Verifiable Claims Telecon Minutes for 2017-02-21

Thanks to Manu Sporny for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2017-02-21/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2017-02-21

Agenda:
  https://lists.w3.org/Archives/Public/public-credentials/2017Feb/0028.html
Topics:
  1. Introduction to Sean Bohan
  2. Status of WG Creation
  3. Action Item Review
  4. Face to Face Meetings
  5. Requirements
  6. Correlatability of Usage Patterns
  7. Primary or Secondary Subject
Organizer:
  Richard Varn
Scribe:
  Manu Sporny
Present:
  Richard Varn, Manu Sporny, Sean Bohan, Jonathan Holt, Eric Korb, 
  Christopher Allen, Joe Andrieu, Shane McCarron, David Ezell, Joe 
  Kaplan, Gregg Kellogg, Adam Lake, David I. Lehn, Rob Trainer, 
  Nathan George, Adam Migus, Matthew Larson
Audio:
  http://w3c.github.io/vctf/meetings/2017-02-21/audio.ogg

Manu Sporny is scribing.
Richard Varn:  Any updates/changes to agenda?
Richard Varn:  We have discussions related to correlatability 
  today.

Topic: Introduction to Sean Bohan

Sean Bohan:  Recently joined Evernym, Nathan and I have been 
  talking about VCTF. Thanks for having me.
Richard Varn:  Anyone else that's new?
Silence, no other changes to Agenda.

Topic: Status of WG Creation

Manu Sporny:  No updates from W3C, but there will be some 
  discussions about Verifiable Claims at WWW2017, in Perth, 
  Australia.
Richard Varn:  We're not going to be sending anyone since this 
  isn't an "official W3C WG" yet.

Topic: Action Item Review

Jonathan Holt: I did want to finish the discussion from last week 
  regarding subject of the verifiable claim.
Action Items here: 
  https://docs.google.com/spreadsheets/d/1XIRn3VltrK_Dxqz0VyDxPi265sW47EMSKVKUXmMkI70/edit#gid=0
Manu Sporny:  Github repo for the Verifiable Claims Playground is 
  done, initial playground deployed here: 
  https://w3c-vc.github.io/playground/
Jonathan Holt: Nice!  strong work!
Sean Bohan:  Nice work
Manu Sporny:  The site is very preliminary, but it's there. It 
  needs more work. There is a Web of Trust, Over 21, and Person use 
  case.
Manu Sporny:  Does data normalization, visualization, and digital 
  signatures.
Eric Korb: Manu, why is LinkedDataSignature2015 not implemented?
Manu Sporny:  Eric, it was
Eric Korb: Oh, that's RSA.  thx.

Topic: Face to Face Meetings

Richard Varn:  Face to face meeting opportunities here - 
  https://docs.google.com/spreadsheets/d/19Ndqc5pLsTu2ZmP4Wy7OlMOmskQFHPh28sMjW3ugsww/edit#gid=0
Christopher Allen: Registration for #RebootingWebOfTrust is up 
  now at https://rwot_paris_april2017.eventbrite.fr
Richard Varn:  We may be looking at June
Richard Varn:  We have two choices in Mountain View, San Antonio 
  is good as well. Please add more meetings. We're taking this off 
  the Agenda for the future. We want to make sure people know where 
  it is, please add to the list from now on.

