Credentials CG Telecon Minutes for 2015-06-09

Thanks to Dave Longley and Manu Sporny for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

http://opencreds.org/minutes/2015-06-09/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-06-09

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0035.html
Topics:
  1. Web Payments IG and Credentials
Organizer:
  Manu Sporny
Scribe:
  Dave Longley and Manu Sporny
Present:
  Dave Longley, Manu Sporny, Ian Jacobs, Eric Korb, Richard Varn, 
  Brian Sletten, Gregg Kellogg, Rob Trainer, Arto Bendiken, James 
  Anderson, David I. Lehn, Laura Fowler
Audio:
  http://opencreds.org/minutes/2015-06-09/audio.ogg

Dave Longley is scribing.
Manu Sporny:  We have Ian Jacobs with us from W3C, Staff Contact 
  for Web Payments work, a long time W3C veteran. We'll be talking 
  about what the Web Payments IG is going and how our work here 
  will impact it. We can also discuss use cases with any remaining 
  time.
Manu Sporny:  Any changes to the agenda?
None

Topic: Web Payments IG and Credentials

Manu Sporny:  As many of you know, the Web Payments IG has been 
  looking at credentials lately, there's a topic at the NYC F2F 
  next week where we'll be trying to extract use cases around 
  payment credentials.
Manu Sporny:  I thought that it would be a good idea to get Ian 
  on the call to introduce ourselves to him and let him hear about 
  the work that's happening here. As a reminder, we all care about 
  credentials very much and see it succeed. If we can do anything 
  about credentials at W3C, we want to constructi t to be 
  successful. We're not trying to make any decisions today, just 
  getting background on Ian's thinking on credentials and 
  integrating it with the Web Payments work and feedback from orgs 
  in the education and healthcare space and what they'd like to see 
  as far as standards are concerned over the next few years.
Manu Sporny:  Ian if you could give background on yourself and 
  what you'd like to see that would be great, sorry to put you on 
  the spot.
Ian Jacobs:  Manu has talked to me a bit about the work of the 
  group and I claim only superficial knowledge of it and would like 
  to learn more.
Ian Jacobs:  I'm the lead for the W3C staff for the Web Payments 
  IG and where we are currently, having launched in Oct., is that 
  we want to come to consensus on charters for new WGs to integrate 
  payments further into the Web. We are meeting next week face to 
  face where we will be discussing the work that has gone into our 
  use cases and capabilities which are functional modules for 
  enabling the use cases, and determining which groups, new or 
  existing, should work on the priority capabilities we've 
  identified for version 1. Part of the discussion is around 
  identity requirements.
Ian Jacobs: 
  https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials
Ian Jacobs:  Manu has brought to the IG's attention that a lot of 
  effort has gone into designing an approach originally rooted in 
  payments use cases but then has migrated closer to educational 
  and healthcare use cases. Manu and I have discussed that we an 
  hour long conversation within the IG to solidify and get a share 
  understanding of the financial industry's use cases. We've heard 
  horror stories of the cost of creating accounts for high networth 
  individiuals and creating a second account is just expensive as 
  the first one, and credentials could lower costs. Manu has looked 
  up the penalties involved in making sure identities are checked, 
  and credentials can help with that. There are some prominent use 
  cases in there already like making it easier for users to provide 
  data to merchants like age and so forth.
Ian Jacobs:  Another one is for merchants/users to discuss a new 
  payment option and there's a contractual set up beyond the 
  technical integration and credentials could reduce costs for 
  establishing contracts for new payment mechanisms. We want the IG 
  to have confidence in proposing to the W3C work that would have 
  benefit to the payments industry. That's where we are today. I 
  know people have expressed interest in this and once, as an IG, 
  we have a better handle on the payments use cases then we can all 
  come together and look at opportunities to collaborate, depending 
  on overlapping needs, and possibly move forward as a block which 
  would be great, or as independent groups because that would be 
  more beneficial.
Ian Jacobs:  I'll pause there to see if there are questions, etc.
Manu Sporny:  I think that's a very accurate description of where 
  we are. If you're interested in asking questions do `q+` and 
  you'll get on the queue.
Manu Sporny:  The main concern the group had voiced was in the 
  coming together, figuring out how, if we can come up with a 
  unified way to address all these use cases.
Manu Sporny:  And what the timeline would be, yet. We'd do F2F in 
  NYC, get use cases, derive capabilities out of the use cases, 
  then once we have that, see if there's overlap with the other 
  credentials use cases.
