Re: PDS/IdH/EDV Discussion - Suggested proposals and clarifications (was Re: PDS/IdH/EDV Discussion - 2019-11-22 Minutes)

Sorry for reposting - my DIF email address has bounced back from the
various mailing lists.

On Thu, Dec 5, 2019 at 11:17 AM Rouven Heck <rouven@identity.foundation>
wrote:

> Hi Manu & all,
>
> sorry for the delayed response.
>
> Due to a filter for mailing lists, I only saw the email yesterday evening
> when Daniel mentioned it.
>
> I would like to clarify some misunderstandings and add some comments:
>
> 1) Scope
>
> >> The work item being proposed for standardization is not clear and
> >> therefore where it should be incubated isn't clear.
>
> > There is only one work item being proposed for pre-standardization. It's
> > some yet-to-be finalized combination of the Identity Hubs and Encrypted
> > Data Vaults documents:
> >
> > That is it. All other items, such as DIDComm, remain in their respective
> > communities and groups. Yes, we may talk about UMA, DIDComm, and other
> > work items, but they are not DIRECTLY a part of what is being proposed.
> > What is being proposed is much more narrow (only the two specifications
> > above and only the parts of those specifications that the group came to
> > consensus on during the last call).
>
> Based on the conversation on Nov 22nd and discussion in the ecosystem over
> the last months, it seems to be useful to define the interface & scope
> between DIDComm, Aries Agents, Solid, and others in more detail. It might
> be clear for certain people, but I don't have the impression the scope &
> context are clear enough to avoid confusion going forward.
>
> I suggested during the call that we use the next few months to figure out
> these details together; yes - it might be a little slower now but likely
> will allow us to move much faster going forward and being better aligned.
>
>
> > 2. DIF provides more protection against companies that may try to
> > disrupt the standardization effort.
>
> DIF, like W3C and other organizations, faces similar risks.
>
> The difference I wanted to highlight is the DIF's mission & governance.
> DIF's mission is focused on enabling the development of decentralized
> Identity solutions.
>
> The organization is governed by companies who are all actively building
> decentralized identity solutions - therefore the incentives are strongly
> aligned to make fast and aligned progress towards since it's
> mission-critical for many of these companies.
>
>
> > 3. DIF policies enable things to easily be incubated at DIF and moved to
> > W3C.
>
> DIF is set up as a JDF project (http://www.jointdevelopment.org) which
> provides the structure to move items to other SDOs (or likely develop ISO
> conform standards itself). Therefore incubating the ideas or specifications
> within DIF gives the chance to define the specific work items and their
> interfaces to each other and then move these items to W3C, IETF or other
> places where it's most appropriate.
>
> DIF already uses ‘W3C Mode’ as its Patent Policy. As individual
> contributions, JDF uses a ‘Feedback Agreement’ designed to provide a more
> rigorous IP regime than W3C’s CLA. Since I’m not a lawyer or IP expert, I’m
> looping in David Rudin (https://www.linkedin.com/in/drudin/) who is the
> legal expert for JDF and wrote both the original CLA for W3C and the
> ‘Feedback Agreement’ for JDF.
>
> Operational aspects like recording meetings, transcripts, public posting,
> etc. are possible. DIF would provide the infrastructure, but the group
> members would need to make sure they transcribe, record, and post (which
> should be the same everywhere).
>
>
>
> I hope this clarified some of the points. Looking forward to the
> conversation on Friday.
>
>
>
> Best,
>
> Rouven
>
>> ---------- Forwarded message ---------
>> From: Manu Sporny <msporny@digitalbazaar.com>
>> Date: Fri, Nov 29, 2019 at 10:10 PM
>> Subject: PDS/IdH/EDV Discussion - Suggested proposals and clarifications
>> (was Re: PDS/IdH/EDV Discussion - 2019-11-22 Minutes)
>> To: <public-credentials@w3.org>
>> Cc: Daniel Buchner <daniel.buchner@microsoft.com>, Sam Curren <
>> telegramsam@gmail.com>, aries@lists.hyperledger.org <
>> aries@lists.hyperledger.org>, indy@lists.hyperledger.org <
>> indy@lists.hyperledger.org>, Rouven Heck <rouven.heck@consensys.net>,
>> Tobias Looker <tobias.looker@mattr.global>, Daniel Hardman <
>> daniel.hardman@evernym.com>, Orie Steele <orie@transmute.industries>,
>> Dmitri Zagidulin <dzagidulin@gmail.com>
>>
>>
>> Hi all, you should have received an invite by now for the Personal Data
>> Stores Superfriends call for Dec 6th at 1pm ET. As a reminder, this is
>> not a free form discussion, it's focused time to drive to consensus on
>> specific proposals.
>>
>> In an attempt to prepare for that call, here are a few proposals that we
>> could try to drive to consensus as well as a few clarifications for
>> points made on the last call that were preventing us from coming to
>> consensus.
>>
>> PROPOSAL: The Identity Hubs and Encrypted Data Vaults documents will
>> be used as use case, requirements, and technical input for
>> the collaborative effort. The DID Comm, UMA, and OAuth2 work will
>> continue in parallel and are acknowledged as important related work that
>> might influence the direction of the collaborative effort.
>>
>> PROPOSAL: The intent is to eventually standardize the W3C-specific work
>> -- at a minimum, data models, syntax, CRUD API, and a minimum viable
>> HTTP-based interface -- at W3C under W3C's Royalty-Free Patent policy.
>> Regular Task Force calls will be hosted under the W3C Credentials
>> Community Group under the aforementioned IPR policy.
>>
>> The reasoning behind these proposals is clarified below, for those that
>> have the time and motivation to read about the details. Responses are
