- From: Stuart Sutton <sasutton@dublincore.net>
- Date: Wed, 11 Nov 2015 03:36:24 -0600
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Credentials CG <public-credentials@w3.org>
- Message-ID: <CAK74qRspL_Yo1BJoUJp7Ef69tPcwJ2jCytRNSr2C9TVqxoWWPA@mail.gmail.com>

Manu, my apologies for missing the call and your briefing; but, thanks to the excellent scribing, it is clear to me that the position you have framed to extend an explicit, open invitation to those opposed to attend a CG meeting and present their points of opposition is a quite appropriate position to take. I've not been on the CG long, but I see no evidence so far that opposing thoughts would not be fully considered.

Manu, I also firmly agree with your statement "that the work should not stop if they don't show."

Stuart

On Tue, Nov 10, 2015 at 12:25 PM, <msporny@digitalbazaar.com> wrote:
> Thanks to Dave Longley for scribing this week! The minutes for this week's Credentials CG telecon are now available:
>
> http://opencreds.org/minutes/2015-11-10/
>
> Full text of the discussion follows for W3C archival purposes. Audio from the meeting is available as well (link provided below).
>
> ----------------------------------------------------------------
> Credentials Community Group Telecon Minutes for 2015-11-10
>
> Agenda:
>   https://lists.w3.org/Archives/Public/public-credentials/2015Nov/0014.html
> Topics:
>   1. Credentials Task Force in WPIG Update
>   2. Tasks for Credentials CG
>   3. Linked Data Fast Track WG Update
> Organizer:
>   Manu Sporny
> Scribe:
>   Dave Longley
> Present:
>   Dave Longley, Manu Sporny, Henry Story, Laura Fowler, Rebecca Simmons, Brian Sletten, Gregg Kellogg, Nate Otto, Eric Korb, John Tibbetts, Chris Webber
> Audio:
>   http://opencreds.org/minutes/2015-11-10/audio.ogg
>
> Dave Longley is scribing.
> Manu Sporny: Last week we talked about what happened at W3C TPAC. The good news is that the Web Payments IG wants to do something around Credentials; we're trying to figure out where to do the work and where to write the charter and tie up loose ends.
> Manu Sporny: There's an action item on me to propose a way forward for Credentials at W3C. We made a proposal; it had mixed feedback. We'll discuss that. We'll also be assigning tasks to folks. We'll give an update on our discussion with the SoLiD team as well. We chatted a bit with TimBL on the HTTP signatures stuff as well.
> Henry Story: Ah cool, interested about hearing the discussion on SoLiD
> Manu Sporny: Anything else we need to cover today?
>
> Topic: Credentials Task Force in WPIG Update
>
> Manu Sporny: https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials
> Manu Sporny: We have made some modifications to the proposal as a result of the call yesterday. I'll review what was proposed and then talk next steps.
> Manu Sporny: The goal is to determine whether or not a W3C Working Group should be created. The outcome of this task force will either be a charter for the W3C member to vote on to start the work or it's going to be a finding that we should not do the work at W3C. Clearly, the people in this group would like to see it started at W3C. There are some other people who feel the world isn't ready to see this work start.
> Manu Sporny: A lot of the proposal is based on the survey we did. 58 orgs filled it out; how they view a proper credential ecosystem. We had them rate capabilities. We kept it data driven and so it was difficult for people who are against the work to argue against.
> Manu Sporny: https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials#Concerns
> Manu Sporny: There were a number of concerns that were raised. The concerns were added to the wiki.
> Manu Sporny: Some of those concerns are questions we need to answer. Some of them we are in no position to answer. "What is the jurisdictional scope of a credential and how are they regulated?" Way too early to answer but it was raised as a question to answer at some point.
> Manu Sporny: In general, the IG said "Yes, we should do something about this and this proposal isn't offbase." Only +1's to say we should proceed with the work. The pushback was where the work would happen.
> Manu Sporny: The proposal was that this group (this CG) would just shift gears and work on the questions.
> Manu Sporny: There was almost immediate objection to that. Because there are people (some of whom we know, and some of whom we don't know) that feel that we don't have a neutral forum here. Meaning, we've worked on technology like the Open Badges stuff, technical implementations have been discussed and because of that, this group isn't neutral.
> Henry Story: Argh.
> Manu Sporny: A request was made for another group to be made that can't talk about the technology; and only talk about capabilities.