Manu Sporny: Credentials Use Cases: 
  https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit
Ian Jacobs:  You hit something on the head more clearly than we 
  had discussed previously. Let me explain how we're using the 
  terms. The use cases are stories, probably very similar to the 
  work the CG has done. We want to say "so and so is paying through 
  a website or using an NFC connection, etc." Right now it's the 
  consumer+merchant experience. The capabilities is more about the 
  technology needs we have for the use cases. The next level down 
  will be requirements like "the user interface needs to be 
  accessible, etc."
Ian Jacobs:  I think if we end up having the same capabilities 
  then that suggests we have a lot of overlap and the work can go 
  on in concern. That's less about use cases and more about 
  capabilities.
Ian Jacobs:  That seems like a good thing to aim for.
Manu Sporny:  I don't think this group has seen the trust and 
  capabilities document yet.
Manu Sporny:  We can focus there.
Manu Sporny:  DRAFT DRAFT Trust and Identity capabilities for Web 
  Payments: 
  https://docs.google.com/document/d/1FbHscEFUA1P6Frm9h-98bgBF8oCNNu3_0BZh8l7Aa0c/edit#heading=h.yekwqd5iky7q 
  [scribe assist by Manu Sporny]
Ian Jacobs:  We're wrestling with the content and the display of 
  it, and it will likely evolve again. Looking at it now is a good 
  place to start but expect a lot of changes between now and 10 
  days from now.
Manu Sporny:  I think there's a high degree of overlap in the 
  trust capabilities with the Web Payments and what will come out 
  of the Credentials CG. Surely there's still work to do to 
  establish if/where overlap is. But for the first time I think we 
  know what we're going to use to determine if we need one or more 
  groups on credentials.
Manu Sporny:  Ian, do you expect, if we're able to have a 
  capability to capability comparison in late June/July then we 
  could write a charter by September?
Eric Korb: Manu, would that get inline for TPAC in Japan?
Manu Sporny: Yes
Ian Jacobs:  For me, we're trying to have a draft charter for a 
  payments architecture, that the interest group is happy with by 
  end of next week. At that point, in terms of process, the staff 
  will review it, go over resource allocation, etc. There will be a 
  membership review and a typical slowdown in August. I think 
  having a charter that the IG is happy with in mid June would have 
  its first F2F in Oct 2015. It takes a couple of weeks before the 
  group launches because of the advisory committee. It's feasible 
  to get a draft committee together in August/Sept and have work 
  start in November. Yes, that's feasible, there's the issue of the 
  summer slowdown (US summer slowdown).
Richard Varn:  This is Richard Varn with ETS. I've been working 
  on identity security/management, for ~30 years now. I wanted to 
  provide a perspective on that there's a real synergy between 
  healthcare/educational credentials. I also work with [missed] 
  retail federation to work on this. I bring a lot of different 
  perspectives. I think to the extent possible, we would want the 
  standards and components we use in healthcare and educationat KYC 
  in the financial industry. We'd want it to be common, largely, 
  and extensible where needed.
Ian Jacobs:  I think where we can get broad consensus on a common 
  standard is only benefits. In our particular case, the 
  Credentials CG, as a community, has been discussing this for 
  quite some time and the payments industry has not. And we need to 
  get up to speed, basically, at which point there's a lot of good 
  will to seek a common solution without saying what it is, but 
  seeking it is our daily bread at W3C, so I don't hear any 
  pushback on that.
Richard Varn:  Here are some of the issues why we haven't moved 
  quickly as a group, society. The people that are the custodians 
  of records that are accepted broadly ... I would say the bear 
  anonymous use, by and large, of credentials... the people who 
  manage the records are document and paper based, there are few 
  standards that they all follow, and we need to use them as a 
  point of reference for all tehse different systems and it's 
  difficult to get them to help. That's one problem. On the ID 
  site. On the money side, there are a lot of financial industry 
  conflicts, GOTR stuff. So many people have strong interest in how 
  that works they don't want to be disadvantaged. The third issue 
  has been the overlap with privacy, security, access, and use. 
  That's where you end up with a discussion we've been having here, 
  for example with short term anonymous credentials that go away 
  quickly, etc. And you have to have discussions with privacy 
  advocates, etc. Those are some of the backend problems we have to 
  address, even if we have common capabilities, etc. there is a lot 
  of drag that pulls us back. In the education/healthcare area, I'm 
  excited that a lot of the same problems can be addressed in the 
  same way and mroe people in those industries are aligned to help 
  each other vs. in other industries they are adversaries. The 
  interest in solving the problems are well aligned and what we can 
  get done there can offer potential common solutions that people 
  can ride on in other things.
