Verifiable Claims Telecon Minutes for 2016-04-05

Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2016-04-05/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-04-05

Agenda:
  https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Apr/0006.html
Topics:
  1. Introduction to Christopher Allen
  2. Blockchain Interest in Identity Credentials
  3. Review of Questionnaire
  4. Charter Review To Date
  5. Options Moving Forward
Organizer:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Shane McCarron, Manu Sporny, Christopher Allen, 
  Carla Casilli, Matt Stone, Peter Hofman, Gregg Kellogg, David I. 
  Lehn, Bill DeLorenzo, Colleen Kennedy, Jason Weaver, Rob Trainer
Audio:
  http://w3c.github.io/vctf/meetings/2016-04-05/audio.ogg

Dave Longley is scribing.
Manu Sporny:  So we've had some concerning feedback on the 
  charter and without mentioning it too specifically, we'd like to 
  get some feedback from everyone here on that as best we can and 
  we'll be discussing our strategy moving forward to get the 
  charter to the next stage.
Christopher Allen:  I'd like to briefly explain what the bitcoin 
  and blockchain community are thinking about in this space.
Manu Sporny:  Yes, let's do a brief intro to you and some of your 
  background and if you can launch into who you're representing at 
  W3C and talk about blockchain that would be great.

Topic: Introduction to Christopher Allen

Christopher Allen:  My name is Christopher Allen, probably best 
  known for leading the IETF effort to make SSL and TLS 1.0 a 
  standard. That was a 4-5 year process to get through and today is 
  largest deployed security standard in the world. Involved in a 
  lot of different things, smart contracts, CTO of Certicom, mobile 
  dev, all kinds of interesting things. Most recently in the last 
  two years, I've been involved in the bitcoin/blockchain area.

Topic: Blockchain Interest in Identity Credentials

Manu Sporny: http://id2020summit.org/
Christopher Allen:  I've been hired by Blockstream to lead their 
  standards efforts and to do research into specific initiatives. 
  One of them is to work on decentralized ID. For the past year 
  I've been working on XDI which is an OASIS standard, making it a 
  decentralized protocol rather than centralized. We produced a 
  strawman last Oct and moving forward. They presented their ideas 
  to get a SBIR grant. DB has also submitted research proposals and 
  they also won an SBIR and I'm helping with that as well. At UN 
  I'm working on self-sovereign identity ... around issues human 
  rights, refugees, digital identity. I'm very passionate about 
  decentralized identity and I don't know how to do it without 
  blockchain technologies.
Manu Sporny: 
  https://github.com/bitcoin/bips/blob/master/bip-0070.mediawiki
Manu Sporny: 
  https://github.com/bitcoin/bips/blob/master/bip-0075.mediawiki
Christopher Allen:  I've come to W3C around the verifiable 
  identities and what you call user-centric and we call 
  self-sovereign identity is exactly what we need to have for the 
  blockchain community. We have BIP-70 which is a standard, it's 
  roughly equivalent to a Web Payments standard, someone looked at 
  it and said they are 80% similar. BIP-75 (?) helps you share 
  credential information. Particularly useful when you have to 
  report things for large transactions. It's not a KYC but a "I'm 
  transferring more than $10K worth of value and have to report 
  that." We want to do that with confidentiality and in no way do 
  we want that info to connect to the actual funds transferred etc. 
  We're creating a private channel and sending credentials. X.509 
  is a problem here it makes us uncomfortable and we'd like to see 
  verifiable credentials used to replace X.509 in a more 
  decentralized way. We want to reconcile BIP-70 with Web Payments 
  and Confidential Channels to Web Payments and we'd love to see 
  verifiable credentials/claims, something very much in that 
  direction for a variety of future work.
Christopher Allen: http://www.ID2020.org
Christopher Allen: Conference at UN http://www.ID2020summit.org
Manu Sporny:  So hopefully people understand from that that we're 
  gaining interest from a number of other industries, payments and 
  education involved, hopefully some national gov'ts will be 
  joining us soon can't talk too much about it yet. Showing the 
  work we're doing is quite interesting to people who are feeling 
  the pain of a lack of credentials on the Web.
Manu Sporny:  Any other additions to the agenda?
None

