W3C home > Mailing lists > Public > public-credentials@w3.org > September 2017

[MINUTES] W3C Credentials CG Call - 2017-09-05 12pm ET

From: <msporny@digitalbazaar.com>
Date: Tue, 12 Sep 2017 10:22:47 -0400
Message-Id: <1505226167719.0.12112@zoe>
To: Credentials CG <public-credentials@w3.org>
Thanks to Manu Sporny for scribing this week! The minutes
for this week's Credentials CG telecon are now available:


Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Credentials CG Telecon Minutes for 2017-09-03

  1. Agenda Review
  2. Introductions / Re-introductions
  3. Action Item Review
  4. ActivityPub and Mastadon
  5. DID Specification
  Kim Hamilton Duffy and Christopher Allen
  Manu Sporny
  Kim Hamilton Duffy, Manu Sporny, Christopher Allen, Andrew 
  Hughes, Lionel Wolberger, Moses Ma, Dave Longley, Chris Webber, 
  Nathan George, Ryan Grant, Mike Lodder, Adam Sobieski, David I. 
  Lehn, Frederico Sportini

Kim Hamilton Duffy: 
Kim Hamilton Duffy: Scribe list: https://goo.gl/WVHuDh
Manu Sporny is scribing.
Kim Hamilton Duffy: IRC chat: 

Topic: Agenda Review

Kim Hamilton Duffy:  Action item status, then update on 
  ActivityPub and Mastadon, then DID spec issues updates/reviews.
Christopher Allen:  This month we're leading up to RWoT... so 
  we're going to be concentrating the next couple of meetings on 
  items that are under development/consideration at RWoT... 
  particularly, DIDs.
Christopher Allen:  If there is anything else that folks would 
  like to cover, please let us know.

Topic: Introductions / Re-introductions

Kim Hamilton Duffy:  Andrew Hughes, please reintroduce yourself
Andrew Hughes:  Hi, Andrew - do a lot of work in Kantara 
  Initiative, looking at new ways of using things like 
  Deccentralized Identifiers as a way of general purpose 
  identification on the Internet.

Topic: Action Item Review

Kim Hamilton Duffy:  Round robin to let us know how things are 
Kim Hamilton Duffy:  We'll skip Joe and DavidC because they're 
  not on the call. We'll get on to DIDs later in this call.
Kim Hamilton Duffy:  Data minimization? 
Lionel Wolberger:  No progress on my side... 
Christopher Allen:  I'll send information that I sent to Kim on 
  Friday... pairs of things to talk about things - pairs 
Lionel Wolberger:  Let's use RWoT as an anchor so we can build 
  inventory and run a session at RWoT on this topic.
Kim Hamilton Duffy:  Finish propagating new name and mission 
  statement - mission is out, people are being notified at W3C. 
  Asking for feedback from W3C-types - mission s tatement is on CCG 
  web page... good after final email notifications go out.
Manu Sporny:  I think it was to contact NYTimes,etc. and I failed 
  to do that, but it's on my TODO list, I'll get to it at some 
  point. [scribe assist by Dave Longley]
Kim Hamilton Duffy:  TPAC - any updates there?
Christopher Allen:  It's an agenda item coming up real fast - 
  they need to know if we're interested in speaking soon.
Christopher Allen:  We can talk in VCWG - we could talk to entire 
Moses Ma:  Manu, can you send out Fake News email to get folks 
Kim Hamilton Duffy: Kim scribing for Manu
Manu Sporny:  3 Opportunities for TPAC [scribe assist by Kim 
  Hamilton Duffy]
Kim Hamilton Duffy: ...1. Weds entire community gets together. 10 
  minutes to say what you're trying to do. Be careful. Need to 
  coordinate with VC group to make sure unified message. 300-400 
  pppl in room. no time for details
Kim Hamilton Duffy: ...2. Run a breakout session. ~1 hour. more 
  thorough update on where things are
Kim Hamilton Duffy: ...Used in the past to convince other members 
  of approach
Kim Hamilton Duffy: ...Longer forum; 20-50 ppl in general
Kim Hamilton Duffy: 3. Thurs/Fri many will be in VCWG. Talk to 
  chairs to stake out time to talk about next steps.
Kim Hamilton Duffy: ...Indicate where we're heading
Kim Hamilton Duffy: ...If we can do all 3 that's best
Dave Longley: 
Dave Longley:  Quick update on credential handler API - it's 
  coming along - polyfill implementation coming on nicely. Demo 
  seems to be working on Edge, Firefox, Chrome, etc. It probably 
  doens't work in Safari - looking for feedback - link to 
  Credential Handler API repo is here:
Dave Longley: https://github.com/w3c-ccg/credential-handler-api
Dave Longley:  Looking for feedback on shape of API
Kim Hamilton Duffy:  The Chairs will talk about TPAC.

