- From: <msporny@digitalbazaar.com>
- Date: Tue, 09 Jun 2015 12:32:27 -0400
- To: Credentials CG <public-credentials@w3.org>
Thanks to Dave Longley and Manu Sporny for scribing this week! The minutes
for this week's Credentials CG telecon are now available:
http://opencreds.org/minutes/2015-06-09/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-06-09
Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0035.html
Topics:
1. Web Payments IG and Credentials
Organizer:
Manu Sporny
Scribe:
Dave Longley and Manu Sporny
Present:
Dave Longley, Manu Sporny, Ian Jacobs, Eric Korb, Richard Varn,
Brian Sletten, Gregg Kellogg, Rob Trainer, Arto Bendiken, James
Anderson, David I. Lehn, Laura Fowler
Audio:
http://opencreds.org/minutes/2015-06-09/audio.ogg
Dave Longley is scribing.
Manu Sporny: We have Ian Jacobs with us from W3C, Staff Contact
for Web Payments work, a long time W3C veteran. We'll be talking
about what the Web Payments IG is doing and how our work here
will impact it. We can also discuss use cases with any remaining
time.
Manu Sporny: Any changes to the agenda?
None
Topic: Web Payments IG and Credentials
Manu Sporny: As many of you know, the Web Payments IG has been
looking at credentials lately, there's a topic at the NYC F2F
next week where we'll be trying to extract use cases around
payment credentials.
Manu Sporny: I thought that it would be a good idea to get Ian
on the call to introduce ourselves to him and let him hear about
the work that's happening here. As a reminder, we all care about
credentials very much and see it succeed. If we can do anything
about credentials at W3C, we want to construct it to be
successful. We're not trying to make any decisions today, just
getting background on Ian's thinking on credentials and
integrating it with the Web Payments work and feedback from orgs
in the education and healthcare space and what they'd like to see
as far as standards are concerned over the next few years.
Manu Sporny: Ian if you could give background on yourself and
what you'd like to see that would be great, sorry to put you on
the spot.
Ian Jacobs: Manu has talked to me a bit about the work of the
group and I claim only superficial knowledge of it and would like
to learn more.
Ian Jacobs: I'm the lead for the W3C staff for the Web Payments
IG and where we are currently, having launched in Oct., is that
we want to come to consensus on charters for new WGs to integrate
payments further into the Web. We are meeting next week face to
face where we will be discussing the work that has gone into our
use cases and capabilities which are functional modules for
enabling the use cases, and determining which groups, new or
existing, should work on the priority capabilities we've
identified for version 1. Part of the discussion is around
identity requirements.
Ian Jacobs:
https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials
Ian Jacobs: Manu has brought to the IG's attention that a lot of
effort has gone into designing an approach originally rooted in
payments use cases but then has migrated closer to educational
and healthcare use cases. Manu and I have discussed that we an
hour long conversation within the IG to solidify and get a shared
understanding of the financial industry's use cases. We've heard
horror stories of the cost of creating accounts for high net worth
individuals and creating a second account is just as expensive as
the first one, and credentials could lower costs. Manu has looked
up the penalties involved in making sure identities are checked,
and credentials can help with that. There are some prominent use
cases in there already like making it easier for users to provide
data to merchants like age and so forth.
Ian Jacobs: Another one is for merchants/users to discuss a new
payment option and there's a contractual set up beyond the
technical integration and credentials could reduce costs for
establishing contracts for new payment mechanisms. We want the IG
to have confidence in proposing to the W3C work that would have
benefit to the payments industry. That's where we are today. I
know people have expressed interest in this and once, as an IG,
we have a better handle on the payments use cases then we can all
come together and look at opportunities to collaborate, depending
on overlapping needs, and possibly move forward as a block which
would be great, or as independent groups because that would be
more beneficial.
Ian Jacobs: I'll pause there to see if there are questions, etc.
Manu Sporny: I think that's a very accurate description of where
we are. If you're interested in asking questions do `q+` and
you'll get on the queue.
Manu Sporny: The main concern the group had voiced was in the
coming together, figuring out how, if we can come up with a
unified way to address all these use cases.
