Re: Re: Verifiable Claims and W3C from Melvin Carvalho on 2016-01-27 (public-webpayments-ig@w3.org from January 2016)

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Wed, 27 Jan 2016 10:07:27 -0600
To: Manu Sporny <msporny@digitalbazaar.com>
Message-Id: <CAKaEYh+3kf3gBN-QCx-ONhgJbVaAoLWDexT1XwP_Z0yTLs3j4w@mail.gmail.com>
On 25 January 2016 at 21:34, Manu Sporny <msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com>> wrote:
This is input from Harry Halpin (in his personal capacity) on the
Verifiable Claims work at W3C:

I followed the link presented and found the comment:

"(Henry Story) also attacked three other people in similar ways during the Working Group. Folks like that lack the basic social skills and humility to work in a Working Group or collaborative effort of any kind."

-- Harry Halpin

Whether or not it's true (I dont think is), I find this completely inappropriate.  Henry has made valued contributions to the LDP WG and other groups at the W3C.



---------- Forwarded message ----------
From: Harry Halpin <hhalpin@w3.org <mailto:hhalpin@w3.org>>
To: "Hodges, Jeff" <jeff.hodges@paypal.com <mailto:jeff.hodges@paypal.com>>, Manu Sporny <msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com>>, Brad Hill <hillbrad@fb.com <mailto:hillbrad@fb.com>>, Dick Hardt <dick@amazon.com <mailto:dick@amazon.com>>, "Karen O'Donoghue" <odonoghue@isoc.org <mailto:odonoghue@isoc.org>>, Tony Arcieri <bascule@gmail.com <mailto:bascule@gmail.com>>, David Chadwick <d.w.chadwick@kent.ac.uk <mailto:d.w.chadwick@kent.ac.uk>>, David Singer <singer@apple.com <mailto:singer@apple.com>>, Mike Schwartz <mike@gluu.org <mailto:mike@gluu.org>>, Christopher Allen <ChristopherA@lifewithalacrity.com <mailto:ChristopherA@lifewithalacrity.com>>
Cc:
Date: Tue, 19 Jan 2016 22:17:59 -0500
Subject: Re: Verifiable Claims and W3C
I'm also swamped. I might second Jeff's response.

1) Don't ignore previous work: "Verifiable claims" are shipped around rather constantly by OAuth and OAuth-based systems such as OpenID Connect. While OpenID still hasn't quite worked out, there are probably more OAuth transactions than Visa transactions. So I wouldn't throw out OAuth and re-design. A user-centric approach doesn't have to ignore OAuth in favor of a failed Mozilla Personae appraoch, but can make it easier for people to run their own instances with increased privacy and security.

2) Don't repeat mistakes of PGP by pushing amateur crypto: WebID+TLS and the key work coming out of the Credentials CG seems to have ignored the fate of PGP, i.e. key management is not something people can do successfully. I would avoid a one-key per user multi-origin paradigm. As FIDO does correctly, aim for key derivation on a per origin basis and try to understand (as I saw RDF folks sometimes get wrong) that the same key should not be used for signatures and encryption, and not the same key used again and again. Keys *will* have to be upgraded to larger key sizes and as we seem tumult around elliptic and post-quantum transitions.  Privacy and security are hard, and any effort should incubate with these goals and the right expertise in mind.

3) There's no real need to invent a new syntax Simply put, I'd ship claims around using JSON Web Tokens. Even if one wants to ship RDF around, I'd stick to well-defined IETF standards for transporting claims around:  JSON Web Tokens with JSON Web Signatures rather than re-invent the wheel. JWKs are also supported by the WebCrypto API. RDF can be shipped around using JSON-LD with a JWT. The W3C should not be in the business of making competing 'standards' to already completed IETF work unless there's a real gap analysis.

That being said, if previous work can be taken into account, I'm sure a more pragmatic way to a user-centric eco-system would be possible. However, let's build

Another option is to scope down and aim at a particular problem domain, for example a uniform vocabulary for educational credentials. Throwing out privacy and security concerns for high value use-cases like banking is a non-starter, as should be obvious.

