Verifiable Claims Telecon Minutes for 2016-08-16

From: <msporny@digitalbazaar.com>
Date: Tue, 16 Aug 2016 12:37:47 -0400
To: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
Message-Id: <1471365467500.0.24443@zoe>

Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2016-08-16/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-08-16

Agenda:
https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Aug/0013.html
Topics:
1. Introduction to Bob Burke, Koupon Media
2. Introduction to Adrian Gropper, HealthURL
3. Verifiable Claims Face-to-Face at IIW
4. Verifiable Claims RC-2 Draft Charter
5. IPFS and Verifiable Claims
Organizer:
Manu Sporny
Scribe:
Dave Longley
Present:
Dave Longley, Manu Sporny, Adrian Gropper, Bob Burke, Richard
Varn, Gregg Kellogg, Dan Burnett, Tim Holborn, Dave Crocker,
Kerri Lemoie, Matt Stone, Shane McCarron, David Chadwick, David
Ezell, David I. Lehn, Mark Cherbaka, Adam Lake, Colleen Kennedy,
Matthew Larson, Les Chasen, Eric Korb
Audio:
http://w3c.github.io/vctf/meetings/2016-08-16/audio.ogg

Dave Longley is scribing.
Manu goes over agenda.
Manu Sporny: We have a new participant in the group joining for
the first time today from KouponMedia.
Manu Sporny: We had a nice meeting with Bob in San Jose last
week.
Manu Sporny: We'll do an intro to him at the beginning of the
call. Any other additions to the agenda?
Adrian Gropper: I've joined the call as well.
Manu Sporny: Ok, great, we'd like an intro to you as well after
Bob.

Topic: Introduction to Bob Burke, Koupon Media

Bob Burke: Hello everyone, pleasure to be here, I appreciate all
the work done here. I'm CTO of KouponMedia, been doing digital
offers space for over 5 years now. Interest in VC is an
opportunity for digital offers. We find a lot of clients are
interested in apps and the mobile web experience and VC help
there.

Topic: Introduction to Adrian Gropper, HealthURL

Adrian Gropper: I am a full time volunteer CTO of a non-profit
called Patient Privacy Rights for the past 4 years or so. My
focus is on self-sovereign tech for managing private info.
Adrian Gropper: I'm a long time contributed to user management
authorization work out of the pantara group and the helped start
UMA under OpenID foundation.
Adrian Gropper: All based on OpenID Connect and OAuth, I'm
trying to put together a demo on all these things and how they
fit together under the W3C community model.

Topic: Verifiable Claims Face-to-Face at IIW

Manu Sporny: Welcome Bob and Adrian to the group. We're hoping
this will be very useful for what you're trying to do.
Manu Sporny: We reached out to the folks that run II workshop
and had a good conversation with them to co-locate or getting
space around those days at IIW ... maybe before or after.
Manu Sporny: http://www.internetidentityworkshop.com/
Manu Sporny: Those discussions are still on-going but it's
looking like we're going to meet in October and have our first
F2F then.
Manu Sporny: Loosely, just to recap, there's a meeting of the
rebooting Web of Trust Workshop the previous week to IIW. We
think that it's going to be RWoTW and then VC F2F and then IIW.
Manu Sporny: That would sandwich us in the middle or we might
move it to the end of IIW and co-locate with them, we're still
working through the details but this is our only chance to meet
this year and co-locate.
Richard Varn: Dates please? :)
Kerri Lemoie:
https://www.eventbrite.com/e/internet-identity-workshop-xxiii-23-2016b-tickets-25853411249
Dave Longley: It would be 25-27 October for IIW.
Manu Sporny: We're trying to do RWoT 18-20
Manu Sporny: So around 21-22 or 27-28 (roughly).
Manu Sporny: If we go later we lose a couple of folks, Nate,
Dan, etc.
Dave Longley: I'll be missing regardless, maybe remote access, I
don't know.
Manu Sporny: So those are the dates we're playing with.
Gregg Kellogg: +1 For end of IIW
Manu Sporny: 20-21, 21-22, Or 27-28.
Manu Sporny: Of October.
Manu Sporny: Regardless if we don't co-locate with IIW then
we'll have a big session there.
Dan Burnett: +1 Before IIW
Tim Holborn: Apart from the more centralized versions, the
alternatives appear to be blockchain or biometrics, protecting
self-sovereignty by computational horsepower ... other things,
like IPFS look like a social mechanism for protection. I'm
wondering if pointing out that distinction is a good idea.
Manu Sporny: That's the third agenda topic today.
Manu Sporny: We'll definitely get to it in the agenda today.
Gregg Kellogg: People are probably coming from out of town for
both RWoT and IIW but probably more for IIW and taking onto IIW
may get more participation. That might encourage more adoption.
Myself I'm not available at all during RWoT week.
Manu Sporny: Unfortunately, it's always the case we're going to
lose key people with any dates we pick.
Manu Sporny: Anything else on IIW/F2F?

