W3C home > Mailing lists > Public > public-credentials@w3.org > May 2015

Credentials CG Telecon Minutes for 2015-05-26

From: <msporny@digitalbazaar.com>
Date: Tue, 26 May 2015 15:45:19 -0400
Message-Id: <1432669519222.0.17250@zoe>
To: Credentials CG <public-credentials@w3.org>
Thanks to Sunny Lee for scribing this week! The minutes
for this week's Credentials CG telecon are now available:


Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Credentials Community Group Telecon Minutes for 2015-05-26

  1. Recruiting document (non-W3C member)
  2. Introduction to James and Arto
  3. Graph Normalization Update
  4. Recruiting W3C Members
  5. Credential Management API Extension (update)
  6. Use Cases
  Manu Sporny
  Sunny Lee
  Sunny Lee, Manu Sporny, Brian Sletten, Nate Otto, James Anderson, 
  Arto Bendiken, Gregg Kellogg, Dave Longley, Richard Varn, Kerri 
  Lemoie, David I. Lehn, Evgeny Vinogradov, Laura Fowler, Eric 
  Korb, Rob Trainer

Sunny Lee is scribing.
Manu Sporny:  Our agenda for today - Discussion around recruiting 
Manu Sporny:  Brian put together straw
Manu Sporny:  Update on cred mgmt api
Manu Sporny:  Graph normalization update, any other updates to 

Topic: Recruiting document (non-W3C member)

Manu Sporny: 
Brian Sletten:  Extrapolated from points richard made
  ...wanted to create narrative around why this is interesting
Brian Sletten:  Need for credentials, that w3c shoud take lead 
  and support community group that would lead into working group
Brian Sletten:  Wanted to get material out there that we can turn 
  into tight outward facing doc
Manu Sporny:  Thank you for putting that together
Manu Sporny:  Next step to put some headers on it
Nate Otto: Thanks, bsletten_ for making this happen. Always 
  easier to move forward when you have some text together.
Manu Sporny:  May want to shuffle order around a tiny bit
Manu Sporny:  What richard said last week is in a different 
  order, that ordering might work better
Manu Sporny:  But core of the content is in there, @richard can 
  you put this in the ordering you think might be more effective?
Manu Sporny:  Has anyone else been able to take a look at the doc 
Manu Sporny:  Any feedback or input?
James Anderson:  Concern is understanding implications
Manu Sporny:  We should 've done an intro for you
Manu Sporny:  If you and arto can provide a brief intro shortly 
Manu Sporny:  We have 2 new joiners: laura fowler
Manu Sporny:  Any other feedback for bsletten_ ?
Nate Otto: I'll take a read through this week and put in any 
  comments I might have.
Manu Sporny:  Bsletten_ maybe you and i can chat about what the 
  headings should be and general narrative
Manu Sporny:  Think 80% is there, rest is shuffling and trying to 
  tighten the narrative up
Manu Sporny:  Anything else on recruiting doc for non w3c members 
  before next agenda item?

Topic: Introduction to James and Arto

James Anderson:  We are a RDF cloud storage service
  ...have been operating for several years providng turn key, 
  sparkle and various services
James Anderson:  To add to james, storage architecture is based 
  on content addressable design
  ...ultimately it's all about hashes for us.
Manu Sporny:  Thanks for the intro. very very interested in the 
  same thing. the hashes are necessary.
Manu Sporny:  If we're going to express things in linked data 
  need to sign it
Manu Sporny:  Hashing data is vitally important to the work we're 
  doing. we have over the past, created hashing algorithm that very 
  closely mirrors the research paper that greg just pointed us to. 
  which is great since we have been operating under assumption that 
  there is sound math behind it.
Gregg Kellogg: 
Manu Sporny:  We were proven correct. shows we've been on the 
  right path. this is aiden hogan's work.
Manu Sporny:  Getting rdf graph normalization has been a 
  challenge at w3c, they don't understand the underpinning work 
  isn't there yet.
Manu Sporny:  Assumption that signature mechanism is already in 
Manu Sporny:  Really interested in having james and arto in this 
  group since you have deep domain expertise
Manu Sporny:  Does this work align with what you've thought?
Arto Bendiken:  Yes wev'e been discussing with greg too.
Manu Sporny:  Any qs for Arto and James before next topic?
Manu Sporny:  You said that oyu're doing content addressable 
  data, which is fantastic, do you have your own normalization 
  algorithm you're using and if so is it public?
Arto Bendiken:  We've been relaying on published work, dont' have 
  anything on our own. We hope to publish more this year. Think 
  this group would be a great venue for that.
Manu Sporny:  Are you working with david booth?
James Anderson:  Not working directly with David Booth

