- From: Alex Jackl <alex@bardicsystems.com>
- Date: Wed, 11 Nov 2015 09:21:56 -0500
- To: Stuart Sutton <sasutton@dublincore.net>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, Credentials CG <public-credentials@w3.org>
- Message-ID: <CAGHXJigYSinFGEwQPKzhj1ifT1_GLqS3rS+G7SLKi0yGs_906g@mail.gmail.com>
My apologies for missing the call this week. I will be in attendance at our next call. I second Stuart's thoughts. On Wednesday, November 11, 2015, Stuart Sutton <sasutton@dublincore.net> wrote: > Manu, my aplogies for missing the call and your briefing; but, thanks to > the excellent scribing, it is clear for me that the position you have > framed to extend an explicit, open invitation to those opposed to attend a > CG meeting and present their points of opposition is a quite appropriate > position to take. I've not been on the CG long, but I see no evidence so > far that opposing thoughts would not be fully considered. > > Manu, I also firmly agree with your statement "that the work should not > stop if they don't show." > > Stuart > > On Tue, Nov 10, 2015 at 12:25 PM, <msporny@digitalbazaar.com > <javascript:_e(%7B%7D,'cvml','msporny@digitalbazaar.com');>> wrote: > >> Thanks to Dave Longley for scribing this week! The minutes >> for this week's Credentials CG telecon are now available: >> >> http://opencreds.org/minutes/2015-11-10/ >> >> Full text of the discussion follows for W3C archival purposes. >> Audio from the meeting is available as well (link provided below). >> >> ---------------------------------------------------------------- >> Credentials Community Group Telecon Minutes for 2015-11-10 >> >> Agenda: >> >> https://lists.w3.org/Archives/Public/public-credentials/2015Nov/0014.html >> Topics: >> 1. Credentials Task Force in WPIG Update >> 2. Tasks for Credentials CG >> 3. Linked Data Fast Track WG Update >> Organizer: >> Manu Sporny >> Scribe: >> Dave Longley >> Present: >> Dave Longley, Manu Sporny, Henry Story, Laura Fowler, Rebecca >> Simmons, Brian Sletten, Gregg Kellogg, Nate Otto, Eric Korb, John >> Tibbetts, Chris Webber >> Audio: >> http://opencreds.org/minutes/2015-11-10/audio.ogg >> >> Dave Longley is scribing. >> Manu Sporny: Last week we talked about what happened at W3C >> TPAC. The good news is that the Web Payments IG wants to do >> something around Credentials; we're trying to figure out where to >> do the work and where to write the charter and tie up loose ends. >> Manu Sporny: There's an action item on me to propose a way >> forward for Credentials at W3C. We made a proposal; it had mixed >> feedback. We'll discuss that. We'll also be assigning tasks to >> folks. We'll give an update on our discussion with the SoLiD team >> as well. We chatted a bit with TimBL on the HTTP signatures stuff >> as well. >> Henry Story: Ah cool, interested about hearing the discussion on >> SoLiD >> Manu Sporny: Anything else we need to cover today? >> >> Topic: Credentials Task Force in WPIG Update >> >> Manu Sporny: >> >> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials >> Manu Sporny: We have made some modifications to the proposal as >> a result of the call yesterday. I'll review what was proposed and >> then talk next steps. >> Manu Sporny: The goal is to determine whether or not a W3C >> Working Group should be created. The outcome of this task force >> will either be a charter for the W3C member to vote on to start >> the work or it's going to be a finding that we should not do the >> work at W3C. Clearly, the people in this group would like to see >> it started at W3C. There are some other people who feel the world >> isn't ready to see this work start. >> Manu Sporny: A lot of the proposal is based on the survey we >> did. 58 orgs filled it out; how they view a proper credential >> ecosystem. We had them rate capabilities. We kept it data driven >> and so it was difficult for people who are against the work to >> argue against. >> Manu Sporny: >> >> https://www..w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials#Concerns >> <https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/Credentials#Concerns> >> Manu Sporny: There were a number of concerns that were raised. >> The concerns were added to the wiki. >> Manu Sporny: Some of those concerns are questions we need to >> answer. Some of them we are in no position to answer. "What is >> the jurisdictional scope of a credential and how are they >> regulated?" Way too early to answer but it was raised as a >> question to answer at some point. >> Manu Sporny: In general, the IG said "Yes, we should do >> something about this and this proposal isn't offbase." Only +1's >> to say we should proceed with the work. The pushback was where >> the work would happen. >> Manu Sporny: The proposal was that this group (this CG) would >> just shift gears and work on the questions. >> Manu Sporny: There was almost immediate objection to that. >> Because there are people (some of whom we know, and some of whom >> we don't know) that