfill API has changed in tandem with Credential Management 
  API... ours is an extension to that spec. We need to figure out 
  if we want to continue down that path.
Dave Longley:  There is a lot of different discussion that needs 
  to happen there. Implementation work on that polyfill. Important 
  part of ecosystem that needs to be done.
Joe Andrieu:  I would like to put some effort into larger use 
  case. Engagement model for Joram is an example of that. I'd like 
  to pick a use case and walk through it. Lifecycle of a Verifiable 
  Claim.
Joe Andrieu:  It has resonance in areas that we can't yet talk 
  about in the VCWG and outside as well.
David Chadwick: +1
Manu Sporny:  I wanted to second Dave Longley's browser API spec 
  thing. This speaks a bit to what David Chadwick mentioned earlier 
  in the call. The question of how do we get these things around. 
  How do you store verifiable claims, how do people ask for them, 
  how do we move them around from A to B in an interoperable way. 
  It's critical for the ecosystem to operate. I'm a bit concerned 
  in skipping a step where we document why you can't accomplish 
  this with [scribe assist by Dave Longley]
Dave Longley: SAML/JOSE, we've done some of that analysis but 
  need to write it up. That's also part of the VCWG charter and no 
  reason the CG can't help them with that.
Manu Sporny:  I also wanted to mention the DID spec, as those 
  involved in this group have seen over time, it started as a 
  Mozilla Persona thing as a way to do Persona correctly... [scribe 
  assist by Dave Longley]
Manu Sporny:  Eventually Evernym folks picked up the work and we 
  helped them put out a spec. It's mature enough to turn into a W3C 
  format style spec and getting two interoperable implementations 
  on that spec would be good to queue that up to get into a WG. 
  [scribe assist by Dave Longley]
Nathan George: I won't queue myself unless others think it is 
  needed (a lot of this has already been mentioned, and is related 
  to the DID suite of specs): Comparisons with OAuth/OpenID 
  Connect/SAML, Protocol work (Claim Request, Claim Response, Proof 
  Request, Proof Response), Signature schemes for anoncreds, 
  credential management issues (at sovrin we sometimes call this a 
  proof solver), expanding on the use of VCs and DIDs 
  (Authentication, API spec, non-repudiability of
Nathan George: Identity owner APIs)
Manu Sporny:  That may be a heavy lift. We'd have to do some 
  education on W3C and IETF and why the world needs DIDs. I'd 
  rather get started on that work now, understanding that it's 
  going to take a while for people to get it. Having a spec and 
  interop implementations help people get it. I also agree with Kim 
  in that the signature stuff is super important. We've gotten 
  tired with the "why didn't you consult me/work with these crypto 
  people to do it" -- we can't [scribe assist by Dave Longley]
Dave Longley: Wait on the "right" people to look on it ("right" 
  being relative).
Manu Sporny:  To be clear, it's in that order ... priorities: 1. 
  signatures, 2. browser API spec, 3. DIDs [scribe assist by Dave 
  Longley]
Manu Sporny:  As far as my personal preference is concerned. 
  [scribe assist by Dave Longley]
Christopher Allen:  I'm committed to continuing to work with 
  Community to drive that forward. Some things at a higher level - 
  original DPKI - we need to revisit that. Now that we've done 
  DIDs... say "This is why we're doing DIDs... here are the 
  requirements... there is no better way to meet these use cases." 
  Then we can dive into specifics of protocols/formats of DIDs. We 
  do have a persuasion job... Self-sovereign identity, DPKI, we're 
  not doing a fabulous job  explaining to uninitiated what that is 
  and why it's important. I'd like the Credentials group to work on 
  that.
Christopher Allen:  We have particular problems in data 
  minimization and selective disclosure - I'd like to see a report 
  - what exactly is selective disclosure, different forms of it... 
  when I say something as a cryptographer, it means something 
  specific. Some others think that's "data minimization".
Christopher Allen:  There are things like Merkle Proof signature 
  - that may be more important than other signature formats. We 
  don't know that yet, community hasn't accepted that yet, but we 
  haven't decided what our privacy/public disclosure stuff is.
Dave Longley: I have interest and spec+implementation input on 
  everything discussed so far :)
Kim (Hamilton) Duffy: Ditto
David Chadwick: I more or less agree with the priority order. The 
  W3C web auth spec is also of interest to me 
  (https://www.w3.org/TR/webauthn/). This comes under priority 2. 
  But under 2. we should also consider the whole VC lifecycle 
  model
Manu Sporny:  You only need another 12 hours in the day to work 
  on those items, folks :)
Christopher Allen:  We are going to have to prioritize... 
Dave Longley: Voip-vctf: connections?
Christopher Allen:  I'd really like to hear from some of the 
  other players - you're spending a good chunk of time here - what 
  are your areas of interest? What can you commit to?
Kim (Hamilton) Duffy:  I was going to ask a similar question - 
  there was a lot of traction around DIDs at last RWoT... any areas 
  of focus there? If not, we can follow up on mailing list. I 
  definitely want to work on signature suite stuff.
Christopher Allen:  If Credentials group thinks we want to take 
  in DIDs, we have 100+ people in RWoT community, we can try to 
  broaden the community to get them in.
Christopher Allen:  How can we add items to this list and further 
  the list.
Nathan George: The Sovrin and Decentralized Identity folks have 
  started talking about DID TLS (using SNI hints and token binding) 
  as well as a DID Auth spec
Manu Sporny:  What we might be able to do is put the list in a 
  google doc and put it out the mailing list and say "If you have 
  any other items please add them". We give people a week to weigh 
  in, then create a poll that allows people to assign priorities, 
  like 0-10, and items that get the most votes are the ones that we 
  end up working on. [scribe assist by Dave Longley]
Dave Longley:  You should also ask people what they will work on 
  [scribe assist by David Chadwick]

ACTION: Manu to create preliminary list of work items for group 
  and send out to mailing list.

Christopher Allen:  We may want to get a list of things that 
  people want to work on.
Christopher Allen:  That is, something they are willing to commit 
  to.

ACTION: ChristopherA to create first draft of new credential 
  mission

Christopher Allen:  Please get back to me on mission statement. 
Christopher Allen:  We'll meet at same time next week. Progress 
  on action items, we can continue to dive into the potential 
  projects here. I'm reluctant to recruit a cryptographer to do 
  signatures group yet until we know that that's the way we're 
  going to be running things. Potential action item - decision to 
  keep those things separate as a repo. What are our requirements 
  there? Any other action items for next week?

ACTION: Christopher to create a new proposal for how digital 
  verification group integrates.

Christopher Allen:  Let the Chairs know if you have further 
  agenda items.

Received on Tuesday, 16 May 2017 17:35:45 UTC