Topic: Verifiable Claims RC-2 Draft Charter

Manu Sporny: One more thing -- we're looking for folks to put in
some money to help sponsor food and stuff like that for people.
We may need money for a venue, my hope is that SpecOps may put
some in and we want other orgs to help out. We're co-locating so
not that expensive, a couple thousand dollars. Please contribute
if you have the means to do so.
Manu Sporny:
https://lists.w3.org/Archives/Public/public-credentials/2016Aug/0019.html
Manu Sporny: Wendy Seltzer from W3C management team got back to
us with a list of changes she wanted. We responded to everything
and made some concessions in the charter without hopefully
violating what we're trying to accomplish here.
Manu Sporny: We sent that out a little more than a week ago,
havne't heard back yet, in a holding pattern waiting to hear from
W3CM and Microsoft.
Manu Sporny: Hopefully, Shane, when you talk with Google you can
pass this by them as well.
Manu Sporny:
http://w3c.github.io/webpayments-ig/VCTF/charter/rc-2-diff.html
Manu Sporny: Here's a diff marked copy in IRC.
Manu Sporny: It contains the changes that we've made.
Manu Sporny: The main feedback she had was around scope; wanted
to keep it under control. We were talking about transacting
claims in the charter but we weren't planning on standardizing
anything for that in the WG.
Manu Sporny: In the worst case the group might believe it was
chartered to work on a protocol when it's not. We changed words
like "transact" with "express" etc.
Manu Sporny: We're not proposing to do a protocol in this WG.
Manu Sporny:
http://w3c.github.io/webpayments-ig/VCTF/charter/rc-2-diff.html#problem
Manu Sporny: She said we can't promise that what we do will be
widely used so we struck that. In the problem statement is the
biggest change to the charter.
Manu Sporny: There are two conflicting things we're trying to
reconcile: ... there's a general desire from the CCG and the VCTF
to identify a fairly broad problem. We've gone to great lengths
to get consensus on the problem statement. THe problem with this
is that Wendy and MS found issue with it because it sounds like
we're going to try and solve the *entire* problem statement in
the first cut. The yellow text clarifies that the problem
statement provides motivation for the work but the WG scope is
more narrow. So then we list all the things that are out of
scope.
Manu Sporny: For example, protocol is out of scope. A creation
of a self-sovereign ecosystem requires more work than what's in
the charter ... and that's out of scope. Then they said they
wanted us to focus on use cases that had participants in the
group. If we work on something for the automotive industry and we
have no one in the group from that sector we don't focus there.
Instead, we focus on cases for people in the group, like retail,
education, etc.
Manu Sporny: We can't insist that what we're coming up with will
work for industries that aren't in the group.
Manu Sporny: The final thing we say there is that, while the
scope is narrow, the group should not prevent the broader problem
from being solved (keeping the broader problem in mind,
basically).
Manu Sporny: Are people ok with this, does it go too far, etc.?
Tim Holborn: What happens if, through the dev of the work, and
new stakeholders become interested ... are we able to amend?
Tim Holborn: Pending some trigger, if X parties join, etc.?
Manu Sporny: Absolutely, I understand what you're saying. The
third bullet point says will focus on WG participants, it doesn't
say anything about when they join.
Manu Sporny: If we get 5 companies joining from some industry
half way through, that should be in scope.
Tim Holborn: Do we need to add something about onboarding, so
that opportunity is made clear?
Manu Sporny: Let's hear from the group.
Adrian Gropper: We're not saying enough about what
self-sovereignty means relative to the participants and the
scope. For example, when you say education and payments, when you
narrow it to that as opposed to healthcare for example, we're
losing the concept that professional societies that represent ...
like doctors, lawyers, representing both of these groups are much
more interested in self-sovereignty than industrial participants.
I think we can't just focus on industrial contributors out of
say, institutional contributors, like educaitonal, automotive,
that have to deal with that issue.
Dan Burnett: We need to do whatever gets the group created for
now. As long as we participants maintain our understanding of
what is meant by the charter we can do the work we need to do.
Let's modify the charter as little as we can get away with for