feel that we don't have a neutral forum here. >> Meaning, we've worked on technology like the Open Badges stuff, >> technical implementations have been discussed and because of >> that, this group isn't neutral. >> Henry Story: Argh. >> Manu Sporny: A request was made for another group to be made >> that can't talk about the technology; and only talk about >> capabilities. >> Manu Sporny: Speaking as an individual, this is fantastically >> frustrating because we strive to be very neutral in this group >> and have a good track record of doing so. This group started out >> with use cases and no particular technology focus. We had two >> input specs. We didn't have a strong technical view, etc. we did >> discussions, found data, worked from there. There are people are >> saying (again, people we don't know who they are) that we aren't >> neutral and that they weren't involved. These people didn't join >> the work a year or so ago but now they are saying that their >> views weren't taken into account. We have identified a number of >> people that we *do* know and we've been talking with them and >> asking them to discuss things with us and that's great and is not >> an issue. The problem is the people who are only talking through >> W3C staff and we can't talk to them directly ... and the only >> solution seems to be creating a new group that is filled with the >> same people in this group, plus a few more, and that can't talk >> about technology solutions. >> Manu Sporny: Please provide your input ... do you support a new >> Community Group focused only on capabilities and writing, no >> tech, etc. We need to hear opinions from this group. >> Henry Story: If I look at the Linked Data Protocol group, which >> was headed by IBM. They had implementations, they had a lot of >> people, they had narrowed down the technology and the specifics >> and a proposal put forward. This seems suspicious to me; I don't >> know the process all that mutch, but it seems a bit weird. >> Henry Story: I'd like to speak with Arnaud and see what he said. >> I think you just need 20 members or some percentage to get people >> on board. The danger is if you get too many people on board then >> it's too general and becomes hard to succeed. That's me from an >> outsider's perspective. >> Henry Story: You have more understanding, Manu, of the politics. >> Manu Sporny: I think you're right in that it's strange. I think >> there's a fair degree of misunderstanding. There is a mismatch >> between what we're trying to do and what people think we're doing >> here. Let me try and draw where the various points of confusion >> are. I think there's a misunderstanding on what we're working on. >> Like we're working on authentication protocols like FIDO. We're >> absolutely not doing that here. The tech we're using here could >> be used with authentication but that's not what we're primarily >> pushing here. >> Manu Sporny: So there's confusion and objection over that. >> Manu Sporny: There's also confusion over where this group >> started. This group started with "we need to have verifiable >> claims/attributes" and we called them credentials and we were >> open to anyone to come and discuss at length. >> Manu Sporny: I think one problem is that there is some work >> going on at IETF that is similar; that group had already started >> and was already charted and once chartered they really push their >> world view. For example JOSE. There's nothing wrong with that >> there's a good technical implementation that fits their use >> cases. But their use cases aren't our use cases. And some people >> looked at this work and thought "nothing needs to be done." Now a >> year later, we have another group at W3C are backing doing work >> with Credentials. Now that other group is objecting because there >> would be two technical specs that conflict with one another. >> There are some things in common but I think the OpenID Connect, >> OAuth, IETF folks think there is more overlap than there is. For >> example, with the digital signature stuff, the JOSE folks are >> looking at that and saying "The Open Credentials folks are coming >> up with a new signature format" but they don't understand Linked >> Data; they aren't looking at the technology and they are just >> saying "We should just try to use their stuff before doing >> something new" without understanding that we already tried that.. >> The mistake we made was not better documenting that effort. >> Manu Sporny: There are a couple of places where there is >> confusion: authentication vs. authorization, etc. and there are >> objections that our group is trying to do something that has been >> done before. There are people that don't understand the >> technology and some say we need to slow the process so people can >> understand that. >> Henry Story: Yep makes sense >> Manu Sporny: I think those are the politics being played but I >> don't think any of it is mean spirited, I just think it's people >> who aren't