- From: <msporny@digitalbazaar.com>
- Date: Tue, 14 Feb 2017 12:23:52 -0500
- To: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:
http://w3c.github.io/vctf/meetings/2017-02-14/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2017-02-14
Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2017Feb/0023.html
Topics:
1. Introduction to Abbas Ali from R3
2. Status of Verifiable Claims WG Creation
3. Sandbox for the implementers to work on
4. Action Item Review
5. Face to Face Meeting Opportunities
6. Portable Reputation Kit
Action Items:
1. Manu to create github repo for Verifiable Claims Playground.
2. Christopher Allen to introduce Portable Reputation Toolkit
use cases (first party vs. second party claims)
Organizer:
Manu Sporny
Scribe:
Dave Longley
Present:
Dave Longley, Matt Stone, Manu Sporny, Richard Varn, Jonathan
Holt, Christopher Allen, Abbas Ali, David Ezell, Nathan George,
John Tibbetts, Joe Andrieu, Adrian Gropper, Rob Trainer, David I.
Lehn, Adam Lake, Eric Korb, Matthew Larson
Audio:
http://w3c.github.io/vctf/meetings/2017-02-14/audio.ogg
Dave Longley is scribing.
Matt Stone: Our agenda for today:
https://lists.w3.org/Archives/Public/public-credentials/2017Feb/0023.html
Manu Sporny: +1 To Agenda...
Matt Stone: Any changes to the agenda?
Richard Varn: +1 On agenda
Jonathan Holt: +1, But quick review of 1-5
Christopher Allen: I'd like to talk about some questions related
to the portable reputation kit and being able to talk about
evidence or the source of your attribution in some fashion. The
main thing I want to figure out is if it's a future item, not
figure out how to do it.
Christopher Allen: It's fairly short so add as convenient.
Matt Stone: Let's throw it in around #3.
Christopher Allen: Great.
Matt Stone: Any other changes?
None
Manu Sporny: Yeah, we have at least one, maybe two new people
today.
Manu Sporny: Getting intros would be good.
Topic: Introduction to Abbas Ali from R3
Abbas Ali: I just joined, this is my first call. I work at a
company called R3, we're a distributed ledger tech company
focusing on financial services. Looking at KYC on our Corda
platform.
Abbas Ali: Based in NY, looking at using the work you've done
around Verifiable Claims for use in product and curious to learn
more.
Matt Stone: Great, welcome to the group.
Abbas Ali: Thanks.
Topic: Status of Verifiable Claims WG Creation
Matt Stone: Status of the VCWG?
Manu Sporny: It's still slow going, mostly because W3C staff are
trying to work through some of the formal objections, but ...
Dave Raggett is pretty much on the case. For those that don't
know him, he's been involved with W3C from the beginning,
author/lead editor of HTML4. Wrote a good response on the current
state of affairs that was very fair. Been emailing behind the
scenes to deal with the sticking points. As the weeks go on the
formal objections are being whittled away at. Still no idea when
the group will be created but it should be real soon now.
Matt Stone: Is addressing the formal objections ... is there a
process for the objectors to say "Ok" or does W3C just make a
decision and moves on?
Manu Sporny: W3CM just makes a decision and moves on, they
modify the charter to address the objections and there's nothing
in the process to allow new objections to be raised. They get
addressed in the charter and you move on. In general, there has
been far too much support for the group to not start it (my
personal view); most votes in support for any work at W3C.
Manu Sporny: We had a handful of large orgs dig their wheels in
and say "Don't start the work, full stop." Those types of
objections take more time to deal with, they didn't outline what
would make them happy.
Manu Sporny: We're good for the most part.
Nathan George: +1
Matt Stone: Phil had made a couple of edits to the charter some
weeks ago and called out privacy as an issue. Recognizing that
was the topic of some of the objections. I'm not sure who's seen
that, he edited the charter directly. He called out U-Prove as a
technology to look at. From the chairs, we were a little
uncomfortable with the language that was put in and we're working
to use some alternative content and positioning so we're not
going down the path of naming a tech like U-Prove.
Matt Stone: Richard Varn had put together a note we'll send out
in the next day or tomorrow on that topic with some the language
we like better that's in this area.
