- From: <msporny@digitalbazaar.com>
- Date: Fri, 05 Feb 2016 17:26:49 -0500
- To: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
Thanks to Nate Otto for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:
http://w3c.github.io/vctf/meetings/2016-02-02/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-02-02
Agenda:
https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Feb/0007.html
Topics:
1. Summary of Interviews So Far
2. Documents Needed By Web Payments Face-to-Face
3. Verifiable Claims Task Force Final Report
4. Use Cases Document
5. Draft Charter Proposal
Organizer:
Manu Sporny
Scribe:
Nate Otto
Present:
Nate Otto, Manu Sporny, Daniel C. Burnett, Dave Longley, Matt
Stone, Richard Varn, Shane McCarron, Eric Korb, Henry Story,
David I. Lehn, Peter Hofman, Gregg Kellogg, Rob Trainer, Bill
DeLorenzo
Audio:
http://w3c.github.io/vctf/meetings/2016-02-02/audio.ogg
Nate Otto is scribing.
Manu Sporny: Let's go ahead and get started.
Manu Sporny: On the agenda: A summary of the interviews we've
done so far, figure out which documents we need by the Web
Payments Face to Face, we are going to talk about the documents.
Any additions to the Agenda?
No additions to Agenda.
Topic: Summary of Interviews So Far
Manu Sporny: Interview with Drummond Reed (of OASIS and XDI):
http://w3c.github.io/vctf/meetings/2016-01-27/
Manu Sporny: We did four interviews last week. Drummond was very
supportive of the problem statement we were trying to address,
gave a lot of great input; he thought very deeply about what we
were trying to say: what's user-centric, how does privacy play in
the ecosystem...
Manu Sporny: Interview with Christopher Allen (co-editor of the
SSL and TLS specifications):
http://w3c.github.io/vctf/meetings/2016-01-28/
Manu Sporny: Christopher was also fairly supportive of the
problem statement. Very interesting insight into how SSL & TLS
came to be, and some current crypto work at IETF.
Manu Sporny: Interview with Dick Hardt (of Amazon and lots of
Identity 2.0 / OpenID / OAuth work):
http://w3c.github.io/vctf/meetings/2016-01-29-1/
Manu Sporny: Dick also was really helpful, thought very deeply
about the problem; we got a lot of really good feedback about the
previous initiatives that have played around in this area: OpenID
Connect, OAuth, SAML, and Dick's involvement in those
initiatives, and what he thought was achievable in the short
term.
Manu Sporny: Interview with Michael Schwartz (who has implemented
SAML, LDAP, OpenID Connect, OAuth2, and heads an Identity (OTTO)
initiative in the Kantara initiative):
http://w3c.github.io/vctf/meetings/2016-01-29-2/
Manu Sporny: Michael had not had as much time to review it as
other folks had, but gave us really good feedback as well,
specifically about implementation and different factors
associated with the difficulty implementing SAML and OpenID
Connect.
Manu Sporny: These interviews are added to the feedback we
received from Harry Halpin, David Singer from Apple, and others.
We only have 3 interviews left, if those people have time
Manu Sporny: That's what we have so far as far as the interviews
are concerned. There are some things that we have consensus on,
and others we don't yet.
Manu Sporny: http://w3c.github.io/vctf/#problem
Manu Sporny: We have consensus on the problem statement
generally
Manu Sporny: We have gotten some good advice from Dick Hardt
that we shouldn't state it as user centric and service centric
(instead talk about privacycentric and privacy enhancing)
Manu Sporny: Largely we have broad buy-in to the problem
statement. That probably means we can arrange some work around
it.
Daniel C. Burnett: There may be some control aspects as well
implied in our "user-centric" term.
Manu Sporny: We also asked the question, where should this work
happen? W3C, OASIS, Kintara, IETF? Most folk felt that W3C would
be a good place for it, but some of the protocol stuff might be
pushed to IETF.
Manu Sporny: There was no opinion that the work should not be
done.
Dave Longley: +1 To burn, some modeling aspects too
Manu Sporny: Where we may have disagreement is that the current
pieces we have today (Oauth2, OpenID Connect, JOSE), what parts
they may play in a final technical solution. We are not at the
point of discussing a technical solution yet, so there may be a
fair bit of back and forth when we get to that point once we have
a working group.
Manu Sporny: That is a general summary of what we have done,
where we have consensus, and where we may not. Any questions at
this point?
Matt Stone: Manu, are you satisfied with the outcome of the
interviews?
Manu Sporny: We are very satisfied with the outcome of these
interviews.
Manu Sporny: The VCTF (this present group) was chartered to see
if there was consensus that there was work to be done. We feel we
have done this. We presented this stuff on a call with W3C Staff
yesterday and the staff representative was still unconvinced.