Topic: Requirements

Requirements for the group's work: 
  https://docs.google.com/document/d/1tCKHSTFhhGgu4rVDJe4VM2QoCQcNRvx7tNku1Mg8p5Q/edit
Richard Varn:  Make sure that your industry or interest is well 
  represented there.
Richard Varn:  That is what the group is going to prioritize in 
  the near future, and if there isn't a requirement listed on 
  there, it'll be hard to get the requirement added later once we 
  get rolling.
Richard Varn:  Any questions on requirements list?
Manu Sporny:  Make sure you get your requirements added to the 
  list. If you don't, we may not be able to prioritize your work.
Richard Varn:  For example, how is PII protected, what's the 
  requirement there? How can you find people that have claims, 
  assuming they want to be found.
Richard Varn:  We may want to know how credentials are being used 
  by customer, for example, education industry.
Richard Varn:  Badge Alliance, IMS Global, don't know if all of 
  those have been brought in.
Joe Andrieu:  I need to go through this, will respond to the 
  list, especially w/ Refugee Crisis. Question about process, don't 
  we keep working on these?
Manu Sporny:  Yes, but we need a list of requirements now, and 
  then prioritize.
Christopher Allen:  Don't we need to analyze use cases, then get 
  requirements, pick use case per week, have people read use case 
  in advance per week or something.
Christopher Allen:  Given what seems to be happening, charter and 
  purpose, requirements that we can't define. Like, requirement 
  that this stuff can be encrypted, but that's not part of our 
  charter, our charter is the data format, not the signature 
  mechanism, not anti-correlation mechanism, we need to divide up 
  some of the requirements.
Christopher Allen:  We need to make sure we pass upstream, in 
  order for VC to function, it needs requirements X, Y, and Z, from 
  systems that they exist in.
Richard Varn:  We have discussed this, the use cases should 
  individually inform the generic, we don't have use case for every 
  possible use of this. We need to make sure we don't gather unique 
  things, more broadly capturable things.
Richard Varn:  We want to incorporate, leave placeholders for 
  stuff that may be out of scope, but call it out.
Richard Varn:  The model has to reflect the importance of this 
  stuff, point to areas that need further work.
Jonathan Holt:  Thinking along the line wrt. revoking the claim, 
  primary subject, comment is tangential - the ability to refute 
  the claim - example is "I have to be a triple board certified 
  position", certified in pediatrics, oncology... has to do with 
  the requirements.
Richard Varn: Manu need to focus on the needs of the implementer 
  and not focus too much on the use cases
Shane McCarron: +1 To doing concrete things
Richard Varn: ChristopherA there is a lot of stuff like searching 
  for claims that is out of scope and we have a long list of those 
  that are needed for the system to work that are out of scope.  
  Need to say here are requirements that are not ours but we need 
  to be able to work with them
Christopher Allen:  I can understand the desire to implement, but 
  I do have a concern, there are a lot of things that are needed in 
  order to do what we need to do. Things like protocols, requesting 
  or searching for claims - those are out of scope. 
  Anti-correlation methods out of scope, signatures out of scope, 
  timestamps out of scope, long list of things for the system to 
  work that are out of scope. We need to be able to say - in order 
  to implement these data standards external to the group, here are 
  things that need to happen. There are certain things we could do 
  improperly/without forethought, that could make things more 
  correlatable.
Christopher Allen:  I don't know what the process is to 
  differentiate these categories.
Richard Varn: Manu  put them all in and we will move them to a 
  section that says others are dealing with it, not us, later
Christopher Allen:  I'm more worried about the protocol work 
  items that are outside of the group, we should be able to get 
  data format done quickly.
Jonathan Holt: It would also be good to make some definitions