> Manu Sporny: Speaking as an individual, this is fantastically frustrating because we strive to be very neutral in this group and have a good track record of doing so. This group started out with use cases and no particular technology focus. We had two input specs. We didn't have a strong technical view, etc. we did discussions, found data, worked from there. There are people saying (again, people we don't know who they are) that we aren't neutral and that they weren't involved. These people didn't join the work a year or so ago but now they are saying that their views weren't taken into account. We have identified a number of people that we *do* know and we've been talking with them and asking them to discuss things with us and that's great and is not an issue. The problem is the people who are only talking through W3C staff and we can't talk to them directly ... and the only solution seems to be creating a new group that is filled with the same people in this group, plus a few more, and that can't talk about technology solutions.
> Manu Sporny: Please provide your input ... do you support a new Community Group focused only on capabilities and writing, no tech, etc. We need to hear opinions from this group.
> Henry Story: If I look at the Linked Data Protocol group, which was headed by IBM. They had implementations, they had a lot of people, they had narrowed down the technology and the specifics and a proposal put forward. This seems suspicious to me; I don't know the process all that much, but it seems a bit weird.
> Henry Story: I'd like to speak with Arnaud and see what he said. I think you just need 20 members or some percentage to get people on board. The danger is if you get too many people on board then it's too general and becomes hard to succeed. That's me from an outsider's perspective.
> Henry Story: You have more understanding, Manu, of the politics.
> Manu Sporny: I think you're right in that it's strange. I think there's a fair degree of misunderstanding. There is a mismatch between what we're trying to do and what people think we're doing here. Let me try and draw where the various points of confusion are. I think there's a misunderstanding on what we're working on. Like we're working on authentication protocols like FIDO. We're absolutely not doing that here. The tech we're using here could be used with authentication but that's not what we're primarily pushing here.
> Manu Sporny: So there's confusion and objection over that.
> Manu Sporny: There's also confusion over where this group started. This group started with "we need to have verifiable claims/attributes" and we called them credentials and we were open to anyone to come and discuss at length.
> Manu Sporny: I think one problem is that there is some work going on at IETF that is similar; that group had already started and was already chartered and once chartered they really push their world view. For example JOSE. There's nothing wrong with that there's a good technical implementation that fits their use cases. But their use cases aren't our use cases. And some people looked at this work and thought "nothing needs to be done." Now a year later, we have another group at W3C are backing doing work with Credentials. Now that other group is objecting because there would be two technical specs that conflict with one another. There are some things in common but I think the OpenID Connect, OAuth, IETF folks think there is more overlap than there is. For example, with the digital signature stuff, the JOSE folks are looking at that and saying "The Open Credentials folks are coming up with a new signature format" but they don't understand Linked Data; they aren't looking at the technology and they are just saying "We should just try to use their stuff before doing something new" without understanding that we already tried that. The mistake we made was not better documenting that effort.
> Manu Sporny: There are a couple of places where there is confusion: authentication vs. authorization, etc. and there are objections that our group is trying to do something that has been done before. There are people that don't understand the technology and some say we need to slow the process so people can understand that.
> Henry Story: Yep makes sense
> Manu Sporny: I think those are the politics being played but I don't think any of it is mean spirited, I just think it's people who aren't familiar with the work we're trying to do and jumping to conclusions. And then those people talk to W3C staff and say "You are on the brink of doing work that's being done elsewhere" And W3C doesn't want to do that and says we need to document what's different.
> Rebecca Simmons: What you said makes sense, but as an outsider it's hard to say what needs to be done.
> Henry Story: It would be interesting to have a document to show how what you are doing goes beyond jose, for example.
> Manu Sporny: If we can answer all of the criticisms and make everyone happy then we can create a charter and go forward with the work.
> Henry Story: I have some ideas, of how it goes beyond, but it is interesting to know it.
> Brian Sletten: If we create a new CG, what's to stop them from throwing up obstacles to that CG?
> Manu Sporny: One primary question for this group: Do we want to push back and say "This CG you are proposing is the same thing we've already done. We'd rather have the people who are objecting make themselves known and join us and have the discussion in public." the other choice is "We'll create a new CG that doesn't talk technology at all and just talks capabilities and that group is going to go out and focus these people who are having issues and document their objections."
> Manu Sporny: Or there might be another option? Thoughts from the group?
> Gregg Kellogg: It seems clear that this is just a mechanism to push through their own agenda to overwhelm a new group. Even though technology discussions are off the table there I can see how it would be phrased to push one tech over another. It seems like a big scheme to me. I do think that the work we've done over the last year is exactly what a new group would do. I'd like to know what would be in front of a new CG that would be different that might then lead to a different outcome; otherwise it's a lot of wasted effort of a lot of people's time for no good reason other than to satisfy a powerful minority that seems frustrated.
> Henry Story: That makes sense to try to find out what these people want.