Manu Sporny: And what the timeline would be, yet. We'd do F2F in
NYC, get use cases, derive capabilities out of the use cases,
then once we have that, see if there's overlap with the other
credentials use cases.
Manu Sporny: Credentials Use Cases:
https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit
Ian Jacobs: You hit something on the head more clearly than we
had discussed previously. Let me explain how we're using the
terms. The use cases are stories, probably very similar to the
work the CG has done. We want to say "so and so is paying through
a website or using an NFC connection, etc." Right now it's the
consumer+merchant experience. The capabilities are more about the
technology needs we have for the use cases. The next level down
will be requirements like "the user interface needs to be
accessible, etc."
Ian Jacobs: I think if we end up having the same capabilities
then that suggests we have a lot of overlap and the work can go
on in concert. That's less about use cases and more about
capabilities.
Ian Jacobs: That seems like a good thing to aim for.
Manu Sporny: I don't think this group has seen the trust and
capabilities document yet.
Manu Sporny: We can focus there.
Manu Sporny: DRAFT DRAFT Trust and Identity capabilities for Web
Payments:
https://docs.google.com/document/d/1FbHscEFUA1P6Frm9h-98bgBF8oCNNu3_0BZh8l7Aa0c/edit#heading=h.yekwqd5iky7q
[scribe assist by Manu Sporny]
Ian Jacobs: We're wrestling with the content and the display of
it, and it will likely evolve again. Looking at it now is a good
place to start but expect a lot of changes between now and 10
days from now.
Manu Sporny: I think there's a high degree of overlap in the
trust capabilities with the Web Payments and what will come out
of the Credentials CG. Surely there's still work to do to
establish if/where overlap is. But for the first time I think we
know what we're going to use to determine if we need one or more
groups on credentials.
Manu Sporny: Ian, do you expect, if we're able to have a
capability to capability comparison in late June/July then we
could write a charter by September?
Eric Korb: Manu, would that get inline for TPAC in Japan?
Manu Sporny: Yes
Ian Jacobs: For me, we're trying to have a draft charter for a
payments architecture, that the interest group is happy with by
end of next week. At that point, in terms of process, the staff
will review it, go over resource allocation, etc. There will be a
membership review and a typical slowdown in August. I think
having a charter that the IG is happy with in mid June would have
its first F2F in Oct 2015. It takes a couple of weeks before the
group launches because of the advisory committee. It's feasible
to get a draft committee together in August/Sept and have work
start in November. Yes, that's feasible, there's the issue of the
summer slowdown (US summer slowdown).
Richard Varn: This is Richard Varn with ETS. I've been working
on identity security/management, for ~30 years now. I wanted to
provide a perspective on that there's a real synergy between
healthcare/educational credentials. I also work with [missed]
retail federation to work on this. I bring a lot of different
perspectives. I think to the extent possible, we would want the
standards and components we use in healthcare and education at KYC
in the financial industry. We'd want it to be common, largely,
and extensible where needed.
Ian Jacobs: I think where we can get broad consensus on a common
standard there are only benefits. In our particular case, the
Credentials CG, as a community, has been discussing this for
quite some time and the payments industry has not. And we need to
get up to speed, basically, at which point there's a lot of good
will to seek a common solution without saying what it is, but
seeking it is our daily bread at W3C, so I don't hear any
pushback on that.
Richard Varn: Here are some of the issues why we haven't moved
quickly as a group, society. The people that are the custodians
of records that are accepted broadly ... I would say the bear
anonymous use, by and large, of credentials... the people who
manage the records are document and paper based, there are few
standards that they all follow, and we need to use them as a
point of reference for all these different systems and it's
difficult to get them to help. That's one problem. On the ID
site. On the money side, there are a lot of financial industry
conflicts, GOTR stuff. So many people have strong interest in how
that works they don't want to be disadvantaged. The third issue
has been the overlap with privacy, security, access, and use.
