
Re: [MINUTES] W3C Credentials CG Call - 2017-10-31 12pm ET

From: David Chadwick <D.W.Chadwick@kent.ac.uk>
Date: Wed, 1 Nov 2017 12:02:29 +0000
To: public-credentials@w3.org
Message-ID: <b071c99f-e8a8-9989-768a-16a32eb7b59f@kent.ac.uk>
Here are some corrections to the minutes

regards

David

On 31/10/2017 18:30, msporny@digitalbazaar.com wrote:
> Thanks to Mike Lodder for scribing this week! The minutes
> for this week's Credentials CG telecon are now available:
> 
> https://w3c-ccg.github.io/meetings/2017-10-31/
> 
> Full text of the discussion follows for W3C archival purposes.
> Audio from the meeting is available as well (link provided below).
> 
> ----------------------------------------------------------------
> Credentials CG Telecon Minutes for 2017-10-31
> 
> Agenda:
>   https://lists.w3.org/Archives/Public/public-credentials/2017Oct/0116.html
> Topics:
>   1. Status of Action Items
>   2. Credential Handler API
>   3. W3C TPAC Planning
>   4. Post RWoT DID Spec
> Organizer:
>   Kim Hamilton Duffy and Christopher Allen
> Scribe:
>   Mike Lodder
> Present:
>   Mike Lodder, Kim Hamilton Duffy, David Chadwick, Christopher 
>   Allen, Ryan Grant, Dave Longley, Joe Andrieu, Manu Sporny, Susan 
>   Bradford, David I. Lehn, Adrian Gropper
> Audio:
>   https://w3c-ccg.github.io/meetings/2017-10-31/audio.ogg
> 
> Mike Lodder is scribing.
> 
> Topic: Status of Action Items
> 
> Kim Hamilton Duffy:  Will cover the DID PR
> David Chadwick:  Lifecycle document - haven't updated the 
>   document to Markdown yet.
> Christopher Allen:  Need more clarity on the webpage about what's 
>   been reviewed work items as opposed to what still needs to be 
>   reviewed
> Christopher Allen: Also not sure about WoT items having been 
>   approved / voted
> Ryan Grant: +1
> Kim Hamilton Duffy:  I will clarify work items that have been 
>   voted on vs approved
> Dave Longley: +1
> Kim Hamilton Duffy:  Deadline passed last week for DID PR
> Joe Andrieu: Can we get the PR url?
> Manu Sporny:  We just want to know if the new set of changes are 
>   a step in the right direction. We still need to fix some language 
>   things from RWOT
> Christopher Allen: +1
> Kim Hamilton Duffy: PR: 
>   https://github.com/w3c-ccg/did-spec/pull/22
> Manu Sporny:  Does everyone believe that the PR overall improves 
>   the spec?
> Christopher Allen:  No issues with PR but I haven't done a formal 
>   review
> Ryan Grant:  Believe the PR is ok with direction
> Dave Longley: I recommend +1 for merging -- and outstanding 
>   problems get a new, specific github issue
> Mike Lodder: +1 Dlongley
> Ryan Grant: It doesn't have "//" that results in a location
> Manu Sporny:  DIDs are URLs, maybe introduce the concept of DID 
>   needs to be redone
> 
> Topic: Credential Handler API
> 
> Kim Hamilton Duffy:  DavidC should take the lead on discussing 
>   API spec
> Dave Longley: +1 Reword introduction, more focus on stable ID vs. 
>   "new" thing that isn't quite a URL (which it isn't)
> Dave Longley: 
>   https://docs.google.com/presentation/d/1qk9-6dpsZttrFr4qV-aID2L2OFTcKHL1epkzRgB8pZc/edit#slide=id.p3 
>   <-- slides from David Chadwick
> Kim Hamilton Duffy: Credential API github issue: 
>   https://github.com/w3c-ccg/credential-handler-api/issues/1
> David Chadwick:  FIDO protocol was used and keys are stored not 

