
Re: Close to final Credentials CG Mission — need to add phrase on “long-term” credentials

From: David Chadwick <D.W.Chadwick@kent.ac.uk>
Date: Sat, 12 Aug 2017 10:22:37 +0100
To: Kim Hamilton Duffy <kim@learningmachine.com>, public-credentials@w3.org
Message-ID: <56a22c27-a5e6-465f-8475-5099f0458e51@kent.ac.uk>


On 12/08/2017 01:19, Kim Hamilton Duffy wrote:
> Thanks so much David.
> 
> All -- to summarize, we are down to 3 issues, which are described in the
> final mission draft (on the last page)
> 1. Whether to mention "bearer credentials"

The current text "presentation of proofs by the bearer" does not imply
bearer credentials to me, but rather "presentation of proofs by the
holder who is not the subject of the credentials".

So I think the current text is fine. With a bearer credential, no proof
is needed, since the mere fact that the presenter has the credential is
sufficient in and of itself (aka the possession of money).

> 2. Whether to mention "proof of existence"

Can you explain what you mean by this, please? It is not clear to me.

> 3. Whether to include reference to long-lived credentials

Having text that says something like 'a credential can be short or long
lived' is fine. But having text like 'verification of extremely long
lived credentials e.g. 50 years old or more, is within scope of the CG'
would not be fine in my opinion as this now strays into a whole new
topic area.

