
Credentials CG Telecon Minutes for 2015-06-30

From: <msporny@digitalbazaar.com>
Date: Tue, 30 Jun 2015 15:36:33 -0400
Message-Id: <1435692993912.0.9189@zoe>
To: Credentials CG <public-credentials@w3.org>
Thanks to Gregg Kellogg for scribing this week! The minutes
for this week's Credentials CG telecon are now available:


Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Credentials Community Group Telecon Minutes for 2015-06-30

Topics:
  1. Credentials WG Plan
  2. Introductions of New Members
  3. Recruiting
Chair:
  Manu Sporny
Scribe:
  Gregg Kellogg
Present:
  Gregg Kellogg, Manu Sporny, Richard Varn, Nate Otto, Eric Korb, 
  Matt Collier, Christoph Dorn, Jim Goodell, Brian Sletten, Sunny 
  Lee, Rob Trainer

Gregg Kellogg is scribing.
Manu Sporny:  On agenda, update to WG plan, recruiting, and maybe 
  DIDs discussion.

Topic: Credentials WG Plan

Manu Sporny:  I had a discussion with W3C Staff last week, and 
  the payments IG had a discussion on Monday.
  … Due to feedback in round-table and W3C got after F2F meeting 
  … A number of people came back saying they didn’t intend for it 
  to be struck.
  … We have a go-ahead for pitching a WG to W3C.
  … W3CM would like to see a list of organizations that are 
  committed to joining the work if it gets started at W3C. We have 
  a list started, but we need more organizations interested.
Manu Sporny:  They’ve looked at the list in Credentials CG and 
  would like to see more representatives from a broader set of 
  … They’d like to see about 30 organizations before they’re 
  comfortable with proposing a new WG to W3CM.
  … There are a number of back-channel discussions working 
  against us, particularly from the security community.
  … Unfortunately, they’re not coming here, but are voicing 
  directly to W3CM.
  … There are 2 blog posts/papers they’d like to see us put 
  together to counter these arguments.
  … 1) What makes this credentials approach different from the 
  last 15 years of approaches that have failed: SAML, OpenID 
  Connect, …
  … 2) Define where W3C can add value. Why should the work be 
  done at W3C vs IETF/OASIS/ISO?
  … The Payments IG will wait for us to put this strategy 
  together, in concert with some W3C Staff, to put together a 
  proposal that will be a sell to W3CM.
  … Also joining will be some banking and finance, where were 
  taken aback by what happened at the Payments IG F2F.
  … That puts us in a better position than a week or so ago, but 
  still not where we want to be.
Richard Varn:  What would be the timeline for deciding yes/no, 
  and where?
Nate Otto: Are the concerns shared specifically about security 
  and privacy? Was there anything specific that was critiqued about 
  the suggested technical approach in this CG?
Manu Sporny:  The question will be does W3CM feel comfortable 
  proposing a draft charter to the membership in August? That would 
  be the most aggressive thing that can happen.
  … We may still be able to have our first meeting at TPAC.
  … Less aggressive would be September, which would be too late 
  for TPAC. We’d probably try to have a meeting there anyway. That 
  would drive more people into the group.
  … Or, we can’t do it at all :(
Nate Otto:  Were concerns from security and privacy related 
  directly to that?
Manu Sporny:  I don’t think the loudest critics really understand 
  what we’re trying to do.
  … “I don’t think it’s a good idea to create an identifier that 
  can be used across multiple websites”, for example.
Nate Otto: Oh, like an email address. ;)
  … There is privacy push-back; they’d rather see bearer 
  … Also against using an email address.
  … I think this group cares very deeply about privacy, and we 
  want to be sure we are as privacy enhancing as possible, without 
  gutting the core use case.
Nate Otto: +1 To being as privacy-enhancing as possible without 
  gutting the core use case.
  … The other thing is security: “why aren’t you guys using JOSE 
  for using signatures, why propose a new mechanism?”
  … Thinks we’re trying to end-around the security community with 
  LD-Signatures, and trying to go around JOSE.
  … It’s not that, but they’re quite focused on JOSE, and don’t 
  have spare-bandwidth to look at LD-Signatures. Clearly we’ll get 
  a good security review.
Nate Otto:  Working in the badges community, we have concerns as 
  well. Is it possible to put the genie back in the bottle?
Eric Korb: +1
  … Eventually we’ll need a high-level security review, but we 
  could always go back to JOSE if LD-Signatures won’t work. We’ll 
  work with the security community to make sure we have a valid 
Manu Sporny:  Also, note that LD-Signatures is not inventing new 
  cryptographic methods. The problem is that the statements are 
  coming from someone who doesn’t understand this. We’re simply 
  re-using RSA, elliptic curve, …
  … The new thing is the normalization and message structure of 
  the signature.
  … Once security folks at the F2F understood this, they thought 
  it would be straight-forward.
Eric Korb:  The idea of signing the credentials, is it critically 
  important, or is it an option?
  … The badge alliance is mostly doing hosted credentials, and 
  signing isn’t as important.
  … Can we make this optional?
Manu Sporny:  Sure, they don’t need to be signed. There can be 
  other ways of validating.
  … If an open badges badge has an alternate way of validating, 
  that mechanism could be used.
  … Signatures are for hard cases like financial use cases.
Eric Korb: +1
  … Other industries don’t have the same high-stakes 
  … If you receive a signed credential, you don’t even have to 
  validate it.
Eric Korb:  A receiver should validate, if it needs to. If it’s 
  not there, and you don’t mind it not being there, you should be 
  able to use it.
Richard Varn:  We should probably be exploring a parallel path, 
  in case the W3C doesn’t work out.
Manu Sporny:  I have some concerns over sending mixed messages if 
  approaching both W3C and IMS Global.
  … We may want to take IMS Global guys aside to discuss them as 
  an alternative.
Eric Korb:  I don’t think it’s an either/or, it’s a “please join 
  the work”
Richard Varn:  There’s an opportunity for IMSG to bring some new 
  things to the table. It’s getting them to associate the work 
  they’re going to do anyway with the W3C initiative.
  … It could grow into a broader standards effort if we don’t get 
  anywhere with the W3C.
Eric Korb: The project we're currently working on is eTranscript to 
  be demoed at Educause
Manu Sporny:  This group is focusing on recruiting. I have an 
  action to write up 2 blog posts about what’s different about what 
  we’re doing.

