- From: <msporny@digitalbazaar.com>
- Date: Tue, 16 May 2017 13:35:14 -0400
- To: Credentials CG <public-credentials@w3.org>
Thanks to Manu Sporny for scribing this week! The minutes
for this week's Verifiable Claims CG telecon are now available:
http://w3c.github.io/vctf/meetings/2017-05-16/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Verifiable Claims CG Telecon Minutes for 2017-05-16
Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2017May/0035.html
Topics:
1. Introduce New Chairs
2. New Members
3. Review of Credentials CG Mission Statement
4. Community Group Priorities
5. Potential Work Items
Action Items:
1. Manu to create preliminary list of work items for group and
send out to mailing list.
2. ChristopherA to create first draft of new credential mission
3. Christopher to create a new proposal for how digital
verification group integrates.
Organizer:
Manu Sporny
Scribe:
Manu Sporny
Present:
Manu Sporny, Christopher Allen, Kim (Hamilton) Duffy, Joe
Andrieu, Matt Stone, Nathan George, Dave Longley, David Chadwick,
David I. Lehn, Dan Burnett
Audio:
http://w3c.github.io/vctf/meetings/2017-05-16/audio.ogg
Manu Sporny is scribing.
Topic: Introduce New Chairs
Christopher Allen: Manu put out a call for new chair
nominations, have we received any?
Manu Sporny: Nope, no new nominations.
Christopher Allen: We're going to leave that open for now, if
someone else gets nominated, let us know. At present it's Kim
Hamilton and myself.
Christopher Allen: My name is Christopher Allen, I've been
involved in Internet Cryptography work for a while. I co-authored
TLS. I've been involved in ad-hoc standards at IETF... been
involved in Verifiable Claims for 2 years or so. Also AC rep for
Blockstream.
Kim (Hamilton) Duffy: I'm Kimberly Duffy, lead designer for
BlockCerts. I've been participating in Verifiable Claims for a
while, we're finding ourselves turning into a working prototype
of the work here. We've been involved in Rebooting Web of Trust
as well, very interested in expanding on that work as well.
Topic: New Members
Christopher Allen: Are there any new members?
No new members at this meeting.
Topic: Review of Credentials CG Mission Statement
Christopher Allen: This work started in 2014... with more work
before that in Web Payments CG. We have successfully established
a Verifiable Claims WG, so now is the time to review what we've
been doing and will do.
https://www.w3.org/community/credentials/
Christopher Allen: A quick recap of our mission statement... (at
link above)
Christopher Allen: There is one thing in here that's core to me
- the Credentials CG is to discuss, research, document, prototype
credential systems for the Web... that's the core of this.
Christopher Allen: If there is some other aspect of that longer
paragraph that we should keep ... or something we should remove.
Manu Sporny: That mission statement hasn't been updated in 2
years and it was put together in a rush. We should update it and
make it simpler and more concise. One thing about it that most of
the folks don't know about is that we wrote it understanding that
there were multiple groups that were hostile to the work at the
time. Anyone that was working on things like JWTs/JOSE/SAML/etc
may have viewed the work/at least the discussions at the time
were "you are reinventing the wheel don't do it". Much of that
statement was about allowing us to have the discussion around
whether the existing tech could meet the use cases we had. We've
come to the conclusion since then that existing tech doesn't but
we've tried to integrate the parts that do. I think we should
update that mission statement to reflect what we want to do over
the next 2 years. I think the environment isn't as hostile as it
used to be, the other procedural thing ... we can't change the
mission statement without contacting W3C staff and having them
update it. We should be absolutely sure with the text we want
before approaching them so we don't make them cranky. All that to
say, the best thing for that mission statement is to get
something on the table and have people nitpick it. Get it into a
Google doc and have people comment and have chairs try and
capture the essence. [scribe assist by Dave Longley]
Christopher Allen: I'd like more comments, but no proposals just
yet.
Joe Andrieu: Reading this, the first thing that pops up is that
credential didn't seem quite right.
Joe Andrieu: The credential isn't a statement about a fact, it's
an assertion about something by an authority.
Manu Sporny: +1 To what Joe just said.