Topic: ActivityPub and Mastadon

Chris Webber: https://www.w3.org/TR/activitypub/#Overview
Chris Webber:  ActivityPub is a standard that W3C has been 
  working on for a while - SocialWG is working on it - federated 
  social networking system. I fyou want to build alternative to 
  YouTube, Flickr, Twitter, etc., you can use these APIs to build 
  stuff out - it includes a client/server protocol to build mobile 
  and desktop applications to talk to server. 
Chris Webber:  For this group, the server-to-server model is more 
  interesting. It uses a Linked Data model - it's passing around 
  JSON-LD using ActivityStreams as the vocabulary for the system. 
  It's been building off of other systems doing stuff in this space 
  - oStatus, pubsubhubbub, etc. It's a new protocol - it's 
  currently at Candidate Rec at W3C.
Chris Webber: https://joinmastodon.org/
Chris Webber:  What's exciting at the moment is that Mastadon is 
  rolling this out as their main federation protocol.
Chris Webber: https://octodon.social/@webber
Chris Webber: https://mastodon.social/@gargron
Chris Webber:  What's neat about Mastadon is that you can see 
  that both of us have been speaking to each other, even though 
  we're on completely different servers. What's exciting about them 
Chris Webber: 
Chris Webber:  Mastadon has nearly one million registered users - 
  they are using Linked Data, JSON-LD, etc. It ties in 
  ideologically with this group, more decentralized alignment...
Chris Webber:  I wrote a paper for Rebooting Web of Trust, in 
  that paper I go through a few different ways how we can integrate 
  the work this group is doing and what that group is doing. At 
  present, ActivityPub isn't very self-sovereign... it's hard to 
  move to new nodes... 
Chris Webber:  ActivityPub doesn't specify why you should use 
  Linked Data Signatures, but there is a good reason to adopt, so 
  in the paper I describe how ActivityPub and this group align. 
  Adding public keys and linked data signatures to ensure messages 
  that pass through network are from who they say they are.
Chris Webber:  ActivityPub does still rely on DNS and SSL certs, 
  so there is still a core bit of centralization there - but it may 
  be exciting with the work on DIDs, if we could open up those 
  possibilities to more decentralized mechanisms.
Chris Webber:  It would enable users to be more self-sovereign 
  and move between different instances - we could transition from a 
  federated model to a more decentralized, more peer-to-peer model. 
  If public keys are on every actors profile, you're building a web 
  of trust into the system w/o users realizing it - follow confirm 
  connections, could be building a loose web of trust.
Chris Webber:  I think that's exciting.
Chris Webber:  The very day after writing the paper, Eugene wrote 
  a PR for Linked Data Signatures support - which is great.
Christopher Allen:  More specific to the Mastadon community, what 
  would it take to get them to participate in RWoT?
Christopher Allen:  With the goal of moving toward a DPKI - where 
  is the low hanging fruit? Is it JSON-LD, is it Verifiable Claims? 
  Is it Bitcoin, Ethereum? 
Chris Webber:  One thing I've noticed with Mastadon is that it's 
  very practical. The move from oStatus to a more Linked Data 
  system using JSON-LD was for a practical purpose... they wanted 
  to do private messages. The adoption of HTTP SIgnatures and 
  Linked data signatures was for practical purposes (message 
  forwarding with integrity)
Chris Webber:  I posted this paper to the Mastadon network - 
  folks said they're interested, can get folks to add to RWoT
Chris Webber:  One of the pain points is moving to different 
  providers. Right now, you have to destroy history to move... but 
  we could potentially help people move more easily with use of 
  more decentralized identifiers.
Kim Hamilton Duffy:  In terms of decentralized identifiers - are 
  there any approaches that you've been leaning toward already? 
  What is the lowest hanging fruit DID providers?
Chris Webber:  There are some people that are aware of DIDs... 
  but people seem to want to avoid too much computational burn. 
  That is a lot of computation burn in Bitcoin... I've talked w/ 