now.
Dave Longley: The obvious danger of working on changing the
targets when someone new shows up is that it can destabilize the
process. It can be a non-terminating process as well. The usual
way of dealing with new people joining is to educate them offline
so they don't interrupt the flow. To the extent that people join
with new goals that aren't addressed it makes sense to stop and
think about changing and expanding goals vs. reorienting goals.
If there's a sense that the current goals have a reasonable
degree of core benefit ... then when someone new comes in will
just be adding not asking for changes.
Dave Crocker: Usually, and hopefully and in this case, you can
defer adding things and what this does is to build up a wish list
for V2.
Manu Sporny: Right.
Manu Sporny: Usually the way this happens is that large industry
participants drive the work at W3C. There's a disconnect ... at
least I have observed a disconnect from what is good for society
and what the industry participants want to accomplish and when
they collide it's the organizations that are doing
implementations that have massive numbers of people using their
systems that tend to work out. There's a great example of this
happening in the Web Payments WG right now. The WPCG did a lot of
work to put specs into place, design an ecosystem, etc. and that
ecosystem is definitely not being implemented in a way that CG
wanted to have happen. And the people in this group and in the
VCTF could potentially be in that same position. If we say that
self-sovereign is really important to us and we care about
identifier portability and we want to onboard new work as new
participants come on ... and we'll have two or three very large
technology companies join that disagree with the general
direction.
Manu Sporny: There's very little that can be written into a
charter that can prevent that from happening at W3C.
Manu Sporny: So ... you can recharter the group with new,
expanded scope, but typically they are done once the charter is
written.
Manu Sporny: We don't many healthcare companies or NGOs talking
about citizen rights, etc. so that's where we are.
Tim Holborn: The charter goes out to 2018 and the Web develops
so quickly ... when large companies push the world in a
particular direction and things change very rapidly. A large
number of opinions have been expressed on this call. I think
setting some boundaries on engaging people effectively to bring
them to the table would be good.
Manu Sporny: If you can think of a sentence to put in th
echarter to address that, that would be helpful, but my
experience is that it's really hard to control that.
Manu Sporny: We need to be able to convey people are welcome.
Tim Holborn: There are a variety of stakeholders that can be
positively impacted by this work over time. Between October and
2018 ... is a fair chunk of time and a lot can happen. Locking in
the stakeholders now ... it's less than ideal.
Tim Holborn: Without the means to be able to scale is
unfortunate.
Tim Holborn: Lastly, with regard to self-sovereign identifiers.
VC is very much about what an org says about you. The idea of
having an identity on the Web is different ... and some of the
WebDHT like work addressed some of those works. I understand the
merits and I'm a believer of the human-centric Web but I do have
concerns about the terminology of self-sovereign as opposed to
what may become a digital magna carta, etc. I see that as a
separate issue. WIthin that I think there's an opportunity for
the CG to collaborate with other groups and incubate within CGs.
Tim Holborn: That's a very separate thing from how orgs may
engage in the WG charter. Does that make sense?
Kerri Lemoie: Agree that verifiable claims could be considered
separate from identity yet verifiable claims are dependent on
verifiable identity.
Manu Sporny: I think so. Let's take the definition discussion
and move that to later in the agenda and focus this on the
charter.
Manu Sporny: I'm hearing the charter is too limiting with
respect to the use cases that we're outlining.
Manu Sporny: I think I'm hearing that correctly, is that right?
Adrian Gropper: Yes.
Tim Holborn: I would say, for the status quo, it's quite
reasonable, but if it continues to get more momentum it may get
out of date.
Manu Sporny: What Dave Crocker said is important to note, the
orgs want the scope locked in when it goes out. If the scope
changes the orgs may have to withdraw from the WG and this has to
do with patent requirements and other legal things wrt W3C. A
change in scope while the WG is operating and that's a big red
flag for orgs. They tend to vote against WGs with those problems.