Topic: Correlatability of Usage Patterns

Richard Varn:  What do we need to fill in the data model specs, 
  we need a data model, we need proposed text, discussing this is 
  helpful. This is the end we need to achieve.
Richard Varn:  We have had some decent discussion, what does it 
  take to write the language we need to go into the data model 
  spec.
Richard Varn:  What is holding us up?
Joe Andrieu:  Part of what happened is that I looked at issue, 
  which is about a specific section, after the discussion, the 
  privacy considerations section didn't flow with what I wanted to 
  write. The scope became bigger and indigestible.
Joe Andrieu:  Who drafted that first pass? Can I understand the 
  direction?
Joe Andrieu:  What's the framing here? The task seems to be 
  suggest changes throughout 5... 
https://opencreds.github.io/vc-data-model/#identifier-based-correlation
Manu Sporny:  Focus specifically on the section in the issue 
  tracker.
Joe Kaplan:  Yes, that's helpful. My meta-concern is that this 
  may not be the best way to get this written. We had set out to 
  sign up and write a section, we aren't getting people to do that. 
  That's how I struggled with it, I can get paragraphs together. Is 
  this the right way to get them fleshed out.
Richard Varn:  We'll get this fleshed out on the next call, make 
  sure task is appropriately defined.
Richard Varn:  I know we talked a bit about this in the past, 
  correlatability required by law, are you covering both? Mandate 
  where you are focusing?
Joe Andrieu:  Even if you are trying to avoid correlatability, 
  you can be correlated via usage patterns. Because of how you use 
  it, you are being correlated.
Richard Varn:  Some of correlation of usage, you can detect 
  fraud, drug abuse, and correlatability is important.
Joe Andrieu:  That is a point that came out of prescription 
  scenario, usage pattern element, maybe I should cover that here. 
  Let me try and weave that in.
Richard Varn:  What would be required to finish this item. This 
  discussion is what's valuable, use this as a model case. Let's 
  focus on this type of work.
Jonathan Holt:  This is about potential re-identification, 
  uniquely identified, this is not unintended, it's purposeful 
  reidentification. In the issue tracker, my comment was about 
  Governor Weld from Massachusetts. Ability to re-identify...
Jonathan Holt:  The topic is about usage patterns. Usage patterns 
  by whom?
Joe Andrieu:  There are two use cases where, in Weld's case, Weld 
  doesn't want to be reidentified. In other case, prescription use 
  case, we need to allow for that.
Jonathan Holt:  Privacy concern is, what we perceived as 
  reidentified - false sense of security. 43 year old male from zip 
  32423, using voting registration will know how I voted in last 
  election because I bought something.
Jonathan Holt: Then, I think the Gov Weld example is good to 
  reference as an example of "usage pattern".
Manu Sporny:  Sometimes when you're correlated it's good, other 
  times it's bad, talk about both.
Richard Varn:  Sometimes it's legal to do, sometimes it's illegal 
  - you can add modifiers, surprise/disadvantage of person still 
  exposed. Other regimes that discuss this, bring those factors in, 
  what would be relevant to different cases, government may be 
  prevented, reporters might be breaking HIPAA, etc.
Richard Varn:  Legal authorization vs. non-legal usage.
Richard Varn:  Joe do you have what you need to get some language 
  together for this?
Joe Andrieu:  I think I'm good, I'll have something on Github 
  soon.
Richard Varn:  Thank you, helpful. Any comments on this type of 
  topic? 
Jonathan Holt: I also like:  "intentional" and "unintentional", 
  "not intended by the system" and "authorized" and "unauthorized"
Manu Sporny: +1 To those terms and using them in the document.

Topic: Primary or Secondary Subject

Jonathan Holt:  As a physician, there are many different 
  companies out there that monetize claims, some of those claims 
  are erroneous. Because I've worked in pediatric hospitals, they 
  infer that I'm board certified even though I'm not... more about 
  revoking claims vs. refuting. In the model, the way primary 
  identifier is used, NPI number is used. Certification matters, 
  but it's interesting because companies make money by suggesting 
  using other claims.
Christopher Allen:  There are a lot of issues here.
Christopher Allen:  I like this concept of reputation, but its 
  companion is the other side of it, knowing more about the claims 
  themselves. Question of being able to put evidence into the 
  claim, relying on other parties.
Christopher Allen:  Noah and Harlan called it "evidence", that is 
  going to come up more. When people are not the first party to the 
  claim, but they are the only party that can issue it.
Christopher Allen:  Sometimes because of liability they can/can't 
  issue. We want to be able to model that, for people that are 
  responsible, best practice for a claim such that it allows for 
  these sorts of things to be differentiated.
Richard Varn:  We don't want to get into challenging claims, we 
  want the ability to say "refute" - we'll put it on the Agenda.
Joe Andrieu:  My first response is, reputation is a statement 
  about claims, this maps to "things that a subject must be able to 
  do".
Joe Andrieu:  We don't say that "users are allowed to do X, Y, 
  and Z in the system"
Richard Varn:  Reputation or alternative use - we need a place in 
  the data model... 
Richard Varn:  Vs. overall process.
Jonathan Holt: Issues: 1.) Subject of the claim 2.) ability to 
  Refute 3.) Does the entity making the claim have the authority 
  to make the claim? I'll add my thoughts to the requirements.
Christopher Allen:  Please don't put reputation on the next call, 
  in two weeks.

Received on Tuesday, 21 February 2017 18:39:21 UTC