Verifiable Claims Telecon Minutes for 2017-02-14

Thanks to Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2017-02-14/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2017-02-14

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2017Feb/0023.html
Topics:
  1. Introduction to Abbas Ali from R3
  2. Status of Verifiable Claims WG Creation
  3. Sandbox for the implementers to work on
  4. Action Item Review
  5. Face to Face Meeting Opportunities
  6. Portable Reputation Kit
Action Items:
  1. Manu to create github repo for Verifiable Claims Playground.
  2. Christopher Allen to introduce Portable Reputation Toolkit 
    use cases (first party vs. second party claims)
Organizer:
  Manu Sporny
Scribe:
  Dave Longley
Present:
  Dave Longley, Matt Stone, Manu Sporny, Richard Varn, Jonathan 
  Holt, Christopher Allen, Abbas Ali, David Ezell, Nathan George, 
  John Tibbetts, Joe Andrieu, Adrian Gropper, Rob Trainer, David I. 
  Lehn, Adam Lake, Eric Korb, Matthew Larson
Audio:
  http://w3c.github.io/vctf/meetings/2017-02-14/audio.ogg

Dave Longley is scribing.
Matt Stone: Our agenda for today: 
  https://lists.w3.org/Archives/Public/public-credentials/2017Feb/0023.html
Manu Sporny: +1 To Agenda...
Matt Stone:  Any changes to the agenda?
Richard Varn: +1 On agenda
Jonathan Holt: +1, But quick review of 1-5
Christopher Allen:  I'd like to talk about some questions related 
  to the portable reputation kit and being able to talk about 
  evidence or the source of your attribution in some fashion. The 
  main thing I want to figure out is if it's a future item, not 
  figure out how to do it.
Christopher Allen:  It's fairly short so add as convenient.
Matt Stone:  Let's throw it in around #3.
Christopher Allen:  Great.
Matt Stone:  Any other changes?
None
Manu Sporny:  Yeah, we have at least one, maybe two new people 
  today.
Manu Sporny:  Getting intros would be good.

Topic: Introduction to Abbas Ali from R3

Abbas Ali:  I just joined, this is my first call. I work at a 
  company called R3, we're a distributed ledger tech company 
  focusing on financial services. Looking at KYC on our Corda 
  platform.
Abbas Ali:  Based in NY, looking at using the work you've done 
  around Verifiable Claims for use in product and curious to learn 
  more.
Matt Stone:  Great, welcome to the group.
Abbas Ali:  Thanks.

Topic: Status of Verifiable Claims WG Creation

Matt Stone:  Status of the VCWG?
Manu Sporny:  It's still slow going, mostly because W3C staff are 
  trying to work through some of the formal objections, but ... 
  Dave Raggett is pretty much on the case. For those that don't 
  know him, he's been involved with W3C from the beginning, 
  author/lead editor of HTML4. Wrote a good response on the current 
  state of affairs that was very fair. Been emailing behind the 
  scenes to deal with the sticking points. As the weeks go on the 
  formal objections are being whittled away at. Still no idea when 
  the group will be created but it should be real soon now.
Matt Stone:  Is addressing the formal objections ... is there a 
  process for the objectors to say "Ok" or does W3C just make a 
  decision and move on?
Manu Sporny:  W3CM just makes a decision and moves on, they 
  modify the charter to address the objections and there's nothing 
  in the process to allow new objections to be raised. They get 
  addressed in the charter and you move on. In general, there has 
  been far too much support for the group to not start it (my 
  personal view); most votes in support for any work at W3C.
Manu Sporny:  We had a handful of large orgs dig their wheels in 
  and say "Don't start the work, full stop." Those types of 
  objections take more time to deal with, they didn't outline what 
  would make them happy.
Manu Sporny:  We're good for the most part.
Nathan George: +1
Matt Stone:  Phil had made a couple of edits to the charter some 
  weeks ago and called out privacy as an issue. Recognizing that 
  was the topic of some of the objections. I'm not sure who's seen 
  that, he edited the charter directly. He called out U-Prove as a 
  technology to look at. From the chairs, we were a little 
  uncomfortable with the language that was put in and we're working 
  to use some alternative content and positioning so we're not 
  going down the path of naming a tech like U-Prove.
Matt Stone:  Richard Varn had put together a note we'll send out 
  in the next day or tomorrow on that topic with some of the language 
  we like better that's in this area.
Christopher Allen:  This is something I would definitely like to 
  take a look at in the sense that I agree and I think it's a 
  requirement that we are able to support selective disclosure 
  approaches and future proof ourselves, but it's very very unclear 
  which ones are the appropriate ones to use. And even exactly how 
  what will be required of us to even have that flexibility. There 
  are a number of approaches where U-Prove is one of the more 
  interesting ones because it's been around a while but it also 
  says it's been around a while and it hasn't gotten momentum and 
  there have been improvements in this area since then.
Matt Stone:  I think the way we're positioning the content in the 
  charter is that we don't want to pick a winner and U-Prove has 
  been around a while and hasn't won and we shouldn't call it out 
  in the charter.
Matt Stone:  This will be a topic over the next year or so as we 
  build the spec.
Richard Varn: This is what we are considering saying:  It will 
  further include privacy impact and mitigation in the design and 
  development of the use cases, requirements, and specifications.
Varn quotes from the charter.
Varn quotes from notes.
Manu Sporny:  We want to be open and transparent but we need to 
  make sure we keep member-confidential discussions confidential so 
  we can't say more here.
Manu Sporny: +1 To getting back to just the mailing list.
Matt Stone:  I'm adding another topic; our agenda today goes out 
  to a W3C mailing list and some individuals. I'd like to just get 
  back to that being just a list. If you're one of the ones that's 
  outside of the list, please join the group and the mailing list 
  and reach out to us off line if you don't so we know why you 
  haven't.

