Re: Verifiable Claims Telecon Minutes for 2016-08-02

Sorry I missed the call yesterday -- was speaking all day at another
conference.  It looks from the minutes as if October 21st (or so) was being
considered as a time for us to meet rather than 27th-28th.  I just wanted
to give my +1 for that since I will be presenting in China Oct 28th-29th
and might have trouble joining you simultaneously in California at that
time.

-- dan


On Wed, Aug 3, 2016 at 10:23 AM, <msporny@digitalbazaar.com> wrote:

> Thanks to Shane McCarron for scribing this week! The minutes
> for this week's Verifiable Claims telecon are now available:
>
> http://w3c.github.io/vctf/meetings/2016-08-02/
>
> Full text of the discussion follows for W3C archival purposes.
> Audio from the meeting is available as well (link provided below).
>
> ----------------------------------------------------------------
> Verifiable Claims Telecon Minutes for 2016-08-02
>
> Agenda:
>
> https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Aug/0000.html
> Topics:
>   1. Feedback on Charter from W3C Management
>   2. Verifiable Claims Face-to-Face Agenda
>   3. Terminology and Expiration
>   4. Linked Data Encrypted Signatures
> Action Items:
>   1. ShaneM to reach out to Chris Wilson about google contact
>   2. Manu to contact Daniel and ask about the space around IIW.
> Organizer:
>   Manu Sporny
> Scribe:
>   Shane McCarron
> Present:
>   Shane McCarron, Manu Sporny, Nate Otto, Dave Longley, Dave
>   Crocker, Christopher Allen, Eric Korb, David Chadwick, David
>   Ezell, David I. Lehn, Richard Varn, Matt Stone, Colleen Kennedy,
>   Matthew Larson, Les Chasen
> Audio:
>   http://w3c.github.io/vctf/meetings/2016-08-02/audio.ogg
>
> Shane McCarron is scribing.
> Manu Sporny:  We need to talk about Wendy Seltzer's responses.
>   We'll do that at the beginning of the call. Any other changes to
>   the agenda?
> Nate Otto: Manu, David Chadwick also requested to add two items
>   to agenda: "i) expiry time of credentials, ii) definitions for
>   user-centric and privacy-enhancing"
>
> Topic: Feedback on Charter from W3C Management
>
> Manu Sporny:  Wendy is the domain lead for the activity.  needs
>   to be okay before we put it to a vote.
>   ... has provided some high level feedback.  Similar to stuff we
>   have been hearing for a while.
>   ... has not made specific suggestions.  Just raised general
>   concerns.
>   ... High level points:
>   ... Problem Statement is too over-arching
> Manu Sporny:
>   http://w3c.github.io/webpayments-ig/VCTF/charter/#problem
>   ... Usually a charter problem statement will be solved when the
>   group is complete.
>   ... she asserts that our statements are visionary.
>   ... we assert that there is no widely used self-soverign
>   standard...
>   ... pushing back on widely used.  can't be sure that will be
>   solved.
>   ... if the scope of data model, we are not specifying a
>   protocol.  so there is no way to pass them back and forth.
>   ... we are not talking about transacting because there is no
>   protocol.
>   ... She also took issue with the word verifying.  There is a
>   big difference between this has a valid signature and this is
>   connected to valid data.
>   ... we are saying that there is a mechanism to verify a digital
>   signature, but there is no way to ensure that the data is valid.
>   ... There is substantial infrastructure required to make
>   self-soverign meaningful.
>   ... we would need more to have a complete ecosystem.
>   ... there is no way to ensure that the claims would be used in
>   a privacy-enhancing manner.  The links could be used in a privacy
>   invasive manner.
> Dave Longley: (If this is helpful: digital signatures are a
>   mechanism for verifying the authorship of the claim ... that's
>   what what is 'verifiable' about the claims)
> Manu Sporny:   She found similar problems with the goals.
>   ... she would like us to narrow the goals down to things that
>   are achieveable.
>   ... Also saying that she does not quite understand how service
>   provider independence would work with what we are proposing.
>   ... She doesn't see how we can develop vocabularies for groups
>   that do not participate.