Richard Varn:  To be able to go somewhere else in the same 
  organization even helps ("we're doing this with driver's 
  licenses, let's do it with birth records").
Richard Varn:  While education/healthcare may actually help lead 
  the way to a more common, quicker standardization method.
Gregg Kellogg: +1 To what Richard said
Eric Korb:  I'd like to dovetail some of the things he's talking 
  about with regards to work in the healthcare industry and 
  banking. We're starting to see the emergence of healthcare 
  banking. Banks can do their healthcare and insurance payments 
  now. As it gets broader ...
Eric Korb:  Credentials will get even more important.
Eric Korb:  We're seeing credentialing in the issuer and 
  fulfiller of the prescription -- and that ties into payments with 
  the person at the counter.
Eric Korb:  Those things could be validated at the point of sale, 
  etc. banking and healthcare merging.
Eric Korb:  I think other overlaps with education are well 
  documented. Everything starts with education. Everything else is 
  heartbeat, so on, that we don't want to put on the internet so we 
  need robots to handle our ID. We need to validate robots that are 
  working on our behalf and credentials need to be validated on 
  those claims and typically those claims are based on our 
  education or other things about us we've achieved.
Eric Korb: Also, I'd add that students pay their tution almost 
  exclusively online.
Eric Korb: Plus, gov't student loans are tramsmitted 
  electronically.
Manu Sporny:  I think deployment is well care before the horse, 
  however, Richard has been doing this for 30 years, Eric has been 
  getting this stuff deployed and we can see what needs to be done 
  for deployment and we know why past deployments have failed in 
  the financial institutions. And many of that is because sharing 
  KYC, to a certain degree, has been seen as a disadvantage. 
  Education/healthcare has seen credentials as a big help, don't 
  know if we can see that up to recently at least with financial 
  industry. Richard and Eric has said you need a willing 
  coalition/set of orgs to go and deploy this technology and get it 
  adopted. Education primarily and the healthcare sector want to do 
  deployments. The financial industry may jump on the bandwagon but 
  aren't the first players.
Eric Korb:  Financial payments made by students, I know Xerox, a 
  major part of their business is collecting funds/tuition. 
  Education being a big part of state economy, would benefit from 
  credentials in payment space.
Ian Jacobs:  I'm hearing a couple of different threads in the 
  conversation. One thread seems to be that, as industries converge 
  and the Web serves as a bridge between multiple industries, the 
  value of a common standard goes up. We're in strong agreement on 
  that. It's helpful to hear those use cases that cross the 
  boundaries among the different industries.
Ian Jacobs:  The second thread is how to strategically address 
  the desire of the education/healthcare community and credential 
  CG and how to move forward and how to address the use cases and 
  the alignment of that and how to leverage the commonality in the 
  work.
Ian Jacobs:  I'm happy to engage with you in that conversation, 
  but I don't think that's the one we need to have today. My job is 
  to find out what the payments industry needs, it's therefore 
  premature to think of a strategy that doesn't involve the 
  payments folks. In my role, we need the payments people involved.
Richard Varn:  I hope you weren't thinking we didn't want them 
  involved.
Ian Jacobs:  No.
Ian Jacobs:  Not that.
Richard Varn:  Yeah, we need them. We need payments and identity 
  to work correctly. We've been waiting a long time. We want to see 
  that advance. We just think they can advance better together.
Ian Jacobs:  I apologize for the blinders I have on... my limited 
  perspective is having a valuable and informed discussion on 
  identity and credential needs. I need to hear more from you in 
  historic pitfalls in what has been tried and how this work takes 
  those into account and is different. For example, Richard/Eric 
  said that the banks may resist change, is that something that is 
  going to doom in the IG to failure or there's simply lessons 
  learned so we can be sure to take the economics into account in 
  our discussions so even with competing interests we can be 
  explicit about them or even better find corresponding benefits 
  for interested parties. Also, who is stepping up from the Web 
  community for the particular approach being taken by the CG? It's 
  possible even to have... to split the conversation to have the 
  functionality we need and we're all in agreement in that, but it 
  may be harder to get agreement on a particular solution because 
  we have different communities within W3C like SemWeb who may want 
  JSON-LD but that may be in conflict with the broader community.
Ian Jacobs:  Those are all things I want to hear and get us on 
  the same page.
