Verifiable Claims Telecon Minutes for 2016-01-28

From: <msporny@digitalbazaar.com>
Date: Thu, 28 Jan 2016 17:49:52 -0500
To: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
Message-Id: <1454021392367.0.1238@zoe>

Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2016-01-28/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-01-28

Agenda:
https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Jan/0063.html
Topics:
1. Problem Statement
2. Stakeholders and Benefits
3. SAML, Oauth, OpenID Connect, and JOSE
4. Important Work Items
5. Best Location for Standards Work
Organizer:
Manu Sporny
Scribe:
Dave Longley
Present:
Dave Longley, Manu Sporny, Christopher Allen, David I. Lehn
Audio:
http://w3c.github.io/vctf/meetings/2016-01-28/audio.ogg

Dave Longley is scribing.
Manu Sporny: Thank you joining us, Christopher. We're really
looking forward to getting your input on this VCTF work.
Manu Sporny: Just to be clear we are minuting the call and
recording the audio.
Christopher Allen: You have my permission.
Manu Sporny: Let's start with a quick introduction -- we'll be
sharing this with multiple groups at W3C. Background and self,
etc.
Christopher Allen: I've been involved with online communities
since the early 80's. I was one CompuServe, head of the computer
international consulting association ... consulting board on
there, I had hosted a number of BBSes, I published the first BBS
for the Mac and the first Mac interface for a online community.
Christopher Allen: I was also involved with early pre-internet
methodology for transmitting information including [missed] which
is like news today but it's a p2p protocol. So we can talk about
how we did that back in the 80s, it's not new. In the late 80s I
was involved in [missed] involving the technological consensus
with database architectures and such and the human problem and
the core of what I wanted to work on for the next 25 years. I
came out with my first product and people didn't trust it so I
entered into crypto. I was involved groundfloor with RSA and its
algorithm and involved in its privacy efforts and [variety of
crypto tools] in the early 90s. That ultimately set the stage for
writing the reference implementation for SSL and then later
leading the standards effort for TLS 1.0 at the IETF.
Christopher Allen: I was the editor along with Tim Dierks for
the standard and ran the online communities, mailing list, for
all practical purposes I was the defacto director of that working
group and we published version 1.0 of the standard in '97 and
today it's the most widely deployed security standard, [stats on
business]. Early architecture decisions we made proved to be
solid like perfect forward secrecy which was something that was
in the spec early on, it's only been implemented in the last
couple years. Not only used to secure the Web it's used to secure
other standards ... the ports I registered for doing SSL email
later TLS with email, Google reported last year 60% of all
outgoing email was secured by TLS and 50% incoming. Which is in
great excess of anything secured by SMIME or SFTP anything.
Christopher Allen: In the last 10 years I've been an Angel
investor, involved in various online communities, in particular
in the mobile community. In the crypto field I did some work at
Certicom and did smart signatures and smart contracts but it was
too early, in the last few years I've been bringing those skills
back to secure android platform and most recently I've been doing
stuff in the blockchain with secure engines of trust in the last
yera, including teaching in university and doing consulting for
big and small. I've been working on OASIS standards to help XDI
move to blockchain.
Manu Sporny: Awesome, that was a fantastic intro to you and
that's why we're so interested in hearing from you. We think
you're uniquely qualified to talk to -- about this problem space,
if it should be solved, how you'd solve it, etc.

