Re: Close to final Credentials CG Mission — need to add phrase on “long-term” credentials

From: Kim Hamilton <kimdhamilton@gmail.com>
Date: Sat, 12 Aug 2017 19:06:11 +0000
Message-ID: <CAFmmOze42is0D-szHX-+RmcaAPxguhpiEJW=zr2=qGCP6T9DpA@mail.gmail.com>
To: David Chadwick <D.W.Chadwick@kent.ac.uk>, Kim Hamilton Duffy <kim@learningmachine.com>, public-credentials@w3.org
About:

  2. Whether to mention "proof of existence"

Our current draft mentions proof of existence in this context:

> and seek solutions inclusive of approaches such as: self-sovereign
> identity; presentation of proofs by the bearer; data minimization; proof of
> existence; and centralized, federated, and decentralized registry and
> identity systems.

Christopher's comment about this from yesterday is below. In my discussion
with him, he seemed inclined to remove the phrase "proof of existence" from
the above list. (He's on vacation now, so may not be able to respond
himself.)

> PoE is a tactic supporting a solution. The others listed here are
> solutions, but the tactics are not included.


On Sat, Aug 12, 2017 at 2:24 AM David Chadwick <D.W.Chadwick@kent.ac.uk>
wrote:

>
>
> On 12/08/2017 01:19, Kim Hamilton Duffy wrote:
> > Thanks so much David.
> >
> > All -- to summarize, we are down to 3 issues, which are described in the
> > final mission draft (on the last page)
> > 1. Whether to mention "bearer credentials"
>
> The current text "presentation of proofs by the bearer" does not imply
> bearer credentials to me, but rather "presentation of proofs by the
> holder who is not the subject of the credentials".
>
> So I think the current text is fine. With a bearer credential, no proof
> is needed, since the mere fact that the presenter has the credential is
> sufficient in and of itself (aka the possession of money).
>
> > 2. Whether to mention "proof of existence"
>
> Can you explain what you mean by this please. It is not clear to me.
>
> > 3. Whether to include reference to long-lived credentials
>
> Having text that says something like 'a credential can be short or long
> lived' is fine. But having text like 'verification of extremely long
> lived credentials e.g. 50 years old or more, is within scope of the CG'
> would not be fine in my opinion as this now strays into a whole new
> topic area.
>
> regards
>
> David
>
>
> >
> > #3 is the issue I raised, and I'm personally fine relaxing that, as long
> > as some reference to recipient-centric approaches is present. I could
> > imagine this being covered by "bearer credentials", but that has the
> > issue David mentioned.
> >
> > We'll schedule 10 minutes during the next call to wrap up these issues
> > and move forward with a mission statement.
> >
> > Thanks,
> > Kim
> >
> > On Fri, Aug 11, 2017 at 12:47 AM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
> >
> >     Hi Kim
> >
> >     On 11/08/2017 03:54, Kim Hamilton Duffy wrote:
> >     > Hi David,
> >     > The final proposed paragraph is on the very last page of the google doc.
> >
> >     thanks, I must have missed it last time
> >
> >     > I looked at your comment and I'm not sure where it would fit into the
> >     > current draft, which is significantly shortened. We're not listing types
> >     > of credentials/claims (as in the context where your comment appeared).
> >     > Please have a look and add your comment if you think the current draft
> >     > needs to call out group membership.
> >
> >     I agree that it is no longer needed.
> >
> >     >
> >     > Some questions:
> >     > 1. Bearer credentials: what are some positive disadvantages?
> >
> >     they can be stolen, copied and used by anyone who gets a copy of them.
> >
> >     > It's
> >     > possible we picked a bad phrase here. Our intent was to emphasize that
> >     > the approaches enable recipient consent/empowerment
> >
> >     the new phrase is much better.
> >
> >     > 2. About longevity: I agree it's extremely challenging. The goal here is
> >     > to emphasize that the approaches we are considering get us closer to
> >     > that goal (e.g. blockchain), but brushes over many details and caveats.
> >
> >     there is already a whole lot of research about the longevity of
> >     digitally signed documents that should remain valid long after the
> >     original crypto is broken or the issuer no longer exists. So I don't
> >     think we want to stray into that topic in the VC work.
> >
> >
> >     >
> >     > To expand on that, we wanted the mission statement to be brief, and
> >     > sometimes we erred on the side of being more aspirational than exact. We
> >     > could probably avoid this tradeoff with more iterations, but I think
> >     > many are wanting to wrap this up and switch to (at least) a better
> >     > mission statement than what we currently have.
> >     >
> >     > For that reason, I'd be fine dropping my request to work in "longevity"