Manu Sporny: Hinting that the scope could change will invite
formal objections -- that's my expectation. That would change MS
from being ok to objecting because they don't know what they are
signing up to.
Tim Holborn: I think that's a very fair concern. Maybe some
mechanism for scope to be locked in and onboarding language.
Manu Sporny: That mechanism is a rechartering.
Manu Sporny: If 20 companies join the group from other industry
then that's a good reason to recharter or as Dave Crocker said,
it's good for version 2.
Manu Sporny: We can say the current work can't prevent version 2
wish list from happening. But very valid points from you and
Adrian.
Manu Sporny: Would be good to see some language to summarize
this discussion and address it.
Manu Sporny: Any other questions on the problem statement or
what's been changed there? That's the biggest change.
Manu Sporny:
http://w3c.github.io/webpayments-ig/VCTF/charter/rc-2-diff.html#goals
Manu Sporny: We say we're going to focus on claims wrt the use
cases document. We now say we're going to say this work has to
cut across at least two industries, previously we said "several",
was too broad.
Manu Sporny: It's fine if we have even more participating.
Manu Sporny: Rest of the changes play with language mostly,
"broad" to "broader", for instance
Adrian Gropper: When we do this with respect to industries --
there are two kinds, regulated through licensed professionals and
regulated at the corporate level. I don't know if we can capture
this aspect in the charter because it's fundamental. The entire
reason for VC is to deal with regulatory practice and if we don't
recognize that some industries ... 99% of money spent in
healthcare is spent by licensed professional not corporation then
I think we'll get lost. It might look like it works for payments.
My experience with [] if you use education that way you don't
make a lot of progress because education is very squishy.
Payments are narrow and not privacy and regulatory intensive. I
just want to point out that point about industrial perspective
vs. licensed professional as a regulatory foundation.
Manu Sporny: So I think we make that distinction in our use
cases which we point to in our charter.
Manu Sporny: We have a number of medical use cases in here.
Manu Sporny:
http://w3c.github.io/webpayments-ig/VCTF/use-cases/#professional-credentials
Matt Stone: We use "regulatory credentials" as a term to describe
the credentials that serve non-commercial/governmental needs.
Tim Holborn: +Q
Manu Sporny: It's certainly not out of scope and we point to
medical use cases in the use cases document. You used a phrase
that sounds like we could easily put it into charter. Corporate
creds vs. licensing professionals ... if you could think of some
language to put into the charter for that that would be good. If
we expand from payments and education to payments, education, and
healthcare ... the problem is we will only have two healthcare
orgs saying they'll participate in the WG. Other W3C members will
want to see more like 5.
Manu Sporny: I think the vast majority of people in the group
agree with you. This tech will be used across many industries of
different types and we have to think about that to ensure it
works.
Manu Sporny: Can you think of some language to use in the
charter to address those concerns?
Adrian Gropper: Yes, absolutely.
Tim Holborn: Medical creds are fairly high-stakes. I'd love to
see a world where signatures are send across the Web ... for
tissue samples, etc. That's particular high-stakes data. Another
possible alternatives is civics. Is there's a use case where you
are looking at the sorts of things that you need in medicine but
not such high-stakes data. You want to see the tech proven out
fairly well.
Manu Sporny:
http://w3c.github.io/webpayments-ig/VCTF/use-cases/#legal-identity
Manu Sporny: As far as use cases are concerned, we talk about
legal identity.
Manu Sporny: And we talk about things like refugee crisis use
cases, digital driving licenses, we do have some lower-stakes use
cases in there.
Manu Sporny: Don't know if that addresses it.
Tim Holborn: Healthcare is pretty serious. To be able to go into
that industry you really need all ducks in a row. Technically, to
be able to example it in an industry where it is working ... less
direct, some of the refugee things ... other areas where you have
similar businesses but isn't as life threatening.
Tim Holborn: I'm wondering if we can achieve the same outcome
for healthcare using a related industry with lower stakes.
Manu Sporny: I think with all of these use cases there are cases