Topic: Review of Questionnaire

Manu Sporny:  We have an editor's draft of a charter and use 
  cases, FAQ, final report, for VC that we're asking for feedback 
  on. We're going to be circulating a questionnaire.
Manu Sporny: Questionnaire for feedback on Verifiable Claims 
  Editors Draft Charter: http://goo.gl/forms/8aQ0UPDPDo
Manu Sporny:  If folks haven't had a chance to review it, please 
  respond with feedback.
Manu Sporny:  The question we're asking people is "Does the 
  charter look good to you, and if not, what needs changing? And if 
  it looks good, will you actually join the WG?"
Manu Sporny:  That's the key question. Is anyone going to object 
  -- and if you don't object, will you actually join and put 
  resources into the WG?
Manu Sporny:  We have ~50 orgs to circulate the charter to and 
  get feedback.
Manu Sporny:  If folks have had time to review the questionnaire, 
  does anyone have any comments/concerns about it?
Christopher Allen:  I answered it yesterday and I felt like, 
  compared to earlier charters, I felt that there was some watering 
  down on user-centric, self-sovereign stuff I care about but I 
  felt I could live with it and move forward.
Manu Sporny:  That wasn't the intent, we tried to keep it in 
  there.
Christopher Allen:  I agree it's in there, I just felt that it 
  was becoming a smaller piece, but I'm fine with it. I can't 
  compromise on that piece.
Carla Casilli: Wondering if we should include a question about, 
  if you are a W3C member and would participate, how many people 
  from your oganization would be able to contribute to the work?
Manu Sporny:  I think no one wants to compromise on that in this 
  group. This group has been about that from the beginning, it's 
  what differentiates it from OpenID Connect, SAML, existing 
  technologies.
Christopher Allen: In my case at last 1.0+ FTE engineers
Manu Sporny:  If others feel like we've accidentally watered it 
  down we want to change it, so that's good feedback.
Christopher Allen:  BlockStream would probably put in multiple 
  engineers but equivalent to 1.0 FTE.
Manu Sporny: WebDHT proposal: 
  http://opencreds.org/specs/source/webdht/
Matt Stone:  The balance between focusing on identity and claims, 
  etc. is important. [missed]
Matt Stone: +1 On ChristopherA contribution :)
Christopher Allen:  I want to be able to add selective disclosure 
  -- I've got a cryptographer looking into several things there. 
  That's not a requirement in the group, but we're taking it a 
  notch up. This isn't necessarily something big banks are going to 
  jump in feet first, there's some entrenched momentum. But we 
  think we can get hearts/minds of dev community and signing a 
  file, allowing delegation, allowing code coverage, different 
  types of reputation, "i put 20 hours of security review into 
  build X and found a flaw" those kinds of statements get the dev 
  community interested. And because of the blockchain hype (to be 
  honest) we have some small countries interested in the work.
Christopher Allen:  This allows us to roll some of this stuff out 
  in PoCs and such. Figuring out a strategy from small to the big, 
  feels like ... the results of some of the pushback we're getting 
  from the big.
Manu Sporny:  If you're on this call, please feel out that 
  questionnaire.
Shane McCarron: Remember that it is okay to lobby your friends 
  too
Manu Sporny:  The way we get this work started is if 25 orgs 
  commit to putting someone into the WG and even more that will 
  commit to supporting the work even if they can't get someone into 
  the WG. Please get them to me by 3pm today.
Christopher Allen: +1 For adding number FTE to survey
Manu Sporny:  "Them" meaning any feedback to the questionnaire 
  (any changes) because we'll be sending it out at 5pm or so.
Manu Sporny:  To 50 orgs, and also, please spread the word.
Shane McCarron: (Manu means 5pm eastern time)
Manu Sporny:  I'm a -1 to putting FTE in the survey, we just want 
  to know if they are going to send someone. That's good enough, we 
  don't need an exact number right now, want to keep the 
  questionnaire simple.
Christopher Allen:  I was at hyperledger meeting -- they are 
  talking about these types of things, OASIS XDI is, there's a W3C 
  blockchain community that is skirting around some of these 
  issues. I just wanted people to be aware that there's a desire in 
  some communities they may not be aware of VC/credentials, but 
  there are people to recruit.
Manu Sporny:  One way to do that is to point them at this 
  questionnaire. If you know of an org that isn't participating 
  regularly in this group, please ping them.
Manu Sporny:  The charter and use cases are hopefully a good 
  intro to what we want to do.
Shane McCarron: IDPF would have interest here.  RIAA.  CTA.