familiar with the work we're trying to do and jumping >> to conclusions. And then those people talk to W3C staff and say >> "You are on the brink of doing work that's being done elsewhere" >> And W3C doesn't want to do that and says we need to document >> what's different. >> Rebecca Simmons: What you said makes sense, but as an outsider >> it's hard to say what needs to be done. >> Henry Story: It would be itneresting to have a document to show >> how what you are doing goes beyond jose, for example. >> Manu Sporny: If we can answer all of the criticisms and make >> everyone happy then we can create a charter and go forward with >> the work. >> Henry Story: I have some ideas, of how it goes beyond, but it is >> interesting to know it. >> Brian Sletten: If we create a new CG, what's to stop them from >> throwing up obstacles to that CG? >> Manu Sporny: One primary question for this group: Do we want to >> push back and say "This CG you are proposing is the same thing >> we've already done. We'd rather have the people who are objecting >> make themselves known and join us and have the discussion in >> public." the other choice is "We'll create a new CG that doesn't >> talk technology at all and just talks capabilities and that group >> is going to go out and focus these people who are having issues >> and document their objections." >> Manu Sporny: Or there might be another option? Thoughts from the >> group? >> Gregg Kellogg: It seems clear that this is just a mechanism to >> push through their own agenda to overwhelm a new group. Even >> though technology discussions are off the table there I can see >> how it would be phrased to push one tech over another. It seems >> like a big scheme to me. I do think that the work we've done over >> the last year is exactly what a new group would do. I'd like to >> know what would be in front of a new CG that would be different >> that might then lead to a different outcome; otherwise it's a lot >> of wasted effort of a lot of people's time for no good reason >> other than to satisfy a powerful minority that seems frustrated. >> Henry Story: That makes sense to try to find out what these >> people want. >> Manu Sporny: To go back to Henry's point, you only need 20-25 >> member companies to say this work should start; but that is only >> after getting W3C Management approval. They have to agree there >> is consensus around what to work on. Right now ... I thought it >> was there, positive feedback from CEO and some staff contacts, >> but the person in charge of making the decision is unconvinced. >> We want to reach out to that person to find out what would >> convince them. I believe it's down to one person that is holding >> the process up. >> Manu Sporny: I think the general point that the W3C staff >> members in the IG were making was that, "yes, we realize that >> this is somewhat annoying, but you need to create a neutral >> playing field. If a group of people are saying there isn't a >> neutral field, you need to create one so they'll come in." One >> proposal is to create a new CG with the same calls and time as >> this one (just replace it) but tightly focus that group around >> the creation of a charter and answering the questions around what >> needs to be done. >> Manu Sporny: So there are maybe 8 people, at most, that we need >> to interview. We can say it has to be on the record and public on >> what needs to be done. Once we get all those interviews out of >> the way, we will clear those interviews with the W3C staff who >> are saying people are objecting; we'll get a list from them and >> interview those people, clearly document those concerns, etc. and >> then hope that the argument that those people feel they aren't >> being heard is addressed. >> Manu Sporny: The other approach is that we have way more than 20 >> orgs that want to start this work. >> Manu Sporny: We could, instead, and say "If you want something >> else done, you have to propose something. Everyone can't just >> stop because someone feels there's some nebulous better solution >> out there... if you feel it's out there, propose it so the group >> can talk about it." >> Dave Longley: It would be an option to invite them to this >> group. I know they don't think this group is a natural fit. We're >> going to bring together the same group of people w/ other people. >> Could we invite them specifically? [scribe assist by Manu Sporny] >> Dave Longley: Make it a more formal invitation to those that >> have concerns - we want them to talk about concerns - we want >> this to be a neutral group. [scribe assist by Manu Sporny] >> Manu Sporny: I proposed that and they said "It doesn't matter, >> they don't think you have a neutral group so they won't >> participate." >> Manu Sporny: So we could say "ok, fine, people seem to think >> this isn't a neutral group, so let's just create a new group.." >> But we'd have all the same people like you said, with a new group >> name. We'd just be going through