> Dave Longley: And the vocabularies are interoperable
> Manu Sporny:  There is some confusion about what we are
>   proposing.  We are not saying that we will define the
>   terminology.  We are saying we will define the data format FOR
>   the vocabularies.
> Manu Sporny:  We will need to close the loop with her on some of
>   these.  We can probably make edits to address some others.
> Manu Sporny:  We have not heard back from the JWT folks.
> Dave Crocker:  There was a discussion at the IETF meeting
>   ... it was brief.  two items stand out.
>   ... One clarified the suggestion about education vertical.
>   Wendy made the comment that it was suggested because that was
>   where the effort had gotten support as far as she knew.
>   ... The other was more general: She wasn't seeing a depth of
>   support that would encourage one to believe that it would get
>   adopted once the work was done.
>   ... I can't evaluate how accurate that is.
>   ... Sometimes efforts like these get started because some
>   people are enthusiastic. When there is a strong support of
>   implelentors and consumers there is more likelihood of success.
> Manu Sporny: These are the organizatins that say they're going to
>   implement: http://w3c.github.io/webpayments-ig/VCTF/implementers/
> Manu Sporny:  One of the issues we have with that sort of comment
>   is that we have gone to a lot of trouble to present those
>   organizations.
> Manu Sporny: Demonstrate that there is industry support:
>   http://w3c.github.io/webpayments-ig/VCTF/support/
>   ... as far as industry suypport we went to a lot of trouble to
>   demonstrate that there is industry support.
>   ... I am wondering if she still feels that is not enough.  If
>   so that is very confusing to me
>   ... We have had others that had far less support and got
>   started.
> Manu Sporny:  I feel like we have answered the question over and
>   over again.  Either Wendy has not seen the links or they are not
>   convincing to her.
> Dave Crocker:  I have known wendy for a long time but not very
>   well.  My superficial assessment is that she is focusing upon
>   pragmatics.
>   ... my experience with these types of situations is that they
>   need a sit-down dialog with the proponents and thrash it out in
>   realtime.
>   ... these types of differences in perception don't get resolved
>   in emails.
> Manu Sporny:  We have tried to get a meeting for a long time.
>   Wendy is very busy.
>   ... my hope is that we can have that sit-down soon.  We are
>   having it with microsoft now and we are making progress.
> Christopher Allen:  Has there been any progress with Google?
> Manu Sporny:  No - not yet.
> Dave Crocker:  Who's the contact?
> Manu Sporny:  Chris Wilson the issue but it was mainly on
>   process.  It is not clear if Chris was coordinating with the
>   Google identity team.
>   ... if anyone ahs a contact there please letme know.
> Manu Sporny:  My thinking is that if google withdraws their
>   objection, microsoft will follow suit.
>   ... we would prefer they both say this is great stuff and we
>   want to be involved.
>   ... we are still trying to get in touch with Google.
> Eric Korb: Is there someone else who can contact them?
> David Chadwick:  Perhaps microsoft's objection is different than
>   google's
>   ... maybe it is a business issue, not a technical issue.
> Manu Sporny:  That may be the case, but it is not what they said
>   on the phone and in email.
>   ... they are usually straight forward.
>   ... we have not seen them strongly oppose work that actively
>   overlaps with one of their business units.  But that doesnt mean
>   it is implossible
> Shane McCarron:  I can reach out to Google. [scribe assist by
>   Manu Sporny]
>
> ACTION: ShaneM to reach out to Chris Wilson about google contact
>
> Nate Otto:  Are we going to edit the problem statement?  Or are
>   we waiting?
> Manu Sporny:  Yes - I am going to do it because I am the only one
>   who has been in contact with everyone.
>   ... I will put it up as a draft alternative. Bring it back to
>   see if the group agrees.
>   ... might be a fairly aggressive set of changes.
>   ... which will be okay if the group goes for it...  and if that
>   satisfies the objections.
> Nate Otto:  Good luck!
> Manu Sporny:  Probably no meeting next week.
> Nate Otto: Here's some text I put together as we were chatting,
>   you may consider -- or it may be quite a bit off where you want
>   to go with it: "There is no standard data format and vocabulary
>   that may currently be used to make claims about entities and the
>   properties attributable to them in a way that is compatible
>   across industries, carries verifiable digital signatures, and
>   protects the privacy and agency of the individuals and
>   organizations that are the subjects of these claims."