  Manu about more fit-for-purpose solutions, where that concern 
  isn't as strong, maybe build DIDs on top of DHTs (even though I 
  know some aren't excited about that route).
Chris Webber:  We are  going to have to prototype and build those 
  types of systems before we can say for sure. If we end up having 
  Mastadon adopting DIDs, we'd have a lot of smaller nodes 
  generating identifiers. We'd have to assume that smaller nodes 
  can participate in the system - where lots of identifiers 
  wouldn't bog down the system too badly. That's the gut feeling 
  I've gotten from bringing these spaces together.
Christopher Allen:  To comment on the computational load - that 
  load is only on creation of identity and identifiers - validating 
  is very quick. The first time they're creating an identity, there 
  may be a delay - a guardian relationship may be with first node, 
  but you can move to self-sovereign when you move the first time. 
Christopher Allen:  More specific to some short term goals, if 
  there are some people that are influential - could be persuaded 
  to check out RWoT, I'd be glad to send them a personal invite to 
  get them invovled. Just need to know who those people are.
Chris Webber:  To be clear, I wasn't trying to downplay Bitcoin, 
  just letting folks know the feedback I've gotten back.
Christopher Allen:  With many of these systems, you can't have 
  instant gratification, can't login instantly, etc. We may not 
  want 1 million DIDs, only 200K need to be decentralized - so it 
  may be a scaling thing - you only need a DID when you need to go 
  completely self-sovereign or need to transfer.
Nathan George:  DIDs make it possible to isolate your identity, 
  so separation of work life and political life. Can context of 
  identity be changed based on DIDs? Are you interested in 
  collaboration there?
Chris Webber:  I think you're talking about people being able to 
  have multiple identities - is that correct?
Nathan George:  Multiple identities is one way to think about it, 
  private conversations w/ some groups is another potential. 
  Current social networks don't give you much choice between fully 
  private or fully public.
Chris Webber:  One of the things that Diaspora innovated on was 
  "social groups" - Google+ adopted that with Circles... don't know 
  if that had as much success as folks though... but the way 
  ActivityPub addresses it is - email style addressing - you can 
  to, cc, bcc to send messages - give an array of participants, but 
  you can also give a collection as a recipient. So you can have 
  groups that you or someone else curate.
Chris Webber:  You can have a "just friends" collection
Chris Webber:  When you submit a post to your followers, every 
  user has a followers collection which is an activity streams 
  collection - so, one way you can tie in DIDs is to make one of 
  those collections controlled by a DID. There are two different 
  ways you can look at this...
Chris Webber:  You can have DIDs for each aspect of your life, or 
  you can have DIDs in each collection of actors.
Nathan George:  Yes, great intro, thank you.
Chris Webber: https://www.w3.org/TR/activitypub/#Overview
Manu Sporny:  Thanks you, Chris. We know of and are big fans of 
  the socialWG work. From a corp standpoint, we look at DIDs and 
  the social Web protocols as the foundational layer for a number 
  of interesting products in the future. Products where people own 
  their data and identity. [scribe assist by Dave Longley]
Manu Sporny:  They are freely able to exchange in legal economic 
  activity. A lot of the work with the SocialWG helps with 
  messaging with machine-to-machine and person-to-person. DIDs make 
  the data more portable and people know about the Web Payments 
  work going on. These technologies work well together and we 
  expect them to converge. [scribe assist by Dave Longley]
Manu Sporny:  Chris mentioned Mastodon being one potential 
  adopter of this tech, our company is already building the social 
  messaging stuff into our core platform. Dave can talk more about 
  that if desired. It's not theoretical, it's practical, strong for 
  profit reasons for implementing these decentralized techs. 
  [scribe assist by Dave Longley]
Kim Hamilton Duffy:  Great, thanks for the overview