Topic: Sandbox for the implementers to work on

Matt Stone:  In other projects like JSON-LD there is a sandbox 
  online where you can submit docs and validate them in real time. 
  We've had some discussions about that for VC and I know the 
  acclaim team has a VC example and we are looking for a way to 
  test it.
Matt Stone:  Implementers want to make sure they are producing 
  the right stuff.
Matt Stone:  I'd like to get some thinking about it and some 
  volunteers for putting something like that online.
Christopher Allen:  I've commissioned and contracted with Noah 
  (and one other) -- and had them do some work with bitcoin 
  signatures and to begin work on a VC playground. They are doing 
  it as they can at this point. I've also been talking with Markus 
  Sabello who did one for XDI and that's some Java playground -- 
  there's some work there and I welcome other participation and 
  hopefully multilanguage.
Manu Sporny:  This is something that the group desperately needs. 
  The good news is that there has been some recent revamp to the 
  JSON-LD playground integrating bitcoin signatures with Harlan and 
  Noah and that's great. There's an initiative for further digital 
  signature work and there's a playground for them. Christopher and 
  Noah are working on Linked Data Signatures for the bitcoin curve 
  and Digital Bazaar is working on some stuff with JavaScript and 
  Python implementations and Gregg Kellogg is working on a Ruby 
  implementation potentially. And others have worked on various 
  playgrounds. We have all the ingredients coming together, someone 
  just has to sit down and do the work. It only took one person a 
  weekend or two to do the first cut of a playground, so not a lot 
  of work. It's something we really need to do, we at least have 
  the base libraries to have a VC playground with RSA and bitcoin 
  curve signatures. Just a matter of getting a team together and 
  working on code for a week.
Matt Stone:  Should we make, in the github, VCTF repo, a 
  playground project or series of projects and collect the code 
  there?
Manu Sporny:  Yes, and we could publish through github pages 
  that's the playground and it would let us manage and contribute 
  to it through github. We know how to do all that stuff and it's a 
  good way to do it. We can get Christopher, Noah, Harlan, etc. 
  everyone working on that, hosted on github. We should have a 
  separate repo and I can create that if folks are ok with that on 
  the call today. The other thing we want to do that Christopher 
  mentioned is having a repo for VC and we want the spec to support 
  education, financial, healthcare, etc. and collect examples of 
  claims so we can put those in and use them.
Manu Sporny:  I don't know where those go (in the playground or a 
  separate place) that's another topic to discuss. If the group 
  wants this, we can move to put it together.
Matt Stone: +1
John Tibbetts: +1
Christopher Allen: +1
Matt Stone: +1 To make playground on github
Dave Longley: +1
Nathan George: +1 From me as well
Jonathan Holt: +1

ACTION: Manu to create github repo for Verifiable Claims 
  Playground.

Matt Stone:  Christopher if you're looking for other volunteers, 
  I think we have some Ruby skills on the Acclaim team so we may be 
  able to contribute there. I'm not sure how to engage.
Christopher Allen:  Maybe an implementers mailing list, just for 
  people who are focused on writing the code and sharing. One of my 
  main things is ... as I'm talking with various customers and such 
  and we need as many languages as we possibly can that serve 
  enterprise and Ruby is definitely one of them.
Matt Stone:  I like the idea of an implementers mailing list.
Manu Sporny:  This is the implementers discussion and mailing 
  list. W3C likes to have discussions and code grounded stuff, etc. 
  this is that group.
Matt Stone:  So move away from philosophy and into implementation 
  soon.
Manu Sporny:  Yes.
Matt Stone:  Anything more on the playground?
Nothing