> David Ezell:  I have a conversation coming up with Microsoft.
> Manu Sporny:  Different than the one I have been having.
> David Ezell:  Mike Champion and I have worked together for years.
>    No one has a crystal ball.  Some objections might be about
>   making a complicated set of udner constructions standards.
>   ... it is kind of a thin argument.  None of the activities may
>   be adequate.  The group has tried looking at things that are
>   already in progress.
>   ... I know MS cares about ISO and X9.  I know that the people
>   involved from the Petro and Payments side are pretty disenchanted
>   as they apply to payments.  even if you look at the ISO/X9 way of
>   doing things there are things missing.
>   ... it may come up that the WG that is being proposed will
>   develop the data model, but then step back and give the
>   requiremetns to the speciality groups to create the PKI structure
>   or whatever.
>   ... I would like to talk with you, Manu, before my meeting with
>   Mike.
> Manu Sporny:  We are actively working the problem.  Trying to
>   find common ground.
> Christopher Allen:  MS is doing a variety of things relating to
>   blockchain.  Daniel Duchner is working with the block stack
>   people on bringing that tech into MS related work
>   ... as I understand it they are working with other groups.  I
>   know that blockstack is planning on using verified credentials
>   and JSON-LD and other things.
>   ... so there is work in this space ongoing at MS.  They put a
>   lot of importance into BC.
>   ... whoever is talking to them might remind MS that internally
>   they are already interested.
> Manu Sporny:  There are three touchpoints.  dezell is speaking to
>   the AC rep.  Manu is speaking with the identity contact.  And
>   then Kim Cameron - identity czar at MS
>   ... Mike doesn't have a position as far as I know.  Anthony
>   doesn't seem as opposed.  Kim's group is already actively looking
>   at VC.
>   ... there isn't one opinion at MS.  They are coming up to
>   speed.
>   ... It is migrating to "let it run its course" or "let's get
>   more involved".
>
> Topic: Verifiable Claims Face-to-Face Agenda
>
> Manu Sporny:
>
> https://docs.google.com/document/d/1uYDRcHs_EOpJzezJerKnKT4Grni1sFLX2nRp7zlq2BE/edit
> Manu Sporny:  Based upon most recent feedback it is not going to
>   happen in time for TPAC
>   ... the most we can hope for is that if the vote is open we can
>   invite people to participate.  Bring people up to speed.
>   ... we have asked the WPIG for a block of time.
>   ... There is an opportunity to hang the meeting off another
>   meeting at the end of October.
>   ... Last day of IIW and day after
>   ... We have floated the idea past Phil just to get it on the
>   radar.  Given the schedule that is the most reasonable plan we
>   could have for a F2F meeting.
>   ... The upside is whether the WG happens or not we can probably
>   do something at IIW.
>   ... We are going to have to plan all of it ourselves and pay
>   for it ourselves.
>   ... We need to find sponsors, figure out space etc.
> Shane McCarron:  +1 To attaching it to IIW
> Manu Sporny:  It'll be around October 27 & 28
> Nate Otto: Can't come -- in London for MozFest until the 31st.
>   But +1 to attaching a F2F to a compatible event sometime in the
>   latter half of 2016.
> Christopher Allen:  We also have a rebooting web of trust at the
>   end of september
>   ... We have had enough people who are critical who feel like
>   they cannot make that meeting.
>   ... We want it to be a 3 day event but the first day is a
>   conflict.
>   ... We were talking about moving it to the three days before
>   IIW.
>   ... MS says that they can hold that space for us.
>   ... 10 or so people have paid for the original dates so we are
>   closing the loop with them.
>   ... Maybe we should contact Daniel about the MS space and if
>   that might work for the VC F2F.
>
> ACTION: Manu to contact Daniel and ask about the space around
>   IIW.
>
> Christopher Allen:  Does this change the TPAC plan?
> Manu Sporny:  There will still be 2 VC events at TPAC.  Breakout
>   session on Wednesday and another during the WPIG meeting.  Talk
>   about charter questions etc.
> Christopher Allen:  I am trying to rate my attendence at that
>   meeting.  This is the only topic I am interested in.  Do I travel
>   to Lisbon for that?
