Credentials CG Telecon Minutes for 2015-04-14

Thanks to Brian Sletten for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2015-04-14/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-04-14

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2015Apr/0018.html
Topics:
  1. Use Cases
  2. WebAppSec Credential Management API
  3. Credentials/Badges Vocabulary Update
Resolutions:
  1. Switch the primary use cases document over to the micro-use 
    cases approach, concentrate all future use case work into that 
    document.
Organizer:
  Manu Sporny
Scribe:
  Brian Sletten
Present:
  Brian Sletten, Kerri Lemoie, Manu Sporny, Nate Otto, Dave 
  Longley, Sunny Lee, Gregg Kellogg, Adrian Hope-Bailie, Eric Korb, 
  Brent Shambaugh, Joe Kaplan, Laura Fowler, Rob Trainer, David I. 
  Lehn, Hassan Almas
Audio:
  http://opencreds.org/minutes/2015-04-14/audio.ogg

Brian Sletten is scribing.
Kerri Lemoie: Sounds good
Manu Sporny:  Let's change the agenda order since Sunny has to 
  drop off early.

Topic: Use Cases

Manu Sporny: 
  https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit
Manu Sporny:  The Micro use cases document has been updated with 
  all of the content from the current document. The move over 
  happened without incident. Some concern about whether we had the 
  right number of phases. Nate has commented, Dave Longley has 
  commented, Sunny and Kerri have commented. Let's hear from each 
  of you about the document, if you have any concerns, if you think 
  this is a good approach.
Kerri Lemoie:  I like this format a lot. It makes sense, it's 
  easy to read. Similar to other Use Cases doc. I put some comments 
  in. We don't have to get to all of them today. I really like this 
  and think it will help those who are coming in.
Nate Otto: My linphone is crashing over and over -- can I call in 
  on the regular phone?
Manu Sporny:  Thanks for your comments, Kerri. They are pertinent 
  and good and need to address them.
Dave Longley:  +1 What Kerri said. Once we get it into a web 
  page, it will be even more readable. It's a big improvement.
Sunny Lee:  +1 What Kerri said. I read it thoroughly. It was 
  cohesive and read well. Our use cases fit well here.
Nate Otto: I like it
Manu Sporny:  I am hearing generally positive comments on the 
  document.
Kerri Lemoie: +1
Manu Sporny:  Does everyone feel comfortable on making this our 
  use cases document? Are these operations ordered properly? Can we 
  take this document, clean it up and in a month's time have 
  something that we are comfortable pointing to when what other 
  people to join the work formally.
Nate Otto: I added one set for recipient-initiated sharing flow, 
  which then duplicates 2 steps from the consumer-initiated flow. 
  Is this useful, or should they be refactored.
Gregg Kellogg:  Are we decided on using Google Docs or should we 
  use ReSpec?
Nate Otto: +1 Moving back to ReSpec in order to publish, but I do 
  like Google Docs for collaborating at this scale.
Manu Sporny:  We find that Google Docs is easier to collaborate 
  with comments. Eventually, Web Annotations will help. This stuff 
  needs to be in a certain format. We need to timestamp these 
  documents when we put them out. My expectation is that we will 
  collaborate in the Google Docs until things settle down and then 
  we'll move over to the ReSpec version and that will be our 
  time-stamped document.
Brian Sletten:  Are we suggesting that there could be other use 
  cases emerging in the document? [scribe assist by Manu Sporny]
Manu Sporny:  We will be adding to the document moving forward. 
  Tim Holborn wants to add a more specific online bullying take 
  down language.
Manu Sporny:  There is still a decent amount of work to the 
  document.
Gregg Kellogg:  Should we cover the WebAppSec use cases to help 
  address their needs?
Nate Otto: Thanks to Manu & Dave for digging into the WebAppSec 
  document on such short notice.
Dave Longley:  The WebAppSec spec looks like it was created 
  thinking Login use cases were key, but based on our experience is 
  that Login credentials are simply one tiny use case in a sea of 
  use cases.
Manu Sporny:  That means we should have a set of login uses cases 
  in our document.
Kerri Lemoie: Adrian is very quiet - or its me.
Adrian Hope-Bailie:  I wanted to say that this can swing both 
  ways. What they look at as a credential is a user name and 
  password. We look at it as a signature. Maybe there is scope for 
  us to expand our definition of credential to be login credential.
Dave Longley:  I think we want any api to support both uses. We 
  can get people to adopt the api before they necessarily adopt the 
  credentials work. However, I don't think we want username 
  password as a credential to persist as a long term solution 
  because it isn't a great credential.
Manu Sporny:  Yes, we need Login use cases. Do they go in 
  WebAppSec documents? Credentials documents? Both?