regards

David


> 
> #3 is the issue I raised, and I'm personally fine relaxing that, as long
> as some reference to recipient-centric approaches is present. I could
> imagine this being covered by "bearer credentials", but that has the
> issue David mentioned. 
> 
> We'll schedule 10 minutes during the next call to wrap up these issues
> and move forward with a mission statement. 
> 
> Thanks,
> Kim
> 
> On Fri, Aug 11, 2017 at 12:47 AM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
> 
>     Hi Kim
> 
>     On 11/08/2017 03:54, Kim Hamilton Duffy wrote:
>     > Hi David,
>     > The final proposed paragraph is on the very last page of the
>     > google doc.
> 
>     thanks, I must have missed it last time
> 
>     > I looked at your comment and I'm not sure where it would fit into the
>     > current draft, which is significantly shortened. We're not listing types
>     > of credentials/claims (as in the context where your comment appeared).
>     > Please have a look and add your comment if you think the current draft
>     > needs to call out group membership.
> 
>     I agree that it is no longer needed.
> 
>     >
>     > Some questions:
>     > 1. Bearer credentials: what are some positive disadvantages?
> 
>     they can be stolen, copied and used by anyone who gets a copy of them.
> 
>     > It's
>     > possible we picked a bad phrase here. Our intent was to emphasize that
>     > the approaches enable recipient consent/empowerment
> 
>     the new phrase is much better.
> 
>     > 2. About longevity: I agree it's extremely challenging. The goal here is
>     > to emphasize that the approaches we are considering get us closer to
>     > that goal (e.g. blockchain), but brushes over many details and caveats.
> 
>     there is already a whole lot of research about the longevity of
>     digitally signed documents that should remain valid long after the
>     original crypto is broken or the issuer no longer exists. So I don't
>     think we want to stray into that topic in the VC work.
> 
> 
>     >
>     > To expand on that, we wanted the mission statement to be brief, and
>     > sometimes we erred on the side of being more aspirational than exact. We
>     > could probably avoid this tradeoff with more iterations, but I think
>     > many are wanting to wrap this up and switch to (at least) a better
>     > mission statement than what we currently have.
>     >
>     > For that reason, I'd be fine dropping my request to work in "longevity"
>     > because that could be also viewed as a factor in enabling
>     > recipient-centric credentials (at least in some scenarios...I encounter
>     > this in EDU very frequently).
> 
>     I have added a comment that user control (aka user centric) is missing
>     from the current mission statement and should be included
> 
>     regards
> 
>     David
> 
>     >
>     > Thanks,
>     > Kim
>     >
>     > On Wed, Aug 9, 2017 at 3:06 AM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
>     >
>     >     Hi Chris
>     >
>     >     It all depends upon what you call long lived. PKI certificates can last
>     >     20 years or so, and these already exist on the web, so I would not say
>     >     that it is particularly unique to VCs to have long lived credentials.
>     >
>     >     However, proving that a credential is still valid after the issuer no
>     >     longer exists is clearly a challenge. Even more so, if the issuer went
>     >     out of business suddenly and did not make any provisions for VC
>     >     validation after its demise.
>     >
>     >     Finally on the topic of bearer credentials, I would not shout so loudly
>     >     about them, as I think they have positive disadvantages and should not
>     >     be championed in our work.
>     >
>     >     regards
>     >
>     >     David
>     >
>     >     On 08/08/2017 18:54, Christopher Allen wrote:
>     >     > By the end of the call today we had a good discussion and an improved
>     >     > proposal for mission statement:
>     >     >
>     >     > https://docs.google.com/document/d/1kxm6yGnGAVgNTLMYft_cz2zW3c1AE8uSCy4i5A6OhG8/edit?usp=sharing
>     >     >
>     >     >     “The mission of the Credentials Community Group is to explore the
>     >     >     creation, storage, presentation, and verification of credentials. We
>     >     >     focus on a verifiable credential (a set of claims) created by an
>     >     >     issuer about a subject—a person, group, or thing—and seek solutions
>     >     >     inclusive of approaches such as: self-sovereign identity;
>     >     >     presentation of proofs by the bearer; data minimization; and
>     >     >     centralized, federated, and decentralized registry and identity
>     >     >     systems. Our tasks include drafting and incubating Internet
>     >     >     specifications for further standardization and prototyping and
>     >     >     testing reference implementations.”
>     >     >
>     >     >
>     >     > The remaining issue was that I was hoping to incorporate a phrase about
>     >     > another unique thing about our architecture — the ability to present
>     >     > claims that are long-lived. For instance, I should be able to present a
>     >     > valid claim that I was legally married 25 years ago, even if the issuer
>     >     > has rotated or revoked their keys since. This is possible with proof of
>     >     > existence and dated key rotation/revocation registries.  It should be
>     >     > possible for me to prove that I graduated from college, even if colleges
>     >     > have changed names, merged, etc., name systems and degree changes, for
>     >     > as long as the claim was not fraudulent.
>     >     >
>     >     > That, and the bearer instrument side of our work, offers something
>     >     > unique and compelling about our architecture, and also ties us into the
>     >     > newer possibilities offered by blockchain systems.
>     >     >
>     >     > If you would like to discuss this, or other issues with the mission
>     >     > statement, please reply to this email. If you have ideas on how to
>     >     > specifically change that in the above mission statement, submit the change
>     >     > as a suggestion to the google doc above.
>     >     >
>     >     > Thanks!
>     >     >
>     >     > — Christopher Allen
>     >
>     > --
>     > Kim Hamilton Duffy
>     > Principal Engineer | Learning Machine + MIT Media Lab
>     > Co-chair W3C Credentials Community Group
>     > 400 Main Street Building E19-732, Cambridge, MA 02139
>     > 12001 N. Central Expy, Suite 1025, Dallas, TX 75243
>     >
>     > kim@learningmachine.com | kimhd@mit.edu
>     > 425-652-0150 | LearningMachine.com
>     >
> 
> -- 
> Kim Hamilton Duffy
> Principal Engineer | Learning Machine + MIT Media Lab
> Co-chair W3C Credentials Community Group
> 400 Main Street Building E19-732, Cambridge, MA 02139
> 12001 N. Central Expy, Suite 1025, Dallas, TX 75243
> 
> kim@learningmachine.com | kimhd@mit.edu
> 425-652-0150 | LearningMachine.com
> 
Received on Saturday, 12 August 2017 09:23:20 UTC