Topic: DID Specification

Kim Hamilton Duffy:  We are tracking a lot of issues now for the 
  DID spec - Christopher, do you want to walk through Entity 
  Profile discussion?
Christopher Allen:  In the spec, there is an implied concept of 
  entity information that is a composite of all of the Linked Data 
  and many signatures that all combine into a large JSON-LD object 
  that is an individuals representation of what they know about an 
Christopher Allen:  This has been implied by the spec, but few 
  implementations demonstrate this in a way that make people 
  realize that there is a structure here. Also, how do you keep all 
  of this in memory when you have many different types of 
  signatures signed by other entities. There can be many things 
  signed in parts.
Christopher Allen:  How can we being to make this more prominent 
  - you have it in memory, not in Javascript... how do you look at 
  this entity and get people to understand one person's entity may 
  be different from another person's identity? Because of different 
Christopher Allen:  You may not have a complete description of 
  the entity.
Christopher Allen:  How do we start talking about this next level 
  higher object - summary of a DID, DDO, Verifiable Claims 
  associated with those objects... and DIDs/DDOs about those 
Kim Hamilton Duffy:  As I moved BTCR more toward what was 
  outlined in Veres One... in this DID spec, what is the role of 
  whether it is addressing the Verifiable Claims ecosystem?
Kim Hamilton Duffy: 
Kim Hamilton Duffy:  In the previous thread, there is a 
  discussion about Minimum Viable DID spec, I had some questions 
  about DID spec V1 is meant to just cover authenticating as a DID 
  and updating the DDO, or do we want to walk through some broader 
  verifiable claims scenarios
Kim Hamilton Duffy:  It seems like we want to talk about broader 
  interaction of DIDs in that ecosystem. Just comment/question.
Manu Sporny:  I'll attempt to outline the current thinking. It's 
  really easy to get wrapped around the axle when talking big 
  picture, especially when talking the technical implementation of 
  the big picture. [scribe assist by Dave Longley]
Kim Hamilton Duffy: Ach manu
Lionel Wolberger: Add me to q pls?
Manu Sporny:  DID spec should do minimum viable [scribe assist by 
  Kim Hamilton Duffy]
Kim Hamilton Duffy: ...Auth as DID, update DDO
Manu Sporny:  What we've found in our org, to get clarity, is to 
  break the problem down into bite size chunks. The chunks we have 
  right now are basically: the DID spec, which at least from our 
  standpoint should do the minimal viable thing. How do you 
  authenticate as a DID and how do you update the DDO. [scribe 
  assist by Dave Longley]
Manu Sporny:  Taking a first pass at that. In parallel in the VC 
  work we are talking about making assertions and composing them 
  together and so on. That work should be independent of the 
  identifier used. However, when you put the DID stuff together 
  with the VC stuff you get additional really interesting 
  properties. [scribe assist by Dave Longley]
Manu Sporny:  Like fully portable claims, moving from one wallet 
  to another. Guardianship over identities, etc. The ability to 
  compose all these decentralized things together. Christopher's 
  questions revolve around what the ecosystem looks like when all 
  the pieces come together. [scribe assist by Dave Longley]
Manu Sporny:  And I think he's saying that we should think about 
  how all these things fit together in the ecosystem we want to 
  create. The concern is that, until we've really created a solid 
  foundation for these other specs we can get wrapped up having the 
  higher level discussion for quite a while. [scribe assist by Dave 
Manu Sporny:  This isn't a proposal that one way is better than 
  the other, I think we'll have to iterate and bounce back and 
  forth between the two. [scribe assist by Dave Longley]
Manu Sporny:  I think in next 6-9 months we'll be doing 
  iterations on DID and VC specs and then we see if it works. If it 
  doesn't work we'll use that info to feed it back in and address 
  the higher level problems. All that said, we've been doing that 
