[MINUTES] W3C Credentials CG Call - 2018-11-13 12pm ET

Thanks to Manu Sporny and Dmitri Zagidulin for scribing this week! The minutes
for this week's Credentials CG telecon are now available:


Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

Credentials CG Telecon Minutes for 2018-11-13

  1. Introductions and Reintroductions
  2. Announcements
  3. Action Items
  4. Work Items
  5. DID Unique Selling Proposition
  Kim Hamilton Duffy and Joe Andrieu and Christopher Allen
  Manu Sporny and Dmitri Zagidulin
  Jeff Orgel, Bohdan Andriyiv, Dmitri Zagidulin, Christopher Allen, 
  Joe Andrieu, Manu Sporny, Dave Longley, Ted Thibodeau, Heather 
  Vescent, Michaela Casaldi, Brent Zundel, Ryan Grant, Ganesh 
  Annan, Ken Ebert, Jonathan Holt, Kim Hamilton Duffy, Moses Ma, 
  Kaliya Young, Dan Burnett, Andrew Hughes, Drummond Reed, Chris 

Michaela Casaldi: Present +
Christopher Allen: Scribe list: 
Manu Sporny is scribing.
Dmitri Zagidulin: *Manu: I can scribe!*
Dmitri Zagidulin is scribing.
<Start of call / IRC instructions>
Agenda review, intros, announcements, progress reports
Manu Sporny:  Just a heads up, the Strong Authentication & 
  Identity Workshop
  … the application deadline closes in 3 days
  … so if you haven't submitted a position statement, hurry up
Jonathan Holt: +Present

Topic: Introductions and Reintroductions

Christopher Allen:  Do we have anybody new?
Christopher Allen:  Ok, re-introductions
  … gannan?
Ganesh Annan:  Hi, I'm Ganesh Annan, I'm a dev at Digital Bazaar,
  … I'm also part of the VCWG, here to learn & work with new 
Christopher Allen: https://w3c-ccg.github.io/announcements/
Christopher Allen:  Thank you. We have a number of upcoming 
  … here it is in IRC. in particular, there is the Strong Auth & 
  Identity Workshop in Redmond,

Topic: Announcements

  … which Manu mentioned earlier, happens in Dec 10-11,
Manu Sporny: I like the compactness of the new page.
  … I suspect a number of us will be there, we'll have a chance 
  to pitch DIDs as a solution to other working groups at W3C
  … in prep for our official request to become a working group at 
  the beginning of the year
Christopher Allen: http://weboftrust.info
  … second one is Rebooting Web of Trust, Feb 27-Mar 3 2019, 
  location TBD
  … we're hoping to make a decision re location by end of the 
  … we're hoping either that event or the Sept event will be in 
Christopher Allen: https://www.internetidentityworkshop.com/
Moses Ma: If it's in europe, we need lots of advance warning
  … finally, we have the Internet Identity Workshop, Apr 30-May 
Bohdan Andriyiv: +1 For Europe!
  … where we'll have a lot of people from this group
Moses Ma: Also, I can help organize an event in europe
*Manu: yesss! me too*
Christopher Allen:  Any other announcements?
Moses Ma: Would amsterdam work?
  … just a little more on Europe, we've heard requests for 
  Berlin. also Zurich and ..?
Moses Ma: I might be able to get some space donated for this?
  … we'll know more later
Heather Vescent: OK, that's fine.
Heather Vescent: Q_
Brentz: I was wondering, for those who submitted applications / 
  position statements for the workshop,
  … when will we hear back?
Manu Sporny:  Excellent question, we don't know yet
Kaliya Young: We have room for up to 70
  … if you've submitted a paper, you're almost certainly going to 
  be invited
Kaliya Young: Currently at 45 submitted
  … we're behind on getting back to people
Kaliya Young: If it is "in range" you will likely get invite
Kaliya Young: So buy your plane ticket
Dan Burnett: This is very bad for travel booking
  … likely you'll hear about it after this Fri, which is a week 
  or so before the event
  … but I would just assume - if you submitted both of those 
  things, you're probably in
Christopher Allen:  That's both the registration, and an email 
  with your position statement