> Manu Sporny:  It would have been ideal to have a f2f there... but
>   it is too slow.
> David Ezell:  As we are building this agenda for TPAC (WPIG) manu
>   you should get a page and put this down as a definite session.
> Manu Sporny:  I thought Ian said he didn't want anything definite
>   yet.
> David Ezell:  Well, putting your name on the slot makes it more
>   definite.
> Christopher Allen: What was that topic named?
> David Ezell:  If you have additional topics for the IG that would
>   make the meeting more interesting just let me know.
>   ... I know that I wanted to talk with you ChristopherA about
>   emerging markets.  Maybe that is of interest?
> Christopher Allen: Thank you.
> David I. Lehn:  Not available.  At a meeting in Paris.
> Richard Varn:  As noted before, EDUCAUSE is october 25-28 in
>   Anaheim. i am currently planning on attending that
> Christopher Allen:  I could do the friday before IIW (21st of
>   October).
> Richard Varn:  I can do that
> David I. Lehn:  I could probably do that.  I need to know pretty
>   soon though.
> Nate Otto: Doesn't make a difference for me. I'm blocked October
>   15-31. But I'm just one.. :)
> Matt Stone:  My calendar is open for late Oct.
> Manu Sporny:  That is really pretty interesting.  We could do it
>   the friday and saturday...
> Christopher Allen: What is the paris event?
>   ... WG meetings are usually two days. I think having it on the
>   27th and 28th.  But if there is no venue then it doesn't matter.
> Manu Sporny:  I will keep you in the loop ChristopherA so that we
>   are not stomping on one another's events.
> Dave Crocker:  The anti-abuse group is meeting in Paris at that
>   time.
> Nate Otto: https://www.m3aawg.org/upcoming-meetings in Paris
>   M3AAWG Oct 24-27 FYI
>
> Topic: Terminology and Expiration
>
> David Chadwick:  I am writing a paper about VC and an
>   implementation we ahve done
>   ... a key point is that VC are user centric and privacy
>   enabled.  They are not in the glossary.  They should be.
> Manu Sporny:
>   http://w3c.github.io/webpayments-ig/VCTF/charter/#terminology
>   ... I have provided some candidate definitions.
> Manu Sporny:  We have definitions int he charter
>   ... they should have been in the glossary.  Can you look them
>   over and see if you agree or if they should be changed?
> Nate Otto: I see self-sovereign, but I don't see "user-centric"
>   or "privacy enabling"
> David Chadwick:  They key terms are not in that glossary.
> Christopher Allen: +Q
> Dave Longley:  We stopped using the term user-centric.  We
>   switched to self-sovereign.  We had some discussions about
>   privacy enhancing and how much we wanted totalk about that.
> David Chadwick:  We don't have the term defined.  It would be
>   okay to have a local definition of user-centric or replace it
>   with another.
> David I. Lehn:  I recommend against using the term with a new
>   definition.
> Dave Longley:  Our intention was to replace the term.
> Christopher Allen:  I am responding to the privacy question...  I
>   am hoping that we can defer identifier and confidentiality
>   issues.
>   ... I need the format now.  We can dive deeper in another round
>   of work.
>   ... are we saying there are real privacy enhancements now?
> Dave Longley: "Omnidirectional vs. unidirectional"
> Manu Sporny:  We are saying that we are enabling it.  Privacy has
>   a lot to do with the idenitifiers that are used.  If an
>   identifier is long lived and ties everything together it is NOT
>   privacy enhancing.  If you have one that is generated on each
>   transaction...
>   ... let's not do this in 1.0.  we can do it in 2.0 as long as
>   we are very aware of the limitations.
> Christopher Allen:  In many cases it is not even the data.   I
>   didn't know if moving things forward causes thigns to be unclear.
>    We just want flexibility for the future.
> Manu Sporny:  We have 10 minutes left.
> David Chadwick:  Expiration time.  Nothing has really come of the
>   discussions.
> Dave Longley: http://w3c.github.io/webpayments-ig/VCTF/ <-- much
>   of this supersedes the VCTF final report, so whatever terms are
>   there are what we're proposing to W3C
> David Chadwick:  I thought we had agreed that there should be a
>   time in the credential.