That's where you end up with a discussion we've been having here,
for example with short term anonymous credentials that go away
quickly, etc. And you have to have discussions with privacy
advocates, etc. Those are some of the backend problems we have to
address, even if we have common capabilities, etc. there is a lot
of drag that pulls us back. In the education/healthcare area, I'm
excited that a lot of the same problems can be addressed in the
same way and more people in those industries are aligned to help
each other vs. in other industries they are adversaries. The
interest in solving the problems are well aligned and what we can
get done there can offer potential common solutions that people
can ride on in other things.
Richard Varn: To be able to go somewhere else in the same
organization even helps ("we're doing this with driver's
licenses, let's do it with birth records").
Richard Varn: While education/healthcare may actually help lead
the way to a more common, quicker standardization method.
Gregg Kellogg: +1 To what Richard said
Eric Korb: I'd like to dovetail some of the things he's talking
about with regards to work in the healthcare industry and
banking. We're starting to see the emergence of healthcare
banking. Banks can do their healthcare and insurance payments
now. As it gets broader ...
Eric Korb: Credentials will get even more important.
Eric Korb: We're seeing credentialing in the issuer and
fulfiller of the prescription -- and that ties into payments with
the person at the counter.
Eric Korb: Those things could be validated at the point of sale,
etc. banking and healthcare merging.
Eric Korb: I think other overlaps with education are well
documented. Everything starts with education. Everything else is
heartbeat, so on, that we don't want to put on the internet so we
need robots to handle our ID. We need to validate robots that are
working on our behalf and credentials need to be validated on
those claims and typically those claims are based on our
education or other things about us we've achieved.
Eric Korb: Also, I'd add that students pay their tuition almost
exclusively online.
Eric Korb: Plus, gov't student loans are transmitted
electronically.
Manu Sporny: I think deployment is, well, cart before the horse,
however, Richard has been doing this for 30 years, Eric has been
getting this stuff deployed and we can see what needs to be done
for deployment and we know why past deployments have failed in
the financial institutions. And much of that is because sharing
KYC, to a certain degree, has been seen as a disadvantage.
Education/healthcare has seen credentials as a big help, don't
know if we can see that up to recently at least with financial
industry. Richard and Eric have said you need a willing
coalition/set of orgs to go and deploy this technology and get it
adopted. Education primarily and the healthcare sector want to do
deployments. The financial industry may jump on the bandwagon but
aren't the first players.
Eric Korb: Financial payments made by students, I know Xerox, a
major part of their business is collecting funds/tuition.
Education being a big part of state economy, would benefit from
credentials in payment space.
Ian Jacobs: I'm hearing a couple of different threads in the
conversation. One thread seems to be that, as industries converge
and the Web serves as a bridge between multiple industries, the
value of a common standard goes up. We're in strong agreement on
that. It's helpful to hear those use cases that cross the
boundaries among the different industries.
Ian Jacobs: The second thread is how to strategically address
the desire of the education/healthcare community and credential
CG and how to move forward and how to address the use cases and
the alignment of that and how to leverage the commonality in the
work.
Ian Jacobs: I'm happy to engage with you in that conversation,
but I don't think that's the one we need to have today. My job is
to find out what the payments industry needs, it's therefore
premature to think of a strategy that doesn't involve the
payments folks. In my role, we need the payments people involved.
Richard Varn: I hope you weren't thinking we didn't want them
involved.
Ian Jacobs: No.
Ian Jacobs: Not that.
Richard Varn: Yeah, we need them. We need payments and identity
to work correctly. We've been waiting a long time. We want to see
that advance. We just think they can advance better together.
Ian Jacobs: I apologize for the blinders I have on... my limited
perspective is having a valuable and informed discussion on
identity and credential needs. I need to hear more from you in
historic pitfalls in what has been tried and how this work takes
those into account and is different. For example, Richard/Eric
said that the banks may resist change, is that something that is
going to doom the IG to failure or there's simply lessons
learned so we can be sure to take the economics into account in
our discussions so even with competing interests we can be
explicit about them or even better find corresponding benefits
for interested parties. Also, who is stepping up from the Web
community for the particular approach being taken by the CG? It's
possible even to have... to split the conversation to have the
functionality we need and we're all in agreement in that, but it
may be harder to get agreement on a particular solution because
we have different communities within W3C like SemWeb who may want
JSON-LD but that may be in conflict with the broader community.