Here's myself and Blaine Cook giving an entertaining overview in a video called "Ten Years of Social Standards Failure" although I'm sure others on this list could also chime in with equally entertaining stories. Everyone is doing this work for the right reasons, but let's not repeat mistakes of past!

https://www.youtube.com/watch?v=BOLIuBr_2uM <https://www.youtube.com/watch?v=BOLIuBr_2uM>

  cheers,
      harry


  cheers,
         harry


On 01/19/2016 08:46 PM, Hodges, Jeff wrote:
> [ dropped payments IG as I'm not a subscriber ]
> 
> thanks for the invite, however I must offer apologies — I am totally soaked of late work-wise.  All I have time to do is scrawl some off-top-of-head comments (these are only my personal thoughts and are not those of my employer)..
> 
> *  the definition of a "verifiable claim" is in the eye of the beholder, ie they're context-specific (perhaps one could say "community-specific").  e.g. "student at Foo Univ" is arguably a "verifiable claim" in the context of higher ed institutions participating in InCommon.org
> 
> *  there's folks who're exchanging such claims in non-trivial communities today, eg InCommon <https://www.incommon.org/federation/attributesummary.html <https://www.incommon.org/federation/attributesummary.html>>, eg the US Govt (via PIV cards), and others I would suspect.
> 
> *  the list of user-centric "qualities" <http://w3c.github.io/vctf/#design-approaches <http://w3c.github.io/vctf/#design-approaches>>  is more a wishlist of qualities (than a definition) that may or may not be realistically achievable in practice.
> 
> *  we already have multiple data encapsulation/expression/encoding formats & frameworks that can be used to express whatever "verifiable claims" you desire — it's a matter of ontology development, agreement on schemas and profiles, etc.   such claims/assertions can be conveyed with whatever protocols and message encapsulation one wishes, we already have many that are profilable (meaning that if you need yet another message exchange pattern(s), and/or message schema(s), you can specify them, without reinventing messages, or the entire framework).  Re-inventing the wheel from the ground up is likely not necessary as there's much prior work in this overall area.
> 
> *  in practice, for such large-scale decentralized technology adoption and use, it appears that economics trumps technology, and bridging industry silos (as described in the problem statement) will only occur if the participants in said silos have real economic needs or there's demonstrable economic benefits.  c.f. . . .
> 
> Economic Tussles in Federated Identity Management.
> Susan Landau, Tyler Moore; Oct-2012, First Monday.
> http://www.firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/4254/3340 <http://www.firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/4254/3340>
> 
> *  the vctf pages read to me very similarly to several (many?) prior efforts in the general "identity" space (saml, liberty, WS-*, Open*, etc)  — i can't really tell what is different about this verifiable claims effort
> 
> *  please note that FIDO is not about "identity" -- it is about cryptographic asymetric-key-based peer-entity authentication, with provision for multiple "user verification" modalities layered on top (eg PIN, biometrics, whatever).  It is, however, possible to compose FIDO with your favorite flavor of federated identity management:  c.f.  <http://www.slideshare.net/CloudIDSummit/cis-2015-fido-and-federation-cis-2015-could-identity-summit-hodges <http://www.slideshare.net/CloudIDSummit/cis-2015-fido-and-federation-cis-2015-could-identity-summit-hodges>>  for one example approach (how it composes of course depends upon the message flows of the "identity" framework/infrastructure one is composing with)
> 
> I hope this helps,
> 
> =JeffH
> 
> ---
> On 12/20/15, 8:03 PM, "Manu Sporny" <msporny@digitalbazaar.com <mailto:msporny@digitalbazaar.com>> wrote:
> 
> Hi Brad, Dick, Jeff, Karen, Harry, Tony, DavidC, DavidS, Mike, and
> Christopher,
> 
> As some of you may know, there is a group of us loosely organized around
> a W3C Community Group and the W3C Web Payments Interest Group that are
> looking into whether or not to form a Verifiable Claims (aka
> credentials, attestations) Working Group at W3C. We have a rough sketch
> of what the group would be about here:
> 
> http://w3c.github.io/vctf/ <http://w3c.github.io/vctf/>
> 
> The group has identified each of you as a person that would be important
> to interview before we make a decision on whether to create a WG or not.
> Each interview would consist of you letting us know your thoughts on the
> initiative (after reading the link above). We'll have some questions[1]
> to guide the discussion if you're unsure about the sort of stuff we're
> trying to learn from you, but feel free to pose your own interesting
> questions (and answer them) during the interview.
> 
> This is just a heads-up that we're going to be asking for some of your
> time in January. We'll work around your schedule. I'll send a time
> request in a separate email and we'll have a prep call (with recorded
> audio for those that can't make it) in early January as well.
> 
> -- manu
> 
> [1]https://www.w3.org/Payments/IG/wiki/ProposalsQ42015/VerifiableClaimsTaskForce#Open_Questions <https://www.w3.org/Payments/IG/wiki/ProposalsQ42015/VerifiableClaimsTaskForce#Open_Questions>
> 
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Web Payments: The Architect, the Sage, and the Moral Voice
> https://manu.sporny.org/2015/payments-collaboration/ <https://manu.sporny.org/2015/payments-collaboration/>
>
Received on Wednesday, 27 January 2016 16:07:30 UTC