that aren't as high-stakes. Like prefilling a medical form with a
proof of residence/address credential, that's lower stakes. Or an
educational credential that says you've done a weekend course. I
think we have those. If you look at the use cases that drive the
large orgs to want to use it are the high stakes. Lots of
money/risk on the line. Clearly those orgs are going to go
through a multi-year process vetting this technolgoy and while
they are doing it we can still test it out in more low stakes
settings. The strategy is aligned with what you're suggesting.
Tim Holborn: Identifying whether or not an Uber driver had
appropriate credentials was another one.
Manu Sporny: Ok, we've gotten through the charter. Any strong
feelings/objections to the changes made, etc.?
Manu Sporny: Does anyone feel this is unworkable or they
wouldn't join the work?
Shane McCarron: It's not that I wouldn't join the work, you're
jumping through a bunch of hoops here that someone held for you,
what are the odds that the people that held up the hoops will let
things happen?
Manu Sporny: That's an important question. All we can do is do
proper due diligence and act in good faith.
Manu Sporny: At some point it will become apparent that the
people were holding the hoops up had real concerns or it was for
entertainment.
Manu Sporny: I don't think it's just for entertainment, I think
these orgs are intrigued enough to engage with us.
Manu Sporny: If it turns out we made all these concessions and
the answer is still no, then we can roll those concessions back
and go through another standards body.
Manu Sporny: We've done everything we can to act in good faith
and it's up to W3M and MS to respond to that.
David Chadwick: To remind the group and enhancing privacy and
what that meant and it was to be added to that section.
Manu Sporny: That's on me, I forgot. We will make those changes
and Dan Burnett raised some typos to fix.
Manu Sporny: David, please ping me again and make sure I get
that in there.
David Chadwick: Will do.
Adrian Gropper: +Q
David Ezell: It's a bit stronger than the people in the room --
we gave two week period for people to object and we didn't get
any objectiosn even from the companies expressing doubts. You
have IG support.
Manu Sporny: Thank you David.
Adrian Gropper: The comment about the privacy enhancing
terminology makes me want to pile on, but is a much bigger topic.
I spent 2+ years on Identity Ecosystem Steering group ... I don't
want to go into what that is, but it was a missed attempt to
introduce privacy enhancing practices on a very large scale. The
companies that we have here at W3C did not show up ... and the
general problem for dealing with cyber security issues in all
industries is an unsolved problem that MS and Google and a lot of
other organizations have not found a home for how to approach
that. All I'm saying is that the experience we're having ... I
worked for a consultant for the postal service looking at
connect.gov and postal service relative to cyber security ... we
don't have five years to do this work. To start slowly here and
see what happens 2 years after that. Becaus ewe are failing, not
just in the US, but globally, at doing the work we try to do.
Tim Holborn: +1
Manu Sporny: Hopefully it makes you feel good that privacy is
throughout the charter and we've got a specific section on it.
Manu Sporny: Scroll down to 3.2 in the charter, we have a full
section on privacy and security considerations, we call it out
specifically.
Manu Sporny: We're trying to improve upon it. That's the most we
can do in a charter and say we're going to design towards a
privacy preserving tech.
Manu Sporny: And that we're going to collaborate with other
groups on that.
Adrian Gropper: I'm trying to talk aobut how to sell our charter
to MS and Google.
Manu Sporny: Are you saying that would make it more compelling
to them?
Adrian Gropper: If we approach it from cyber security
perspective. NIST 5 years ago saw the link between privacy
enhancing and cyber security ... was the reason for the whole
project. Only orgs with narrow interest in identity management
showed up and Google and MS weren't there. We don't know enough
about their interest in the cyber security aspect and how that
relates to privacy policies, etc. It's a governance problem we're
in a position to solve that isn't being solved elsewhere.
Richard Varn: We cannot wade into cyber security in the VCTF
space without a lot of qualifiers
Manu Sporny: I don't nkow how to modify the charter to capture
what you just said. Could you write a strategy email for how the
group could react to what you just said or similar that woudl be
helpful.