Matt Stone: +1 To JoeAndrieu comment
Christopher Allen: We need to consider something that happened
six months ago - a number of the specs that the Task Force was
working on got moved over to the Digital Verification CG.
https://www.w3.org/community/digital-verification/
Christopher Allen: What's important about that group is that
these are the signature standards. For instance, reading the
mission statement...
Christopher Allen: The mission of the Digital Verification
Community Group is to study, design, promote, and deploy systems
that increase trust on the Web. These systems include, but are
not limited to signature systems, data normalization algorithms,
and computational proof systems.
Christopher Allen: There's some interesting work going on there
- Merkle Proofs, Proof of Existence, etc. I'm the Chair of the
CG... mailing list isn't active... considering our role in this
CG... does it include that CG? Merge back? Wanted to review that
that was there. Wanted to hold off on specific proposals... There
are two communities currently.
Topic: Community Group Priorities
Christopher Allen: We need to figure out our priorities going
forward... rename the group? revised mission? Merge CGs?
Timeframe? Concrete Deliverables?
Christopher Allen: Maybe we can have some discussion, and then
talk about the pipeline?
Kim (Hamilton) Duffy: With regard to signatures, a couple of the
near timeframe items that I had a goal to work on with this group
is basically coding out something around signature suites. RSA
signature suites, Merkle signature suites... those are more
follow your nose items... they need to be finished. It would be
nice to have an active group to collaborate on with those
efforts. Don't know if this is the right group for that work.
Christopher Allen: I may be interested in seeing groups get
merged back together. We may want to see the other group as a
more crypto-aware group... more CFRG-like. Reviews things as a
high level. I have a couple of crypto folks to entice into
reviewing these specs. It's been a challenge to get those
reviews, one of the ways to get that is to offer a way to have
someone put something on their CV doing that sort of stuff.
Nathan George: +1 To the idea of merging the groups... there is
some interest at Hyperledger on Verifiable Claims so people
outside their ledgers can see/verify the ledgers.
Dave Longley: Thanks
Nathan George: I think being able to do different signature
schemes, that work would be useful to do here... we'll have to
split participation across both of those forums... consolidating
those may have to deal w/ real-world implementation.
Dave Longley: +1 To consolidate until there's a need to split ...
which there doesn't seem to be at the moment.
David Chadwick: My question is what about the whole life cycle of
using VCs, ie. inspectors telling users which VCs to send
David Chadwick: I could not connect by voice so am only on chat
Matt Stone: +1 On that line of discussion
David Chadwick: Users selecting the correct VCs (ie. giving
consent) and then the VCs being transferred to inspectors
Dave Longley: Further developing a protocol/query language for
inspectors and so on is definitely in this CG's domain
Christopher Allen: This comes to the larger question... things
that the VCWG are not chartered to do... talked a bit about the
pipeline... we can incubate things early, at places like RWoT,
and then feed into the CG and formalize more, and then go into
WG.
Matt Stone: There is a difference between the validity period of
a license/degree (profession credential) vs. the term that a
published claim can be used/relied upon.
Christopher Allen: Potentially create Task Forces, WG...
thoughts there, Manu?
Dave Longley: User selection of VCs, etc. related to a browser
polyfill tech, again, something this CG should work on, IMO.
Manu Sporny: We want to be a bit careful with merging the two
CGs. Primarily from a messaging layer... the W3C membership,
there are 420-450 members, only 5% pay any attention to the CG
space. When you come to them with a proposal, if you have
something that's very clear, like "we have a new signature format
under consideration and the digital verification community has
been working on it for a while" that's a better message than it
coming from a group with a [scribe assist by Dave Longley]
Dave Longley: Different name, etc. We have to think about
branding, unfortunately.