> Manu Sporny: To go back to Henry's point, you only need 20-25 member companies to say this work should start; but that is only after getting W3C Management approval. They have to agree there is consensus around what to work on. Right now ... I thought it was there, positive feedback from CEO and some staff contacts, but the person in charge of making the decision is unconvinced. We want to reach out to that person to find out what would convince them. I believe it's down to one person that is holding the process up.
> Manu Sporny: I think the general point that the W3C staff members in the IG were making was that, "yes, we realize that this is somewhat annoying, but you need to create a neutral playing field. If a group of people are saying there isn't a neutral field, you need to create one so they'll come in." One proposal is to create a new CG with the same calls and time as this one (just replace it) but tightly focus that group around the creation of a charter and answering the questions around what needs to be done.
> Manu Sporny: So there are maybe 8 people, at most, that we need to interview. We can say it has to be on the record and public on what needs to be done. Once we get all those interviews out of the way, we will clear those interviews with the W3C staff who are saying people are objecting; we'll get a list from them and interview those people, clearly document those concerns, etc. and then hope that the argument that those people feel they aren't being heard is addressed.
> Manu Sporny: The other approach is that we have way more than 20 orgs that want to start this work.
> Manu Sporny: We could, instead, and say "If you want something else done, you have to propose something. Everyone can't just stop because someone feels there's some nebulous better solution out there... if you feel it's out there, propose it so the group can talk about it."
> Dave Longley: It would be an option to invite them to this group. I know they don't think this group is a natural fit. We're going to bring together the same group of people w/ other people. Could we invite them specifically? [scribe assist by Manu Sporny]
> Dave Longley: Make it a more formal invitation to those that have concerns - we want them to talk about concerns - we want this to be a neutral group. [scribe assist by Manu Sporny]
> Manu Sporny: I proposed that and they said "It doesn't matter, they don't think you have a neutral group so they won't participate."
> Manu Sporny: So we could say "ok, fine, people seem to think this isn't a neutral group, so let's just create a new group." But we'd have all the same people like you said, with a new group name. We'd just be going through new mailing list and set up and all that.
> Manu Sporny: I believe that the W3C staff wants to hear from the rest of this group. If they don't hear from the rest of the people in this CG, and no one else speaks up, their counter argument is going to be that it's just Digital Bazaar's opinion, not the group's.
> Manu Sporny: Gregg and Henry spoke up but we need more people to voice their opinions on where they want this group to go.
> Manu Sporny: If we say people can just join this group the counter argument will be that they won't join because it's not a neutral group. If we have people in this group clearly saying we should either "Create a new group" or "No, same people would join."
> Nate Otto: Without all the context, I think creating a new group would be more work for uncertain gains.
> Brian Sletten: If we create a new group and they don't come ... procedurally what is our response? At some point they are just doing a denial of service attack.
> Eric Korb: Why is the onus on us to do this work? How do we substantiate their claims?
> Manu Sporny: Procedurally, we'd have to write a new charter, get approval of the charter, create the group via W3C CG process, create new mailing list, new IRC channel, etc. About a week. Once we do all that it would be all of us on the call again, but hopefully 4-5 more people.
> Brian Sletten: If they still don't show up, what then?
> Manu Sporny: It helps if we can say there are some folks in the group that believe this won't help.
> Brian Sletten: At some point you need to be out in the open, you can't just hide behind anonymity and try to stop work that other people are working on.
> John Tibbetts: We've done a lot of homework over the last few years and months, including the survey. It's time to start talking about the technology issues. Talking about the technology helps you think about the problem; it's time to be doing that. I think we need to push back on that.
> John Tibbetts: We need to get on with it.
> Eric Korb: So, let's object to their work!
> Manu Sporny: Eric asks "How do we substantiate their claims?" This is asymmetric. We do a lot of work to answer a concern and then there's an objection that says "No you didn't cover this other thing." This is coming from someone who cares about privacy/security, which is good, but they don't have a company that depends on the tech, they aren't going to deploy it, etc -- lower priority. One of the problems with that is that we went out and documented a bunch of the stuff we've been saying here in this group and doing an enormous amount of work which has moved things forward a bit, but not far enough. The onus is on us because we want to do something; all anyone else has to do is just object. One reason the onus has continued to be on us is because we've been very receptive to questions and concerns of people outside this group. It is getting to the point where we're wondering when we've done enough work.
> Manu Sporny: Eric, we can't object to their work because some of them aren't doing any, and others of them aren't working on the problems we're working on. They are just objecting to our work because they think we're working on the same stuff, but we're not.
