- From: Melvin Carvalho <melvincarvalho@gmail.com>
- Date: Fri, 11 Mar 2016 06:30:17 +0100
- To: John Tibbetts <john.tibbetts@kinexis.com>
- Cc: Manu Sporny <msporny@digitalbazaar.com>, W3C Credentials Community Group <public-credentials@w3.org>
- Message-ID: <CAKaEYhL4wbeD2fW1SxwbeOUAJsZb1+LfLBaR8hKeEWoDHVUWDQ@mail.gmail.com>
On 11 March 2016 at 02:40, John Tibbetts <john.tibbetts@kinexis.com> wrote:

> I’ve reviewed the Working Group Charter and, with a couple of minor exceptions, think it’s a very creditable document. It’s amazing to me how quickly this group’s deliverables have evolved even with half the troupe out sick.
>
> I have two comments:
>
> Section 2. Goals
>
> I was skeptical at first about Ian’s suggestion of making these points more goal-like. But I now realize that was a failure of imagination on my part. I now see that they are a big improvement. (Manu says he’ll do some word-smoothing over the weekend, but with that it’s an impressive set).
>
> However there’s one other point that might strengthen the goals. Since the Problem Statement explicitly includes the point about cross-industry interoperability, shouldn’t there be a goal that makes some assertion like: Supporting extensible vocabularies that can serve the need of a variety of industries.
>
> My wording here is somewhat anemic, but the sense of this is that this goal would address the capabilities that earlier on, in the ‘Retrospective’ blog post, we categorized as ‘Extensible Data Model’, or slightly differently, ‘Decentralized Vocabulary’. It seems that we ought to have some goal in this section that addresses these issues.
>
> Section 3.2. Security and Privacy Considerations
>
> I wonder if we shouldn’t slightly soften this sentence: "Protection of the privacy of all participants in a credentials ecosystem is essential to maintaining the trust that credential systems are dependent upon to function.” I’m saying we should tone this down a mite for W3C political reasons. Think of it this way: there are a lot of folks out there who put a lot of trust in OpenID Connect even though it’s a basic premise of this group that we can do a lot better with Privacy. So an OIDC advocate might read this sentence as saying: if you can’t provide privacy of all participants, your credential system isn't trustworthy. I’ll leave it to those in our group who are more politically astute to judge whether this is a vulnerability or just my imagination.

+1 soften. It is slightly political, but it shouldn't be political; it should be more balanced and technical -- I was chatting with a distinguished engineer at the IETF meet and the feeling is that we can do better here in the standards world. In general, much like the TSA in airports, we've gone a bit too far with security paranoia in some areas, identity being the main one. And not far enough with other security items such as privacy, encryption and tracking.

> Very nice job gang.
>
> John
Received on Friday, 11 March 2016 05:30:48 UTC