Topic: Problem Statement

Manu Sporny: What we're trying to do during this call is get
your thoughts about what we've written so far, user-centric vs.
service-centric, is there a problem to be solved, where should
the work be done, etc.
Manu Sporny: http://w3c.github.io/vctf/#problem
Manu Sporny: http://w3c.github.io/vctf/#design-approaches
Manu Sporny: What we're trying to do is ... the main gist of the
way we're stating the problem here is that we're talking about
user-centric design. We're asserting there is no widely
user-centric standard for expressing verifiable claims, via the
Web and there's a desire to create such an ecosystem. We've tried
to define was user-centric means through talking about what some
of the design ramifications are. For example ...
Manu Sporny: A service-centric system would be like facebook,
twitter, etc.
Christopher Allen: Right, I'm very familiar with this movement,
as far as calling it user-centric was really pushed in the late
90s early 00s, augmenting the social network, the early thing ...
I've been part of the IIW community pretty much from the
beginning. The core of the ... problem, my alignment is with it
being about user-centric. It's been co-opted a little bit, but
I've been moving increasing into "self-sovereign" as the
key-phrase for this. Which is a little distinct from
user-centric. But clearly the same territory. I think ti's
important for a variety of reason. There's an innate power
imbalance in our society where individual power severely hampered
by the financial power and the legal authority of other parties.
Going back to the US constitution, how do you enable the
individual to balance that power around authorities.
Christopher Allen: The natural power of aggregation of financial
authority, etc. we need forms of everything from the class action
lawsuit, etc. to overcome these kinds of natural aggregation and
network effects that happen in system.s
Christopher Allen: We have to balance those natural powers with
powers that are for the user. That's where the self-sovereign is
a bit stronger and why I value that myself. Clearly, the world in
the last few years has been going ...
Christopher Allen: We moved to centralized structures and we had
problems there and then out to decentralized and we had problems
there and then back to centralized and we're in the middle of a
centralized surge. Facebook, etc. Governmental powers wanting to
do things. I'm not a libertarian, I don't consider myself a
cryptoanarchist or anything, but I do believe in balance.
Christopher Allen: That clearly is part of my motivation with
being involved in these decentralized techs that are finally
possible today. They haven't won. Banks, etc. are looking at this
as something they need to investigate. At this point there is no
proven example there.
Christopher Allen: Walking through this, user-centric is the
first thing that I do, I am also very ... I think the space of
verifiable claims and attestations is a very important sweet
spot. Interop is very powerful. We've talked about
service-centric architectures mean that people who lose their
facebook relationship for whatever reason lose years of identity
and reputation and history with their peers.
Christopher Allen: If you go by the individual definition of
social network individuals own their own social network, it
shouldn't be owned by a service. Lock in and fragility or the
opposite of it like resilience is important. Standards that cut
across industries, clearly, we have a lot of issues in the
area... I'm a big fan of privacy I write a lot about it but if
you look at a lot of things and how they are legislated like
HIPAA, they enforce a man in the middle. Which is the antithesis
of what cryptographers want to avoid but it's mandated by the
legislation. That has to do with the centrality of things again.
Christopher Allen: Maybe they'll come up a little later in this
discussion, but I also want to look at things from a crypto
perspective and in order to prevent things like correlation, to
allow for certain kinds of privacy things mandated in the EU or
.... you can't do some of these without designing from a
self-sovereign perspective from the bottom. It *has* to be done
that way from a crypto perspective, I can't see how you can do it
the other way. You can have wonderful policies about how all of
this can work what can be shared and you can enforce them by
policy and then have things like "more Jews died in Holland in
WWII as a percentage of population vs. Germany" because policy
respected them but then things changed. So just because policy
works today doesn't mean it won't fail in the future. Building
things on human rights privacy is good but policy is based on
economic rights sometimes. The European style rights privacy
can't be solved by a service centric perspective, at least I
don't know how to do it, it can only be solved from a
user-centric perspective. 30+ years working in this community.
Manu Sporny: Do you think we're in the right ballpark then ...
with our assertions about user-centric systems. If we were to do
one thing that would be creating this self-sovereign approach for
verifiable claims would that be a worthwhile endeavor?
Christopher Allen: Yes. The only thing missing seems to be
policy and maybe more crypto.
Manu Sporny: In way way do you feel it's missing? We point out
this needs to involve crypto, it's not a policy based solution
we're searching for it's a crypto-based solution?
Christopher Allen: Yeah, and I dont' see that in the problem
statement.
Christopher Allen: Nothing talks about that enough.
Manu Sporny: Ok, I think that's just fundamental assumption
we're making but we should point out that that's how we intend to
address some of that in the problem statement. We were asked not
to propose solutions but to just identify the problem -- and let
the solutions come out in the actual work later.
Christopher Allen: You're not mentioning it at all and you will
have to be diving into it. Even if you don't talk about it ...
maybe they are more principles, a couple of principles are
necessary to say, we've already talked about self-sovereign, but
maybe add to that something along the lines of minimum-disclosure
required to interact. Which might include methods like [missed].
We don't know .. it's a hard problem space, we want to encourage
minimum exposure but we want to enable business interactions and
cooperation. So what is the minimum necessary to do so and not go
beyond it. Today it's all or none.
Manu Sporny: We will try to work that in. Where should that go?
Christopher Allen: Maybe as a "principles" type of thing.
Manu Sporny: Any other concerns over the problem statmeent?
Christopher Allen: Nope.
Christopher Allen: Again another principle is the [missed]
Manu Sporny: The area of correlation
Christopher Allen: The area of correlation.
Manu Sporny: So I feel like we've covered user vs. service
centric design. User-centric being a better way to address the
problem.
Manu Sporny: That's a fair statement?
Christopher Allen: Yes, there are things in user-centric design
that make it harder for large orgs to do certain things but they
have more money and power, and I consider that an acceptable
balance.