Christopher Allen: This is something I would definitely like to
take a look at in the sense that I agree and I think it's a
requirement that we are able to support selective disclosure
approached and future proof ourselves, but it's very very unclear
which ones are the appropriate ones to use. And even exactly how
what will be required of us to even have that flexibility. There
are a number of approaches where U-Prove is more of the more
interesting ones because it's been around a while but it also
says it's been around a while and it hasn't gotten momentum and
there have been improvements in this area since then.
Matt Stone: I think the way we're positioning the content in the
charter is that we don't want to pick a winner and U-Prove has
been around a while and hasn't won and we shouldn't call it out
in the charter.
Matt Stone: This will be a topic over the next year or so as we
build the spec.
Richard Varn: This is what we are considering saying: It will
further include privacy impact and mitigation in the design and
development of the use cases, requirements, and specifications.
Varn quotes from the charter.
Varn quotes from notes.
Manu Sporny: We want to be open and transparent but we need to
make sure we keep member-confidential discussions confidential so
we can't say more here.
Manu Sporny: +1 To getting back to just the mailing list.
Matt Stone: I'm adding another topic; our agenda today goes out
to a W3C mailing list and some individuals. I'd like to just get
back to that being just a list. If you're one of the ones that's
outside of the list, please join the group and the mailing list
and reach out to us off line if you don't so we know why you
haven't.
Topic: Sandbox for the implementers to work on
Matt Stone: In other projects like JSON-LD there is a sandbox
online where you can submit docs and validate them in real time.
We've had some discussions about that for VC and I know the
acclaim team has a VC example and we are looking for a way to
test it.
Matt Stone: Implementers want to make sure they are producing
the right stuff.
Matt Stone: I'd like to get some thinking about it and some
volunteers for putting something like that online.
Christopher Allen: I've commissioned and contracted with Noah
(and one other) -- and had them do some work with bitcoin
signatures and to begin work on a VC playground. They are doing
it as they can at this point. I've also been talking with Markus
Sabello who did one for XDI and that's some Java playground --
there's some work there and I welcome other participation and
hopefully multilanguage.
Manu Sporny: This is something that the group desperately needs.
The good news is that there has been some recent revamp to the
JSON-LD playground integrating bitcoin signatures with Harlan and
Noah and that's great. There's an initiative for further digital
signature work and there's a playground for them. Christopher and
Noah are working on Linked Data Signatures for the bitcoin curve
and Digital Bazaar is working on some stuff with Javascript and
python implementations and Gregg Kellogg is working on a Ruby
implementation potentially. And others have worked on various
playgrounds. We have all the ingredients coming together, someone
just has to sit down and do the work. It only took one person a
weekend or two to do the first cut of a playground, so not a lot
of work. It's something we really need to do, we at least have
the base libraries to have a VC playground with RSA and bitcoin
curve signatures. Just a matter of getting a team together and
working on code for a week.
Matt Stone: Should we make, in the github, VCTF repo, a
playground project or series of projects and collect the code
there?
Manu Sporny: Yes, and we could publish through github pages
that's the playground and it would let us manage and contribute
to it through github. We know how to do all that stuff and it's a
good way to do it. We can get Christopher, Noah, Harlan, etc.
everyone working on that, hosted on github. We should have a
separate repo and I can create that if folks are ok with that on
the call today. The other thing we want to do that Christopher
mentioned is having a repo for VC and we want the spec to support
education, financial, healthcare, etc. and collect examples of
claims so we can put those in and use them.
Manu Sporny: I don't know where those go (in the playground or a
separate place) that's another topic to discuss. If the group
wants this, we can move to put it together.
Matt Stone: +1
John Tibbetts: +1
Christopher Allen: +1
Matt Stone: +1 To make playground on github
Dave Longley: +1
Nathan George: +1 From me as well
Jonathan Holt: +1
ACTION: Manu to create github repo for Verifiable Claims
Playground.
Matt Stone: Christopher if you're looking for other volunteers,
I think we have some Ruby skills on the Acclaim team so we may be
able to contribute there. I'm not sure how to engage.
Christopher Allen: Maybe an implementers mailing list, just for
people who are focused on writing the code and sharing. One of my
main things is ... as I'm talking with various customers and such
and we need as many languages as we possibly can that serve
enterprise and Ruby is definitely one of them.
Matt Stone: I like the idea of an implementers mailing list.
Manu Sporny: This is the implementers discussion and mailing
list. W3C likes to have discussions and code grounded stuff, etc.
this is that group.
Matt Stone: So move away from philosophy and into implementation
soon.
Manu Sporny: Yes.
Matt Stone: Anything more on the playground?