Joe Andrieu: +1 To think about branding wrt merging & naming
Kim (Hamilton) Duffy: +1 To joint meetings, sounds easier
politically
Manu Sporny: We have to think of a name that will put the W3C
membership at ease. We don't want them wondering why things are
coming from certain groups and it would take a while to educate
them. The reason we split signatures out was that we had it in
the payments group and people raised eyebrows and then we moved
it to credentials and still an eyebrow raise, then moved it to
the digital verification group and no more eyebrows. That
doesn't mean we have to [scribe assist by Dave Longley]
Dave Longley: Work on it that way -- we can work on it however we
want. We can have joint meetings and say we're working on these
things jointly with the digital verification group. That would, I
think, be more beneficial than just combining the groups. Another
way is we could have a Verifiable Claims CG and if the WG gets a
good reputation and we say the CG has signatures coming out that
are needed for the WG, then that's a good line of argumentation.
If the brand if
Dave Longley: Good we can use it if it's good in a year or two,
or we continue to use the digital verification branding. And make
that where we put signatures and so forth there. I'm a bit
hesitant to recombine the groups and we spent some effort
splitting them apart.
Manu Sporny: That's the signature format stuff. The pipeline ...
one of things we've worked hard to do over the last, even before
the Credentials CG was formed it was in Web Payments, 4+ years.
We've got a good pipeline finally setup. It's effectively, we
incubate super experimental stuff at IIW/RWoT/etc any workshop
that will have us. Those end up being formed into W3C like spec,
we then take that spec into a CG for incubation and once it's
incubated we hand it [scribe assist by Dave Longley]
Dave Longley: Off to a WG.
Manu Sporny: We have this pipeline setup for VC, not only data
format and syntax, but protocols, moving over browsers or
NFC/whatever, whether we need to work on nice gen tech,
blockchain, etc. The core thing is that we have to keep the
pipeline alive. Three seconds, super experimental stuff, CG
prepping stuff, WG stuff. Any of those stalls or shuts down we
have to go through a lot of effort to get it up and working
again. We want to make sure all sections of [scribe assist by
Dave Longley]
Dave Longley: The pipeline are fed at all times and we have a
fairly good idea of what the roadmap is. That might be a hint
that one of the things after the mission statement is a roadmap
and priorities so everyone knows the focus and where things are
in the pipeline. It also helps us with TPAC presentations, etc so
people get a heads up for what's coming down the pipeline. This
is just a proposal on how we work, it seems to have paid off at
present. We hope to
Dave Longley: Continue to have it working for us over the next 2
years.
Christopher Allen: We talked about the pipeline as having 3
phases, but there is a 4th phase - security/crypto review...
we've talked about them, but we haven't had that kind of formal
aspect of this.
Christopher Allen: The Credentials CG should be doing things
like talking about privacy, incorporating Joe's ideas at a high
level - what do we need? What do we mean when we talk about
Privacy? It's the place for Use Cases that don't fall into the
VCWG charter. Human rights use cases, Web of Trust use cases.
Christopher Allen: Once we get down to the details, maybe we
need to get into Digital Verification CG sub community. I could
see this used by other WGs to sign other JSON messages... JSON-LD
messages, but are not technically a Verifiable Claim.
Christopher Allen: If we can support that, that would be good.
Maybe we could get two active work items... implementations and
finalizing spec - two at a time, of list of things in Digital
Verification CG. Separate from higher-level on issuing
requirements/reports, DIDs, and other stuff.
Christopher Allen: I'm open to it, recognize the conflict... in
some ways, it's clear that we're in the bits level and Kim should
be Chair of that group along w/ cryptographer... or we do
Credentials CG differently.
David Chadwick: Re: Privacy. At EIC last week, it was suggested
that the IETF token binding spec
(draft-ietf-tokbind-https-09.txt) can be used to privacy protect
VCs and allow them to be transferred from issuer to inspector
without the issuer knowing who the inspector is
Christopher Allen: This is another example of a more detailed
bit-level spec that could be a part of either group.
Manu Sporny: +1 To looking into tokenbinding in this group.
Kim (Hamilton) Duffy: I'm fine either way (wrt. splitting
groups) - only thing that I'm worried about is if signature folks
in this group care about only one side of it. I'm curious to find
out more about what the general group is interested in.
Manu Sporny: I think we should gather a list of things we could
work on and see where the most amount of interest is and a
specific focus on people who would not only work on the spec but
implement. [scribe assist by Dave Longley]
Dave Longley: "Champions"
Manu Sporny: Interoperable implementations really moves things
forward. Signatures we should polish up and get finished. There
are other specs out there like the DID (Decentralized Identifier)
specs, lots of implementer interest there. Browser API specs that
we really need a long lead time on to pass by Google/Mozilla/etc.
to see if they are interested in implementing in the browser.