> >     > because that could be also viewed as a factor in enabling
> >     > recipient-centric credentials (at least in some scenarios...I encounter
> >     > this in EDU very frequently).
> >
> >     I have added a comment that user control (aka user centric) is missing
> >     from the current mission statement and should be included
> >
> >     regards
> >
> >     David
> >
> >     >
> >     > Thanks,
> >     > Kim
> >     >
> >     > On Wed, Aug 9, 2017 at 3:06 AM David Chadwick <D.W.Chadwick@kent.ac.uk> wrote:
> >     >
> >     >     Hi Chris
> >     >
> >     >     It all depends upon what you call long lived. PKI certificates can last
> >     >     20 years or so, and these already exist on the web, so I would not say
> >     >     that it is particularly unique to VCs to have long lived credentials.
> >     >
> >     >     However, proving that a credential is still valid after the issuer no
> >     >     longer exists is clearly a challenge. Even more so, if the issuer went
> >     >     out of business suddenly and did not make any provisions for VC
> >     >     validation after its demise.
> >     >
> >     >     Finally on the topic of bearer credentials, I would not shout so loudly
> >     >     about them, as I think they have positive disadvantages and should not
> >     >     be championed in our work.
> >     >
> >     >     regards
> >     >
> >     >     David
> >     >
> >     >     On 08/08/2017 18:54, Christopher Allen wrote:
> >     >     > By the end of the call today we had a good discussion and an improved
> >     >     > proposal for mission statement:
> >     >     >
> >     >     > https://docs.google.com/document/d/1kxm6yGnGAVgNTLMYft_cz2zW3c1AE8uSCy4i5A6OhG8/edit?usp=sharing
> >     >     >
> >     >     >     “The mission of the Credentials Community Group is to explore the
> >     >     >     creation, storage, presentation, and verification of credentials. We
> >     >     >     focus on a verifiable credential (a set of claims) created by an
> >     >     >     issuer about a subject—a person, group, or thing—and seek solutions
> >     >     >     inclusive of approaches such as: self-sovereign identity;
> >     >     >     presentation of proofs by the bearer; data minimization; and
> >     >     >     centralized, federated, and decentralized registry and identity
> >     >     >     systems. Our tasks include drafting and incubating Internet
> >     >     >     specifications for further standardization and prototyping and
> >     >     >     testing reference implementations.”
> >     >     >
> >     >     >
> >     >     > The remaining issue was that I was hoping to incorporate a phrase about
> >     >     > another unique thing about our architecture — the ability to present
> >     >     > claims that are long-lived. For instance, I should be able to present a
> >     >     > valid claim that I was legally married 25 years ago, even if the issuer
> >     >     > has rotated or revoked their keys since. This is possible with proof of
> >     >     > existence and dated key rotation/revocation registries.  It should be
> >     >     > possible for me to prove that I graduated from college, even if colleges
> >     >     > have changed names, merged, etc., name systems and degree changes, for
> >     >     > as long as the claim was not fraudulent.
> >     >     >
> >     >     > That, and the bearer instrument side of our work, offers something
> >     >     > unique and compelling about our architecture, and also ties us into the
> >     >     > newer possibilities offered by blockchain systems.
> >     >     >
> >     >     > If you would like to discuss this, or other issues with the mission
> >     >     > statement, please reply to this email. If you have ideas on how to
> >     >     > specifically change that in the above mission statement, submit the change
> >     >     > as a suggestion to the google doc above.
> >     >     >
> >     >     > Thanks!
> >     >     >
> >     >     > — Christopher Allen
> >     >
> >     > --
> >     > Kim Hamilton Duffy
> >     > Principal Engineer | Learning Machine + MIT Media Lab
> >     > Co-chair W3C Credentials Community Group
> >     > 400 Main Street Building E19-732, Cambridge, MA 02139
> >     > 12001 N. Central Expy, Suite 1025, Dallas, TX 75243
> >     >
> >     > kim@learningmachine.com | kimhd@mit.edu
> >     > 425-652-0150 | LearningMachine.com
> >     >
> >
> > --
> > Kim Hamilton Duffy
> > Principal Engineer | Learning Machine + MIT Media Lab
> > Co-chair W3C Credentials Community Group
> > 400 Main Street Building E19-732, Cambridge, MA 02139
> > 12001 N. Central Expy, Suite 1025, Dallas, TX 75243
> >
> > kim@learningmachine.com | kimhd@mit.edu
> > 425-652-0150 | LearningMachine.com
> >
>
>
Received on Saturday, 12 August 2017 19:06:54 UTC