Ian Jacobs: Those are all things I want to hear and get us on
the same page.
Ian Jacobs: [Ian understands that mosaic of credentials will
paint a picture of identity]
Richard Varn: I was going to add that the one part of this about
this that overlaps in the Identity space is the collection of
credentials. In the way a wallet provides a set of evidence about
who someone is, credentials does that, there's going to be a
diversity of opinion on ways people will do that, we'd have one
very hard to crack token and maybe people want that but that's
unlikely and other people want to do more diverse things. We want
to have credentials that are difficult to fake because they are
based on a whole portfolio of things that are based on industries
that issued them etc. (missed some)
Manu Sporny: So why have these other credentialing mechanisms
failed? There are a lot of broad ID mechanisms like
OpenID/Connect, and those have failed to address these use cases
because they don't carry high-stakes credentials; they can
establish you have an account with facebook but they are
incapable of expressing information like citizenship, proof of
age, etc. We have technologies that are fairly naive about the
information they carry. They have attributes that are
self-asserted, not countersigned by trusted authorities/issuers.
We've seen this happen in healthcare and education: the solutions
only take one industry into account, gov't have adopted PIV
tokens for federal security/buildings/etc. There's an entire
ecosystem around credentials but that's never taken into account
in these smaller solutions. Banking has focused on credentials
only for banking, and then adopted proprietary and
patent-encumbered tech, to get "latest greatest" so that was
really expensive. Then the orgs that actually exchanged the
credentials were operating on a non-public network, so under 10K
orgs worldwide able to use them. They were never deemed to be
more broadly applicable. So different problems with previous
solutions. The industries tend to try and address them in a
fairly insular fashion and we just want to try and fix them in
our industry and we're sure it will propagate out to others. And
using proprietary and patent-encumbered tech has been a problem
sometimes turning out to be snake oil. I think that's over
simplifying it, if you look at any identity/credentialing systems
before now. Problems: 1. No high-stakes creds in scope when
building the tech out (OpenID/Connect), 2. Industry only took
their market vertical into account, 3. Belief that proprietary
tech was best, but patent-encumbered ruined scalability with
cost, etc.
Manu Sporny: I think those are the primary reasons
Richard Varn: There came as an insistence that a privacy
(missed) be agreed and enforced through the identity security
mechanisms. I've had all kinds of discussions in different
industries -- and trying to force identity/security/privacy all
through the same mechanism it doesn't have to be the same.
Ian Jacobs: Can you say more about the particular
community/communities that have been involved in the development
of this. It is often the case that without browser awareness, it
becomes harder to get browser deployment. It may be that support
in browsers is not a key piece in the deployment of this, in
which case understanding that would be helpful. I don't know if
in the Payments case browser support is a key piece of it, etc.
I'd like to hear your views on the role of the browser and the
... support of this.
Manu Sporny is scribing.
Dave Longley: We've been having discussions with the WebAppSec
group at W3C regarding a credential management API that they've
been working on.
Dave Longley: They primarily started that spec to make it easier
for browsers to manage passwords for people. People use a lot of
tools to autofill passwords. They're taking baby steps to get
direct access to password manager for websites.
Dave Longley: They're also trying to make the system extensible
and work with federated credentials - we saw the work happening,
gave feedback. They had been creating something called a
'credential management API' - we saw lots of overlap.
Dave Longley: We had built out something similar - we thought
that if we could build a credential agent in the browser, and we
could hook that up to people's identity providers and we could
hook that back to websites. We'd like to see an API in the
browser to request credentials that the website needs.
Dave Longley: We wanted the browser to go fetch the credentials
when asked - given permission by recipient - etc.
Dave Longley: Ultimately, that's the role we'd like the browser
to play - to protect privacy of person using credentials.
Eric Korb: "Kill the password dead"
Ian Jacobs: Back up for a sec. I understand role of credential
agent in the browser.
Ian Jacobs: Is the IdP tracking you?
Dave Longley: No, we want to prevent it from tracking you.
Dave Longley: We want there to be a system that holds on to your
credentials, but they don't know who you're giving those
credentials to.