That is frustrating.
Manu Sporny: If all the people we talk to in membership feel
there is work to be done, W3C is the place to do it, why is there
still resistance from w3c? Maybe one strategy is to summarize all
the work, package it up, so we don't dump an amount of
information that is too much to synthesize.
Manu Sporny: The other concern was that if we don't have clear
Payments use cases...
Manu Sporny: A good chunk of the invited experts we interviewed
said they don't feel the financial industry will be the first
movers on this. They expect the first movers to be the education
industry, which we have seen is true. They are organizations that
are comfortable with moving and putting in cache. Staff objects
that payments should follow, not lead, which opens up a question
of who should support this, maybe we should have a workshop
(which would set us back a number of months.)
Manu Sporny: There are very clear payments use cases: Knowing
who's on the other end of a transaction, coupons, loyalty
cards...
Dave Longley: While they were pushing back saying maybe not the
web payments IG as the best palce for for this, if there are
clear use cases that may not be primary could still make the IG a
good home for the work.
Manu Sporny: We must focus on demonstrating that there are clear
web payments use cases, make it easy for the Web Payments IG to
make a case to the W3C Membership so the W3C doesn't get stuck in
an 8-9 month chartering process where a bunch of companies are
confused about what makes this separate from OpenID Connect etc.
Topic: Documents Needed By Web Payments Face-to-Face
Manu Sporny: Let's jump to the next topic. There were 3
documents that would help prove this case.
Manu Sporny: First: a summary pointing to statistics collected,
interview outcomes: Here's why the work should be done..
Manu Sporny: Second: Use cases document
Manu Sporny: Also: vision document, and maybe draft charter
proposal outlining the work that must be done over the next year
Richard Varn: Seems like we keep running into this issue. Maybe
we can segment our statements. We have one component: overlap,
where we have common tasks addressed in the same way across
sectors (one part of a use case). They might also be interested
in things that are interdependent&mutually beneficial, but might
not be the same solution. 3. as we're deploying stuff that has
commonality, the fact that we're building the social fabric in
one industry, we
Richard Varn: Built the foundation that makes it possible to use
the technology in another industry, like payments.
Richard Varn: ... Even if payments is not the first mover.
Manu Sporny: I'm focusing right now on documents we can create
in the next three weeks
Richard Varn: Maybe focus on things where we're all aligned
Manu Sporny: Agree: outline the things that matter to
healthcare, finance, other...
Manu Sporny: There are other stuff we don't have consensus on --
people are pushing back on the protocol to move credentials
around, which we clearly need to build the ecosystem. The thing
the working group would focus on is the spec that underlays the
ecosystem: ("if you want to express a credential on the web, this
is how you do it")
Manu Sporny: We're trying to focus down on just the stuff that
we know there is broad agreement on.
Manu Sporny: If we do that by the end of February, there is a
good chance the IG will push this forward.
Dave Longley: David ezell (chair of web payments IG) more or less
said: "If there are 12 use cases and only 2 are payments use
cases, we could still push the work"
Shane McCarron: Want to push back on the concept a bit that we
want to bury the extended use cases. I've been wanting to
percolate the some small number of requirements that are backed
up by use cases that multiple industries nee.
Shane McCarron: I don't want to lose that important data about
all the other industries we're going to help at the same time.
Shane McCarron: No objection to prioritizing things out.
archiutectural view is important.
Manu Sporny: This is exactly what happened in the Web Payments
use cases: We had 130 use cases, of which much fewer were
specifically targeted. We had a huge number of use cases to paint
a picture of where we're going, but they didn't have a specific
point on the timeline.
Manu Sporny: I raised that perspective and we got a lot of
pushback from Ian (W3C Management)
Manu Sporny: If folks remember, we were getting pushed off for
starting this task force last year, and the membership overrulled
management above minor objections that it was too early to start.
Manu Sporny: It's good to hear staff perspective because they
have a lot of experience dealing with the management, but
sometimes they're too risk-averse.
Manu Sporny: Best thing we can do right now is convince the 127
individuals in the Web Payments IG that this work is worth doing.
Make it very clear what that data is saying. We have use cases,
we have an idea on a charter. If we can do that by the end of
Feb, we stand a good chance of moving this to the next step, of
seeing whether the membership wants to approve a charter.
Shane McCarron: Note that there is nothing terribly unusual about
how long this is taking. That doesn't make it any less
frustrating.
Manu Sporny: One more parting thought: The whole reason we went
through the Web Payments IG on this was that the Credentials work
had spun out of the Web Payments (at the time) Community Group,
and we thought it would take less time to do this VCTF than to do
a workshop and go through the standard W3C process. At this point
it seems like the two approaches would have taken about the same
amount of time, with a caveat: Identity on the web has a huge
long history
Manu Sporny: Of partial successess and partial failures, and
it's because of that we're being slowed down. Know for certain
we've gathered way more data than a workshop on this sort of
stuff usually gathers.