>> encouraged so we can try to get to consensus more quickly on the call
>> next week.
>>
>> --------------------------------
>>
>> There was some confusion during the last call that I'll try to highlight
>> and clarify so that the next call goes a bit more smoothly and with the
>> hope that we can get to closure on where to have regular meetings and
>> under which IPR policy. Here were the points of confusion/contention:
>>
>> 1. The work item being proposed for standardization is not clear and
>>    therefore where it should be incubated isn't clear.
>> 2. DIF provides more protection against companies that may try to
>>    disrupt the standardization effort.
>> 3. DIF policies enable things to easily be incubated at DIF and moved to
>>    W3C.
>>
>> ------------------------------
>>
>> > The work item being proposed for standardization is not clear and
>> > therefore where it should be incubated isn't clear.
>>
>> There is only one work item being proposed for pre-standardization. It's
>> some yet-to-be finalized combination of the Identity Hubs and Encrypted
>> Data Vaults documents:
>>
>>
>> https://github.com/decentralized-identity/identity-hub/blob/master/explainer.md
>> https://digitalbazaar.github.io/encrypted-data-vaults/
>>
>> That is it. All other items, such as DIDComm, remain in their respective
>> communities and groups. Yes, we may talk about UMA, DIDComm, and other
>> work items, but they are not DIRECTLY a part of what is being proposed.
>> What is being proposed is much more narrow (only the two specifications
>> above and only the parts of those specifications that the group came to
>> consensus on during the last call).
>>
>> ------------------------------
>>
>> > DIF provides more protection against companies that may try to
>> > disrupt the standardization effort.
>>
>> Google and Facebook were named directly as organizations that would be
>> actively hostile to the PDS/IdH/EDV work and a reason why the work
>> shouldn't be done at W3C or IETF.
>>
>> For DIF to provide more protection against companies attempting to
>> disrupt the standardization effort, it would have to have policies in
>> place (and the membership support) to prevent such a thing from
>> happening. So, the question becomes how would DIF be able to prevent
>> large organizations from disrupting the work? Not allow them to join DIF?
>>
>> We do have multiple data points of large organizations throwing their
>> weight around at W3C and IETF. One of those large organizations *is* a
>> DIF member and actively attacked the Verifiable Credentials work and
>> the DID work. While that member seems to be behaving now, there is
>> nothing that would prevent that from happening at DIF.
>>
>> The reality of standards is that there is nothing to prevent large
>> organizations from joining a standards effort and throwing their weight
>> around. The only protection against that is a cohesive community of
>> member organizations that can push back (by stating that they will
>> implement a given specification, even if the large organization says
>> that they will not).
>>
>> DIF is more susceptible to this sort of attack than W3C or IETF because
>> it has never dealt with this sort of thing and its membership numbers
>> aren't as great as W3C or IETF. W3C and IETF often deal with this sort
>> of thing - there are processes in place to mitigate this sort of
>> behaviour.
>>
>> ------------------------------
>>
>> > DIF policies enable things to easily be incubated at DIF and moved
>> > to W3C.
>>
>> If this is true, then it doesn't matter where the work is incubated.
>>
>> We do know that the PDS/IdH/EDV work could start in a W3C CCG next week
>> if we agreed to that (an initial spec exists under W3C IPR and many of
>> us are already members of the W3C CCG). So, starting and transition
>> costs are already paid. It was not clear that this is true for DIF. The
>> trepidation is that we'd be testing this approach with PDS/IdH/EDV for
>> the first time and because it's the first time, we're bound to hit snags
>> that will slow the work down.
>>
>> So, the only thing that needs to be done is for DIF to produce proof
>> that they can provide the same things as the W3C CCG, which means:
>>
>> * Membership in the PDS/IdH/EDV group MUST be accessible to the general
>>   public at no cost to fully participate.
>> * The PDS/IdH/EDV group MUST do its work in the open and record work
>>   products (meeting transcriptions, specs, notes) on a publicly
>>   accessible and archived website. It should clearly articulate where
>>   the work products will go and who will do the work to make that
>>   happen.
>> * The PDS/IdH/EDV group MUST keep transcriptions of every meeting so
>>   that those not able to attend and those with accessibility needs
>>   can follow the conversation.
>> * The PDS/IdH/EDV group MUST be covered by an IPR policy that does
>>   not require IPR sign-off to be repeated once transferred to W3C/IETF.
>>   While it has been asserted that this is true, W3C legal counsel has
>>   not weighed in on that assertion, and that needs to happen.
>>
>> The first three are easy - we just need the DIF Executive Director to
>> make a legally binding statement to that effect. The last one may take
>> time, but needs to happen so we don't hit a snag half way through.
>>
>> If all of that can be done on an acceptable time frame to the
>> communities participating, then we might be able to achieve consensus
>> from the group during the call next week.
>>
>> -- manu
>>
>> --
>> Manu Sporny (skype: msporny, twitter: manusporny)
>> Founder/CEO - Digital Bazaar, Inc.
>> blog: Veres One Decentralized Identifier Blockchain Launches
>> https://tinyurl.com/veres-one-launches
>>
>>
>>
>> --
>>
>> Balázs Némethi
>> Operations @ DIF
>>
>

Received on Thursday, 5 December 2019 16:56:05 UTC