> Nate Otto: I have found this group to have some members who have clear ideas about a technical direction to proceed in, but that those people are very open to making sure that we are building the right technology and formulating our use cases properly. We hope this effort moves forward. (Nate Otto, Director, Badge Alliance)
> Eric Korb: Manu, thx
> Manu Sporny: The only work out there to "object" to would be things like OpenID Connect/OAuth/SAML/etc, but we don't even necessarily object to those technologies, some of them may work for their use cases, etc -- this again has to do with the misunderstandings. SAML and OpenID Connect don't work for our use cases, and that's the issue. There is work we're doing like the expression of a digital credential, there is no work out there that is as extensive as we've done. There are things like "here's how you can express an email address or a name" but there's no work about cryptographically verifiable claims like education credentials, doctor's licenses, where people work, etc. That is being proposed/created by this group.
> Chris Webber: So I'll speak up mainly so that I am on the record. For me, this work is very important because in order to really see federation succeed, I think we need to have clear authorization systems and methods of verifying that communication has come from one place to another. We've already seen this in the ActivityPump spec, where we are basically forced to keep record of conversation forever in order so that clients can verify its source.
> Chris Webber: This is bad if you are concerned with privacy.
> Henry Story: Though you need to be careful about authorization.
> Eric Korb: +1 Nate
> Chris Webber: Right
> Chris Webber: Authentication and credentials are one of the notoriously hardest parts to get working right in federated systems. I have a lot of confidence in the members of this group to think things through well.
> Manu Sporny: So I'm going to play devil's advocate here; W3C staff would channel these other people and say "Yes, but, you need a clear set of use cases and you need buy in around that set of use cases and you need to talk about capabilities before you talk about specs or anything of that nature."
> Manu Sporny: I can take the minutes from today and push back. The group can say "We'd like to just do the interviews in the group and talk about it with them."
> Manu Sporny: It seems like there is consensus around the group that "creating a new CG wouldn't address the issues". People feel that they aren't being heard so let's bring them in and listen to them and write down those concerns... and maybe from that we can figure out if people think they are being heard or if we need a new group.
> Eric Korb: +1 Chris
> Manu Sporny: I think we have high attendance in these calls because we've really tried to be open and transparent.
> Dave Longley: I second the notion to figure out if the group is neutral - why don't people come to the group and receive their concerns - why don't we just try that instead of assuming this group is not neutral. They should come and try out the group - that hasn't even happened yet. The people that have these concerns haven't even come to the group to try it out. Let's give it a shot. If a new group needs to be created, so be it. [scribe assist by Manu Sporny]
> Dave Longley: I would expect that we'd give them a warm welcome and address their concerns. [scribe assist by Manu Sporny]
> Eric Korb: +1 Dlongley
> Henry Story: +1 I agree. I am new to the group, and it feels very friendly here.
> Manu Sporny: So I think consensus is that we should invite people who have concerns and we can spend 30 mins to 1 hour with them and clearly document their concerns and how they'd like to proceed. Once we've done that, we could talk to them and ask if they feel that they are being listened to.
> Chris Webber: Yes, I've experienced a lot of patience and thoughtful consideration with my questions here :)
> Manu Sporny: Then we can see where we are at that point. So let's not start a new group and instead invite people here and see what they have to say and we'll document and circle back around and see if they feel heard. If they are, there's no need to create a new group.
> John Tibbetts: I support the work in this group because it takes a higher-level semantic viewpoint for web security; that is, a concept of credential, rather than just focussing on the lower-level flows and protocols...This is what we need for the more semantically rich credentials to support something like an electronic transcript. John Tibbetts, IMS Global Chief Product Architect.
> Dave Longley: +1 To that proposal
> Henry Story: And I think the other is to speak about the size of the members support
> Brian Sletten: I think the other part of the response would be to just find out what the exact objections are that are keeping us from moving forward. If they don't act in good faith, what is our recourse?
> Henry Story: ( I don't actually know how big the support is being new to this group )
> Manu Sporny: Yes, to get that before we proceed. We want it to be clear to us that we aren't wasting our time and so it's clear to the others what is happening if they don't participate in the discussion.
> Manu Sporny: Eric, if they don't show, we need to clearly negotiate what happens in that case. I'm going to strongly assert that the work should not stop if they don't show. We've got a number of people around the table that want the work to proceed; we don't want it held hostage by people who won't discuss.
> Eric Korb: As CEO of Accreditrust, I echo Nate Otto's comments, "I have found this group to have some members who have clear ideas about a technical direction to proceed in, but that those people are very open to making sure that we are building the right technology and formulating our use cases properly."