Topic: Stakeholders and Benefits

Manu Sporny: http://w3c.github.io/vctf/#benefits
Christopher Allen: I can live with this, every time I hit
"consumers" I understand you're trying to handle the naming here
... whenever I hit "consumers" I keep wishing it was another
word.
Manu Sporny: Do you understand what the term refers to?
Consumers of credentials, walmart, target, whatever.
Christopher Allen: Absolutely.
Manu Sporny: Let's go through the ecosystem and hear your
thoughts on it. Issuers issue credentials, holders receive them
put them in a digital wallet on their phone in the cloud,
wherever, they pick where they want to store it.
Christopher Allen: Issuers is great, definition is solid. The
only thing obviously missing is that if we talk about human
trust, when it manifests itself in an enterprise there is a lot
of p2p trust ... I have a relationship with Joe at the powerbar
company because we've been doing business for a long time
together and he's his org have impressed me.
Christopher Allen: There's a little "only these big issuers"
whereas I'm interested in the former CTO of PGP being able to
issue a statement about working with me in the standards industry
vs. verisign ... google almost banned them in Chrome because they
were miss handled ... which is a better credential?
Manu Sporny: Right.
Manu Sporny: We want to enable individuals to self-assert and
for orgs as well, it's not any harder. Want to cover all of it.
Christopher Allen: What we've heard from Brad Hill is that he
doesn't see how that ecosystem could scale with that sort of
trust where trust is at the peer-level and it would fall under
its own weight.
Christopher Allen: It does have to be constrained by recipes
more than it is by the size. If you look at PGP, trusting is
often over-interpreted, but fundamentally, do I believe that the
party at the other end has properly generated a public+private
keypair. That's all it really means. The problem is ... that's
not what it really says and it's not precise enough. If the
recipe could be what it really is instead of a broader
interpretation of what it actually means that would be much
better. All of these things that got interpreted into what a PGP
credential meant ... that's when it breaks. Having some good
recipes that are very precise as to their nomenclature and the
rules for that ... that can be done and can scale. Allowing
anyone to make a weird, reputation claim in a not-well reputation
claim in a weird area that's madness and there's no way to scale
that.
Manu Sporny: One person said that one person said that what
we're looking at are islands of interoperability here (David
Chadwick).
Manu Sporny: Orgs like in the education industry could have
their own vocab, etc.
Christopher Allen: There's a fifth category, that's all over the
place in the real world. The accreditation ... I don't get
diploma from that body but it affects my degree. And having a
recipe for multiple bodies is better... that's a "recipe" that
you have these types of things. Having a fifth pipe where people
are creating these types of recipes are important, a good thing.
A recipe for US healthcare and things because of HIPAA and those
are different from EU things.
Manu Sporny: With these four players in the ecosystem -- and
those other mechanisms that you just described, does the
ecosystem make sense to you?
Manu Sporny: Where there can be many of each of these actors in
the ecosystem?
Christopher Allen: Yes. With the thing ... the old word was
Relying Party for consumers, I agree "consumers" is better than
"relying party" but I'm uncomfortable with it. When you're trying
to communicate ... it crosses into the people side of the
equation. Are they followers, clientèle, or what.
Manu Sporny: We'll mark that and take it back to the group to
look at a better name.
Christopher Allen: I also appreciate the difference between an
issuer and a curator. I wrote a lot about ratings systems in my
blog and on collective choice... including in one of our own
ratings systems we got demonstrably better ratings [missed]. If
you look at that tech there's a big difference between a rating
and a ranking. Issuers are in the same space as rating and
ranking requires a lot more and that's where your curators are.
They have a very different role in saying "someone's credit
rating is greater than that of someone else's" as opposed to
"this person has great credit with VISA, their card has already
been paid on top." That's a different thing from a curation of a
lot of different ratings together. I think that's important and
curators may ... because of their power and because in order to
do some of their stuff they have to correlate things they may
have to have stricter requirements in many ways than issuers.
Manu Sporny: One of things we talk about when we talk about
curators ... there are of course some tech proposals on the
table, and one says the curator should not be able to track where
you're using your credentials (from the consumers), if it can
figure that out then it can build a very strong profile of your
behavior and what you're doing and we're senstive to that and
trying to build that into the protocol.
Christopher Allen: That's also where the power is and to a
certain extent the money. If you look at this from "who benefits
from it", the curators and consumers are benefitting the most I
think. In many ways, issuers are customers ... to a certain
extent, serving the community but also users, they can charge a
user for an ID, which is very different from a curator who can
force someone to do something.

