W3C home > Mailing lists > Public > public-webpayments@w3.org > August 2014

Re: [foaf-dev] Credentials Community Group

From: Tim Holborn <timothy.holborn@gmail.com>
Date: Fri, 1 Aug 2014 15:40:41 +1000
Cc: Manu Sporny <msporny@digitalbazaar.com>, foaf dev <foaf-dev@lists.foaf-project.org>, "public-webid@w3.org" <public-webid@w3.org>, Web Payments CG <public-webpayments@w3.org>, "public-rww@w3.org" <public-rww@w3.org>
Message-Id: <54EF4124-CE0A-4EF1-BF59-B58C60961B54@gmail.com>
To: Peter Williams <pwilliams@rapattoni.com>
IMHO - It’s with misfortune that the identity problems emerge, to form a situation that certainly deserves a response.   Yet, fragmenting the identity elements seems to meet failure.  I think it is such a volatile issue, that as yet - a considered response has not been endeavoured effectively - which results in the continuing need to look at it.

Bank and banking - require different capabilities.  I think this may be best deemed a format that is available to citizens should they seek to act in a manner that is lawful or in compliance with their law (of the state / place of citizenship? without taking into consideration factors relating to ‘choice of law’ and people of other nations signing agreements with internationally governed entities).

FOAF works for Persona - incredibly well, imo.  I appreciate the technical purpose of using the term ‘agent’, yet i also appreciate the legal definition, and the appropriation of the term more broadly throughout society.

ATM: it’s legitimate to understand that your Internet Provider can obtain an IP Request from a Website to effectively ‘ping’ the site.  When purchasing an Apple Product - it’s linked to an online account, with a credit card - which effectively furnishes a similar function. 

Yet, a start-up web-business selling say - computer games on the web - might end-up having their business threatened by ‘charge-backs’, which in-turn stimulates some ideas around how to set-up AML (anti-money laundering) / KYC (know your customer) capabilities, because they’re sick of sending games to scammers. 

Yet - this is certainly more complex, and i’m rather sure - an appropriate solution is not defined yet.  What’s worse, is that without a solution we’ve ended-up (perhaps) with more problems, as ‘tracking’ and other related ‘functions’ of what i think they call ‘big data’, continually undermine privacy - without actually providing any benefit to natural persons.

So - whilst I apologise for the cross-posting - across these groups, we’ve got alot of people thinking about different parts or constituents of identity and identity related services (including pseudo-anonymity) and it seems reasonable to at least facilitate an opportunity - to seek to get people working together on this very important area of dev.

On 1 Aug 2014, at 5:03 am, Peter Williams <pwilliams@rapattoni.com> wrote:

> seems VERY un-foaf
> 
> The memo sounds like all the same issues that folks used to talk about in the pre-internet EDI world,  which became the billion dollar PKI boondoggle of the 2001 era web, and now seems to have re-surfaced in new blob formats in the openid connect world - where all the same ideas are being hashed for the 100th time in the last 30 years.
> 
> The very think Ive liked about foaf community it that is distinguished itself from “ALL THAT”. it was speciifcally about the web citizen wanting to surf (and who is not some governed entity, some government id, some contracted service client, someone with this our or outrage about some issue, …).
> 

I’ve certainly been outraged by a few issues.  doesn’t mean i’m seeking to deprive anyone of liberty, human rights, democratic participation, etc.   The unfortunate issue, is that some realities in life are taboo - evil happens when good people, still watching, do nothing.  The capacities for ‘web-citizens’ - well…  it’s a rather serious issue.  we need different perspectives, from different ends of the spectrum, to come-up with things that may not simply require technical solutions in software code, but perhaps also - empowering systems of government to examine issues, and come-up with solutions that can help reinforce factors automated via software code.  The ability for someone to give each instance their personal attention - their personal approval - is becoming less, and less relevant.  The means to deconstruct problems that emerge via automated systems, are equally becoming more and more difficult.  Regardless, we have shared values and they’ve been enshrined in documents - such as UN Human Rights conventions - so it’s not like we’re starting from a blank canvas.  Regardless, the idea that someone owns IPR around how your identity is recognised by law?  identity issue, recognition of people issues have some very terrible potential outcomes.  I think we’re looking to build ‘things’ that help people grow to their fullest potential, in contributing to man-kind, in their way - doesn’t matter if they’re out giving soup to local homeless people, or standing on some stage speaking of rights, dignity and opportunity.  It starts to get ideological from therein.  

