- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Sat, 21 Nov 2015 16:57:29 -0500
- To: Credentials Community Group <public-credentials@w3.org>

Hi all,

After LOTS of socializing the proposal this week, we seem to have general alignment among the various groups involved. Here's the proposal as it stands right now:

https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/VerifiableClaimsTaskForce

The full text is included below for those that would like to respond in-line.

--------------------------------------------------------------------

Verifiable Claims Task Force PROPOSAL

Goals

Determine if a W3C Working Group should be created to standardize technology around a verifiable claims ecosystem (aka: credentials, attestations). The Task Force will invite a diverse set of participants**1 into a neutral group to discuss use cases (such as enrollment) and the problem area in general. The group will document and analyze concerns raised in various fora around the value-add that W3C could provide around verifiable claims that are user-centric.

**1 Participants are expected to be invited from organizations like W3C, IETF, IMS Global, claims issuers, identity providers, claims consumers, the Credentials CG, the general public, and a variety of other organizations and individuals that have shown interest in the space.

Definitions

* verifiable claim - a cryptographically non-repudiable set of statements made by an entity about another entity.
* user-centric - a system that places people and organizations in the center of an ecosystem. To understand more about this design choice, read about its ramifications in the section titled "User-Centric vs. Service-Centric Architecture".
* service-centric - a system that places services in the center of an ecosystem. To understand more about this design choice, read about its ramifications in the section titled "User-Centric vs. Service-Centric Architecture".

Problem Statement

There is currently no widely used user-centric standard for expressing and transacting verifiable claims (aka: credentials, attestations) via the Web. Data has been gathered demonstrating a desire to create such an interoperable ecosystem around the expression and transmission of verifiable claims.

These problems exist today:

* In existing service-centric architectures, identity services inject themselves into every relationship in the ecosystem. This means users can't easily change their service provider without losing their digital identity. This leads to vendor lock-in, identity fragility, reduced competition in the marketplace, and reduced privacy.
* There is no interoperable standard capable of expressing and transmitting rich verifiable claims that cuts across industries (e.g. finance, retail, education, and healthcare). This leads to industry-specific solutions that are costly, inefficient, proprietary, and inhibit users' ability to manage their digital identities in a coherent way.
* There is no standard that makes it easy for users to assert their qualifications to a service provider (e.g. I am a citizen of the USA, I am a board-certified doctor, etc.).

Out of Scope

The following items have been identified as out of scope for the Task Force.

* Making any decisions on the "correct" set of technologies to use to solve the problem. However, discussion about technologies that exist and how they could be applied to the problem are in scope.

Stakeholders

* Issuers - ETS, Pearson, Walmart, Verisys, Target, NACS, New Zealand Government, Bloomberg, IMS Global member companies
* Identity Providers / Identity Vaults - Accreditrust, Verisys, Bill and Melinda Gates Foundation, Deutsche Telekom
* Consumers - Walmart, Target, NACS, Bloomberg, New Zealand Government, Education Institutions (IMS Global member companies), Financial Institutions, (customers of Issuers today)

Task Force Operation

If formed, the WPIG Verifiable Claims Task Force will:

* be composed of representatives from the Financial, Education, Healthcare, NGO, and Government sectors
* have individual recorded interview calls at times that work for the interviewees
* have weekly calls starting on Tuesdays at 11am ET (but could be rescheduled for other times that work better for participants) on a to-be-determined teleconference bridge
* work on completing the identified deliverables
* report its findings to the WPIG by early February

Success criteria

Either

* Clear documentation demonstrating that W3C cannot add value in this area, or
* A well-socialized W3C Credentials Working Group charter (and supporting documentation) that would go to a W3C AC vote.

User-Centric vs. Service-Centric Architecture

* A verifiable claims ecosystem that is user-centric has the following attributes:
  + Users are positioned in the middle between issuers and consumers.
  + Users receive and store verifiable claims from issuers through an agent that the issuer does not need to trust.
  + Users provide verifiable claims to consumers through an agent that consumers needn't trust; they only need to trust issuers.
  + Verifiable claims are associated with users, not particular services; users can decide how to aggregate claims and manage their own digital identities.
  + Users can control and own their own identifiers.
  + Users can control which verifiable claims to use and when.
  + Users may freely choose and swap out the agents they employ to help them manage and share their verifiable claims.
  + Does not require users that share verifiable claims to reveal the identity of the consumer to their agent or to issuers.
* A verifiable claims ecosystem that is service-centric has the following attributes:
  + Services are positioned in the middle between issuers, users, and consumers.
  + Users receive and store verifiable claims from issuers through an agent that the issuer must trust, or they must be the same entity.
  + Users provide verifiable claims to consumers through an agent that consumers must trust.
  + Verifiable claims must be associated with services, fracturing a user's digital identity potentially against their desire.
  + Services control and own their users' identifiers.
  + Users' verifiable claims are locked in agent silos.
  + Requires users that share verifiable claims to reveal the identity of the consumer to their agent and issuers.
  + Consumers may have to register with users' agents to consume verifiable claims.

Deliverables

* Recorded interviews around the problem statement with at least: Brad Hill, Dick Hardt, Jeff Hodges, Karen O'Donahue, Harry Halpin
* Technology comparisons between at least these existing technologies: OpenID Connect, SAML, Identity Credentials
* A Verifiable Claims Use Cases document
* A Verifiable Claims Vision document (optional)

If W3C can add value in the space, the WPIG will produce:

* A widely socialized Verifiable Claims WG charter
* A Verifiable Claims Roadmap document (optional)

Milestones / Timelines

* 2015-11 - WPIG - Discussion of Verifiable Claims Task Force Proposal and if all goes well, the creation of the Task Force
* 2015-12 - VCTF - Perform background research listed in deliverables
* 2016-01 - WPIG - Start drafting charter for feedback, start finalizing input documents to future WG
* 2016-02 - WPIG - Publish background research findings, finalize draft charter, finalize input documents
* 2016-03 - VCTF/WPIG/CCG - Co-locate face-to-face meeting to discuss path forward (AC review, WG creation, etc.)

-- manu

--
Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Web Payments: The Architect, the Sage, and the Moral Voice
https://manu.sporny.org/2015/payments-collaboration/

Received on Saturday, 21 November 2015 21:57:55 UTC