PROPOSAL:  Switch the primary use cases document over to the 
  micro-use cases approach, concentrate all future use case work 
  into that document.

Brian Sletten: +1
Dave Longley: +1
Manu Sporny: +1
Gregg Kellogg: +1
Nate Otto: +1
David I. Lehn: +1
Kerri Lemoie: +1

RESOLUTION: Switch the primary use cases document over to the 
  micro-use cases approach, concentrate all future use case work 
  into that document.

Nate Otto: Ok, added a quick Login use case to the doc if you 
  want to take look.
Manu Sporny: Thank you NateOtto :)
Kerri Lemoie: Nice work on this doc!

Topic: WebAppSec Credential Management API

Manu Sporny: Initial email to list is here: 
  https://lists.w3.org/Archives/Public/public-webappsec/2015Apr/0097.html
Manu Sporny: The proposed spec is here: 
  https://w3c.github.io/webappsec/specs/credentialmanagement/published/2015-04-FPWD.html
Manu Sporny: WebAppSec use cases are here: 
  https://w3c.github.io/webappsec/usecases/credentialmanagement/
Manu Sporny: Interesting "future work is here": 
  https://github.com/jden/web-login
Manu Sporny: Technical Review part 1 is here: 
  https://lists.w3.org/Archives/Public/public-credentials/2015Apr/0027.html
Manu Sporny: Technical Review part 2 is here: 
  https://lists.w3.org/Archives/Public/public-credentials/2015Apr/0029.html
Manu Sporny:  To summarize: There's a lot of information here and 
  will continue to be so over the next couple of weeks. In general, 
  this is what is going on. The WebAppSec is considering publishing 
  a FWPD of credential management.
Manu Sporny:  There is disagreement with how much overlap there 
  is between this initiative and the Credentials CG and what the 
  Web Payments IG wants.
Manu Sporny:  There are a number of issues that I have raised so 
  far. Adrian has raise. Dave Longley has raised. A lot of other 
  people have not weighed in yet. The call for consensus started 
  last Friday and ends this Friday. For those that care about the 
  CG work it is important that you get your mind wrapped around 
  what is going on here. The problems, potentials solutions and the 
  path forward.
Manu Sporny:  Dave Longley, do you want to go down the list?
Dave Longley:  My read on this spec that they are calling for 
  consensus. I think it is primarily designed to allow web pages 
  access to password managers and are trying to be forward-looking 
  about potentially doing more with credentials in the future. I 
  think the short-term efforts are not as overlapping, but that the 
  future work definitely will and won't work well.
Dave Longley:  There is no mechanism to sync credentials between 
  browsers. Browser-based password managers don't do this now so 
  they don't think it is a problem. We don't want to build specs 
  based upon what is only available now. We want to avoid 
  credentials getting locked into browsers.
Dave Longley:  Allowing plugins to replace part of the browser 
  API for credential management might help migration in the short 
  term, but has security implications.
Dave Longley:  Let's make the core api work the right way rather 
  than design for what is now and work around it in the future.
Dave Longley:  The api doesn't really seem to be about killing 
  the password. They do talk about federated logins via super 
  providers (Twitter, Facebook, Google). This will guarantee super 
  providers because developers have to iterate over them. Mike West 
  suggests maybe you can specify which providers you support, the 
  sites can specify who they support and the browsers can show  you 
  the overlap/intersection. Our approach suggests t
Dave Longley:  And doesn't need to be handled specially.
Dave Longley:  The spec assumes that there will be two different 
  apis in the future. It will be difficult for us to work with 
  their api without creating a new api (and therefore two different 
