- From: <msporny@digitalbazaar.com>
- Date: Tue, 26 May 2015 15:45:19 -0400
- To: Credentials CG <public-credentials@w3.org>
Thanks to Sunny Lee for scribing this week! The minutes for this week's Credentials CG telecon are now available: http://opencreds.org/minutes/2015-05-26/ Full text of the discussion follows for W3C archival purposes. Audio from the meeting is available as well (link provided below). ---------------------------------------------------------------- Credentials Community Group Telecon Minutes for 2015-05-26 Agenda: https://lists.w3.org/Archives/Public/public-credentials/2015May/0030.html Topics: 1. Recruiting document (non-W3C member) 2. Introduction to James and Arto 3. Graph Normalization Update 4. Recruiting W3C Members 5. Credential Management API Extension (update) 6. Use Cases Organizer: Manu Sporny Scribe: Sunny Lee Present: Sunny Lee, Manu Sporny, Brian Sletten, Nate Otto, James Anderson, Arto Bendiken, Gregg Kellogg, Dave Longley, Richard Varn, Kerri Lemoie, David I. Lehn, Evgeny Vinogradov, Laura Fowler, Eric Korb, Rob Trainer Audio: http://opencreds.org/minutes/2015-05-26/audio.ogg Sunny Lee is scribing. Manu Sporny: Our agenda for today - Discussion around recruiting doc Manu Sporny: Brian put together straw Manu Sporny: Update on cred mgmt api Manu Sporny: Graph normalization update, any other updates to agenda. Topic: Recruiting document (non-W3C member) Manu Sporny: https://docs.google.com/document/d/1sIMtVYYCeMeuunv-4gsVsldGlWJZ1RyjmnxOVJEjXiE/edit Brian Sletten: Extrapolated from points richard made ...wanted to create narrative around why this is interesting Brian Sletten: Need for credentials, that w3c shoud take lead and support community group that would lead into working group Brian Sletten: Wanted to get material out there that we can turn into tight outward facing doc Manu Sporny: Thank you for putting that together Manu Sporny: Next step to put some headers on it Nate Otto: Thanks, bsletten_ for making this happen. Always easier to move forward when you have some text together. Manu Sporny: May want to shuffle order around a tiny bit Manu Sporny: What richard said last week is in a different order, that ordering might work better Manu Sporny: But core of the content is in there, @richard can you put this in the ordering you think might be more effective? Manu Sporny: Has anyone else been able to take a look at the doc yet? Manu Sporny: Any feedback or input? James Anderson: Concern is understanding implications Manu Sporny: We should 've done an intro for you Manu Sporny: If you and arto can provide a brief intro shortly after Manu Sporny: We have 2 new joiners: laura fowler Manu Sporny: Any other feedback for bsletten_ ? Nate Otto: I'll take a read through this week and put in any comments I might have. Manu Sporny: Bsletten_ maybe you and i can chat about what the headings should be and general narrative Manu Sporny: Think 80% is there, rest is shuffling and trying to tighten the narrative up Manu Sporny: Anything else on recruiting doc for non w3c members before next agenda item? Topic: Introduction to James and Arto James Anderson: We are a RDF cloud storage service ...have been operating for several years providng turn key, sparkle and various services James Anderson: To add to james, storage architecture is based on content addressable design ...ultimately it's all about hashes for us. Manu Sporny: Thanks for the intro. very very interested in the same thing. the hashes are necessary. Manu Sporny: If we're going to express things in linked data need to sign it Manu Sporny: Hashing data is vitally important to the work we're doing. we have over the past, created hashing algorithm that very closely mirrors the research paper that greg just pointed us to. which is great since we have been operating under assumption that there is sound math behind it. Gregg Kellogg: http://aidanhogan.com/docs/skolems_blank_nodes_www.pdf Manu Sporny: We were proven correct. shows we've been on the right path. this is aiden hogan's work. Manu Sporny: Getting rdf graph normalization has been a challenge at w3c, they don't understand the underpinning work isn't there yet. Manu Sporny: Assumption that signature mechanism is already in place. Manu Sporny: Really interested in having james and arto in this group since you have deep domain expertise Manu Sporny: Does this work align with what you've thought? Arto Bendiken: Yes wev'e been discussing with greg too. Manu Sporny: Any qs for Arto and James before next topic? Manu Sporny: You said that oyu're doing content addressable data, which is fantastic, do you have your own normalization algorithm you're using and if so is it public? Arto Bendiken: We've been relaying on published work, dont' have anything on our own. We hope to publish more this year. Think this group would be a great venue for that. Manu Sporny: Are you working with david booth? James Anderson: Not working directly with David Booth Topic: Graph Normalization Update Gregg Kellogg: What i know about james and arto's work which is true of other rdf sparkle type stores, they make use of persistent stable identifier blank nodes they use within system that allows you to serialize and deserialize Gregg Kellogg: One way to creaet skolemn ids, rdf 1.1 notion is create a uri, so you can reliably get back and forth between something well known and something that is blanks ...whereas the noramlization tendsn to solve this problem outside of any context of storing or making these blank nodes stable. different approaches to dealing with problems with domain well known or not Gregg Kellogg: Workign on normalization doc that desribed this use case, if blank node identifiers are stable you can do reasonable diff ...as dlongley pointed out in his response, many cases in which it won'nt work Dave Longley: https://lists.w3.org/Archives/Public/public-credentials/2015May/0032.html Gregg Kellogg: If there was some way to limit algorithm to least number of statements required to create stable signature and that were done in reliable way, that might be better but that's just speculation Manu Sporny: Rest of the folks on the call that have never talked about rdf normalization your eyes are probably glazed over Manu Sporny: Gkellogg is saying a bunch of very important things. This work is incredibly technical in nature ...rdf graph normalization stuff itself. right people to work on it are gkellogg dlongley james and Arto, we're trying to get w3c to create separate group Manu Sporny: This is super low level work with very specific skillset, we're trying to create a separate group to work on this to discuss issues gkellogg just brought up and focus on that with the right people in the room Manu Sporny: Before we move on, moved graph normalization up on agenda, Gregg Kellogg: http://json-ld.github.io/normalization/spec/ Gregg Kellogg: The spec has a new home Gregg Kellogg: Have made changes, originally lived in jsonld.org repo along with other jsonld docs Gregg Kellogg: Now in same org for lack of a better place but separate normalization repo which includes spec and test cases and home for other things going forward. Gregg Kellogg: What you see when you look at spec, it's relatively unchanged except uses new capabilities of respec and did some renaming. have separate branch to work on use cases and general motivations, would like to walk through examples of how algorithm work and restate algorithm in more normative language Gregg Kellogg: Quite a lot of work to do. think it needs to rapidly move into different form. this exceeds bandwidth for this group Gregg Kellogg: Maybe have parallel set of calls as this advances. Manu Sporny: Thank you very much for this work. Dave Longley: +1 To all of gregg's work Manu Sporny: Moving this out of jsonld is the right thing to do Nate Otto: Thanks for advancing normalization in code, gkellogg! Manu Sporny: As far as where we continue the discussion, trying to get feedback from phil on what we should be doing Manu Sporny: Maybe gkellogg you and i can work on phil. have another call with w3x mgmt today, will probably be more aggressive in advocating for separate group Manu Sporny: Generally they've been supportive of creating such a group. convincing the w3c membership to create the group is a fairly monumental task. need to have pow wow with phil and maybe security folks and maybe other linked data folks at w3c if they can fast track some of this work Manu Sporny: Anything else? Gregg Kellogg: Have own implementaion of this algorithm that passes the test. thanks so much dlongley for your help. have identified issues in 2012 version of the graph normalization Gregg Kellogg: Haven't heard if results we're now using for dataset normalization matches up with dave's work. ...it works, it's now stable Dave Longley: Haven' had the chance to update to 2015 or make that an option it's not a lot of work, just need to put aside some time. Manu Sporny: We have 2 interoepratble implementations. this is huge. Manu Sporny: Anything else? Manu Sporny: Have one more recruiting thing i forgot to mention Manu Sporny: Gkellogg whta do you think next steps are? Manu Sporny: We need to figure out where we might want to move this work other than the credentials group Gregg Kellogg: There is plenty of evidence given the volumen of mail on the normalization topic. this list as well as semantic web that there is broad interest in this. there is previous work but none has resulted in a spec. ... Tim Berners-Lee has chimed in with his own work Gregg Kellogg: We'd benefit from more collaborator in a dedicated form. Gregg Kellogg: Do think we need to fast track something like this going through Topic: Recruiting W3C Members Manu Sporny: Spent better part of last week sending out, went through 400 w3c members Manu Sporny: Picked out those that would be influenced by our work and sent them collateral Manu Sporny: We've got 140 orgs that we're waiting to hear back from, a number of them have responded, most in an positive way. Manu Sporny: Questions? Topic: Credential Management API Extension (update) Manu Sporny: I forget when that went out, was that last thursday? did we takl about th eproposal Manu Sporny: https://docs.google.com/document/d/1tI0CJ4wAKKPQacrxOmTtl_GQUBeVtbg8e1ZSXs2SWag/edit Dave Longley: Think we gave everyone access to the doc...actually not sure Dave Longley: This is the doc that we wrote about details about extension of cred mgmt api ...gotten some comments back from Mike West Dave Longley: We'll have to get on a call with him soon Manu Sporny: In general he seems interested in what we're trying to say Manu Sporny: Feeling positive about workign with him Manu Sporny: Same origin means only website browser api should only be the website they are on Manu Sporny: If you're on google shouldn't be able to reach over to yahoo and reach over and get data and send over to google Manu Sporny: CORS, javascript files, break this model Manu Sporny: In general security model for web is same origin, so we're getting pushback Manu Sporny: X created on website A, stored on website B, delivered on website 3 elf Pavlik: http://www.w3.org/TR/cors/ Manu Sporny: Biggest pushback is over same origin cross origin issue, think we can make good arguments against cross origin. Manu Sporny: Mainly because that's how things function in the real world. think there are good set of arguments against cross origin. Manu Sporny: 2Nd biggest pushback: why is this any different than OAuth and SAML Manu Sporny: OpenID connect is superprovide centric, meaning works well with google, twiter Manu Sporny: Respons to SAML, tried and failed, number of deficiencies come from using xml, not really