Topic: SAML, Oauth, OpenID Connect, and JOSE

Manu Sporny: Agreed. Switching gears ... technologies that can
achieve this kind of ecosystem and address the problem statement.
If you were trying to build something to achieve and create this
ecosystem... some people are saying the tech already exist and
just use SAML, OAuth, OpenID Connect, etc. Do you feel those
techs can just be reused to solve this? Are there still some
fundamental techs that aren't quite there?
Christopher Allen: I've also been playing around with those same
things ... I'm uncomfortable with those things on a variety of
different levels, some of which are objective and some that are
subjective. On the objective issue side of things, I think that
in order provide for non-correlatable identifiers and things of
that nature you're going to have to use more complex crypto than
what is RSA-based single-key based CA-based architectures are of
the JOSE stack. And, they have a relatively constrained format
that makes some of those things hard. Obviously, every standard
can adapt. That's where we get to the subjective. I just find the
JOSE stack to be cumbersome and not ... I just hate the fact that
in order to both encrypt and sign something you have to actually
put the base64 of the encrypted thing in with it because the JSON
isn't consistent in how it's represented. It doesn't even have
lists. It just feels ugly to me and that's a subjective thing in
many ways.
Manu Sporny: So you don't think that the JOSE stack is suited
for an ecosystem like this?
Christopher Allen: It's very inelegant, yes. I also feel that
... I can't tell you ... can it be done? Can it be coerced,
probably, but then it will be even uglier.
Christopher Allen: Part of the problem ... switching hats to the
cryptographer hat. This was an issue with TLS way back when.
Everybody had a different algorithm and hash and MAC mechanism,
etc. They all wanted them to be able to slide in and in different
ways and combos. But auditing that from a security point of view
was *incredibly* hard. And that's kind of how I feel about JOSE.
On one hand they have some weird constraints but on the other
areas where I *want* to be constrained, they are wild. I want to
have two or three things ... or a linear growth in options rather
than an exponential growth in options and that's where JOSE is
going.
Christopher Allen: And the fact that we need it to do things
that it doesn't do now, it will only get worse. They don't do a
number of different choices, they do it all as options as woven
in and out from each other, very hard to audit.
Manu Sporny: Do you see any technologies on the horizon that can
address this type of stuff?
Christopher Allen: Part of the reason why I've tried to get
involved with the XDI standard is they are trying to address some
of this, I'm not as much of an expert in the graph technologies.
Historically graph tech have led to a lot of dead ends, but there
are some interesting things in that space to solve these types of
problems. I've liked what's been going on with JSON-LD and XDI
and the OASIS standard and I haven't quite seen the same coming
out of JOSE.
Manu Sporny: Is that with the data model or the digital
signature side of things?
Christopher Allen: With the digital signature side of things.
The area of null nodes ... whether or not you need to have all
the world's data in some kind of graph, cryptography has problems
with null nodes. When you don't know about something and you
don't want to force that nullness... is a real problem in
cryptography.
Manu Sporny: Got it. Jumping to other technologies, OpenID
Connect/SAML, could you modify those to get an elegant
user-centric system with credentials/claims expressed via them?
Christopher Allen: You *could* but the architecture tends to be
very client-server architecture where the server is the key
party. And that's just always going to make it difficult.
Manu Sporny: Is the assertion that OpenID Connect/SAML aren't
self-sovereign, etc.?
Christopher Allen: Well, they aren't. But how the different
pieces are connected together are very oriented towards the
server being persistent in ways that limit them. That doesn't
mean you can't ... it's a classic thing of it being rooted on
HTML. That's how some of these other things arose with issues
like requiring a server-centric approach to it.
Manu Sporny: I think what you're asserting is that there's
something here with the problem statement and creating this
ecosystem would be beneficial and there's no clear tech for it
today.
Christopher Allen: That's latter statement -- it's a lot harder
with the current tech. What will be most easily adapted to the
kinds of changes necessary. Limiting crypto suites ... is a
desirable approach, not only doing crypto on the server, ...
there's no reason why in TLS you don't theoretically have the
server send a credential at all, .... you can get just the same
kind of MiTM prevention by having a client send something. It's
just that in the 90s the servers were more powerful than the
client, so you tried to do all the crypto on the server. That's
not true anymore. My iphone has a cryptographic co-processor
inside it with a hardened area inside of it. Even IoT ... we're
recognizing that you need to have crypto at the leaves. We need
to design for that.