not -> on

>   the smartphones and computers
> David Chadwick:  Presented to others

at EIC 2017 Munich, and some attendees

> from JOSE / Web 
>   Authentication 

said that the FIDO spec is

> now out of date

delete next line
-----
> David Chadwick:  To look at other specs at W3C 
-----
> David Chadwick: FIDO spec is being replaced by W3C Web Auth and IETF token binding specs. The interface is easy to use and tested with 
>   hospital patients
> David Chadwick:  Hospital patients like it much better
> David Chadwick:  With his interface users didn't need to enter 
>   usernames or passwords
> Dave Longley: https://w3c-ccg.github.io/credential-handler-api/
> Dave Longley:  Web authentication should be viewed as 
>   complementary vs alternative to credential handler api
> Dave Longley:  What are the reasons why your approach is easier
> Dave Longley:  How does this stuff work on the web?
> David Chadwick:  Credentials are on the device
> David Chadwick:  It's easier to use because there are fewer steps 
>   involved
> David Chadwick:  Manu's was cumbersome and complex
> David Chadwick:  The phone handles the logic and allows the user 
>   to choose

which VCs to use and give his

> consent
> Dave Longley:  Credentials handler can potentially live on the 
>   device or can live on the web in a secure location
> Ryan Grant: That was/is my question: how are credentials 
>   reestablished in case the device is lost?

David Chadwick: If the device is lost the user must register with the
issuers again
(unless he already has a backup device holding the credentials)

> Dave Longley:  The interface is dependent on the software 
>   implementer
> Dave Longley:  The point is to have the browser do the minimum 
>   amount of work

> David Chadwick:  

Agreed

> The protocols need to be standardized to allow 
>   for mixing and matching

of the various system components

> Ryan Grant:  Where are the separation of concerns addressed?
> David Chadwick:  I would like the protocol between the inspector 
>   and holder to be standardized
> Dave Longley: +1 For standardizing the "policy"/"query" and 
>   response
> David Chadwick:  Whatever approach we choose should be compatible 
>   with how browsers are today
> Ryan Grant: I understand the focus and will consider lost devices 
>   a problem to be solved by implementations.
> Manu Sporny: Agree that the way to get browser adoption is to 
>   make the browser vendors do as little as possible.
> Mike Lodder:  +1 Rgrant, that problem is up to the vendor to 
>   solve
> Dave Longley:  Credential handler api is lower than the layer 
>   that DavidC was talking about
> Christopher Allen: Time check. TPAC review is critical path.
> David Chadwick:  Allowing multiple wallets adds lots of 
>   complexity
> Dave Longley:  Different wallets can provide different 
>   credentials
> Kim Hamilton Duffy:  Do we have any action items to close out 
>   this topic
> Ryan Grant: Do we have consensus that it fits?
> Ryan Grant: I think so
> Manu Sporny:  I don't think this is an item that gets closed out
> Kim Hamilton Duffy:  Manu will guide us through TPAC

David Chadwick: I would like Manu to add a slide to say that W3C Web
Auth protocol can be used by VCs. This will also help VCs to be
supported by others in W3C.

> 
> Topic: W3C TPAC Planning
> 
> Manu Sporny:  Give a heads up to W3C group about what we are 
>   trying to do
> Manu Sporny: A Vision for a Self-Sovereign Web: 
>   https://docs.google.com/presentation/d/1woq0pZD872NvhBIu90GIZMf8MQLWCtXM1NCx8n6s0VM/edit
> Joe Andrieu: +1 On slide deck, btw. That's my review. =)
> Manu Sporny:  This shows how to combine: credential handler, 
>   DIDs, and web payments
> Manu Sporny:  And addresses some use cases
> Manu Sporny:  Here's how we are doing it
> Manu Sporny:  How to refine the pitch for self sovereign web
> Kim Hamilton Duffy:  What time constraints are there for the 
>   chairs to review our proposals
> Ryan Grant: Go Oma!
> Kim Hamilton Duffy:  To start a slide deck to address the action 
>   items
> Ryan Grant: Very visual slides, loved it
> Christopher Allen: I'm limited on time. I'm hoping that I don't 
>   have to spend all day Wednesday.
> Ryan Grant: Meh
> Christopher Allen: We said last week there will be no call next 
>   week.
> David Chadwick: +1
> 
> Topic: Post RWoT DID Spec
> 
> Christopher Allen: We should first dive into post #RWOT spec 
>   first, then Post IIW DID spec.
> Susan Bradford: Drummond is confirmed to attend
> Kim Hamilton Duffy:  No meeting next week but we will dive into 
>   DID spec stuff after that
> 
> 
> 
> 
> 
Received on Wednesday, 1 November 2017 12:04:18 UTC