new mailing list and set up and >> all that. >> Manu Sporny: I believe that the W3C staff wants to hear from the >> rest of this group. If they don't hear from the rest of the >> people in this CG, and no one else speaks up, their counter >> argument is going to be that it's just Digital Bazaar's opinion, >> not the groups. >> Manu Sporny: Gregg and Henry spoke up but we need more people to >> voice their opinions on where they want this group to go. >> Manu Sporny: If we say people can just join this group the >> counter argument will be that they won't join because it's not a >> neutral group. If we have people in this group clearly saying we >> should either "Create a new group" or "No, same people would >> join." >> Nate Otto: Without all the context, I think creating a new group >> would be more work for uncertain gains. >> Brian Sletten: If we create a new group and they don't come ... >> procedurally what is our response? At some point they are just >> doing a denial of service attack. >> Eric Korb: Why is the onus on us to do this work? How do we >> substantiate their claims? >> Manu Sporny: Procedurally, we'd have to write a new charter, get >> approval of the charter, create the group via W3C CG process, >> create new mailing list, new IRC channel, etc. About a week. Once >> we do all that it would be all of us on the call again, but >> hopefully 4-5 more people. >> Brian Sletten: If they still don't show up, what then? >> Manu Sporny: It helps if we can say there are some folks in the >> group that believe this won't help. >> Brian Sletten: At some point you need to be out in the open, you >> can't just hide behind anonymity and try to stop work that other >> people are working on. >> John Tibbetts: We've done a lot of homework over the last few >> years and months, including the survey. It's time to start >> talking about the technology issues. Talking about the technology >> helps you think about the problem; it's time to be doing that. I >> think we need to push back on that. >> John Tibbetts: We need to get on with it. >> Eric Korb: So, lets object to their work! >> Manu Sporny: Eric asks "How do we substantiate their claims?" >> This is asymmetric. We do a lot of work to answer a concern and >> then there's an objection that says "No you didn't cover this >> other thing." This is coming from someone who cares about >> privacy/security, which is good, but they don't have a company >> that depends on the tech, they aren't going to deploy it, etc -- >> lower priority. One of the problems with that is that we went out >> and documented a bunch of the stuff we've been saying here in >> this group and doing an enormous amount of work which has moved >> things forward a bit, but not far enough. The onus is on us >> because we want to do something; all anyone else has to do is >> just object. One reason the onus has continued to be on us is >> because we've been very receptive to questions and concerns of >> people outside this group. It is getting to the point where we're >> wondering when we've done enough work. >> Manu Sporny: Eric, we can't object to their work because some of >> them aren't doing any, and others of them aren't working on the >> problems we're working on. They are just objecting to our work >> because they think we're working on the same stuff, but we're >> not. >> Nate Otto: I have found this group to have some members who have >> clear ideas about a technical direction to proceed in, but that >> those people are very open to making sure that we are building >> the right technology and formulating our use cases properly. We >> hope this effort moves forward. (Nate Otto, Director, Badge >> Alliance) >> Eric Korb: Manu, thx >> Manu Sporny: The only work out there to "object" to would be >> things like OpenID Connect/OAuth/SAML/etc, but we don't even >> necessarily object to those technologies, some of them may work >> for their use cases, etc -- this again has to do with the >> misunderstandings. SAML and OpenID Connect doesn't work for our >> use cases, and that's the issue. There is work we're doing like >> the expression of a digital credential, there is no work out >> there that is as extensive as we've done. There are things like >> "here's how you can express an email address or a name" but >> there's no work about cryptographically verifiable claims like >> education credentials, doctor's licenses, where people work, etc.. >> That is being proposed/created by this group. >> Chris Webber: So I'll speak up mainly so that I am on the record. >> For me, this work is very important because in order to really >> see federation succeed, I think we need to have clear >> authorization systems and methods of verifying that communication >> has come from one place to another. We've already seen this in >> the ActivityPump spec, where we are basically forced to keep >> record of conversation forever in order so that clients can >> verify its source. >> Chris Webber: This is bad if you