Topic: Charter Review To Date

Manu Sporny:  A number of us went to the W3C AC meeting in Boston 
  a couple weeks ago. We talked with large orgs and people 
  concerned about the charter and alleviated concerns there. We got 
  some good input from W3C TAG and that was going fairly well.
Manu Sporny:  We have since received feedback through the AC 
  forum. The AC is 400 individuals with reps from orgs members. And 
  charter reviews can happen on the AC forum and we got responses 
  back from two very large orgs.
Manu Sporny:  Both of them gave mixed feedback. These are two out 
  of 400 that have provided feedback. The responses fit into a 
  couple of themes.
Manu Sporny:  The first theme has to do with the orgs feeling 
  work is being done elsewhere, like at ISO. The problem with the 
  ISO stuff is that we can't see it because it's $80K or $180K or 
  something a year to see it. Through a liaison relationship we're 
  going to try and see that stuff. To be clear, the Web is not 
  powered by ISO standards, but they are related. They did not 
  point at OpenID/SAML, they said that the data format stuff is 
  happening at ISO so W3C shouldn't do the work.
Manu Sporny:  The second theme was some skepticism that W3C won't 
  staff the work. W3C staff is spread thin these days, we've 
  suggested hiring a W3C fellow to do it.
Manu Sporny:  More feedback was that they weren't hearing from 
  any orgs with skin in the game. No one from this group responded 
  and that silence was viewed as indifference.
Shane McCarron: I wrote a blog post about this... 
  https://www.spec-ops.io/blog/investing-and-being-invested-standards
Manu Sporny:  If you are in this group and you are a W3C member 
  and you did not respond to that W3C AC post for the review of 
  this charter *please* make sure you respond, get your AC rep to 
  respond.
Christopher Allen:  I officially joined today, so if you can 
  point me where to respond or who to respond.
Manu Sporny: Request for informal AC review of charter: 
  https://lists.w3.org/Archives/Member/w3c-ac-forum/2016JanMar/0081.html
Manu Sporny:  What you said in the Credentials CG and Web 
  Payments IG was great but the AC forum folks won't see it. They 
  are fantastically involved and for larger orgs they are in a lot 
  of WGs. Anyway, what you said was great it just needs to get in 
  front of these other orgs.
Manu Sporny:  So second theme was they weren't hearing support. I 
  think people in this group are thinking that it should be 
  obvious, because they've been in here for years that you support 
  the work, but none of the other AC members know that.
Manu Sporny:  So please respond so that they know.
Manu Sporny:  The third theme was a bit frustrating because we've 
  been asked multiple times not to presuppose a solution by W3C 
  staff and a couple member orgs -- to not push any particular 
  agenda. You could argue that the Credentials CG has an agenda, we 
  have a particular design and some nascent specs. We got feedback 
  from W3C members that the correct way to this stuff is twitter, 
  facebook login, google plus, etc.
Manu Sporny:  We're saying that we're going to create a data 
  format/syntax that works and not work on protocols but we'll 
  figure that out in the WG.
Manu Sporny:  Now we're being told by other orgs that we have to, 
  instead, do the opposite, and take a position, have some spec 
  input and say what the one true way of doing this is. And they've 
  said to go back an incubate for 6 mo-year (etc) and come back 
  with a proposal.
Manu Sporny:  Those are the themes we're hearing, but to 
  underscore, this is just from two member companies out of 400.
Shane McCarron:  I don't want anyone here to take the feedback 
  he's relaying the wrong way. One person made a comment and that 
  comment is very different from the comments we've been hearing. 
  We haven't gotten that feedback to date. The good news is that we 
  have an answer ... we have been incubating for years. We can say 
  that.
Shane McCarron:  We can also say we didn't bring that forward 
  because of X, Y, Z. Not blame anyone/cast aspersions, but we can 
  go ahead and say this stuff and we can even move forward if 
  there's just one member objecting -- we just need to respond. We 
  can still move forward.
Matt Stone:  This is more a question maybe tactics. If you want 
  ... I just read the email again asking for an informal review of 
  the charter. I looked at this and we're one of the authors and 
  giving continuous feedback here in the group. Where do you want 
  feedback, what's the most bang for the buck?
Manu Sporny:  The best bang for the buck would be to respond to 
  the notion that there aren't big orgs with skin in the game. 
  Pearson is a great counter example to that argument.
Carla Casilli: Are either of the two orgs that provided feedback 
  part of the ISO work? Is there a possible conflict of interest?
Manu Sporny:  Responding directly to that and saying why you're 
  participating and so on and saying that in the AC forum would go 
  a long way in countering that argument.