Topic: Action Items

Christopher Allen:  Ok, we're gonna move on to Action Items
  … these are our current action items
  … at this point, all of these have been assigned, aside from 
  the JWK CryptoSuite specs
Kim Hamilton Duffy: All, please type present+ if you've not 
  … this has been an ongoing concern, a lot of people want us 
  to use JWK,
  … if we're gonna do that, we need somebody to make a proposal
Christopher Allen: https://github.com/w3c-ccg/community/issues/18
Kim Hamilton Duffy: I thought that's going through the VCWG 
Kim Hamilton Duffy: Ah I see, nm
Christopher Allen:  Kim: no, I don't think this is a WG thing, 
  they can't make decisions about signature systems
Dmitri Zagidulin:  I was going to ask about CBOR-based key 
  notation instead of JWK - but that may be getting off topic. 
  [scribe assist by Manu Sporny]
Christopher Allen:  Anyhow, it's still an open issue, still 
  unassigned, so I'm concerned
  … and maybe we should also open an issue about COSE
  … would be great to have a formal proposal for that
  … manu, can you add those?
Manu Sporny:  Yep, will add those

Topic: Work Items

Christopher Allen:  Continuing on to Work Items
  … we have a large number of items, and progress is a bit slow 
  at the moment, focusing on DIDs and such
  … I want to make sure nobody has announcements/changes in the 
  last couple of weeks
  … any changes?