Topic: Graph Normalization Update

Gregg Kellogg:  What i know about james and arto's work which is 
  true of other rdf sparkle type stores, they make use of 
  persistent stable identifier blank nodes they use within system 
  that allows you to serialize and deserialize
Gregg Kellogg:  One way to creaet skolemn ids, rdf 1.1 notion is 
  create a uri, so you can reliably get back and forth between 
  something well known and something that is blanks
  ...whereas the noramlization tendsn to solve this problem 
  outside of any context of storing or making these blank nodes 
  stable. different approaches to dealing with problems with domain 
  well known or not
Gregg Kellogg:  Workign on normalization doc that desribed this 
  use case, if blank node identifiers are stable you can do 
  reasonable diff
  ...as dlongley pointed out in his response, many cases in which 
  it won'nt work
Dave Longley: 
Gregg Kellogg:  If there was some way to limit algorithm to least 
  number of statements required to create stable signature and that 
  were done in reliable way, that might be better but that's just 
Manu Sporny:  Rest of the folks on the call that have never 
  talked about rdf normalization your eyes are probably glazed over
Manu Sporny:  Gkellogg is saying a bunch of very important 
  things. This work is incredibly technical in nature
  ...rdf graph normalization stuff itself. right people to work 
  on it are gkellogg dlongley james and Arto, we're trying to get 
  w3c to create separate group
Manu Sporny:  This is super low level work with very specific 
  skillset, we're trying to create a separate group to work on this 
  to discuss issues gkellogg just brought up and focus on that with 
  the right people in the room
Manu Sporny:  Before we move on, moved graph normalization up on 
Gregg Kellogg: http://json-ld.github.io/normalization/spec/
Gregg Kellogg:  The spec has a new home
Gregg Kellogg:  Have made changes, originally lived in jsonld.org 
  repo along with other jsonld docs
Gregg Kellogg:  Now in same org for lack of a better place but 
  separate normalization repo which includes spec and test cases 
  and home for other things going forward.
Gregg Kellogg:  What you see when you look at spec, it's 
  relatively unchanged except uses new capabilities of respec and 
  did some renaming. have separate branch to work on use cases and 
  general motivations, would like to walk through examples of how 
  algorithm work and restate algorithm in more normative language
Gregg Kellogg:  Quite a lot of work to do. think it needs to 
  rapidly move into different form. this exceeds bandwidth for this 
Gregg Kellogg:  Maybe have parallel set of calls as this 
Manu Sporny:  Thank you very much for this work.
Dave Longley: +1 To all of gregg's work
Manu Sporny:  Moving this out of jsonld is the right thing to do
Nate Otto: Thanks for advancing normalization in code, gkellogg!
Manu Sporny:  As far as where we continue the discussion, trying 
  to get feedback from phil on what we should be doing
Manu Sporny:  Maybe gkellogg you and i can work on phil. have 
  another call with w3x mgmt today, will probably be more 
  aggressive in advocating for separate group
Manu Sporny:  Generally they've been supportive of creating such 
  a group. convincing the w3c membership to create the group is a 
  fairly monumental task. need to have pow wow with phil and maybe 
  security folks and maybe other linked data folks at w3c if they 
  can fast track some of this work
Manu Sporny:  Anything else?
Gregg Kellogg:  Have own implementaion of this algorithm that 
  passes the test. thanks so much dlongley for your help. have 
  identified issues in 2012 version of the graph normalization
Gregg Kellogg:  Haven't heard if results we're now using for 
  dataset normalization matches up with dave's work.
  ...it works, it's now stable
Dave Longley:  Haven' had the chance to update to 2015 or make 
  that an option it's not a lot of work, just need to put aside 
  some time.
Manu Sporny:  We have 2 interoepratble implementations. this is 
Manu Sporny:  Anything else?
Manu Sporny:  Have one more recruiting thing i forgot to mention
Manu Sporny:  Gkellogg whta do you think next steps are?
Manu Sporny:   We need to figure out where we might want to move 
  this work other than the credentials group
Gregg Kellogg:  There is plenty of evidence given the volumen of 
  mail on the normalization topic. this list as well as semantic 
  web that there is broad interest in this. there is previous work 
  but none has resulted in a spec.
  ... Tim Berners-Lee has chimed in with his own work
Gregg Kellogg:  We'd benefit from more collaborator in a 
  dedicated form.
Gregg Kellogg:  Do think we need to fast track something like 
  this going through