If systems are deployed that bind a persons identity via HTTP - then if it’s not made with the capacity to support pseudo-anonymity, i don’t think it matters which ontology you prefer.  Fundamentally - their is a difference between systems built for relational database methods; and, those developed for graph database methods.  I like many parts of the world; but my passport and birth-certificate says i’m Australian.  I’d like to send an secured message that is date-stamped, in a manner that makes it as useful as a patent document.  I’m sure other ‘inventors’ who don’t have the ~500k to secure patent protection for different forms of work would also like some other means for recognition.  I’d also like to ensure that if an external influencer, not trackable by a system - unreasonably damages a persons identifiers on the system - means are defined in-order to reasonably figure things out.  Equally, those who have mental-health care issues - perhaps a bad period of time, that shouldn’t damage their capacity to be employed.  Or means to protect vulnerable people who are threatened or harmed by acts that are illegal and materially damaging to others, but formerly perhaps - without the interest - the technology never applied to help such people, almost like an ideological decision.

It’s a complicated area.  i see the need for the credentials capability, but it needs to be well thought out, and i figured sending this note might be a positive step rather than an ignorant or thoughtless reception, to what i believe is a very complex area with a gap-analysis that doesn’t come-up with a very positive review.

TimH. 

> Sent from Surface Pro
> 
> From: Tim Holborn
> Sent: ýWednesdayý, ýJulyý ý30ý, ý2014 ý11ý:ý28ý ýPM
> To: Manu Sporny
> Cc: foaf dev, public-webid@w3.org, Web Payments CG, public-rww@w3.org
> 
> Hi Manu,
> 
> I’m really pleased to see the initiative set-up to form a community that’s seemingly designed to focus on identity issues specifically, rather than the use of identity in trade use-cases.  Potentially a great outcome.  I’m therefore hoping the notes below can be assessed, considered and perhaps put into more cognoscente set of considerations overall..
> 
> I haven’t seen any references supporting loosely coupled identifiers (i.e. private associations between the proposed identity credential tools - and psudo-anonymity / loosely coupled identifiers).
> 
> I refer back to http://www.verisigninc.com/en_US/innovation/verisign-labs/speakers-series/evolution-of-internet/index.xhtml  (particularly @23minutes - but the whole thing is good)
> 
> This in-turn relates to issues such as ‘choice of law’, when signing-up to site services and an array of other more sophisticated problems / considerations, that perhaps people generally could better understand as a constituent of entering into any-such agreements. 
> 
> I also note that WebID and FOAF is not listed in the proposal, nor are what i’d term ‘data-rights declarations’ listed in the scope of work.  In terms of ’safety’ (per the video above) or security, i think the ability to include other identity related ‘linked-data’ issues - such as methods for credential holders to make declaration about the use-expectations for information/data provided to 3rd parties; and, the ability to not require individuals to unnecessarily disclose identity information. Inclusively providing means to beneficially support protection of individuals, whilst still establishing new identity related tools (which in-turn bring new safety issues for web-users).  In effect, a more holistic approach may benefit the requirements (and/or intent) pursuant to other safety issues inclusive to identity and authentication, whether explicit or implicit; and, as described in precedent requirements such as KYC / AML. 
> 
> Without the use of identity for authentication - the identity credential itself becomes useless.   
> 
> ’not everyone needs to know or see everything’. 
> 
> It seems that the authentication principles (inc. systems) also form important elements of the identity credentials lifecycle. I’ve been constructing concept of ‘data rights’, which has yielded some interest already - and i’m yet to find a technical home for it, though i believe could fit in well to a W3 CG that’s appropriately broad in its considerations of personal identity requirements.  
> 
> Therein; some of the ‘data rights' ontological concepts i’ve considered include,
> 
> Data:Reuse
> Data:Accessibility
> Data:Security
> Data:Privacy
> Data:Sovereignty 
> Data:Storage
> 
> I note that in my research i’ve found that organisations may suffer from the costs incurred if / when privacy (or other) legislation is passed by a state, incurring new obligations that in-turn need to be enacted through DB related SYSADMIN tasks. therein, the capacity for individuals to be presented with choices (perhaps also incentives for different types of choices - i.e. join the loyalty program get 10% discount, free-updates, etc.) assists all parties involved in the transaction.  I think in other instances, it’s a bit like seeing advertising your actually interested in - or ensuring the direct mail is being received by people, not dumped into the virtual dumpster - which is a waste of energy, if not to consider other issues therein.
> 
> Finally - these standards most affect individuals, who are not ordinarily paid-up members of W3C.   The membership of W3C in-turn have fiduciary requirements around what they need, in-order to comply with law.  Due to the truly amazing behaviours, works and passion - arguably for furthering humanity (can’t think of a way to summarise it - i’ve started considering the concepts around how we all share WWW citizenship..) the platform exists, as may not have been the case should some of the initial decisions have been different..  The motivations were designed to help organisations, by empowering people to communicate more effectively.  
> 