are concerned with privacy. >> Henry Story: Though you need to be careful about authorization. >> Eric Korb: +1 Nate >> Chris Webber: Right >> Chris Webber: Authentication and credentials are one of the >> notoriously hardest parts to get working right in federated >> systems. I have a lot of confidence in the members of this group >> to think things through well. >> Manu Sporny: So I'm going to play devil's advocate here; W3C >> staff would channel these other people and say "Yes, but, you >> need a clear set of use cases and you need buy in around that set >> of use cases and you need to talk about capabilities before you >> talking about specs or anything of that nature." >> Manu Sporny: I can take the minutes from today and push back. >> The group can say "We'd like to just do the interviews in the >> group and talk about it with them." >> Manu Sporny: It seems like there is consensus around the group >> that "creating a new CG wouldn't address the issues". People feel >> that they aren't being heard so let's bring them in and listen to >> them and write down those concerns... and maybe from that we can >> figure out if people think they are being heard or if we need a >> new group." >> Eric Korb: +1 Chris >> Manu Sporny: I think we have high attendance in these calls >> because we've really tried to be open and transparent. >> Dave Longley: I second the notion to figure out if the group is >> neutral - why don't people come to the group and receive their >> concerns - why don't we just try that instead of assuming this >> group is not neutral. They should come and try out the group - >> that hasn't even happened yet. The people that have these >> concerns haven't even come to the group to try it out. Let's give >> it a shot. If a new group needs to be created, so be it. [scribe >> assist by Manu Sporny] >> Dave Longley: I would expect that we'd give them a warm welcome >> and address their concerns. [scribe assist by Manu Sporny] >> Eric Korb: +1 Dlongley >> Henry Story: +1 I agree. I am new to the group, and it feels very >> friendly here. >> Manu Sporny: So I think consensus is that we should invite >> people who have concerns and we can spend 30 mins to 1 hour with >> them and clearly document their concerns and how they'd like to >> proceed. Once we've done that, we could talk to them and ask if >> they feel that they are being listened to. >> Chris Webber: Yes, I've experienced a lot of patience and >> thoughtful consideration with my questions here :) >> Manu Sporny: Then we can see where we are at that point. So >> let's not start a new group and instead invite people here and >> see what they have to say and we'll document and circle back >> around and see if they feel heard. If they are, there's no need >> to create a new group. >> John Tibbetts: I support the work in this group because it takes >> a higher-level semantic viewpoint for web security; that is, a >> concept of credential, rather than just focussing on the >> lower-level flows and protocols...This is what we need for the >> more semantically rich credentials to support something like an >> electronic transcript. John Tibbetts, IMS Global Chief Product >> Architect. >> Dave Longley: +1 To that proposal >> Henry Story: And I think the other is to speak about the size of >> the members support >> Brian Sletten: I think the other part of the response would be >> to just find out what the exact objections are that are keeping >> us from moving forward. If they don't act in good faith, what is >> our recourse? >> Henry Story: ( I don't actually know how big the support is being >> new to this group ) >> Manu Sporny: Yes, to get that before we proceed. We want it to >> be clear to us that we aren't wasting our time and so it's clear >> to the others what is happening if they don't participate in the >> discussion. >> Manu Sporny: Eric, if they dont' show, we need to clearly >> negotiate what happens in that case. I'm going to strongly assert >> that the work should not stop if they don't show. We've got a >> number of people around the table that want the work to proceed; >> we don't want it held hostage by people who won't discuss. >> Eric Korb: As CEO of Accreditrust, I echo Nate Otto's comments, >> "I have found this group to have some members who have clear >> ideas about a technical direction to proceed in, but that those >> people are very open to making sure that we are building the >> right technology and formulating our use cases properly." >> Manu Sporny: There's already enough member support to approve a >> charter and the hope is that it's growing. >> Manu Sporny: We have 44 organizations saying "Yes, we want this >> problem solved", 17 of them are W3C members, 7 of them are >> non-members that would join, and 16 of them are sitting on the >> fence. >> Eric Korb: I also support the opinions of JohnTib, "I support the >> work in this group because it takes a higher-level semantic >> viewpoint for web security; that is, a concept