Matt Stone:  So just reply to that email?
Manu Sporny:  Yes.
Manu Sporny:  You'll want to seek out your rep and have them do 
  it.
Matt Stone:  Got it, I'll try to get through the corporate 
  process.
Manu Sporny: The ISO work is: JTC1 SC 27 
  [http://www.iso.org/iso/iso_technical_committee?commid=45306,  
  https://en.wikipedia.org/wiki/ISO/IEC_JTC_1/SC_27]
Christopher Allen:  I just tried replying but can't yet, I'll 
  figure it out. I've got a question ... it is worthwhile 
  responding to the individual feedback? I don't know, 
  specifically, what's going on with the ISO standard or what it is 
  or what number it is. My guess is that's it's associated with 
  using attributes w/X.509 certificates. It has a centrality to it 
  that all the ISO standards have and that's a problem. Should we 
  respond to those individual things and why those things don't 
  fit?
Manu Sporny: “ISO/IEC 29191 Requirements for partially anonymous, 
  partially unlinkable authentication”, “ISO/IEC 29003 Identity 
  proofing” “WG 5 Study Period on Privacy-preserving 
  attribute-based entity authentication”.
Manu Sporny:  None of these sound like what we're doing, maybe 
  some aspects that overlap, a lot of them sound like studies, not 
  technical proposals. They said their security expert told them 
  not to participate in the work because they're already working on 
  it.
Manu Sporny:  Carla raised a good question -- are these orgs 
  participating in the ISO work and is there a conflict of 
  interest?
Manu Sporny:  I'd say yes they probably are and possible a 
  conflict of interest. I'm sure one of them is heavily involved in 
  trying to produce identity solutions. The argument used was that 
  there are plenty of standardization efforts happening in this 
  space and we don't need another one.
Christopher Allen:  I wanted to add one more thing, 
  hyperledger/IBM submitted their first proposal and some people 
  think steamrolling the process. Further investigation has shown 
  that IBM may be around membership services, which is a 
  centralized CA-like for doing blockchains and other kinds of 
  things blockchains can do and that's something they are 
  fundamentally not telling people about in their strategy with the 
  group.
Christopher Allen:  I'm wondering if there are similar things 
  here -- like entrenched centralized models for these types of 
  things, etc. It could be that some orgs are in the CA services 
  model and that's another level of conflict.
Manu Sporny:  Yeah, selling centralized identity solutions, etc 
  could be conflict of interest. But we should be careful that they 
  aren't responding according to that.
Manu Sporny:  They thought what we're trying to do is identity, 
  but we've said, time and time again we're not trying to solve 
  identity on the Web/Internet, this is just about verifiable 
  claims. But that message is being lost when reading the charter.
Manu Sporny:  So that's maybe something we have to change (spell 
  out) in the charter.
Manu Sporny:  We have 15 mins left, let's move onto how this 
  feedback changes how we work in the next 4-6 weeks. Unless there 
  are objections, I'd like to move us to that.
Christopher Allen:  Was there any objection with how Web Payments 
  fit in?
Manu Sporny:  There were two things I failed to raise -- one of 
  the large orgs wanted to know what browser vendors would need to 
  do. There was some assumption that browser vendors would have to 
  be involved and we've been careful to craft the charter so that's 
  not required but that still wasn't clear.
Shane McCarron: I don't think there is any requirement for 
  built-in user agent support in what we are attempting to specify.
Manu Sporny:  To answer your question -- the Web Payments IG 
  talked about this in the last meeting. The comments from the IG 
  were primarily that this stuff is a fundamental primitive for Web 
  Payments and faster payments, etc. And so the discussion was 
  about how the IG responds in a way that is supportive of the work 
  starting.
Christopher Allen:  I may be able to get some more Web Payments 
  members interested.
Christopher Allen:  It lets people send credentials -- and 
  there's half a dozen banks, $300M funded startups, all talking 
  around in this space. From the blockchain/cryptocurrency field 
  this is something they very much care about. They want to have a 
  transaction with someone that meets regulations but not reveal 
  who you are to third parties.
Manu Sporny:  So the Web Payments work is specifically not 
  chartered to work on that for Phase I, so we can't change that.
Manu Sporny:  But, what you could do is talk to the Web Payments 
  IG and say, for future facing work we care deeply about this and 
  it's required. Delaying start on the work is not an option. What 
  we've been asserting over the last several years is that this 
  work isn't happening elsewhere and if it is, it's not 
  user-centric/self-sovereign, but centralized. And the work being 
  proposed at W3C is not being done elsewhere and is essential to 
  education, healthcare, payments, etc. initiatives.