> Manu Sporny: There's already enough member support to approve a charter and the hope is that it's growing.
> Manu Sporny: We have 44 organizations saying "Yes, we want this problem solved", 17 of them are W3C members, 7 of them are non-members that would join, and 16 of them are sitting on the fence.
> Eric Korb: I also support the opinions of JohnTib, "I support the work in this group because it takes a higher-level semantic viewpoint for web security; that is, a concept of credential, rather than just focussing on the lower-level flows and protocols...This is what we need for the more semantically rich credentials to support something like an electronic transcript."
> Manu Sporny: I'm going to take what has been said in the call today back to W3C staff. Say that the group would like to start by interviewing all these folks that have not been necessarily supportive/critical of the work, etc and get all their thoughts down. And that specifically that we feel that creating a new group is unnecessary; that this is an open forum. People and their orgs can come in and we can document their concerns.
>
> Topic: Tasks for Credentials CG
>
> Manu Sporny: https://github.com/opencreds/website/issues/14
> Manu Sporny: The more people we have on these tasks and the faster we can get the list done the faster we can get to a charter for a WG. A lot of this is documentation work. We need to explain our thinking around each one of these items. Will anyone volunteer for what's on that list?
> Brian Sletten: What's the time frame?
> Nate Otto: I can put some time in... looking
> Manu Sporny: ASAP. If we can get it all done in 4 months, we can potentially get a group started then. If it's 8 months, it's that long.
> Henry Story: My guess is that January would be the fastest any work can be done.
> Manu Sporny: If you say, for example, say you sign up for "Create a comparison between Identity Credentials and OpenID Connect" then you'd write a paper/blog post on that.
> Brian Sletten: I'll commit to a couple of them.
> Nate Otto: I can do one or two of the comparison blog posts at least.
> Manu Sporny: Just tell me offline what you're signing up for and I'll put your name beside it.
> Henry Story: I am still too new to this work, but I'll be interested to review
> Eric Korb: I updated doc
> Nate Otto: I can do both SAML and OpenID Connect.
>
> Topic: Linked Data Fast Track WG Update
>
> Manu Sporny: We demo'd the credentials work to Sir Tim Berners-Lee's team at MIT. I know Henry is involved with that team as well. There is consensus to coordinate on RDF Dataset Normalization and Linked Data Signatures. I had a fairly in depth conversation with Tim about that. Right now there is a fast track proposal for the RDF Dataset Normalization work. We will work on a charter and still need 20 votes, but believe we can do it. There's no one pushing back, it's just a matter of writing the charter, get feedback, and then put in front of W3C staff and then membership for a vote.
> Manu Sporny: Any other concerns/comments on the direction we're taking over the next week or so?
> Henry Story: Is that Linked Data Fast Track _Platform_ or just Linked Data Fast Track?
> None
> Manu Sporny: Henry, it's really "Specification Fast Track" - one of the first specs might be the RDF Dataset Normalization spec.
> Henry Story: What is the Fast track thing? Is it to do with LDP or with Linked Data?
> Henry Story: Ah cool
> Manu Sporny: It's to do w/ general W3C process. A number of the member companies at W3C TPAC this year were trying to figure out a way to get a spec to REC faster than the 4+ year process it takes.
> Manu Sporny: JSON-LD made it through in 2 years.
> Manu Sporny: I think they're trying to speed it up to 1 year now.
> Henry Story: Btw. does your normalisation algorithm allow me to normalise rdf to disk, so as to minimize differences when someone edits a file?
> Manu Sporny: The idea is that you start at CR (if you have a fully baked spec, at least two implementations, and a test suite)
> Henry Story: Nice
> Henry Story: And here they want to do PATCH too?
> Manu Sporny: The normalization algorithm that dlongley created does enable you to normalize RDF to disk
> Manu Sporny: PATCH may be in a different fast track group
> Manu Sporny: We're trying to focus on something that has an almost guaranteed chance of success.
> Henry Story: Yes. makes sense.
> Manu Sporny: There are some that are saying that LD Patch isn't ready
> Manu Sporny: I don't think anyone is saying RDF Dataset Normalization isn't ready.
> Manu Sporny: We're just trying to reduce the number of variables that might create failure.
> Henry Story: ( I can imagine that it can be complex as new mathematical algorithms come out )
> Manu Sporny: There are improvements that could be made (for example, memory consumption w/ large bnode graphs), but we have to cut version 1.0 at some point.
> Manu Sporny: And the solutions that the algorithm creates aren't wrong, we just need to seek if we have consensus since a standardized solution doesn't exist right now.

Received on Wednesday, 11 November 2015 09:39:28 UTC