Ian Jacobs: [Ian understands that mosaic of credentials will 
  paint a picture of identity]
Richard Varn:  I was going to add that the one part of this about 
  this that overlaps in the Identity space is the collection of 
  credentials. In the way a wallet provides a set of evidence about 
  who someone is, credentials does that, there's going to be a 
  diversity of opinion on ways people will do that, we'd have one 
  very hard to crack token and maybe people want that but that's 
  unlikely and other people want to do more diverse things. We want 
  to have credentials that are difficult to fake because they are 
  based on a whole portfolio of things that are based on industries 
  that issued them etc. (missed some)
Manu Sporny:  So why have these other credentialing mechanisms 
  failed? There are a lot of broad ID mechanisms like 
  OpenID/Connect, and those have failed to address these use cases 
  because they don't carry high-stakes credentials; they can 
  establish you have an account with facebook but they are 
  incapable of expressing information like citizenship, proof of 
  age, etc. We have technologies that are fairly naive about the 
  information they carry. They have attributes that are 
  self-asserted, not countersigned by trusted authorities/issuers. 
  We've seen this happen in healthcare and education: the solutions 
  only take one industry into account, gov't have adopted piv 
  tokens for federal security/buildings/etc. There's an entire 
  ecosystem around credentials but that's never taken into account 
  in these smaller solutions. Banking has focused on credentials 
  only for banking, and then adopted proprietary and 
  patent-encumbered tech, to get "latest greated" so that was 
  really expensive. Then the orgs that actually exchanged the 
  credentials were operating on a non-public network, so under 10K 
  orgs worldwide able to use them. They were never deemed to be 
  more broadly applicable. So different problems with previous 
  solutions. The industries tend to try and address them in a 
  fairly insular fashion and we just want to try and fix them in 
  our industry and we're sure it will propagate out to others. And 
  using proprietary and patent-encumbered tech has been a problem 
  sometimes turning out to be snake oil. I think that's over 
  simplifying it, if you look at any identity/credentialing systems 
  before now. Problems: 1. No high-stakes creds in scope when 
  building the tech out (OpenId/Connect), 2. Industry only took 
  their market vertical into account., 3. Belief that proprietary 
  tech was best, but patent-encumbered ruined scalability with 
  cost, etc.
Manu Sporny:  I think those are the primary reasons
Richard Varn:  There came as an insistence that a privacy 
  (missed) be agreed and enforced through the identity security 
  mechanisms. I've had all kinds of discussions in different 
  industries -- and trying to force identity/security/privacy all 
  through the same mechanism it doesn't have to be the same.
Ian Jacobs:  Can you say more about the particular 
  community/communities that have been involved in the development 
  of this. It is often the case that without browser awareness, it 
  becomes harder to get browser deployment. It may be that support 
  in browsers is not a key piece in the deployment of this, in 
  which case understanding that would be helpful. I don't know if 
  in the Payments case browser support is a key piece of it, etc. 
  I'd like to hear your views on the role of the browser and the 
  ... support of this.
Manu Sporny is scribing.
Dave Longley:  We've been having discussions with the WebAppSec 
  group at W3C regarding a credential management API that they've 
  been working on.
Dave Longley:  They primarily started that spec to make it easier 
  for browsers to manage passwords for people. People use a lot of 
  tools to autofill passwords. They're taking  baby steps to get 
  direct access to password manager for websites.
Dave Longley:  They're also trying to make the system extensible 
  and work with federated credentials - we saw the work happening, 
  gave feedback. They had been creating something called a 
  'credential management API' - we saw lots of overlap.
Dave Longley:  We had built out something similar - we thought 
  that if we could build a credential agent in the browser, and we 
  could hook that up to people's identity providers and we could 
  hook that back to websites. We'd like to see an API in the 
  browser to request credentials that the website needs.
Dave Longley:  We wanted the browser to go fetch the credentials 
  when asked - given permission by recipient - etc.
Dave Longley:  Ultimately, that's the role we'd like the browser 
  to play - to protect privacy of person using credentials.
Eric Korb: "Kill the password dead"
Ian Jacobs:  Back up for a sec. I understand role of credential 
  agent in the browser.
Ian Jacobs:  Is the IdP tracking you?
Dave Longley:  No, we want to prevent it from tracking you.
Dave Longley:  We want there to be a system that holds on to your 
  credentials, but they don't know who you're giving those 
  credentials to.
Dave Longley:  The other piece in the browser is providing a 
  mechanism for issuing websites to use to issue credentials via 
  the browsers.