Topic: Important Work Items

Manu Sporny: If this work were to start, particularly which
items are important to work on? And where should that happen?
Self-sovereign identifiers, protocols, etc. Where should those
happen? IETF, W3C? ... So what are the techs and where should
they be created?
Christopher Allen: If you start off with self-sovereign ... we
have a wallet and a key-management problem. That's very
important, I happen to be really biased towards hierarchical
trees of keys because they allows a user to have a key completely
offline that can't be stolen yet allows them to create other keys
and delegate and let them do other things. I can let my phone do
a bunch of things on my behalf, but if it's stolen I can create a
new subkey very easily. I feel like that it's a fundamental thing
to design that from the beginning to support that type of
functionality. There are other benefits you get, for instance, I
can give the company I'm renting my apartment from an identifier
-- and the company I'm getting the power from ... and give them
each a different identifier and maybe they can't correlate (maybe
a bad example because they both have my physical address). My
email provider doesn't need to know those things ... if those two
companies share information those two identifiers wouldn't let
them correlate and say "oh, this is the same party." That's a
good thing for hierarchical keys. One of things with ratings
systems in general ... a rating is only is good as the point at
which it was issued, so time is very important. The persistence
of a rating over time is important.
Christopher Allen: That needs to be built in early on.
Verifiable proofs of existence in time ... something that was
valid 10 years ago may have changed today, but if it's been
continuous over that time and never revoked then it has more
authority than what was given out today by a new issuer.
Manu Sporny: So some kind of ledger or blockchain based
mechanism or history preserving mechanism?
Christopher Allen: I'm not absolutely sure it needs to be a
ledger because it has issues of correlation and so on, but it
does need to be provable in time.
Manu Sporny: What about identifiers and formats these claims?
Manu Sporny: Are those good work items?
Christopher Allen:
http://www.lifewithalacrity.com/2005/12/systems_for_col.html
Christopher Allen: Absolutely. I see a number of good recipes
... there are human issues on recipes. Writing a good
rating/ranking system, various other kinds of systems are hard
and we need some good use cases and recipes and really understand
the problem and one of the first use cases is badges. Maybe
simply that you've completed something. Something that is less
than a degree but more than ... you've opened a webpage. That
there's been some kind of proof that you've read the document and
understood it in some fashion is a really early recipe that I
think we can design from the human issue perspective and use that
to make new recipes and more complex things.
Manu Sporny: Could you clarify what you mean by "recipe"?
Christopher Allen: As an example, there are ... you talk about a
JSON object I give you that basically says that I have rated the
paper you wrote, the blog post you wrote on a scale of 1-5 as a
3. I can prove to you that that's problematic. 5 star ratings are
a bad design, we do them repeated because people have seen them
in the past and they are used to them, but they have a number of
serious flaws. First off, a lot of people think 3 is the middle.
Well, 2.5 is the middle. There is no 2.5 stars. Due to the nature
of how you ask the question people are more likely to rate things
positively or negatively. An amazon book rating of 4 stars is the
low average. That means that your fellow buyers ... less than 50
percentile is a 4 star book. That's not obvious. People see that
as "oh that must be a good book." 4.1 or 4.2 is an average rating