Nothing
Topic: Action Item Review
Matt Stone: Running action items:
https://docs.google.com/spreadsheets/d/1XIRn3VltrK_Dxqz0VyDxPi265sW47EMSKVKUXmMkI70/edit#gid=0
Manu Sporny: I think everyone should be able to see the task
list (my personal opinion).
Manu Sporny: Anyone with the link can access and comment.
Joe Andrieu: I closed the one that was mine (1/31), I just want
to make sure I understood the use case. I wasn't clear if this
was meant to be an ongoing thing where I keep updating issues as
we keep going.
Joe Andrieu: https://github.com/opencreds/vc-use-cases/issues/38
Joe Andrieu: The language in the action is very open; I
understood the action to be able the specific notes for that
meeting.
Manu Sporny: I think you did the right thing but this is a good
example of an issue where it's unclear when it's closed. This is
a note to folks that raise issues, make sure the issue you raise
is actionable and we know when it needs to be closed.
Matt Stone: That's a good reminder, evidence of success and know
"when we're done".
Matt Stone: If we got this content in the use case document,
then we should close the issue in github as well and stop
tracking it there as well.
Joe Andrieu: I'd like to clarify; I took the action item to
about getting my notes from the meeting. I would not have closed
it if the issue was done.
Manu Sporny: +1 To closing issues quickly, we don't want issues
standing out there for a long time.
Matt Stone: If we get to the point where an issue in github can
be closed, I'd like to. We have a long list of issues already
running, some have quite a lot of activity on them and others
don't.
Matt Stone: Let's drive towrads getting issues closed.
Manu Sporny: (As long as the issue has been resolved, of course)
Joe Andrieu: I think this action item is closed, I don't think
the issue is closed.
Joe Andrieu: The issue
https://github.com/opencreds/vc-use-cases/issues/38 still
deserves some work
Matt Stone: Ok.
Matt Stone: That's fine, as we see activity on the issue ... in
our chair meetings we'll add new action items and discussion
topics. That's ok to me.
Joe Andrieu: Ok, great.
Joe Andrieu: There was an action I took last week that I haven't
made much progress yet but I just added to the list.
Matt Stone: I'd like to move on through the rest of the agenda,
I don't think we'll get through everything today.
Topic: Face to Face Meeting Opportunities
Matt Stone: I sent a note out last week for F2F activities.
Matt Stone:
https://docs.google.com/spreadsheets/d/19Ndqc5pLsTu2ZmP4Wy7OlMOmskQFHPh28sMjW3ugsww/edit#gid=0
Matt Stone: We don't have a F2F scheduled; we're on hold until
the WG is created before we can book that. We'll go to this list
when the WG is created to see if there's a convenient event we
can coordinate with. If you have any others that you can add,
that would be great.
Christopher Allen: RWoT on April 19th will be discussing VC
implementations. It is a work item at that group. It's not a
recommendation as far as an official F2F, but if you're
interested in VC and want to meet other implementers it's an
important part of the gruop.
Matt Stone: Anyone else planning on going to Paris for that?
Manu Sporny: DB is going.
Adrian Gropper: I'm going
Joe Andrieu: I'll also be there
Jonathan Holt: I'm trying to.
Matt Stone: We'll look for an update on that, sounds like a
great opportunity.
Topic: Portable Reputation Kit
Christopher Allen: There are two different things that have
emerged that may be related or not. The first has to do with ...
it feels that there's two classes of broad classes of assertions.
I've run into this multiple times now. The first class of
assertion has to do with somebody who has total authority over
something. The simple example is twitter as an org has total
authority over the fact that I hold `@ChristopherA`, it's theirs.
That's different from say, keybase, who says that Christopher has
possession of `@ChristopherA`, but we're not the party that has
ultimate control of that.
Christopher Allen: This has come up in other cases, there's a
company in Paris that will be at RwoT that basically has the
right to be able to create VC based on some French databases.
They themselves are not the controllers of the data, they are
just allowed to say "Yes, this person is associated with this
data and we've validated it second hand."
Nathan George: So perhaps the idea of an authority vs a notary?
Christopher Allen: That's one area. The reason I bring up the
Portable Reputation Kit is that they ran into something similar.
They want these reputation statements and such where various
parties could evaluate the evidence in different ways. Someone is
making a claim then someone is making an eval of that claim. They
separated the assertion from the eval and had the ability to link
the evidence. "Here's the proof outside my assertion and where to
go for that."