Dave Longley:  To tie it back into credential management API - 
  API that they designed allowed websites to ask for previously 
  stored passwords or credential tokens... they had the same sort 
  of idea of how the API would work, but their current spec is very 
  narrowly focused on just the login case - primarily the password 
  case.
Dave Longley:  We'd like the scope to be broader - we see the 
  future of the Web to be a bit less about login and more about 
  having credential to get access to a particular portion of a 
  website.
Dave Longley:  Certainly, usernames and passwords  will continue 
  to be used - but you can get more granular with community groups.
Ian Jacobs:  I know there have been questions about identity 
  management around domains - what in the conversations w/ 
  WebAppSec and w/ browser vendors specifically - was there any 
  feedback on lack of interest on this general approach?
Ian Jacobs:  Were there other questions around support or 
  reluctance around this idea.
Dave Longley:  There has been pushback - first was that the 
  WebAppSec was not chartered to deal w/ our use cases in any way. 
  We came up w/ a proposal to support generalized credential use 
  case.
Dave Longley:  The Chair of WebAppSec pushed back and questioned 
  that the API was a good for both cross-origin and same-origin 
  credentials.
Dave Longley:  Mostly people want to stay w/ same origin policy - 
  we don't want to touch that too much
Dave Longley:  This is something that needs to happen on the Web, 
  just because there is a secure way to secure certain types of 
  data. We shouldn't say we're not going to look at it.
Ian Jacobs:  So, I think that's a big hurdle. I've been hearing 
  that tracking is important in some ways, and in other cases we 
  care about privacy.
Ian Jacobs:  The default expectation on the Web - the things that 
  we enable that allow tracking is problematic.
Ian Jacobs:  So, I'm hearing two things - we want to support 
  certain use cases that require tracking, but others we want to 
  default to privacy.
Ian Jacobs:  We may need to do something about same origin vs. 
  cross origin policy.
Eric Korb: +1
Dave Longley is scribing.
Manu Sporny:  I think there's one point I want to make before we 
  hang up and that's the thing that we've found with the WebAppSec 
  group is that the charter was very narrow on the type of 
  credential they were looking at. That meant whenever we get close 
  to talking about the meat of the discussion, the charter got in 
  the way. In my personal opinion, we know that what they are 
  trying to do is not the best thing for the Web. There are 
  password managers out there, building that into the browser may 
  cause lock in problems, then Chrome shares all passwords within 
  Chrome and it's difficult to export to Firefox, etc. and that's 
  being swept under the rug. And just because we understand the 
  same origin policy very well, that doesn't mean there aren't very 
  good use cases for cross-origin credentials and there are ways to 
  secure some of that information. The problem is whenever we try 
  to have a discussion about it it gets shut down. So charters or 
  security people get nervous and it gets shutdown. So "this makes 
  me nervous, stop talking."
Ian Jacobs:  Have you scheduled a chat with the security IG or 
  TAG, etc.?
Manu Sporny:  Talking with the security group has resulted in 
  people feeling nervous and not wanting to discuss and TAG would 
  take a lot of time but it's something we have to do.
Ian Jacobs:  Raising awareness of the TAG needs to be considered 
  because some of what you have heard may be "This is how the Web 
  works for security" (I'm imagining that as something people might 
  say). And we need to check in and see if the TAG really thinks 
  that's true and we may need to push boundaries. Just like the Web 
  has moved into a place where JS has a more prominent role vs. 
  angled brackets. I think it's worth having the TAG there as an 
  architectural grounding influence. Post IG meeting, that may be 
  something to look into. With Wendy (Seltzer) she's our security 
  lead and we can discuss with her. We didn't get to the economics 
  of credentials and I imagine they are different for each industry 
  or if not what's similar? I'd like to see who would want a 
  vibrant open market for credential providers. What's the 
  expectation for gov't agencies to step up, what about people who 
  don't want to use these IDs, maybe there are countries that have 
  done IDs successfully, how will the economics work and I'm 
  particularly interested in the payments landscape.
Eric Korb: Thx Ian
Manu Sporny:  I know Richard has a tremendous amount of 
  experience in that space and hopefully we can use his time in NYC 
  to dig in deeper with that. Thank you, Ian for joining.
Manu Sporny:  We won't have a call next week because the Web 
  Payments F2F will be going on and a number of us will be there. 
  Thanks all!

Received on Tuesday, 9 June 2015 16:32:51 UTC