for an amazon book. These are human sides of reputation, rating,
credentials.
Christopher Allen:
https://github.com/WebOfTrustInfo/rebooting-the-web-of-trust/blob/master/final-documents/rebranding-web-of-trust.pdf
Christopher Allen: People started doing parties together and
people felt obligated to sign other people's keys because they
were at the party with you not because you truly believed they
generated their key safely. A human factor got in the way. These
kinds of human issues are important in the design of what that
JSON object looks like.
Manu Sporny: Is there a particular set of tech at trying to
address that problem?
Manu Sporny: Or a set of design thinking around how you solve
the problem?
Christopher Allen: More the latter, but that being said,
"schemas" are powerful.
Christopher Allen: I think that's one of the things ... you have
to be careful because schemas can get in the way also, but that's
the thing that the Microformats people discovered if are
relatively consistent with something that meets the use cases you
don't need to be as precise as full-fledged RDF.
Christopher Allen: The schema was somehow more important than
perfectly described RDF. Having some good schemas ... having a
good complete discussion about "we've thought carefully about
this" and there are human factors in reputation systems and UI
issues and so forth that need to be accounted for.
Manu Sporny: I think the conclusion we've come to is that the
people who design those schemas should be very close to the
problem. If you're designing a schema for hospitals, the
hospital/community or the people building stuff for them should
figure out the schema and the human factors, it shouldn't be some
standardization body. The point being that you need to have
experts in a particular vertical to do a good job?
Christopher Allen: Right. I agree with that with the caveat that
a standards body can basically say "These are some of the steps
and perils and pitfalls that you can fall into if you're not
careful and here's our advice."
Manu Sporny: Like a best practice around creating schemas.
Christopher Allen: Yeah!
Christopher Allen: And demonstrating some of those areas that
can be done, some of the best practices, explain the behind the
scenes ... here is why we chose ... a badge is a low-hanging
fruit. I have a definition of a badge, why is it relevant, where
are their problems, how do we avoid those problems, etc.
Christopher Allen: Good lessons for you when designing your
recipe.

Topic: Best Location for Standards Work

Manu Sporny: We're out of time and we really appreciate you
staying a few extra minutes. Do you feel like W3C, IETF, OASIS,
etc can do this work?
Christopher Allen: The whole standards area. .. I would say IETF
20 years ago but not today. It's not the same it was back then. I
personally found W3C a little harder for small companies to be
involved with. It's a little bit dominated by the big browser
vendors and companies where I'd like to see a little bit broader
industry ... non-computer industry backing in there, but they
aren't there.
Christopher Allen: I only have limited exposure to OASIS, last 9
months or so. It at least enforces IP stuff and the minimums
there to make sure parties will be treated fairly. It's a little
too close to the metal there. They are doing interesting work in
crypto though. Technically it's not the IETF ... it's the IESG
that's doing more crypto stuff.
Manu Sporny: Crypto forum research folks?
Christopher Allen: Yes.
Manu Sporny: Thank you so much for your time today.
Manu Sporny: To be clear you think it's worthwhile to work on
this stuff.
Christopher Allen: Yeah.
Manu Sporny: Expressing verifiable claims and so on.
Christopher Allen: Yes.
Manu Sporny: Ok, thanks and have a great week, we'll CC you on
this!

Received on Thursday, 28 January 2016 22:50:20 UTC