W3C home > Mailing lists > Public > public-credentials@w3.org > December 2019

Re: PDS/IdH/EDV Discussion - Suggested proposals and clarifications (was Re: PDS/IdH/EDV Discussion - 2019-11-22 Minutes)

From: Rouven Heck <rouven@identity.foundation>
Date: Thu, 5 Dec 2019 11:17:51 -0500
Message-ID: <CACx+mnZ7dJRQMpvLXiGt=_ScOTgZvLgrWFtCtJU9Z+vH1uZ1xg@mail.gmail.com>
To: Manu Sporny <msporny@digitalbazaar.com>
Cc: public-credentials@w3.org, Daniel Buchner <daniel.buchner@microsoft.com>, Sam Curren <telegramsam@gmail.com>, aries@lists.hyperledger.org, indy@lists.hyperledger.org, Rouven Heck <rouven.heck@consensys.net>, tobias.looker@mattr.global, daniel.hardman@evernym.com, Orie Steele <orie@transmute.industries>, dzagidulin@gmail.com, "David Rudin (CELA)" <David.Rudin@microsoft.com>, Balázs Némethi <balazs@identity.foundation>, Oliver Terbu <oliver.terbu@consensys.net>
Hi Manu & all,

sorry for the delayed response.

Due to a filter for mailing lists, I only saw the email yesterday evening
when Daniel mentioned it.

I would like to clarify some misunderstandings and add some comments:

1) Scope

>> The work item being proposed for standardization is not clear and

>> therefore where it should be incubated isn't clear.

> There is only one work item being proposed for pre-standardization. It's

> some yet-to-be finalized combination of the Identity Hubs and Encrypted

> Data Vaults documents:

> That is it. All other items, such as DIDComm, remain in their respective

> communities and groups. Yes, we may talk about UMA, DIDComm, and other

> work items, but they are not DIRECTLY a part of what is being proposed.

> What is being proposed is much more narrow (only the two specifications

> above and only the parts of those specifications that the group came to

> consensus on during the last call).

Based on the conversation on Nov 22nd and discussion in the ecosystem over
the last months, it seems to be useful to define the interface & scope
between DIDComm, Aries Agents, Solid, and others in more detail. It might
be clear for certain people, but I don't have the impression the scope &
context are clear enough to avoid confusion going forward.

I suggested during the call that we use the next few months to figure out
these details together; yes - it might be a little slower now but likely
will allow us to move much faster going forward and being better aligned.


> 2. DIF provides more protection against companies that may try to disrupt
the standardization effort.

DIF, like W3C and other organizations, face similar risks.

The difference I wanted to highlight is the DIF's mission & governance.
DIFs mission is focused on enabling the development of decentralized
Identity solutions.

The organization is governed by companies who are all actively building
decentralized identity solutions - therefore the incentives are strongly
aligned to make fast and aligned progress towards since it's
mission-critical for many of these companies.


> 3. DIF policies enable things to easily be incubated at DIF and moved to
W3C.

DIF is set up as a JDF project (http://www.jointdevelopment.org) which
provides the structure to move items to other SDOs (or likely develop ISO
conform standards itself). Therefore incubating the ideas or specifications
within DIF gives the chance to define the specific work items and their
interfaces to each other and then move these items to W3C, IETF or other
places where it's most appropriate.

DIF already uses ‘W3C Mode’ as its Patent Policy. As individual
contributions, JDF uses a ‘Feedback Agreement’ designed to provide a more
rigorous IP regime than W3C’s CLA. Since I’m not a lawyer or IP expert, I’m
looping in David Rudin (https://www.linkedin.com/in/drudin/) who is the
legal expert for JDF and wrote both the original CLA for W3C and the
‘Feedback Agreement’ for JDF.

Operational aspects like recording meetings, transcripts, public posting,
etc. are possible. DIF would provide the infrastructure, but the group
members would need to make sure they transcript, record, and post (which
should be the same everywhere).



I hope this clarified some of the points. Looking forward to the
conversation on Friday.