Topic: Recruiting W3C Members

Manu Sporny:  Spent better part of last week sending out, went 
  through 400 w3c members
Manu Sporny:  Picked out those that would be influenced by our 
  work and sent them collateral
Manu Sporny:  We've got 140 orgs that we're waiting to hear back 
  from, a number of them have responded, most in an positive way.
Manu Sporny:  Questions?

Topic: Credential Management API Extension (update)

Manu Sporny:  I forget when that went out, was that last 
  thursday? did we takl about th eproposal
Manu Sporny: 
Dave Longley:  Think we gave everyone access to the 
  doc...actually not sure
Dave Longley:  This is the doc that we wrote about details about 
  extension of cred mgmt api
  ...gotten some comments back from Mike West
Dave Longley:  We'll have to get on a call with him soon
Manu Sporny:  In general he seems interested in what we're trying 
  to say
Manu Sporny:  Feeling positive about workign with him
Manu Sporny:  Same origin means only website browser api should 
  only be the website they are on
Manu Sporny:  If you're on google shouldn't be able to reach over 
  to yahoo and reach over and get data and send over to google
Manu Sporny:  CORS, javascript files, break this model
Manu Sporny:  In general security model for web is same origin, 
  so we're getting pushback
Manu Sporny:  X created on website A, stored on website B, 
  delivered on website 3
elf Pavlik: http://www.w3.org/TR/cors/
Manu Sporny:  Biggest pushback is over same origin cross origin 
  issue, think we can make good arguments against cross origin.
Manu Sporny:  Mainly because that's how things function in the 
  real world. think there are good set of arguments against cross 
Manu Sporny:  2Nd biggest pushback: why is this any different 
  than OAuth and SAML
Manu Sporny:  OpenID connect is superprovide centric, meaning 
  works well with google, twiter
Manu Sporny:  Respons to SAML, tried and failed, number of 
  deficiencies come from using xml, not really following 
  architecture of the web, while it does work, not successful in 
  being deployed
Manu Sporny:  But need to formalize those reponses and put in 
  blog post or paper
Manu Sporny:  Questions on cred mgmt api?
  ...who is this speaking?
Manu Sporny:  There are about 15 things we care about in 
  securitng cross origin. this makes everyoen really nervous. 
  you've mentioend 2 of them. one is there are 300 certificate 
  authorities, including us govt and china
Manu Sporny:  And us allows certificates that allow snooping. not 
  secure from that perspective, the other perspective it that there 
  are other places it might be ok to not be secure. If you're 
  loading a page in cascading style sheet
  ...if someone injects in there, they might mess up your 
  stylesheet, but not that high stakes.
Manu Sporny:  There are people that use css to do things. someone 
  can use css or javascript timers to read exactly what you'er 
  looking at with an enormous amount of accuracy
Manu Sporny:  Security on the web is broken in specific ways but 
  in the ways it's broken fairly well known what the attacks are
Richard Varn:  Understand what you'er saying
Manu Sporny:  Short of it is: if you want to do cross origin, 
  that's great, you're going to create an enormous amount of work 
  and we'd rather not do tht work because we're not convinced the 
  upside is that great.
Manu Sporny:  The way we can express it is protocol agnostic
Manu Sporny:  Think we're not going to be able to propose 
  something solid
Arto Bendiken:  Expect web is primary use cases, have seen other 
  important channels emerging. very interesting in crypto currency
Manu Sporny:  They're actually reusing jsonld for ipfs for 
  content addressable stuff. have experimental proofs on how it can 
Manu Sporny:  How will these protocols integrate with the web or 
  run in parallel with the web. don't think we can resovle these 
  before we create credential group