> I find "Network Theory Seminar with Tim Berners-Lee” presentation https://twitter.com/WebCivics/status/492707794760392704  (the https://twitter.com/WebCivics/ will be resourcing an array of links around this territory of consideration / ‘web science’) quite grounding; and in-turn, we are certainly at a stage where identity, the digital treatment of persons is a massive issue, on so very many levels.  This area is a can of worms.  So my $0.02c (or currently about 0.03488uBTC) would be that credentials is an element of identity and personal permissions standards - or - regardless of the name - perhaps your scope is a little too narrow, as to best serve the needs of its intended beneficiaries.
> 
> - Authentication is required to create ‘barriers’ around someone who is not you, ‘authenticating’ as you - on computing systems.
> - Permissions are required so that we’re not entrapping people into things they’re otherwise not required to do.
> - Personal - is different from any act you make, in association to others whether acting as an agent or a member of the community.
> 
> Identity is more broadly nebulous, a concept of study in many social sciences / liberal arts - manifestly, something that is not digital or binary.  YET, we have credentials and identifiers, or 'footprints'…  We are legally recognised entities - or at least, we should be.  
> 
> inclusive concepts of course: include, the rights, privileges and responsibilities of citizenship and social participation; yet, then it starts to become more complicated.  In this world, without economic recognition - people can barely subsist. 
> 
> Access to justice for incorporated entities, vs. access to justice for the majority of WWW citizens is not reasonably equal. large companies and individuals have issues sharing intellectual property, without a ledger - who knows who did what first; generally, the individual does not have a legal department, yet equally perhaps they’ve got some strategy that could waste alot of time and shareholder money - or perhaps, someone had a KPI that they found difficult to meet without ‘cutting corners’.  
> 
> when dealing with identity - at this level no less - I think it’s imperative that we ensure the scope is defined in a manner that holistically ensures ‘duty of care’, as we are able to discharge as professional - community members - on a best-efforts basis, to make an attempt that our work is defined in such a way that it seeks not diminish the responsibility or opportunity of any party, to act in good-faith and to maintain our responsibilities as citizens throughout our affairs, including those in which we act as an authorised representative and/or agent - for an incorporated entity. 
>  
> love it or hate it - most things that affect us has an economic price-tag, whether that rational has been realised, is yet to become realised or has become subject to barriers and may be unaccessible. 
> 
> FUNCTIONAL
> 
> I note an array of community initiatives.
> 
> https://webwewant.org/
> http://webfoundation.org/
> http://www.purpose.com/
> 
> (noting that many others exist…)
> 
> I’m also working on this concept called ‘web civics’ which aims to create events that link ‘locals’ with ‘international experts’, help finish product produced by scientists such as those on these lists, etc. 
> 
> I’ve found that people are engaging me about these sorts of issues and that the most interesting conversations are with people who are consummate professionals, in different (and sometimes related or complimentary) fields.  I feel it’s important to develop these conversations, build social bridges.
> 
> Yet when it gets down to functional - the concepts need to be converted into standards, and i believe supporting W3C Community group works - is the best possible method to get that work done.  Perhaps, this is misguided - not sure.  ATM i can see an array of different groups looking at identity related issues.  From the persistent messages about different crypto standards, to ontological debates, messaging standards (i.e.: serialisation methods - turtle vs. json-ld), etc.
> 
> underlying some of these issues is most likely a host of patent / IPR issues, etc.
> 
> If, 
> 
> W3 participants specialised in this field - no matter where in the ideological spectrum they’re focused upon - can accumulatively collaborate / cooperate - towards a standard that can support an array of different use-cases (focused on the use of Linked-Data / RDF / including decentralised web tech.) then, i believe the potential for standards work could have enormously beneficial implications.
> 
> However -  I equally understand that this may in-turn bring about a resourcing issue.  To which, a largely philosophical strategy might need to be deployed in considering how these needs be met.  
> 
> 
> 
>  
> On 31 Jul 2014, at 2:03 pm, Manu Sporny <msporny@digitalbazaar.com> wrote:
> 
> For those of you that may have missed it in the minutes, we believe we
> now have enough momentum to launch a Credentials Community Group at W3C
> to take over the identity/credentials use cases and technology that this
> group has been working on for a few years now.
> 
> There has been concern voiced that this group would be side-tracked by
> much of the identity/credentials work. We now believe that we've found
> some other organizations in the payments, education, and government ID
> spaces that would like to lead the work (ensuring that the identity use
> cases related to payment continue to be supported). The proposed charter
> for that group is here:
> 
> https://docs.google.com/document/d/1dPzWbPF0jlox8UHnr522nBWCjLJMQ_vGbbtsA5-pAsg/edit
> 
> Please provide input on the charter. It's heavily modeled on the charter
> for this group (so if you like the way this group is run, you should
> like the way that group is run).
> 
> The discussion around the formation of the group starts here:
> 
> https://web-payments.org/minutes/2014-07-30/#2
> 
> -- manu
> 
> -- 
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/
Received on Friday, 1 August 2014 05:44:51 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:03:38 UTC