  for 4 years. We feel that the general architecture we have now is 
  valid. And that's why we're trying to nail things down a bit 
  more. [scribe assist by Dave Longley]
Manu Sporny:  So we can do implementations in code across 
  multiple ledgers and validate it working in production. [scribe 
  assist by Dave Longley]
Manu Sporny:  Digital Bazaar's thinking is to nail these things 
  down for testing in pilots or in production to make sure use 
  cases are met. [scribe assist by Dave Longley]
Lionel Wolberger:  That was a good lead in to what I wanted to 
  ask - to achieve interop, the standards will have to guide people 
  with how to format identifiers. 
Lionel Wolberger:  Can we point to a standard for location? GPS? 
  How do we point to standards for expressing that?
Lionel Wolberger:  Have we figured out all of the data 
  serialization issues?
Dave Longley: IMO, URI is spec for the "identifier" ... more 
  specific data can be a vocabulary discussion
Christopher Allen:  Yes, JSON-LD is built to deal w/ 
  serialization and canonicalization - we do have ways to do that.
Christopher Allen:  How do you have a unique identifier? 
  Legitimately claim ownership on - uniqueness - self-sovereign, 
  etc. Right to update. Identifier that you control. 
Christopher Allen:  That is mostly a DID - it can point to DDO, 
  which can contain additional information about an identifier. 
  Self-sovereign verifiable claim - I call myself ChristopherA - 
  unique to me as a root... I call myself christopherA - who I call 
  kimhd is Kim. If people want to put in Verifiable Claims from 
  different authorities that have more "realness", they're welcome 
  to - participation only thing - prove that you're at a location, 
  various standards to prove how to do that. I think we've met all 
  of your base requirements, Lionel.
Christopher Allen:  In the DID v1.0 draft that was posted, we 
  predefined proofs to update, proofs to control, we had some 
  language there - but were arbitrarily saying "these categories", 
  in the new DDO thing, we're doing more capabilities based... but 
  will have world expert on capabilities... here are what those 
  proofs can do, etc. We're discussing how to do that right now.
Lionel Wolberger:  Linked data enables you to create, share, 
  reuse vocabularies at Web scale -- they define the semantics for 
  whatever it is you want to express ... that includes "location" 
  or whatever else, there are various linked data vocabs people are 
  or have created, for example schema.org [scribe assist by Dave 
Christopher Allen:  Thing I'm wondering - last rev of this, we 
  still don't have an issuer version of this...
Dave Longley: But regarding identifiers specifically, all we need 
  is "URI" ... and a DID is a URI.
Lionel Wolberger:  Thanks, I followed what you said - a claim 
  that you're Christopher - when do we say that's Unicode. Do we 
  have definitions for how name/location are represented?
Christopher Allen:  There are representations - schema.org - can 
  be unicode, that's relatively solid.
Christopher Allen:  Internationalization is covered, variety of 
  signature formats - we're adding more to them, but there is a 
  whole discussion around more kinds of signature formats than we 
  do right now, not a problem, working on it.
Christopher Allen:  When you come to WoT vs. "Real Name", that's 
  a credential - that's naturally centralized... I claim I'm 
  ChristopherA - and you accept that or not... or you accept DMV.
Dave Longley: https://www.w3.org/TR/json-ld/ <--spec for 
  expressing linked data as JSON-LD
Christopher Allen:  That is a claim, it's doable with our 
Christopher Allen:  I want to understand why Longley and Manu 
  removed issuer key...
Kim Hamilton Duffy:  We have a hard stop in a few minutes, we 
  have a full DID conversation next week.
Ryan Grant:  I put a link to Veres One DID Method spec - I think 
  the names "writeAuthorization" and "authenticatoinCredential" are 
  great... had a bit of discussion w/ Manu about naming ...
Kim Hamilton Duffy: Have to go. bye
Mike Lodder: +1
Ryan Grant:  The good thing that I see is to generealize 
  guardianship, the bad thing is mixing what goes into a DDO and 