Topic: Action Item Review

Matt Stone: Running action items: 
  https://docs.google.com/spreadsheets/d/1XIRn3VltrK_Dxqz0VyDxPi265sW47EMSKVKUXmMkI70/edit#gid=0
Manu Sporny:  I think everyone should be able to see the task 
  list (my personal opinion).
Manu Sporny:  Anyone with the link can access and comment.
Joe Andrieu:  I closed the one that was mine (1/31), I just want 
  to make sure I understood the use case. I wasn't clear if this 
  was meant to be an ongoing thing where I keep updating issues as 
  we keep going.
Joe Andrieu:  https://github.com/opencreds/vc-use-cases/issues/38
Joe Andrieu:  The language in the action is very open; I 
  understood the action to be about the specific notes for that 
  meeting.
Manu Sporny:  I think you did the right thing but this is a good 
  example of an issue where it's unclear when it's closed. This is 
  a note to folks that raise issues, make sure the issue you raise 
  is actionable and we know when it needs to be closed.
Matt Stone:  That's a good reminder, evidence of success and know 
  "when we're done".
Matt Stone:  If we got this content in the use case document, 
  then we should close the issue in github as well and stop 
  tracking it there as well.
Joe Andrieu:  I'd like to clarify; I took the action item to be 
  about getting my notes from the meeting. I would not have closed 
  it if the issue was done.
Manu Sporny: +1 To closing issues quickly, we don't want issues 
  standing out there for a long time.
Matt Stone:  If we get to the point where an issue in github can 
  be closed, I'd like to. We have a long list of issues already 
  running, some have quite a lot of activity on them and others 
  don't.
Matt Stone:  Let's drive towards getting issues closed.
Manu Sporny: (As long as the issue has been resolved, of course)
Joe Andrieu:  I think this action item is closed, I don't think 
  the issue is closed.
Joe Andrieu: The issue 
  https://github.com/opencreds/vc-use-cases/issues/38 still 
  deserves some work
Matt Stone:  Ok.
Matt Stone:  That's fine, as we see activity on the issue ... in 
  our chair meetings we'll add new action items and discussion 
  topics. That's ok to me.
Joe Andrieu:  Ok, great.
Joe Andrieu:  There was an action I took last week that I haven't 
  made much progress yet but I just added to the list.
Matt Stone:  I'd like to move on through the rest of the agenda, 
  I don't think we'll get through everything today.

Topic: Face to Face Meeting Opportunities

Matt Stone:  I sent a note out last week for F2F activities.
Matt Stone: 
  https://docs.google.com/spreadsheets/d/19Ndqc5pLsTu2ZmP4Wy7OlMOmskQFHPh28sMjW3ugsww/edit#gid=0
Matt Stone:  We don't have a F2F scheduled; we're on hold until 
  the WG is created before we can book that. We'll go to this list 
  when the WG is created to see if there's a convenient event we 
  can coordinate with. If you have any others that you can add, 
  that would be great.
Christopher Allen:  RWoT on April 19th will be discussing VC 
  implementations. It is a work item at that group. It's not a 
  recommendation as far as an official F2F, but if you're 
  interested in VC and want to meet other implementers it's an 
  important part of the group.
Matt Stone:  Anyone else planning on going to Paris for that?
Manu Sporny:  DB is going.
Adrian Gropper: I'm going
Joe Andrieu:  I'll also be there
Jonathan Holt:  I'm trying to.
Matt Stone:  We'll look for an update on that, sounds like a 
  great opportunity.

