- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Tue, 26 Jan 2016 16:31:45 +0100
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>, Credentials Community Group <public-credentials@w3.org>, Henry Story <henry.story@bblfish.net>
- Message-ID: <CAKaEYh+3kf3gBN-QCx-ONhgJbVaAoLWDexT1XwP_Z0yTLs3j4w@mail.gmail.com>
On 25 January 2016 at 21:34, Manu Sporny <msporny@digitalbazaar.com> wrote:

> This is input from Harry Halpin (in his personal capacity) on the Verifiable Claims work at W3C:

I followed the link presented and found the comment:

"(Henry Story) also attacked three other people in similar ways during the Working Group. Folks like that lack the basic social skills and humility to work in a Working Group or collaborative effort of any kind." -- Harry Halpin

Whether or not it's true (I don't think it is), I find this completely inappropriate. Henry has made valued contributions to the LDP WG and other groups at the W3C.

> ---------- Forwarded message ----------
> From: Harry Halpin <hhalpin@w3.org>
> To: "Hodges, Jeff" <jeff.hodges@paypal.com>, Manu Sporny <msporny@digitalbazaar.com>, Brad Hill <hillbrad@fb.com>, Dick Hardt <dick@amazon.com>, "Karen O'Donoghue" <odonoghue@isoc.org>, Tony Arcieri <bascule@gmail.com>, David Chadwick <d.w.chadwick@kent.ac.uk>, David Singer <singer@apple.com>, Mike Schwartz <mike@gluu.org>, Christopher Allen <ChristopherA@lifewithalacrity.com>
> Cc:
> Date: Tue, 19 Jan 2016 22:17:59 -0500
> Subject: Re: Verifiable Claims and W3C
>
> I'm also swamped. I might second Jeff's response.
>
> 1) Don't ignore previous work: "Verifiable claims" are shipped around rather constantly by OAuth and OAuth-based systems such as OpenID Connect. While OpenID still hasn't quite worked out, there are probably more OAuth transactions than Visa transactions. So I wouldn't throw out OAuth and re-design. A user-centric approach doesn't have to ignore OAuth in favor of a failed Mozilla Persona approach, but can make it easier for people to run their own instances with increased privacy and security.
>
> 2) Don't repeat mistakes of PGP by pushing amateur crypto: WebID+TLS and the key work coming out of the Credentials CG seem to have ignored the fate of PGP, i.e. key management is not something people can do successfully. I would avoid a one-key per user multi-origin paradigm. As FIDO does correctly, aim for key derivation on a per origin basis and try to understand (as I saw RDF folks sometimes get wrong) that the same key should not be used for signatures and encryption, and not the same key used again and again. Keys *will* have to be upgraded to larger key sizes and as we see tumult around elliptic and post-quantum transitions. Privacy and security are hard, and any effort should incubate with these goals and the right expertise in mind.
>
> 3) There's no real need to invent a new syntax: Simply put, I'd ship claims around using JSON Web Tokens. Even if one wants to ship RDF around, I'd stick to well-defined IETF standards for transporting claims around: JSON Web Tokens with JSON Web Signatures rather than re-invent the wheel. JWKs are also supported by the WebCrypto API. RDF can be shipped around using JSON-LD with a JWT. The W3C should not be in the business of making competing 'standards' to already completed IETF work unless there's a real gap analysis.
>
> That being said, if previous work can be taken into account, I'm sure a more pragmatic way to a user-centric eco-system would be possible. However, let's build
>
> Another option is to scope down and aim at a particular problem domain, for example a uniform vocabulary for educational credentials. Throwing out privacy and security concerns for high value use-cases like banking is a non-starter, as should be obvious.
>
> Here's myself and Blaine Cook giving an entertaining overview in a video called "Ten Years of Social Standards Failure" although I'm sure others on this list could also chime in with equally entertaining stories. Everyone is doing this work for the right reasons, but let's not repeat mistakes of the past!
>
> https://www.youtube.com/watch?v=BOLIuBr_2uM
>
> cheers,
> harry
>
>
> On 01/19/2016 08:46 PM, Hodges, Jeff wrote:
>
> [ dropped payments IG as I'm not a subscriber ]
>
> thanks for the invite, however I must offer apologies — I am totally soaked of late work-wise. All I have time to do is scrawl some off-top-of-head comments (these are only my personal thoughts and are not those of my employer).
>
> * the definition of a "verifiable claim" is in the eye of the beholder, i.e. they're context-specific (perhaps one could say "community-specific"). e.g. "student at Foo Univ" is arguably a "verifiable claim" in the context of higher ed institutions participating in InCommon.org
>
> * there's folks who're exchanging such claims in non-trivial communities today, e.g. InCommon <https://www.incommon.org/federation/attributesummary.html>, e.g. the US Govt (via PIV cards), and others I would suspect.
>
> * the list of user-centric "qualities" <http://w3c.github.io/vctf/#design-approaches> is more a wishlist of qualities (than a definition) that may or may not be realistically achievable in practice.
>
> * we already have multiple data encapsulation/expression/encoding formats & frameworks that can be used to express whatever "verifiable claims" you desire — it's a matter of ontology development, agreement on schemas and profiles, etc. such claims/assertions can be conveyed with whatever protocols and message encapsulation one wishes, we already have many that are *profilable* (meaning that if you need yet another message exchange pattern(s), and/or message schema(s), you can specify them, without reinventing messages, or the entire framework). Re-inventing the wheel from the ground up is likely not necessary as there's *much* prior work in this overall area.
>
> * in practice, for such large-scale decentralized technology adoption and use, it appears that economics trumps technology, and bridging industry silos (as described in the problem statement) will only occur if the participants in said silos have real economic needs or there's demonstrable economic benefits. cf.
>
> Economic Tussles in Federated Identity Management. Susan Landau, Tyler Moore; Oct-2012, First Monday.
> http://www.firstmonday.org/htbin/cgiwrap/bin/ojs/index.php/fm/article/view/4254/3340
>
> * the vctf pages read to me very similarly to several (many?) prior efforts in the general "identity" space (saml, liberty, WS-*, Open*, etc) — i can't really tell what is different about this verifiable claims effort
>
> * please note that FIDO is not about "identity" -- it is about cryptographic asymmetric-key-based peer-entity authentication, with provision for multiple "user verification" modalities layered on top (e.g. PIN, biometrics, whatever). It is, however, possible to compose FIDO with your favorite flavor of federated identity management: cf. <http://www.slideshare.net/CloudIDSummit/cis-2015-fido-and-federation-cis-2015-could-identity-summit-hodges> for one example approach (how it composes of course depends upon the message flows of the "identity" framework/infrastructure one is composing with)
>
> I hope this helps,
>
> =JeffH
>
> ---
> On 12/20/15, 8:03 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote:
>
> Hi Brad, Dick, Jeff, Karen, Harry, Tony, DavidC, DavidS, Mike, and Christopher,
>
> As some of you may know, there is a group of us loosely organized around a W3C Community Group and the W3C Web Payments Interest Group that are looking into whether or not to form a Verifiable Claims (aka credentials, attestations) Working Group at W3C. We have a rough sketch of what the group would be about here:
>
> http://w3c.github.io/vctf/
>
> The group has identified each of you as a person that would be important to interview before we make a decision on whether to create a WG or not. Each interview would consist of you letting us know your thoughts on the initiative (after reading the link above). We'll have some questions[1] to guide the discussion if you're unsure about the sort of stuff we're trying to learn from you, but feel free to pose your own interesting questions (and answer them) during the interview.
>
> This is just a heads-up that we're going to be asking for some of your time in January. We'll work around your schedule. I'll send a time request in a separate email and we'll have a prep call (with recorded audio for those that can't make it) in early January as well.
>
> -- manu
>
> [1] https://www.w3.org/Payments/IG/wiki/ProposalsQ42015/VerifiableClaimsTaskForce#Open_Questions
>
> --
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: Web Payments: The Architect, the Sage, and the Moral Voice
> https://manu.sporny.org/2015/payments-collaboration/
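Harry's points 2 and 3 in the forwarded note (derive keys per origin, never share one key between signing and encryption, and carry a JSON-LD claim as a JWT signed with JWS rather than in a new syntax) fit together in a few dozen lines. The block below is an added example written for this page, not code from the thread or from any project named in it. Everything in it is an assumption for the demo: the master secret, the HKDF salt/info layout, the HS256 algorithm (chosen only so the example needs nothing beyond the standard library), the JSON-LD context URL, the origins and the sample claim.

```python
"""Added example (not from the thread): a JSON-LD claim carried as a JWT in
compact JWS serialization (HS256), signed with a key derived per origin and
per purpose via HKDF-SHA256 (RFC 5869).  Standard library only.  All names,
URLs and secrets below are constructed for the demo."""
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed sample data (hypothetical; not from the original thread).
MASTER_SECRET = b"demo-master-secret-do-not-use-in-production"
ISSUER_ORIGIN = "https://example.edu"
SAMPLE_CLAIM = {
    "@context": "https://example.org/credentials/v1",  # hypothetical JSON-LD context
    "type": "Credential",
    "issuer": ISSUER_ORIGIN,
    "claim": {"id": "https://example.edu/students/alice", "studentAt": "Foo Univ"},
}


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF extract-then-expand (RFC 5869) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def origin_key(master: bytes, origin: str, purpose: str) -> bytes:
    """Per-origin, per-purpose key.  The 'sig' key for one origin is unrelated to
    its 'enc' key and to every other origin's keys, so no single key is reused
    across origins and a compromise at one origin stays local to it."""
    return hkdf_sha256(master, salt=b"vc-demo-salt-v1", info=f"{purpose}|{origin}".encode())


def _json_b64(obj: dict) -> str:
    return b64url(json.dumps(obj, separators=(",", ":")).encode())


def mint_jwt(claim: dict, key: bytes) -> str:
    """Compact JWS: base64url(header).base64url(payload).base64url(signature)."""
    signing_input = _json_b64({"alg": "HS256", "typ": "JWT"}) + "." + _json_b64(claim)
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(sig)


def verify_jwt(token: str, key: bytes) -> Optional[dict]:
    """Return the payload if the signature verifies under `key`, else None.
    The algorithm is pinned to HS256 so a caller-chosen header cannot
    downgrade verification (e.g. alg=none)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(b64url_decode(h))
    except (ValueError, UnicodeDecodeError):
        return None
    if header.get("alg") != "HS256":
        return None
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return None
    return json.loads(b64url_decode(p))


def demo() -> dict:
    """Mint a token for ISSUER_ORIGIN and show which keys and tokens verify."""
    sig_key = origin_key(MASTER_SECRET, ISSUER_ORIGIN, "sig")
    token = mint_jwt(SAMPLE_CLAIM, sig_key)
    h, p, s = token.split(".")
    # Attack 1: same payload, header swapped to alg=none with an empty signature.
    none_token = _json_b64({"alg": "none", "typ": "JWT"}) + "." + p + "."
    # Attack 2: issuer rewritten in the payload, original signature kept.
    forged_token = h + "." + _json_b64(dict(SAMPLE_CLAIM, issuer="https://other.example")) + "." + s
    return {
        "valid": verify_jwt(token, sig_key) == SAMPLE_CLAIM,
        "other_origin": verify_jwt(token, origin_key(MASTER_SECRET, "https://other.example", "sig")),
        "enc_key": verify_jwt(token, origin_key(MASTER_SECRET, ISSUER_ORIGIN, "enc")),
        "alg_none": verify_jwt(none_token, sig_key),
        "forged_payload": verify_jwt(forged_token, sig_key),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the block prints the outcome of each check: only the issuing origin's signing key accepts the token; its encryption key, another origin's key, an alg=none header and a rewritten payload are all rejected. HS256 is a shared-secret scheme, so this shape suits a single verifier that holds the same derived key; for claims checked by arbitrary third parties the same structure would be used with an asymmetric JWS algorithm and the per-origin public key published as a JWK, which is the WebCrypto-compatible path the note refers to.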
Received on Tuesday, 26 January 2016 15:32:30 UTC