Manu Sporny: If the Web Payments IG sees what we're doing and
agrees with it, it will have been a good decision to have gone
this way.
Shane McCarron: It doesn't make it seem less like we're pushing
a boulder up a hill only to have it roll back down, but doesn't
mean we take our marbles somewhere else.
Topic: Verifiable Claims Task Force Final Report
Manu Sporny: Let's talk about the documents.
Manu Sporny:
https://docs.google.com/document/d/1dYup3KC2nak3LVTzyapr996TKxDj1w5Eyp4g13rQQBA/edit
Manu Sporny: I've started filling out the document general
structure and themes
Manu Sporny: Second page we have a bulleted summary of findings
Manu Sporny: Page three, we break this up into topics we have
consensus on, and topics where there may be potential pitfalls
(topics we have not been able to dig into deeply enough yet at
this phase to see if there is consensus, but concerns have been
raised)
Manu Sporny: This is where we want to hear feedback from the
folks who are in each industry. Richard, Matt, John Tibbetts,
that's where we'd want to hear a response to "there's no case for
using this in ___industry___"
Manu Sporny: Clearly people who are at large billion dollar
businesses will be prioritized to get responses in this section
Shane McCarron: Question: I know there's a couple interviews
left to do -- what's the timeline on a solid draft of this
document?
Manu Sporny: We're not going to wait for those interviews --
we'll let them know we'd love to talk to them, and we'll
incorporate feedback when we can talk to them, but we're not
going to wait. We contacted them three times. Hoping to have a
final draft by the 12th.
Manu Sporny: Going to be presented on the 22nd of Feb
Shane McCarron: I assume you want the use cases document solid
by then as well?
Manu Sporny: Yes, solid = "in some shape we can present it to
the Web Payments IG" May be in draft form still, but presentable.
Dave Longley: +1 Burn, user centric is about more than just
privacy
Daniel C. Burnett: You got one piece of feedback that
privacy-enhancing is better than user-centric and the
"privacy-enhancing" term appears in this draft, many in the group
think there is more meant by "user-centric" than the narrower
term.
Manu Sporny: You are correct, put back "user centric" and added
a note that someone has suggested "privacy-enhancing"
Manu Sporny: Many people said "user-centric" is problematic
because the openId work has coopted the term to mean something
different than what is meant in this group
Manu Sporny: For example, when we talked to Mike Schwartz, "user
centric is problematic because OpenID already does that, cuts the
legs out from your justification" "It doesn't matter what the
dictionary definition is -- of credential -- that's what
professionals in teh security community thinks it means"
Manu Sporny: Argument that Dick Hardt made that was convincing
was that if you focus on privacy-enhancing, the user-centric
aspects happen naturally
Dave Longley: There was also "self-sovereign" terminology
Dave Longley: Brought up by Christopher Allen
Richard Varn: Three main pillars: knowledge, consent, & choice;
been working on privacy and policy statements around these three
things in commerce software.
Richard Varn: Privacy-enhancing user-centrism is cool, but the
pillars are how the system is designed, and these adjectives then
describe it.
Matt Stone: +1
Dave Longley: We also go down and list exactly what we mean by
user-centric and privacy-enhancing. I don't think we want to use
the other things we mean by user-centric, analyze them and see
whether there is a different term that is not coopted
Manu Sporny: Here's the issue with the bulleted list: Nobody
read them. It became very clear that interviewees started talking
about user-centric without leading the list
Dave Longley: Seeing a new term (other than user-centric) might
make it more likely that they would look at the supporting
documentation
Manu Sporny: Let's think about it over the next week. Send good
fresh ideas to the mailing list
Manu Sporny: We'll touch base on this next week to see if we can
find something not as problematic as "user-centric"
Topic: Use Cases Document
Manu Sporny: Will take action to drive that document forward
Manu Sporny: Excellent work from ShaneM ,burn , and __ to get
that document into shape
Manu Sporny: http://opencreds.org/specs/source/use-cases/
Shane McCarron: We've migrated the document into ReSpec,
coalescing the data from the original version of the CG use cases
document, pulling from multiple use case drafts.
Shane McCarron: Three of us working on it, dividing by section
so we don't stomp on toes. We're trying to put these use cases
together as scenarios that support specific requirements.
Shane McCarron: Hopefully also synthesizing the motivation for
each case, so people understand the motivation for each
requirement. We'll go through a quick cycle of prioritizing
things: Initially, Someday, etc. Gut feel reactions from editors
at the moment.