Best,

Rouven






> ---------- Forwarded message ---------
> From: Manu Sporny <msporny@digitalbazaar.com>
> Date: Fri, Nov 29, 2019 at 10:10 PM
> Subject: PDS/IdH/EDV Discussion - Suggested proposals and clarifications
> (was Re: PDS/IdH/EDV Discussion - 2019-11-22 Minutes)
> To: <public-credentials@w3.org>
> Cc: Daniel Buchner <daniel.buchner@microsoft.com>, Sam Curren <
> telegramsam@gmail.com>, aries@lists.hyperledger.org <
> aries@lists.hyperledger.org>, indy@lists.hyperledger.org <
> indy@lists.hyperledger.org>, Rouven Heck <rouven.heck@consensys.net>,
> Tobias Looker <tobias.looker@mattr.global>, Daniel Hardman <
> daniel.hardman@evernym.com>, Orie Steele <orie@transmute.industries>,
> Dmitri Zagidulin <dzagidulin@gmail.com>
>
>
> Hi all, you should have received an invite by now for the Personal Data
> Stores Superfriends call for Dec 6th at 1pm ET. As a reminder, this is
> not a free form discussion, it's focused time to drive to consensus on
> specific proposals.
>
> In an attempt to prepare for that call, here are a few proposals that we
> could try to drive to consensus as well as a few clarifications for
> points made on the last call that were preventing us from coming to
> consensus.
>
> PROPOSAL: The Identity Hubs and Encrypted Data Vaults documents will
> be used as use case, requirements, and technical input for
> the collaborative effort. The DID Comm, UMA, and OAuth2 work will
> continue in parallel and are acknowledged as important related work that
> might influence the direction of the collaborative effort.
>
> PROPOSAL: The intent is to eventually standardize the W3C-specific work
> -- at a minimum, data models, syntax, CRUD API, and a minimum viable
> HTTP-based interface -- at W3C under W3C's Royalty-Free Patent policy.
> Regular Task Force calls will be hosted under the W3C Credentials
> Community Group under the aforementioned IPR policy.
>
> The reasoning behind these proposals is clarified below, for those that
> have the time and motivation to read about the details. Responses are
> encouraged so we can try to get to consensus more quickly on the call
> next week.
>
> --------------------------------
>
> There was some confusion during the last call that I'll try to highlight
> and clarify so that the next call goes a bit more smoothly and with the
> hope that we can get to closure on where to have regular meetings and
> under which IPR policy. Here were the points of confusion/contention:
>
> 1. The work item being proposed for standardization is not clear and
>    therefore where it should be incubated isn't clear.
> 2. DIF provides more protection against companies that may try to
>    disrupt the standardization effort.
> 3. DIF policies enable things to easily be incubated at DIF and moved to
>    W3C.
>
> ------------------------------
>
> > The work item being proposed for standardization is not clear and
> > therefore where it should be incubated isn't clear.
>
> There is only one work item being proposed for pre-standardization. It's
> some yet-to-be finalized combination of the Identity Hubs and Encrypted
> Data Vaults documents:
>
>
> https://github.com/decentralized-identity/identity-hub/blob/master/explainer.md
> https://digitalbazaar.github.io/encrypted-data-vaults/
>
> That is it. All other items, such as DIDComm, remain in their respective
> communities and groups. Yes, we may talk about UMA, DIDComm, and other
> work items, but they are not DIRECTLY a part of what is being proposed.
> What is being proposed is much more narrow (only the two specifications
> above and only the parts of those specifications that the group came to
> consensus on during the last call).
>
> ------------------------------
>
> > DIF provides more protection against companies that may try to
> > disrupt the standardization effort.
>
> Google and Facebook were named directly as organizations that would be
> actively hostile to the PDS/IdH/EDV work and a reason why the work
> shouldn't be done at W3C or IETF.
>
> For DIF to provide more protection against companies attempting to
> disrupt the standardization effort, it would have to have policies in
> place (and the membership support) to prevent such a thing from
> happening. So, the question becomes how would DIF be able to prevent
> large organizations from disrupting the work? Not allow them to join DIF?
>
> We do have multiple data points of large organizations throwing their
> weight around at W3C and IETF. One of those large organizations *is* a
> DIF member and actively attacked the Verifiable Credentials work and
> the DID work. While that member seems to be behaving now, there is
> nothing that would prevent that from happening at DIF.
>
> The reality of standards is that there is nothing to prevent large
> organizations from joining a standards effort and throwing their weight
> around. The only protection against that is a cohesive community of
> member organizations that can push back (by stating that they will
> implement a given specification, even if the large organization says
> that they will not).
>
> DIF is more susceptible to this sort of attack than W3C or IETF because
> it has never dealt with this sort of thing and it's membership numbers
> aren't as great as W3C or IETF. W3C and IETF often deal with this sort
> of thing - there are processes in place to mitigate this sort of behaviour.
>
> ------------------------------
>
> > DIF policies enable things to easily be incubated at DIF and moved
> > to W3C.
>
> If this is true, then it doesn't matter where the work is incubated.
>
> We do know that the PDS/IdH/EDV work could start in a W3C CCG next week
> if we agreed to that (an initial spec exists under W3C IPR and many of
> us are already members of the W3C CCG). So, starting and transition
> costs are already paid. It was not clear that this is true for DIF. The
> trepidation is that we'd be testing this approach with PDS/IdH/EDV for
> the first time and because it's the first time, we're bound to hit snags
> that will slow the work down.
>
> So, the only thing that needs to be done is for DIF to produce proof
> that they can provide the same things as the W3C CCG, which means:
>
> * Membership in the PDS/IdH/EDV group MUST be accessible to the general
>   public at no cost to fully participate.
> * The PDS/IdH/EDV group MUST do its work in the open and record work
>   products (meeting transcriptions, specs, notes) on a publicly
>   accessible and archived website. It should clearly articulate where
>   the work products will go and who will do the work to make that
>   happen.
> * The PDS/IdH/EDV group MUST keep transcriptions of every meeting so
>   that those not able to attend and those with accessibility needs
>   can follow the conversation.
> * The PDS/IdH/EDV group MUST be be covered by an IPR policy that does
>   not require IPR sign-off to be repeated once transferred to W3C/IETF.
>   While it has been asserted that this is true, W3C legal counsel has
>   not weighed in on that assertion, and that needs to happen.
>
> The first three are easy - we just need the DIF Executive Director to
> make a legally binding statement to that effect. The last one may take
> time, but needs to happen so we don't hit a snag half way through.
>
> If all of that can be done on an acceptable time frame to the
> communities participating, then we might be able to achieve consensus
> from the group during the call next week.
>
> -- manu
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Veres One Decentralized Identifier Blockchain Launches
> https://tinyurl.com/veres-one-launches
>
>
>
> --
>
> Balázs Némethi
> Operations @ DIF
>
Received on Thursday, 5 December 2019 16:56:04 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 19:19:06 UTC