of credential, >> rather than just focussing on the lower-level flows and >> protocols...This is what we need for the more semantically rich >> credentials to support something like an electronic transcript." >> Manu Sporny: I'm going to take what has been said in the call >> today back to W3C staff. Say that the group would like to start >> by interviewing all these folks that have not been necessarily >> supportive/critical of the work, etc and get all their thoughts >> down. And that specifically that we feel that creating a new >> group is unnecessary; that this is an open forum. People and >> their orgs can come in and we can document their concerns. >> >> Topic: Tasks for Credentials CG >> >> Manu Sporny: https://github.com/opencreds/website/issues/14 >> Manu Sporny: The more people we have on these tasks and the >> faster we can get the list done the faster we can get to a >> charter for a WG. A lot of this is documentation work. We need to >> explain our thinking around each one of these items. Will anyone >> volunteer for what's on that list? >> Brian Sletten: What's the time frame? >> Nate Otto: I can put some time in... looking >> Manu Sporny: ASAP. If we can get it all done in 4 months, we can >> potentially get a group started then. If it's 8 months, it's that >> long. >> Henry Story: My guess is that January would be the fastest any >> work can be done. >> Manu Sporny: If you say, for example, say you sign up for >> "Create a comparison between Identity Credentials and OpenID >> Connect" then you'd write a paper/blog post on that. >> Brian Sletten: I'll commit to a couple of them. >> Nate Otto: I can do one or two of the comparison blog posts at >> least. >> Manu Sporny: Just tell me offline what you're signing up for and >> I'll put your name beside it. >> Henry Story: I am still too new to this work, but I'll be >> interested to review >> Eric Korb: I updated doc >> Nate Otto: I can do both SAML and OpenID Connect. >> >> Topic: Linked Data Fast Track WG Update >> >> Manu Sporny: We demo'd the credentials work to Sir Tim Berners >> Lee's team at MIT. I know Henry is involved with that team as >> well. There is consensus to coordinate on RDF Dataset >> Normalization and Linked Data Signatures. I had a fairly in depth >> conversation with Tim about that. Right now there is a fast track >> proposal for the RDF Dataset Normalization work. We will work on >> a charter and still need 20 votes, but believe we can do it. >> There's no one pushing back, it's just a matter of writing the >> charter, get feedback, and then put in front of W3C staff and >> then membership for a vote. >> Manu Sporny: Any other concerns/comments on the direction we're >> taking over the next week or so? >> Henry Story: Is that Linked Data Fast Track _Platform_ or just >> Linked Data Fast Track? >> None >> Manu Sporny: Henry, it's really "Specification Fast Track" - one >> of the first specs might be the RDF Dataset Normalization spec. >> Henry Story: What is the Fast track thing? Is it to do with LDP >> or with Linked Data? >> Henry Story: Ah cool >> Manu Sporny: It's to do w/ general W3C process. A number of the >> member companies at W3C TPAC this year were trying to figure out >> a way to get a spec to REC faster than the 4+ year process it >> takes. >> Manu Sporny: JSON-LD made it through in 2 years. >> Manu Sporny: I think they're trying to speed it up to 1 year now. >> Henry Story: Btw. does your normalisation algorithm allow me to >> normalise rdf to disk, so as to minimize differences when someone >> edits a file? >> Manu Sporny: The idea is that you start at CR (if you have a >> fully baked spec, at least two implementations, and a test suite) >> Henry Story: Nice >> Henry Story: And here they want to do PATCH too? >> Manu Sporny: The normalization algorithm that dlongley created >> does enable you to normalize RDF to disk >> Manu Sporny: PATCH may be in a different fast track group >> Manu Sporny: We're trying to focus on something that has an >> almost guaranteed chance of success. >> Henry Story: Yes. makes sense. >> Manu Sporny: There are some that are saying that LD Patch isn't >> ready >> Manu Sporny: I don't think anyone is saying RDF Dataset >> Normalization isn't ready. >> Manu Sporny: We're just trying to reduce the number of variables >> that might create failure. >> Henry Story: ( I can imagine that it can be complex as new >> mathematical algorithms come out ) >> Manu Sporny: There are improvements that could be made (for >> example, memory consumption w/ large bnode graphs), but we have >> to cut version 1.0 at some point. >> Manu Sporny: And the solutions that the algorithm creates aren't >> wrong, we just need to seek if we have consensus since a >> standardized solution doesn't exist right now. >> >> >> >> >> > -- Alexander Jackl CEO & President, Bardic Systems, Inc. alex@bardicsystems.com P: 401.384.0566 F: 617.812.6020 http://bardicsystems.com
Received on Thursday, 12 November 2015 09:07:42 UTC