Manu Sporny: How paralellizable is the work right now?
Shane McCarron: Working very well, don't think we can divide it
any further
Manu Sporny: Do you think we'll be done by the 12th?
Shane McCarron: Will survey editors after this call to see how
they feel about it and redistribute effort if necessary.
Manu Sporny: Any questions on where we are on use cases?
Manu Sporny: Thanks a ton Shane and other editors for moving
this forward. It's looking good. You've made a lot of progress
over the last week
Topic: Draft Charter Proposal
Manu Sporny: http://w3c.github.io/vctf/charter/proposal.html
Manu Sporny: We've got some pushback on presenting this at the
face to face meeting from the w3c staff contact. VCTF pushed back
on that saying "we need to get something in front of people so
they can see what we're doing"
Manu Sporny: Where we have consensus so far is in data format
data model in expressing verifiable claims.
Manu Sporny: Many have objected that this is not very useful
unless there is a protocol for how you deliver, request, and
store a credential
Manu Sporny: In the interim we can submit a "W3C Membership
Note": "while we're getting consensus on this current scope, X
proposed protocol is what a number of organizations are deploying
because they can't implement without a protocol and can't wait
for the W3C and we expect the W3C to pick up this protocol at a
later date"
Manu Sporny: Estimated 18 months to get data format to W3C Rec
status, and we may even start protocol work before the data
format group work is wrapped up
Manu Sporny: Any company on the call pushing a solutilon into
the market that needs a W3C standard stamp on the protocol? Or
are folks comfortable implementing something that doesn't have
the stamp on it
Matt Stone: We're hearing from our user base that this topic is
important
Manu Sporny: Would it be enough if you could point to official
work on data format this already happening. Would those
stakeholders feel ok with your commitment to standards in that
case?
Matt Stone: One of the reasons we're so interested in the
success of this group: we're promising that we're contributing..
Eric Korb: Accreditrust is pushing for a solution for standard
from this group
Nate Otto: Badge Alliance Community, we also need a protocol -
the one that was divised in 2012 - the one that came out of
Mozilla - sending/requesting badges - the same sort of problems
that are expected in the protocol work you're talking about -
just Friday Mozilla made efforts to release more of ecosystem to
community control. [scribe assist by Manu Sporny]
Eric Korb: Stone, +1
Nate Otto: We're going to need to work on this protocol sooner
than later - adopting something from W3C would be good - if it
was official W3C work as opposed to an alternative to the Mozilla
protocol. [scribe assist by Manu Sporny]
Nate Otto: We do need to move pretty fast - we need a
replacement protocol pretty soon with modifications to Mozilla
protocol as a polyfill. [scribe assist by Manu Sporny]
Manu Sporny: We can certainly work through the technical
protocol in the CG and submit a member submission pretty quickly,
but it wouldn't mean much
Nate Otto: I think the best course of action is to maintain a
good idea of where proposals are in the standardization process.
We don't want to align with something that's headed down a
different track. [scribe assist by Manu Sporny]
Henry Story: https://www.w3.org/TR/ldp/
Henry Story: https://www.w3.org/wiki/WebAccessControl
Henry Story: There is the LDP work which is a protocol standard,
but they never added authentication to it. There is a web access
control thing people have implemented that can be added to that,
which allows you to authenticate with any kinds of means (OpenID,
Web Signature). There might be something that could be done in
parallel. If the credentials work works with it, perhaps that
could be tied in and completed at the same time.
Manu Sporny: We've looked at LDP, the issue has been that some
of the protocol is expected to be built into the browser (a
credential management API)... that does malware/site checking,
authorization. The LDP stuff is really good for automated
credential exchange that happens behind the scenes. LDP would be
one way to ship these credentials back and forth. That's why in
the first phase of the work we propose just expressing the
credential.
Manu Sporny: Some of our feedback from invited experts is that
you shouldn't try to "pick a winner" protocol, because this stuff
might be reused in other/multiple protcol.s
Manu Sporny: Because some of concerns, because LDP might work
for some use cases, they specifically might not work for some
education partners.
Henry Story: Would be interesting to get some feedback on what
those concerns were, LDP is working to adapt
Matt Stone: Seems like the last few minutes is mixing concerns
from VCTF and the Community Group work that had been working on
this bigger vision
Eric Korb: Stone, +1
Shane McCarron: +1
Manu Sporny: Agreed, that sounds like very good input. As the
task force wraps up around the end of this month, we'll start CG
calls again and get back into that.
Henry Story: Yes, agree. I was just responding to the concern
that some people expressed that they may need a protocol with a
W3C stamp of approval to move their work forward in their company
Received on Friday, 5 February 2016 22:27:15 UTC