Topic: Introductions of New Members

Eric Korb: IMS Global Project 
Matt Collier:  Working with Digital Bazaar on this and 
Christoph Dorn:  I work independently. My focus is on software 
  tooling. I’m interested in creating an open prototype embodying 
  the specs and staying up to date, and allow people to on-board 
Jim Goodell:  I’m with Quality Information Partners, we’ve been 
  working on common education standards. I’m interested from 
  education- and workforce- credentials cases.
Eric Korb: Welcome all!

Topic: Recruiting

Manu Sporny: 
Manu Sporny:  I’ll get a list by EOD to eric and richard with W3C 
  members who have not yet responded.
  … Last week we had said it might be a better strategy for 
  people to construct their own introductions and try to bring 
  people on board.
  … I’d like folks to commit to contact new large W3C members.
Eric Korb:  I’ve started on Parchment, but haven’t yet reached 
  out awaiting documentation.
  … I wanted to be sure we had an agreed upon common message.
Manu Sporny:  We’re backing off on that. There’s the executive 
Manu Sporny: Open Credentials Executive Summary: 
Manu Sporny:  We’re transitioning over to “hard asks”; you should 
  have everything you need to make the initial contact/ask.
Manu Sporny:  Eric, I have you against Accreditrust, Credly, 
  Scrip-Safe and Iq4.
  … (More discussions of assignments captured in document)
Nate Otto: Discendum Oy
Nate Otto: DigitalME
Manu Sporny:  What W3C really wants to know is if new 
  organizations will become members. That’s the main thing they 
  need to see.
  … Mozilla is in a strange place; the people at the F2F were 
  pretty much opposed to what we’re doing.
  … If David Barron doesn’t feel that Mozilla should be involved, 
  they won’t be.
Nate Otto:  They’re involved with the Badge Alliance, though.
  … They’re committed to supporting badges going forward.
Manu Sporny:  The key would be to get that person from Mozilla 
  involved in the work.
  … We’ve been hearing from people not involved in the work at 
  Mozilla speaking out.
Manu Sporny:  We have the Merchant Advisory Group that said 
  they’d join. The contact person is from Walmart, which is great.
Brian Sletten: Manu, Is NACS on the list?
Manu Sporny:  We have strong connects with NACS, Veriphone, and 
Received on Tuesday, 30 June 2015 19:36:57 UTC