  apis). It would be difficult to support (if not impossible) the 
  use cases we have.
Manu Sporny:  These are just the high level issues with this 
  spec. The second email above goes into a number of issues we have 
  with the design. Does anyone have any questions?
Nate Otto: Thanks, dlongley, your explanation over email and 
  audio was fairly clear.
Eric Korb:  My biggest concern is how much impact this will have 
  on us if they push forward without our consideration. Where are 
  we in our stage vs where they are in their stage in a WG?
Manu Sporny:  It's unclear how damaging this could be. If they 
  don't listen to our concerns, we could have two different 
  credential apis. One doing login/sso credentials and ours 
  digitally-signed credentials. That's kind of the worst case 
  scenario. It's Google. They could ignore us and be very 
  successful getting it into Chrome. They are also close with 
  Mozilla which means it could be shoe-in to the platform. We want 
  an api built into t
Manu Sporny:  It won't be good if they don't want to collaborate. 
  Strategy should be: How can we make the minimum number of changes 
  to what Mike is proposing to ensure that the kind of credentials 
  we are talking about and the ability to store them in a vault is 
  supported as a first class feature in their api.
Manu Sporny:  That would be a huge win for the Credentials CG 
  because it would be in the browser before we expected. It would 
  be a win for them because we have done a lot of the future work 
  for them. And they would get a few more CG/WGs using their api.
Nate Otto: WebAppSec seems like a good group to be doing the part 
  of this that has to do with the browser API. If they want to push 
  on the browser vendors, we should do our best to show how our use 
  cases are valuable and explain what it means to have credential 
  == signed claim about an identity/identifier.
Manu Sporny:  We know what kind of changes we'd like to see to 
  their api. The question is whether they will listen and want to 
  slow down their work or not. There is still quite a bit of 
  miscommunication. I don't think they are up to speed on what we 
  are doing. They haven't engaged yet despite multiple attempts 
  (last fall).
Kerri Lemoie: Does w3c have a process of arbitrating this?
Manu Sporny:  If people stay silent, the FPWD will go through and 
  we'll have to fix it later.
Manu Sporny:  If you agree and care about this stuff, send in an 
  email.
Brent Shambaugh: Will anyone see them in person?
Nate Otto: Do you have to sign up on the public-webapps mailing 
  list before your messages to that address would be visible?
Manu Sporny:  In the next month, we need to see how to 
  collaborate and get them up to speed. We need to get the staff 
  contact up to speed as well.
Nate Otto:  No, it's a public list, it may just take a few 
  minutes to clear your first email to the list [scribe assist by 
  Dave Longley]
Nate Otto: Thanks, dlongley
Eric Korb:  Thanks Manu. This is what I was looking for. We need 
  an api and working with them would be great.
Kerri Lemoie: :)
Manu Sporny:  We don't want to go down the Formal Objection 
  route.
Dave Longley:  We just want to let them know that they don't have 
  consensus.
Adrian Hope-Bailie:  I agree. We need to emphasize the win-win 
  nature of us working together.
Manu Sporny:  Any other questions or concerns about this stuff?

Topic: Credentials/Badges Vocabulary Update

Nate Otto:  Badge Alliance is finalizing 1.1 version, we're 
  waiting for input on the canonical URL. After that, we're going 
  to move forward to 2.0 and see what it means to do badges with 
  Linked Data.
Manu Sporny:  Any other business before we close the call?
Manu Sporny:  The highest priority is responding to the email and 
  requesting coordination before the FPWD.

Received on Tuesday, 14 April 2015 18:05:50 UTC