Topic: Use Cases

Manu Sporny: 
Manu Sporny:  Saw kerri_lemoie and NateOtto in use cases doc. 
  update on this?
Nate Otto:  Credentials use cases doc uses pretty good. added 
  intro sentence. only new content along with minor suggestions.
Nate Otto:  Think it's looking fairly complete over all, just a 
  couple questions here and there that can probably get resolved 
Manu Sporny:  Think main concern is do we think we've covered all 
  the use cases that we want to have covered in v1.1. answering 
  this question is what will tell us whether we can start diving in
Kerri Lemoie:  One area where we can use some work is revoking.
Kerri Lemoie:  Added motivation and we can put in some use cases 
Manu Sporny:  One thing we may also do is get someone do an 
  accessibility review.
  ... Paciello Group can help do a review of accessibility
Manu Sporny:  May not want to request review until we're done 
  with full editorial pass
Kerri_lemoie: question regarding exceptions on top of page 8
Manu Sporny:  Will go through and look at all comments and try 
  and resolve a number of them this week sincen comms is out to w3c 
Manu Sporny:  What do you think next steps are?
Manu Sporny:  Credentials in the real world section, want to talk 
  about workforce training, credentila operations, issuing, 
  revoking, managing, etc.
Nate Otto:  Are you aiming to tell a story here?
Manu Sporny:  If you look at the webpayments use cases
Manu Sporny: 
Manu Sporny:  There's example of really tight stories. payments 
  are a bit easier to talk about it since payments have a flow. but 
  it's just a one sentence description of what's done rather than 
  longer narratives.
Manu Sporny:  What does a professional license look like when 
  used on the web. we want to keep the narratives short and tight 
  for each operation
Nate Otto:  Do you think any of that will be redundant with the 
  previous section?
Manu Sporny:  We would take this and weave it into a story or we 
  can use a completely different story. we don't really talk about 
  driver's license in the use cases.
Manu Sporny:  Can tell a story of the driver's license througouth 
  the entire use cases, issuing, managing, revoking.
Nate Otto:  Will put some time this week.
Manu Sporny:  The other thing that's been really helpful is, web 
  payments group is 3 - 4 months ahead of us, that's helped lay out 
  a clear path for us.
Manu Sporny:   After use cases now workign on requirements 
  derived from use cases, and capabilities required by web platform 
  to make use cases a reailty. use cases are broad, capabilities 
  are broad, then road map is specific.
Manu Sporny:  Mentioing this to remind us that we still have a 
  lot of work but the ordering of it feels clear. having a chat 
  with w3c about credentinling and how we're creating the group. 
  we're proposing to w3c mgmt how crednentails fits into the work 
  they're doing already.
Manu Sporny:  Web payments group has decided credentials is vital 
  to their work
Manu Sporny:  Need to coordinate with authentication group. the 
  sooner we get through use cases etc the better positioned we are.
Manu Sporny:   If the cred wg charter is put to vote, it'll be 
  spetember, when sept rolls aorund, we should have these docs 
  doen: use cases, requirements, capabilities, roadmaps, etc.
Manu Sporny:  If we don't have docs done by then, we'll be in a 
  holding pattern where an interest group tries to get the use 
  cases done.
Manu Sporny:   I think getting use cases, requirements, 
  capabilities and roadmpa is doable by september.
Manu Sporny:  Anything else on use cases?
Manu Sporny:  Anything else we should be aware of before call 
  next week
Brian Sletten: I can help with the UC docs.
Manu Sporny:  Kerri_lemoie NateOtto SLee_ an di will focus on use 
Nate Otto: Thanks, all
Manu Sporny:  Thanks everyone
Kerri Lemoie: Thanks
Received on Tuesday, 26 May 2015 19:45:42 UTC

This archive was generated by hypermail 2.3.1 : Wednesday, 11 July 2018 21:19:23 UTC