Topic: Options Moving Forward

Manu Sporny:  We had a bit of a discussion in the WPIG and some 
  sidebars with members in this group. The WPIG is trying to figure 
  out how to take an official position like "This is missing from 
  the Web and we need it." So we're thinking maybe the WPIG could 
  publish a "Finding" like the W3C TAG does for things that are 
  missing the Web Platform or anti-patterns in design, etc. Maybe 
  the WPIG could publish a note and say "This is what we think 
  right now." And the rest of the W3C membership could then see 
  that and that a 179 member interest group says we need to solve 
  this problem.
Manu Sporny:  That's one strategy moving forward. Another is that 
  this group isn't telling W3C what we should do. We (VCTF/CG) do 
  not want to do all the technical work right now, if you do too 
  much the membership doesn't like it. If you do too much work you 
  may not get support because it looks like a rubber stamp, and too 
  little work looks like you don't know what you're doing. So we 
  need something in the middle.
Manu Sporny:  We could split up the Identity Credentials spec 
  into two specs protocol and data format+syntax and then submit 
  the latter to show a drafty proposal.
Manu Sporny:  Then we can talk about how that solution can fit 
  into any of the protocols or into a new one.
Manu Sporny:  So maybe a month of work.
Manu Sporny:  So those are the proposals for moving forward ... 
  one we don't control, that's up to the IG.
Manu Sporny:  As far as work we can do in this group we need to 
  revise the charter and use cases based on feedback, collect more 
  feedback, but one item to add to the work is to propose a rough 
  draft for the WG to start with.
Manu Sporny:  There's really only one thing this group would need 
  to add.
Dave Longley: +1 To proposing a drafty spec on data format+syntax
Christopher Allen:  Where are the lines on the proposals? 
  Couldn't quite follow.
Shane McCarron: I think this group should be advocating with its 
  own and other AC membners to chime in on the earl;y review 
  thread.  I think that is the most helpful thing we can do for our 
  generael case.
Manu Sporny:  We have 3-4 specs that are incubating in the 
  Credentials CG/Opencreds. We've been incubating, WebDHT and the 
  Identity Credentials specs primarily.
Christopher Allen:  Specifically, referring to those two, the 
  WebDHT spec ... it needs to be solved, but it's furthest away 
  from what we need. The spec for the data format/syntax with just 
  the addition of proof of existence you could publish 
  certificates. I would concentrate more on that side of things.
Manu Sporny:  Yeah, exactly. We're not proposing WebDHT be put 
  into a WG now, it's too early. We know we need it for 
  self-sovereign identifiers, but that needs more incubation.
Manu Sporny:  We'd take the IC spec and remove the protocol bits 
  and just show data model + syntax and show how to express it.
Manu Sporny:  And that's it. And we say that's all we're going to 
  work on. We're going to propose how it could go into OpenID 
  Connect/SAML and it's up to those communities to adopt.
Shane McCarron: Doing data model in YAML?  Are you mad?
Shane McCarron: Oh... SAML
Manu Sporny:  Data format + syntax and a note on how it could 
  potentially look in those protocols.
Manu Sporny:  Shane brings up the point that we should be 
  advocating to the AC members -- please, this week, respond to the 
  AC forum.
Manu Sporny:  If you're a W3C member.
Christopher Allen:  Is anyone here going to be at the Internet 
  Identity Workshop this month?
Manu Sporny:  I think that's a no... we should chat with you a 
  bit so you could circulate these ideas at IIW. Identity Woman 
  pinged us about coming to IIW and my hope was that you and 
  Drummond could talk about it there.
Manu Sporny:  That's it for the call today, thanks all.

Received on Tuesday, 5 April 2016 21:27:00 UTC