  trying to turn that into a Verifiable Claims database... are we 
  talking about putting a Verifiable Claim into a DDO? That doesn't 
  seem like the purpose of the DDO.
Christopher Allen:  You have to have some kind of pointer at a 
Ryan Grant:  In the language of the DID spec, that is services...
Dave Longley: The data model (if you're using JSON-LD/RDF) 
  supports doing that, but ledgers do not *have* to support it.
Manu Sporny:  We're going to have to close out the conversation, 
  this is the core part of the discussion that the group needs to 
  have and to come to grips with. The Veres One issue that was 
  raised identified what we believe to be a logical conflation in 
  the DID spec that everyone has been making (including us). The 
  feedback from BTCR made it even more clear that we need to shift 
  things around. [scribe assist by Dave Longley]
Manu Sporny:  It's not just a naming thing, it's about moving to 
  a more capabilities based model, separating concerns so we don't 
  tightly bind things that we need to. Christopher, there is no 
  "issuer thing" because we haven't focused on it, doesn't mean it 
  wont' be there in the future. We tried to focus and synthesize 
  current feedback into the core issue people are having. [scribe 
  assist by Dave Longley]
Manu Sporny:  Wanted to focus on getting the foundation right so 
  the rest of us can build on top of it. There's a certain order 
  that we think we can discuss these things so the conversation 
  doesn't go off into the weeds where lower level decisions impact 
  higher level. Where we all want to be at the end is to cover all 
  the use cases. [scribe assist by Dave Longley]
Manu Sporny:  We think we've boiled this down to its essence but 
  we need to discuss with the community -- next week's call. 
  [scribe assist by Dave Longley]
Ryan Grant:  I've read the links that I've been able to find and 
  I'm unable to understand the logic there and I should be able to 
  see a concrete example. [scribe assist by Dave Longley]
Ryan Grant:  Haven't been able to see it. [scribe assist by Dave 
Manu Sporny:  Confused deputy problem, will bring to the 
  conversation next week. [scribe assist by Dave Longley]
Ryan Grant:  I saw an urge to generalize guardianship but I was 
  unable to find other issues. [scribe assist by Dave Longley]
Manu Sporny:  Not necessarily -- I'll try to put that in the 
  issue before next week. [scribe assist by Dave Longley]
Ryan Grant:  Thanks. [scribe assist by Dave Longley]
Christopher Allen:  For the purpose of being able to issue Web of 
  Trust VCs it doesn't meet my requirements for October. [scribe 
  assist by Dave Longley]
Manu Sporny:  I think the solution to your problem is to have an 
  issuer credential in your DDO. The problem we had before is that 
  we were using a single key to do multiple different things. Need 
  to very tightly couple key purpose ... number of issues bundled 
  together. [scribe assist by Dave Longley]
Manu Sporny:  I'll try to explain that a bit more. [scribe assist 
  by Dave Longley]
Ryan Grant:  Definitely need a clearer read on that. [scribe 
  assist by Dave Longley]
Ryan Grant:  My reading of guardianship was clear. That the 
  guardian had the capability to update. The error did not exist in 
  other cases. [scribe assist by Dave Longley]
Manu Sporny:  I will type something out. [scribe assist by Dave 
Manu Sporny:  Christopher, your concern is easy to address and 
  it's an issuerCredential ... it's not in there right now but it's 
  an easier thing to do. [scribe assist by Dave Longley]
Christopher Allen:  Thanks. [scribe assist by Dave Longley]
Christopher Allen:  Kim had to logout, to recap we'll have a 
  discussion next week we'll have ethereum and blockstack 
  (hopefully), BTCR, ... talking about what requirements we're 
  missing in the latest discussion on DIDs. [scribe assist by Dave 
Ryan Grant: My reading of guardianship was that its permissions 
  were clear
Christopher Allen:  In following weeks, we need to make sure 
  bootstrapping and rebooting web of trust work well at RWoT, so 
  we'll be prepping for it until then.
Received on Tuesday, 12 September 2017 14:23:14 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:24:45 UTC