Topic: Portable Reputation Kit

Christopher Allen:  There are two different things that have 
  emerged that may be related or not. The first has to do with ... 
  it feels that there's two classes of broad classes of assertions. 
  I've run into this multiple times now. The first class of 
  assertion has to do with somebody who has total authority over 
  something. The simple example is twitter as an org has total 
  authority over the fact that I hold `@ChristopherA`, it's theirs. 
  That's different from say, keybase, who says that Christopher has 
  possession of `@ChristopherA`, but we're not the party that has 
  ultimate control of that.
Christopher Allen:  This has come up in other cases, there's a 
  company in Paris that will be at RWoT that basically has the 
  right to be able to create VC based on some French databases. 
  They themselves are not the controllers of the data, they are 
  just allowed to say "Yes, this person is associated with this 
  data and we've validated it second hand."
Nathan George: So perhaps the idea of an authority vs a notary?
Christopher Allen:  That's one area. The reason I bring up the 
  Portable Reputation Kit is that they ran into something similar. 
  They want these reputation statements and such where various 
  parties could evaluate the evidence in different ways. Someone is 
  making a claim then someone is making an eval of that claim. They 
  separated the assertion from the eval and had the ability to link 
  the evidence. "Here's the proof outside my assertion and where to 
  go for that."
Christopher Allen:  I didn't want to solve that problem in that 
  short time. Is this out of scope, is it something I've missed 
  somewhere in the spec or what?
Manu Sporny:  Two things, first is to point out how this has 
  parallels with the education use cases. Like, you have orgs that 
  could verify a transcript aren't the ones that issued it. Orgs 
  can verify they checked a driver's license, but they didn't issue 
  it. It's a very important use case and class of use cases that 
  spans a variety of industries.
Manu Sporny:  The second point is that the way the current spec 
  tries to address this is that the signer asserting something, 
  based on out of band knowledge you can know if they are the data 
  provider or just a verifier of it. That's a bad way of doing it 
  and we should be semantically clear about what is being said. 
  From DB's perspective this is very much in scope and if we can 
  have a cross industry way of doing it it would be fantastic.
Jonathan Holt:  The challenge is that the self-assert, and you 
  say who is allowed to revoke it, you're setting yourself up for 
  trouble. Within the claim you can validate and say "here's a list 
  of public keys that could revoke this" ... I understand the 
  dilemma, that's just more of a comment than a question.
Adrian Gropper:  This is a very important thing to deal with. In 
  the healthcare use case we have the medical society as a well 
  known place to verify a credential. The issue here is that the 
  medical society isn't issuing the license. The medical society 
  doesn't want to assume the liability necessarily because there's 
  a licensed professional involved, the doctor/prescriber that 
  carries all the liability. That's exactly the issue we're talking 
  about here very clearly laid out and I also agree the revocation 
  responsibility has to be factored in. We have this separation 
  where is there a well known place that's the equivalent of a CA 
  in the old world and how do they transfer and not take the 
  responsibility away from the user, in this case the prescriber.
Christopher Allen:  Anyone have thoughts on the evidence and 
  evaluation side of it?
Matt Stone:  Before we jump into that I had a quick question.
Matt Stone:  Sounds like we have several use cases that imply or 
  explicitly have this need. In terms of our terminology with 
  issuer/holder/repo/service provider, how does the responsibility 
  fall? Are we talking about a service provider that is working as 
  an agent of the issuer? That is verifying these credentials on 
  behalf of the issuer? How does this fit into our architecture 
  more generically speaking?
Christopher Allen:  I've been pondering this for a while, twitter 
  is an easy case to understand. Other examples in OAuth. A party 
  being able to verify that a particular value is ... somebody had 
  possession of something at the time of oauth/or editing at 
  twitter/ at the time of editing a DNS record. Later they can 
  revoke it later if they noticed it has changed. Twitter who is 
  the ultimate authority. There is going to be a lot of stuff in 
  the transition, there will be people like twitter, small 
  companies, governments, there will be people that [missed].
Christopher Allen:  I don't know what the right word is ... 
  "first party and second party" claims is the best I've come up 
  with so far.
Jonathan Holt: In Medicine.  I can make a self claim that I am 
  licensed in TN and Board Certified by the American Board of 
  Internal Medicine. The TTP, the American Board of Medical 
  Specialties aggregates the certs of daughter boards, but they 
  themselves won't ever revoke a cert, they only point to the 
  source of truth.  So the issue is how does the State of TN sign 
  my VC and add the ability to attest that they work with certain 
  TTP the ability to revoke. My point[CUT]
Jonathan Holt: Revocation list needs to be in the signature.
Christopher Allen:  Revoking is a different thing. It's not 
  necessarily twitter's public key in the second party ... you're 
  checking to see if the second party has run into any kinds of 
  things.
Matt Stone:  Maybe we should take an action item... something 
  that's an explicit use case or a set of requirements that refer 
  to the use cases we've already identified. That requirements doc 
  has been going pretty quickly. Can we get someone to take a 
  requirements+use cases with this idea in mind and suggest a use 
  case or a requirement that would address it?
Jonathan Holt:  We have an issue about revocation.
Nathan George: The trouble with having primary vs secondary 
  authorities is that it needs some type of centralized registry or 
  inventory of which entities have such authority which creates an 
  interesting set of governance issues.
Christopher Allen:  But it's not just about revocation.
Christopher Allen:  Not specific to revocation, it impacts it. It 
  may apply to all use cases.

ACTION: Christopher Allen to introduce Portable Reputation 
  Toolkit use cases (first party vs. second party claims)

Matt Stone:  It sounds like it's a blend of endorsement and 
  delegation.
Christopher Allen:  Maybe, you could say there's a third 
  category. I directly absolutely control this data and this 
  authority and then there's somebody I've given agency to do so 
  and then there's just somebody that's validated it.
Jonathan Holt: I'd be happy to contribute to the medical cred 
  claims.
Matt Stone:  Ok, I think we're out of time.

Received on Tuesday, 14 February 2017 17:24:21 UTC