Topic: IPFS and Verifiable Claims

Manu Sporny: We don't have enough time left to talk about IPFS
and VC discussion -- will have to wait until the next call.
Manu Sporny: Tim has raised some great questions about IPFS. The
group knows quite a bit about IPFS and we've worked with Juan
Benet closely. But we don't think IPFS is a solution for WebDHT
or blockchain decentralized identifiers, etc. IPFS doesn't have
mirroring guarantees ... you can lose information on IPFS if
nodes don't keep it, not a good fit.
Tim Holborn: Vint cerf said to me today: "I am in contact with
the IPFS folks with regard to digital archiving and
preservation."
Kerri Lemoie: Badgechain is exploring IPFS for some aspects of
open badges data.
Manu Sporny: Group is looking at other techs ... flex ledger,
sovrin, badge chain, etc.
Manu Sporny: We're aware of IPFS, we don't think it's a solution
for some of the things here, but you can store some data in IPFS,
but can't give guarantees. For DID it's not a good solution, for
pseudo-anonymous badge info, it's good.
Manu Sporny: Just like badge data you can store data in any
location, hash in a blockchain, store data itself in a flex
ledger (as long as no PII), can store in IPFS -- a variety of
other storage mechanisms.
Manu Sporny: IPFS is complementary, but we don't think
replacement/implementation for the DID stuff.
Tim Holborn: I talked to Vint Cerf and he said he's in contact
with IPFS for interplanetary filesystem, etc.
Kerri Lemoie: Something to look into: https://ipdb.foundation/
It's based Bigchain db.
Kerri Lemoie: https://www.bigchaindb.com/
Tim Holborn: I'd like to see a new blockchain (current
computationally flawed), with LDP we're looking at how to create
human centric identifiers. WebDHT did a lot of that and that's
been put to one side and there's a resourcing issue. Given that
Vint Cerf is looking at it for preservation, maybe we should be
following that up, directly or indirectly via CG, etc.
Manu Sporny: Sounds like we need to have a discussion in the
group and how VC fits into these new techs.
Manu Sporny: We'll put that on the agenda for next time, sorry
for 2 minutes over, out of time.
Manu Sporny: We may not have the call next week, because we're
in a holding pattern w/W3M, but expect a call the week after
that.
Kerri Lemoie: Thanks everyone.

Received on Tuesday, 16 August 2016 16:38:12 UTC