Christopher Allen: I didn't want to solve that problem in that
short time. Is this out of scope, is it something I've missed
somewhere in the spec or what?
Manu Sporny: Two things, first is to point out how this has
parallels with the education use cases. Like, you have orgs that
could verify a transcript aren't the ones that issued it. Orgs
can verify they checked a driver's license, but they didn't issue
it. It's a very important use case and class of use cases that
spans a variety of industries.
Manu Sporny: The second point is that the way the current spec
tries to address this is that the signer asserting something,
based on out of band knowledge you can know if they are the data
provider or just a verifier of it. THat's a bad way of doing it
and we should be semantically clear about what is being said.
From DB's perspective this is very much in scope and if we can
have a cross industry way of doing it it would be fantastic.
Jonathan Holt: The challenge is that the self-assert, and you
say who is allowed to revoke it, you're setting yourself up for
trouble. Within the claim you can validate and say "here's a list
of public keys that could revoke this" ... I understand the
dilemma, that's just more of a comment than a question.
Adrian Gropper: This is a very important thing to deal with. In
the healthcare use case we have the medical society as a well
known place to verify a credential. The issue here is that the
medical society isn't issuing the license. The medical society
doesn't want to assume the liability necessarily because there's
a licensed professional involved, the doctor/prescriber that
carries all the liability. That's exactly the issue we're talking
about here very clearly laid out and I also agree the revocation
responsbility has to be factored in. We have this separation
where is there a well known place that's the equivalent of a CA
in the old world and how do they transfer and not take the
responsibility away from the user, in this case the prescriber.
Christopher Allen: Any one have thoughts on the evidence and
evaluation side of it?
Matt Stone: Before we jump into that I had a quick question.
Matt Stone: Sounds like we have several use cases that imply or
explicitly have this need. In terms of our terminology with
issuer/holder/repo/service provider, how does the responsibility
fall? Are we talking about a service provider that is working as
an agent of the issuer? That is verifying these credentials on
behalf of the issuer? How does this fit into our architecture
more generically speaking?
Christopher Allen: I've been pondering this for a while, twitter
is an easy case to understand. Other examples in OAuth. A party
being able to verify that a particular value is ... somebody had
possession of something at the time of oauth/or editing at
twitter/ at the time of editing a DNS record. Later they can
revoke it later if they noticed it has changed. Twitter who is
the ultimate authority. There is going to be a lot of stuff in
the transition, there will be people like twitter, small
companies, governments, there will be people that [missed].
Christopher Allen: I don't know what the right word is ...
"first party and second party" claims is the best I've come up
with so far.
Jonathan Holt: In Medicine. I can make a self claim that I am
licensed in TN and Board Certified by the American Board of
Internal Medicine. The TTP, the American Board of Medical
Specialties aggregates the certs of daughter boards, but they
themselves won't ever revoke a cert, they only point to the
source of truth. So the issue is how does the State of TN sign
my VC and add the ability to attest that they work with certain
TTP the ability to revoke. My point[CUT]
Jonathan Holt: Revocation list needs to be in the signature.
Christopher Allen: Revoking is a different thing. It's not
necessarily twitter's public key in the second party ... you're
checking to see if the second party has run into any kinds of
things.
Matt Stone: Maybe we should take an action item... something
that's an explicit use case or a set of requirements that refer
to the use cases we've already identified. That requirements doc
has been going pretty quickly. Can we get someone to take a
requirements+use cases with this idea in mind and suggest a use
case or a requirement that would address it?
Jonathan Holt: We have an issue about revocation.
Nathan George: The trouble with having primary vs secondary
authorities is that it needs some type of centralized registry or
inventory of which entities have such authority which creates an
interesting set of governance issues.
Christopher Allen: But it's not just about revocation.
Christopher Allen: Not specific to revocation, it impacts it. It
may apply to all use cases.
ACTION: Christopher Allen to introduce Portable Reputation
Toolkit use cases (first party vs. second party claims)
Matt Stone: It sounds like it's a blend of endorsement and
delegation.
Christopher Allen: Maybe, you could say there's a third
category. I directly absolutely control this data and this
authority and then there's somebody I've given agency to do so
and then there's just somebody that's validated it.
Jonathan Holt: I'd be happy to contribute to the medical cred
claims.
Matt Stone: Ok, I think we're out of time.
Received on Tuesday, 14 February 2017 17:24:21 UTC