following architecture of the web, while it does work, not successful in being deployed Manu Sporny: But need to formalize those reponses and put in blog post or paper Manu Sporny: Questions on cred mgmt api? ...who is this speaking? Manu Sporny: There are about 15 things we care about in securitng cross origin. this makes everyoen really nervous. you've mentioend 2 of them. one is there are 300 certificate authorities, including us govt and china Manu Sporny: And us allows certificates that allow snooping. not secure from that perspective, the other perspective it that there are other places it might be ok to not be secure. If you're loading a page in cascading style sheet ...if someone injects in there, they might mess up your stylesheet, but not that high stakes. Manu Sporny: There are people that use css to do things. someone can use css or javascript timers to read exactly what you'er looking at with an enormous amount of accuracy Manu Sporny: Security on the web is broken in specific ways but in the ways it's broken fairly well known what the attacks are Richard Varn: Understand what you'er saying Manu Sporny: Short of it is: if you want to do cross origin, that's great, you're going to create an enormous amount of work and we'd rather not do tht work because we're not convinced the upside is that great. Manu Sporny: The way we can express it is protocol agnostic Manu Sporny: Think we're not going to be able to propose something solid Arto Bendiken: Expect web is primary use cases, have seen other important channels emerging. very interesting in crypto currency Manu Sporny: They're actually reusing jsonld for ipfs for content addressable stuff. have experimental proofs on how it can work Manu Sporny: How will these protocols integrate with the web or run in parallel with the web. don't think we can resovle these before we create credential group Topic: Use Cases Manu Sporny: https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit Manu Sporny: Saw kerri_lemoie and NateOtto in use cases doc. update on this? Nate Otto: Credentials use cases doc uses pretty good. added intro sentence. only new content along with minor suggestions. Nate Otto: Think it's looking fairly complete over all, just a couple questions here and there that can probably get resolved quickly Manu Sporny: Think main concern is do we think we've covered all the use cases that we want to have covered in v1.1. answering this question is what will tell us whether we can start diving in Kerri Lemoie: One area where we can use some work is revoking. Kerri Lemoie: Added motivation and we can put in some use cases there. Manu Sporny: One thing we may also do is get someone do an accessibility review. ... Paciello Group can help do a review of accessibility Manu Sporny: May not want to request review until we're done with full editorial pass Kerri_lemoie: question regarding exceptions on top of page 8 Manu Sporny: Will go through and look at all comments and try and resolve a number of them this week sincen comms is out to w3c members. Manu Sporny: What do you think next steps are? Manu Sporny: Credentials in the real world section, want to talk about workforce training, credentila operations, issuing, revoking, managing, etc. Nate Otto: Are you aiming to tell a story here? Manu Sporny: If you look at the webpayments use cases Manu Sporny: http://www.w3.org/TR/2015/WD-web-payments-use-cases-20150416/#additional-examples-of-the-payment-phases Manu Sporny: There's example of really tight stories. payments are a bit easier to talk about it since payments have a flow. but it's just a one sentence description of what's done rather than longer narratives. Manu Sporny: What does a professional license look like when used on the web. we want to keep the narratives short and tight for each operation Nate Otto: Do you think any of that will be redundant with the previous section? Manu Sporny: We would take this and weave it into a story or we can use a completely different story. we don't really talk about driver's license in the use cases. Manu Sporny: Can tell a story of the driver's license througouth the entire use cases, issuing, managing, revoking. Nate Otto: Will put some time this week. Manu Sporny: The other thing that's been really helpful is, web payments group is 3 - 4 months ahead of us, that's helped lay out a clear path for us. Manu Sporny: After use cases now workign on requirements derived from use cases, and capabilities required by web platform to make use cases a reailty. use cases are broad, capabilities are broad, then road map is specific. Manu Sporny: Mentioing this to remind us that we still have a lot of work but the ordering of it feels clear. having a chat with w3c about credentinling and how we're creating the group. we're proposing to w3c mgmt how crednentails fits into the work they're doing already. Manu Sporny: Web payments group has decided credentials is vital to their work Manu Sporny: Need to coordinate with authentication group. the sooner we get through use cases etc the better positioned we are. Manu Sporny: If the cred wg charter is put to vote, it'll be spetember, when sept rolls aorund, we should have these docs doen: use cases, requirements, capabilities, roadmaps, etc. Manu Sporny: If we don't have docs done by then, we'll be in a holding pattern where an interest group tries to get the use cases done. Manu Sporny: I think getting use cases, requirements, capabilities and roadmpa is doable by september. Manu Sporny: Anything else on use cases? Manu Sporny: Anything else we should be aware of before call next week Brian Sletten: I can help with the UC docs. Manu Sporny: Kerri_lemoie NateOtto SLee_ an di will focus on use cases. Nate Otto: Thanks, all Manu Sporny: Thanks everyone Kerri Lemoie: Thanks
Received on Tuesday, 26 May 2015 19:45:42 UTC