We've had a lot of people list of a number of specs/techs they
are interested [scribe assist by Dave Longley]
Dave Longley: In working on. We also have people that don't say
much on the calls or people in Europe/Asia/Australia that can't
join the calls. Putting out a poll with a list of things to work
on and have people rank them that basically tells us what the
group should be doing.
Christopher Allen: Having 2 or 3 mailing lists could be a useful
way of doing things.
Dave Longley: Was just going to add that it would be good to have
champions for different techs -- which are also usually the
editors for specs -- important to move things forward.
Joe Andrieu: Please add Engagement Model similar to Joram 1.0.0
to possible work, to help flesh out the pipeline/lifecycle for
credentials
Kim (Hamilton) Duffy: +1 On champions
Manu Sporny: Just to push back a bit on splitting too early ...
it's always obvious when you've got too much going on in a group
and part of the group wants to split off, but it's really hard to
start in three separate groups to get the momentum on any single
item. Let's not do multiple telecons/mailing lists, let's just
rate a bunch of stuff in this group and then get feedback on what
we choose. [scribe assist by Dave Longley]
Manu Sporny: (Reduce overhead until necessary) Split off when it
becomes obvious when we need to do that. [scribe assist by Dave
Longley]
Christopher Allen: Kim and I will take it as our charge to keep
an eye on things, monitor, ask periodically. I agree, one joint
call, one joint mailing list, only split when we have to seems
reasonable.
David Chadwick: +1
Topic: Potential Work Items
Christopher Allen: I'll focus on new mission statement, personal
action item.
Dave Longley: I'm interested on implementation and spec for
Credentials polyfill API... this is the main piece that's missing
for people that want to share credentials on the web. Digital
Bazaar has built a polyfill for this a number of years ago,
polyfill API has changed in tandem with Credential Management
API... ours is an extension to that spec. We need to figure out
if we want to continue down that path.
Dave Longley: There is a lot of different discussion that needs
to happen there. Implementation work on that polyfill. Important
part of ecosystem that needs to be done.
Joe Andrieu: I would like to put some effort into larger use
case. Engagement model for Joram is an example of that. I'd like
to pick a use case and walk through it. Lifecycle of a Verifiable
Claim.
Joe Andrieu: It has resonance in areas that we can't yet talk
about in the VCWG and outside as well.
David Chadwick: +1
Manu Sporny: I wanted to second Dave Longley's browser API spec
thing. This speaks a bit to what David Chadwick mentioned earlier
in the call. The question of how do we get these things around.
How do you store verifiable claims, how do people ask for them,
how do we move them around from A to B in an interoperable way.
It's critical for the ecosystem to operate. I'm a bit concerned
in skipping a step where we document why you can't accomplish
this with [scribe assist by Dave Longley]
Dave Longley: SAML/JOSE, we've done some of that analysis but
need to write it up. That's also part of the VCWG charter and no
reason the CG can't help them with that.
Manu Sporny: I also wanted to mention the DID spec, as those
involved in this group have seen over time, it started as a
Mozilla Persona thing as a way to do Persona correctly... [scribe
assist by Dave Longley]
Manu Sporny: Eventually Evernym folks picked up the work and we
helped them put out a spec. It's mature enough to turn into a W3C
format style spec and getting two interoperable implementations
on that spec would be good to queue that up to get into a WG.
[scribe assist by Dave Longley]
Nathan George: I won't queue myself unless others think it is
needed (a lot of this has already been mentioned, and is related
to the DID suite of specs): Comparisons with OAuth/OpenID
Connect/SAML, Protocol work (Claim Request, Claim Response, Proof
Request, Proof Response), Signature schemes for anoncreds,
credential management issues (at sovrin we sometimes call this a
proof solver), expanding on the use of VCs and DIDs
(Authentication, API spec, non-repudiability of
Nathan George: Identity owner APIs)
Manu Sporny: That may be a heavy lift. We'd have to do some
education on W3C and IETF and why the world needs DIDs. I'd
rather get started on that work now, understanding that it's
going to take a while for people to get it. Having a spec and
interop implementations help people get it. I also agree with Kim
in that the signature stuff is super important. We've gotten
tired with the "why didn't you consult me/work with these crypto
people to do it" -- we can't [scribe assist by Dave Longley]
Dave Longley: Wait on the "right" people to look on it ("right"
being relative).
