- From: Kim Hamilton Duffy <kim@learningmachine.com>
- Date: Sat, 12 Aug 2017 00:19:21 +0000
- To: David Chadwick <D.W.Chadwick@kent.ac.uk>, public-credentials@w3.org
- Message-ID: <CAB=TY85pG0a+0mPmHsqDLSmoknUZVFN9h+Bo3Z=O-Asir+QyQQ@mail.gmail.com>

Thanks so much David.

All -- to summarize, we are down to 3 issues, which are described in the final mission draft (on the last page)

1. Whether to mention "bearer credentials"
2. Whether to mention "proof of existence"
3. Whether to include reference to long-lived credentials

#3 is the issue I raised, and I'm personally fine relaxing that, as long as some reference to recipient-centric approaches is present. I could imagine this being covered by "bearer credentials", but that has the issue David mentioned.

We'll schedule 10 minutes during the next call to wrap up these issues and move forward with a mission statement.

Thanks,
Kim

On Fri, Aug 11, 2017 at 12:47 AM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:

> Hi Kim
>
> On 11/08/2017 03:54, Kim Hamilton Duffy wrote:
> > Hi David,
> > The final proposed paragraph is on the very last page of the google doc.
>
> thanks, I must have missed it last time
>
> > I looked at your comment and I'm not sure where it would fit into the
> > current draft, which is significantly shortened. We're not listing types
> > of credentials/claims (as in the context where your comment appeared).
> > Please have a look and add your comment if you think the current draft
> > needs to call out group membership.
>
> I agree that it is no longer needed.
>
> > Some questions:
> > 1. Bearer credentials: what are some positive disadvantages?
>
> they can be stolen, copied and used by anyone who gets a copy of them.
>
> > It's
> > possible we picked a bad phrase here. Our intent was to emphasize that
> > the approaches enable recipient consent/empowerment
>
> the new phrase is much better.
>
> > 2. About longevity: I agree it's extremely challenging. The goal here is
> > to emphasize that the approaches we are considering get us closer to
> > that goal (e.g. blockchain), but brushes over many details and caveats.
>
> there is already a whole lot of research about the longevity of
> digitally signed documents that should remain valid long after the
> original crypto is broken or the issuer no longer exists. So I don't
> think we want to stray into that topic in the VC work.
>
> > To expand on that, we wanted the mission statement to be brief, and
> > sometimes we erred on the side of being more aspirational than exact. We
> > could probably avoid this tradeoff with more iterations, but I think
> > many are wanting to wrap this up and switch to (at least) a better
> > mission statement than what we currently have.
> >
> > For that reason, I'd be fine dropping my request to work in "longevity"
> > because that could be also viewed as a factor in enabling
> > recipient-centric credentials (at least in some scenarios...I encounter
> > this in EDU very frequently).
>
> I have added a comment that user control (aka user centric) is missing
> from the current mission statement and should be included
>
> regards
>
> David
>
> > Thanks,
> > Kim
> >
> > On Wed, Aug 9, 2017 at 3:06 AM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
> >
> >     Hi Chris
> >
> >     It all depends upon what you call long lived. PKI certificates can last
> >     20 years or so, and these already exist on the web, so I would not say
> >     that it is particularly unique to VCs to have long lived credentials.
> >
> >     However, proving that a credential is still valid after the issuer no
> >     longer exists is clearly a challenge. Even more so, if the issuer went
> >     out of business suddenly and did not make any provisions for VC
> >     validation after its demise.
> >
> >     Finally on the topic of bearer credentials, I would not shout so loudly
> >     about them, as I think they have positive disadvantages and should not
> >     be championed in our work.
> >
> >     regards
> >
> >     David
> >
> >     On 08/08/2017 18:54, Christopher Allen wrote:
> >     > By the end of the call today we had a good discussion and an improved
> >     > proposal for mission statement:
> >     >
> >     > https://docs.google.com/document/d/1kxm6yGnGAVgNTLMYft_cz2zW3c1AE8uSCy4i5A6OhG8/edit?usp=sharing
> >     >
> >     >     “The mission of the Credentials Community Group is to explore the
> >     >     creation, storage, presentation, and verification of credentials. We
> >     >     focus on a verifiable credential (a set of claims) created by an
> >     >     issuer about a subject—a person, group, or thing—and seek solutions
> >     >     inclusive of approaches such as: self-sovereign identity;
> >     >     presentation of proofs by the bearer; data minimization; and
> >     >     centralized, federated, and decentralized registry and identity
> >     >     systems. Our tasks include drafting and incubating Internet
> >     >     specifications for further standardization and prototyping and
> >     >     testing reference implementations.”
> >     >
> >     > The remaining issue was that I was hoping to incorporate a phrase about
> >     > another unique thing about our architecture — the ability to present
> >     > claims that are long-lived. For instance, I should be able to present a
> >     > valid claim that I was legally married 25 years ago, even if the issuer
> >     > has rotated or revoked their keys since. This is possible with proof of
> >     > existence and dated key rotation/revocation registries. It should be
> >     > possible for me to prove that I graduated from college, even if colleges
> >     > have changed names, merged, etc., name systems and degree changes, for
> >     > as long as the claim was not fraudulent.
> >     >
> >     > That, and the bearer instrument side of our work, offers something
> >     > unique and compelling about our architecture, and also ties us into the
> >     > newer possibilities offered by blockchain systems.
> >     >
> >     > If you would like to discuss this, or other issues with the mission
> >     > statement, please reply to this email. If you have ideas on how to
> >     > specific change that in the above mission statement, submit the change
> >     > as a suggestion to the google doc above.
> >     >
> >     > Thanks!
> >     >
> >     > — Christopher Allen
> >
> > --
> > Kim Hamilton Duffy
> > Principal Engineer | Learning Machine + MIT Media Lab
> > Co-chair W3C Credentials Community Group
> > 400 Main Street Building E19-732, Cambridge, MA 02139
> > 12001 N. Central Expy, Suite 1025, Dallas, TX 75243
> >
> > kim@learningmachine.com | kimhd@mit.edu
> > 425-652-0150 | LearningMachine.com

--
Kim Hamilton Duffy
Principal Engineer | Learning Machine + MIT Media Lab
Co-chair W3C Credentials Community Group
400 Main Street Building E19-732, Cambridge, MA 02139
12001 N. Central Expy, Suite 1025, Dallas, TX 75243
kim@learningmachine.com | kimhd@mit.edu
425-652-0150 | LearningMachine.com

Received on Saturday, 12 August 2017 00:19:57 UTC