>   ... there needs to be a way to ensure that credentials can
>   expire.  Nothing is in there now.
> Nate Otto: On expiration: Sounds like something the official work
>   should take up and make part of the vocabulary. I don't think
>   expiration should be a mandatory property of a credential.
> Manu Sporny:  There is nothing in the proposal, but it is all
>   over the spec.  I think what you are asking is that it is there
>   in the definition.
> David Chadwick:  It should be a mandatory propoerty of a
>   credential.
> Manu Sporny:  The group has typically landed on that propoerty
>   being optional and specified by the vertical.
> Matt Stone:  Should recommend the verification package have an
>   expiration period that's separate from the claim itself
> Manu Sporny:  On the other hand ever use case we have seen has
>   included expiry information.
>   ... we have always intended stuff to expire in the general
>   case.
> Christopher Allen: In Smart Signatures, the expiration is part of
>   the signature, but it is a separate standard.
>
> Topic: Linked Data Encrypted Signatures
>
> Christopher Allen: (I.e. the signature expires, not the cliam)
> Nate Otto:  Reading use cases and saw that no use case requires
>   the actual subject of the claim.  That seems strange in a
>   self-sovereign architecture.
>   ... it feels inconsistent in that any older of a claim could
>   share the claim with anyone else without the approval of the
>   subject.
> Matt Stone:  In concept, the claim payload is still available,
>   but no longer verifiable in "this" transaction
>   ... I proposed an optional extension to have the subject and
>   the issuer to agree on inspectors who can verify the claim.
> Manu Sporny:  We had a discussion off line and in email about
>   encrypted signatures.  So that only the targeted recipient can
>   decrypt the signature and verify the data.
>   ... how does this really protect the subject.
> Christopher Allen: That feels like a signature format
> Dave Longley: I'd like to see any of this be heavily use case
>   driven
>   ... not clear.  But regardless it demonstrates how flexible
>   linked data signatures are.
> Manu Sporny:  If the goal is to make sure that the receiver of
>   the information cannot misuse it... well, that's not possible.
>   Once an inspector has the information, they can do anything with
>   the data.
> Nate Otto: To be clear: any information that an individual has
>   may be shared with others. I posit that there is a significant
>   difference between a verifiable claim and an unverifiable claim
>   (a claim with a signature that cannot be verified by the holder).
> Christopher Allen: (You can make it such that forwarded it
>   doesn't validate)
> Manu Sporny:  We don't think the technical solution prevents
>   misuse of their information.
> Christopher Allen:  You can't prevent someone from taking the
>   claim information and passing it on, but you CAN make it such
>   that the signature is not valid when you pass it on.
> Nate Otto: +1 To ChristopherA. I think this subtle distinction
>   may be significant in the long run. At least enough that I may be
>   interested in implementing this behavior.
>   ... if you are only relying upon VC as being valid, then it
>   will work.
> David Chadwick:  The issue is about trust.  You use the signature
>   so that you know who sent it.  If I cannot check the signature
>   but I get it from someone else who says "I chedked it" and I
>   trust them, then I have a trust chain and it holds up.
> Dave Longley: Very clear use cases will help
> Manu Sporny:  That all folds into whether the information remains
>   trustworthy.  If you want to restrict forwarding of VALID data
>   there are ways to do that.
> Christopher Allen: (It is even possible to link those two, such
>   that the sign fails untill the countersign is made)
> Manu Sporny:  In case people are not aware, the current protocol
>   has the subject countersign the claim when it is handed over.
>   One is from the original issuer, and one from the subject that
>   indicates "I was in control when I handed it over to you,
>   inspector".
> Nate Otto: +1 To David. A chain of trust is a valid use case for
>   this. This is not designed to prevent an inspector who has
>   verified the signature from telling others about that information
>   in a technical sense. That is actually a valuable use case as
>   well. I doubt that all implementers of VCs will want to implement
>   this extra complicated behavior, but there are some valuable use
>   cases I think for some people implementing this.
> Manu Sporny:  Even that mechanism does not prevent the misuse of
>   information.
> Nate Otto: Sounds like my task will be to define a better set of
>   use cases. Thanks for bringing this to the floor, manu.
>
>
>
>
>

Received on Wednesday, 3 August 2016 15:34:14 UTC