Manu Sporny: To be clear, it's in that order ... priorities: 1.
signatures, 2. browser API spec, 3. DIDs [scribe assist by Dave
Longley]
Manu Sporny: As far as my personal preference is concerned.
[scribe assist by Dave Longley]
Christopher Allen: I'm committed to continuing to work with
Community to drive that forward. Some things at a higher level -
original DPKI - we need to revisit that. Now that we've done
DIDs... say "This is why we're doing DIDs... here are the
requirements... there is no better way to meet these use cases."
Then we can dive into specifics of protocols/formats of DIDs. We
do have a persuasion job... Self-sovereign identity, DPKI, we're
not doing a fabulous job explaining to uninitiated what that is
and why it's important. I'd like the Credentials group to work on
that.
Christopher Allen: We have particular problems in data
minimization and selective disclosure - I'd like to see a report
- what exactly is selective disclosure, different forms of it...
when I say something as a cryptographer, it means something
specific. Some others think that's "data minimization".
Christopher Allen: There are things like Merkle Proof signature
- that may be more important than other signature formats. We
don't know that yet, community hasn't accepted that yet, but we
haven't decided what our privacy/public disclosure stuff is.
Dave Longley: I have interest and spec+implementation input on
everything discussed so far :)
Kim (Hamilton) Duffy: Ditto
David Chadwick: I more or less agree with the priority order. the
W3C web auth spec is also of interest to me
(https://www.w3.org/TR/webauthn/). This comes under priority 2.
But under 2. we should also consider the whole VC lifecycle
model
Manu Sporny: You only need another 12 hours in the day to work
on those items, folks :)
Christopher Allen: We are going to have to prioritize...
Dave Longley: Voip-vctf: connections?
Christopher Allen: I'd really like to hear from some of the
other players - you're spending a good chunk of time here - what
are your areas of interest? What can you commit to?
Kim (Hamilton) Duffy: I was going to ask a similar question -
there was a lot of traction around DIDs at last RWoT... any areas
of focus there? If not, we can follow up on mailing list. I
definitely want to work on signature suite stuff.
Christopher Allen: If Credentials group thinks we want to take
in DIDs, we have 100+ people in RWoT community, we can try to
broaden the community to get them in.
Christopher Allen: How can we add items to this list and further
the list.
Nathan George: The Sovrin and Decentralized Identity folks have
started talking about DID TLS (using SNI hints and token binding)
as well as a DID Auth spec
Manu Sporny: What we might be able to do is put the list in a
google doc and put it out the mailing list and say "If you have
any other items please add them". We give people a week to weigh
in, then create a poll that allows people to assign priorities,
like 0-10, and items that get the most votes are the ones that we
end up working on. [scribe assist by Dave Longley]
Dave Longley: You should also ask people what they will work on
[scribe assist by David Chadwick]
ACTION: Manu to create preliminary list of work items for group
and send out to mailing list.
Christopher Allen: We may want to get a list of things that
people want to work on.
Christopher Allen: That is, something they are willing to commit
to.
ACTION: ChristopherA to create first draft of new credential
mission
Christopher Allen: Please get back to me on mission statement.
Christopher Allen: We'll meet at same time next week. Progress
on action items, we can continue to dive into the potential
projects here. I'm reluctant to recruit a cryptographer to do
signatures group yet until we know that that's the way we're
going to be running things. Potential action item - decision to
keep those things separate as a repo. What are our requirements
there? Any other action items for next week?
ACTION: Christopher to create a new proposal for how digital
verification group integrates.
Christopher Allen: Let the Chairs know if you have further
agenda items.
Received on Tuesday, 16 May 2017 17:35:45 UTC