Dave Longley: The other piece in the browser is providing a
mechanism for issuing websites to use to issue credentials via
the browsers.
Dave Longley: To tie it back into credential management API -
API that they designed allowed websites to ask for previously
stored passwords or credential tokens... they had the same sort
of idea of how the API would work, but their current spec is very
narrowly focused on just the login case - primarily the password
case.
Dave Longley: We'd like the scope to be broader - we see the
future of the Web to be a bit less about login and more about
having credential to get access to a particular portion of a
website.
Dave Longley: Certainly, usernames and passwords will continue
to be used - but you can get more granular with community groups.
Ian Jacobs: I know there have been questions about identity
management around domains - what in the conversations w/
WebAppSec and w/ browser vendors specifically - was there any
feedback on lack of interest on this general approach?
Ian Jacobs: Were there other questions around support or
reluctance around this idea.
Dave Longley: There has been pushback - first was that the
WebAppSec was not chartered to deal w/ our use cases in any way.
We came up w/ a proposal to support generalized credential use
case.
Dave Longley: The Chair of WebAppSec pushed back and questioned
that the API was good for both cross-origin and same-origin
credentials.
Dave Longley: Mostly people want to stay w/ same origin policy -
we don't want to touch that too much
Dave Longley: This is something that needs to happen on the Web,
just because there is a secure way to secure certain types of
data. We shouldn't say we're not going to look at it.
Ian Jacobs: So, I think that's a big hurdle. I've been hearing
that tracking is important in some ways, and in other cases we
care about privacy.
Ian Jacobs: The default expectation on the Web - the things that
we enable that allow tracking is problematic.
Ian Jacobs: So, I'm hearing two things - we want to support
certain use cases that require tracking, but others we want to
default to privacy.
Ian Jacobs: We may need to do something about same origin vs.
cross origin policy.
Eric Korb: +1
Dave Longley is scribing.
Manu Sporny: I think there's one point I want to make before we
hang up and that's the thing that we've found with the WebAppSec
group is that the charter was very narrow on the type of
credential they were looking at. That meant whenever we get close
to talking about the meat of the discussion, the charter got in
the way. In my personal opinion, we know that what they are
trying to do is not the best thing for the Web. There are
password managers out there, building that into the browser may
cause lock in problems, then Chrome shares all passwords within
Chrome and it's difficult to export to Firefox, etc. and that's
being swept under the rug. And just because we understand the
same origin policy very well, that doesn't mean there aren't very
good use cases for cross-origin credentials and there are ways to
secure some of that information. The problem is whenever we try
to have a discussion about it, it gets shut down. So charters or
security people get nervous and it gets shut down. So "this makes
me nervous, stop talking."
Ian Jacobs: Have you scheduled a chat with the security IG or
TAG, etc.?
Manu Sporny: Talking with the security group has resulted in
people feeling nervous and not wanting to discuss and TAG would
take a lot of time but it's something we have to do.
Ian Jacobs: Raising awareness of the TAG needs to be considered
because some of what you have heard may be "This is how the Web
works for security" (I'm imagining that as something people might
say). And we need to check in and see if the TAG really thinks
that's true and we may need to push boundaries. Just like the Web
has moved into a place where JS has a more prominent role vs.
angled brackets. I think it's worth having the TAG there as an
architectural grounding influence. Post IG meeting, that may be
something to look into. With Wendy (Seltzer) she's our security
lead and we can discuss with her. We didn't get to the economics
of credentials and I imagine they are different for each industry
or if not what's similar? I'd like to see who would want a
vibrant open market for credential providers. What's the
expectation for gov't agencies to step up, what about people who
don't want to use these IDs, maybe there are countries that have
done IDs successfully, how will the economics work and I'm
particularly interested in the payments landscape.
Eric Korb: Thx Ian
Manu Sporny: I know Richard has a tremendous amount of
experience in that space and hopefully we can use his time in NYC
to dig in deeper with that. Thank you, Ian for joining.
Manu Sporny: We won't have a call next week because the Web
Payments F2F will be going on and a number of us will be there.
Thanks all!
Received on Tuesday, 9 June 2015 16:32:51 UTC