Topic: DID Unique Selling Proposition

Christopher Allen:  Ok, not seeing anything, so let's move on to 
  the core of our discussion, which is
  … the DID unique selling proposition
Ryan Grant: Digital Contract Design is trying to investigate our 
  position on JWT and JSON-LD, and stuck on understanding the Open 
  World assumption.  We are looking for examples.
  … a number of us have had experience over the last couple of 
  months in talking to each other, getting into the details,
  … but somewhere along the way, we've lost track of 
  … we got some feedback from a couple of groups / committees, 
  one was from the w3c Architecture Group,
Manu Sporny:  They were asking, how is this (the DID spec) going 
  to help regular people?
Christopher Allen:  I updated my slides on DIDs, so I'm hoping 
  that's become clearer, but I hope we can make more progress on 
  … anybody else recently have experience on explaining DIDs, 
  what the problems you encountered were, etc?
Jonathan Holt:  I'm on the ABMS
  … the struggle they're dealing with - it's about key management
  … who manages the keys, in an organization?
Heather Vescent: All - I'm not sure how to bring this up, or if 
  it's not appropriate, but Kaliya and I address a lot of this 
  stuff in our report. We don't have to re-invent this information. 
  We just need to support ways to make it widely available.
Christopher Allen:  Right, so we definitely want to address that 
  question sooner rather than later
Christopher Allen:  Next is manu
Manu Sporny:  I agree with Jonathan,
  … I'm coming at it from another angle
Jonathan Holt: ABMS (American Board of Medical Specialties )
  … fundamentally, many of these organizations (such as the 
  federal government), do not want to be in the business of 
  managing identifiers
  … they end up being responsible for that anyway,
  … because everybody decides that the gov't should do it, so now 
  they become a target, a honeypot
  … so if we wanted to hone in on a main advantage for DIDs,
  … they tend to be different per vertical,
  … but the one common thing that we've found is that - the 
  organization just does not want to be responsible for minting 
  … and DIDs are a new type of identifier, where they don't 
  have to manage it, but they still get nice cryptographic 
Ryan Grant:  Over the last week, I've been working on a threat 
  model using DIDs
  … and we found that it was hard to understand
  … the data model of the application without extending the 
  future use of the system
Andrew Hughes: I have a question: does ‘the world’ know why the 
  Certificate Authority model of x.509 certificate management is 
  … into Verifiable Claims
  … that made several things in our threat model make sense
Manu Sporny: Achughes, probably not :)
Drummond Reed:  I want to second that
  … I tried multiple explanations over time, but I've migrated 
  entirely to starting with VCs (I call them just "credentials")
Manu Sporny: Achughes, I don't think people really understand the 
  "weakest link" problem of the CA system.
  … and the case for digital creds is strong and intuitive for 
  many people
Manu Sporny:  We might be making a bad assumption that ‘the 
  world’ knows what we all believe is ‘bad’ about centralized 
  management of keys [scribe assist by Andrew Hughes]
  … and then back into the need for a decentralized identifier
  … so that just seems to flow nicely, work pretty well
Christopher Allen:  My recent experience in talking about borders
  … I found it resonated with smaller countries' governments
  … also companies across borders, etc
Dan Burnett: I have found that I can explain DIDs just fine, but 
  the 'so what' question only gets answered with VCs.
  … the basic argument is: we're more and more part of an 
  international world, and changing rules, and parties, and levels
  … and all the models of centralized hierarchy do not work 
  … so they appreciated the border thing
  … this worked in Switzerland, Taiwan, Malta
  … it may not work in the heart of the US, but that's certainly 
  a part of it
Kim Hamilton Duffy:  Per Learning Machines, leading with VCs 
  makes it a lot easier
  … explaining that a VC is like a degree, it's a long-term 
  credential, hopefully for the entire lifetime
Dan Burnett: Not ownership.  Control!
  … so then key management comes up, so then we get into DIDs
  … various implementations may not have this or that feature,
  … so this works well, but it limits it to an audience that buys 
  into the idea of cryptographic ownership/control
Joe Andrieu:  I tried to get Tzviya to chime in
  … she presented DIDs internally
  … and the first question was - what about key management?
Joe Andrieu: A. digital credentials separated from login 
  management B. for subject: no longer dependent on credential 
  issuer for verification C. for issuer: no longer need to manage 
  user name & password for credentials
  … (tried to get Tzviya to chime in)
Kaliya Young: Key MANAGEMENT Is a huge issue - we should be 
  having intensive focus on solving this....and stop hand waving. 
  What is the plan? for realz?
  … and for the issuer, they no longer need to manage 
  identifiers, like manu said
Andrew Hughes:  I don't think I've heard a good explanation as to 
  why not some other universal id scheme, like DNS or certificates 
  — why are they bad?
  … what problem is DIDs trying to solve?
  … why is "decentralized" better?
Kim Hamilton Duffy: Cwebber2 described this brilliantly at last 
  year's TPAC
In order to be useful, why do the identifiers have to be 
  … why not use an existing centralized identification scheme, 
  that everyone is using?
Christopher Allen:  I really appreciated Kaliya's presentation at 
  … the beginning had a nice way of leading into — there are just 
  too many identifiers
Christopher Allen:  Now, whether or not DIDs solve that 
  particular problem, is an open question
Andrew Hughes: X/<static>/identifiers for things are needed/
Manu Sporny:  I've been hearing lots of good things about 
  Kaliya's presentation at MyData
  … I feel she nailed it, as far as intro
  … the thing I went on the queue for: these identifiers, they 
  seem like a hot potato,
  … nobody wants them. Gov't does not want to manage them, it's a 
  giant money pit
Kaliya Young: Here is the video - 
  … it's just something they need to achieve some secondary 
  thing. they don't care about identifiers themselves
  … so then the issue becomes, who will? A foundation or 
  … many foundations are like, we're not going to trust a 
  for-profit company,
Kaliya Young: Here is another shorter one that i did at New 
  America for the Future of Property Rights - 
Dave Longley: Centralized IDs introduce a third party in the 
  middle of a relationship that is otherwise unnecessary ... 
  decentralized IDs also more accurately represent entities as they 
  exist in the natural world: they have independent existence.
  … and a nonprofit company may have trouble being funded to 
  manage this for a long time
  … so, nobody wants to manage identifiers, but they all want to 
  depend on them
  … and then there's the subject of - DIDs give you nice 
  cryptographic properties, service discovery mechanisms,
  … and they become an interesting avenue that people may not 
  have pursued already
Andrew Hughes: I think the ‘hot potato’ explanation is a good one 
  when contrasted with the ‘corporate control of identifiers is 
  bad’ - that for me is a powerful argument
  … we've tried all those things before (government issued, 
  corporate issued, etc), and it hasn't addressed many of the 
Dmitri Zagidulin:  On the subject of DIDs, in order to have 
  universal identifiers, you need two things 1) format of URL, and 
  2) format of payload. [scribe assist by Manu Sporny]
Dmitri Zagidulin:  DIDs are a nice standard for the format of the 
  payload. [scribe assist by Manu Sporny]
Dmitri Zagidulin:  Someone needed to standardize what the JSON 
  object needed to look like - service endpoints, public keys, 
  you're going to need something like that regardless of what you 
  come up with. [scribe assist by Manu Sporny]
Drummond Reed: +1 To DIDs extending, not competing, with other 
Dmitri Zagidulin:  The URLs themselves -- it's important to note 
  that it's not in competition... it's a superset - they can work 
  w/ traditional URLs, but they can also work with these new 
  ledgers. [scribe assist by Manu Sporny]
Drummond Reed:  Yeah, I agree with that point, DIDs don't 
  compete, they're a new type of identifiers
  … when I first got exposed to the acronym DID, it was from 
  verbiage that Manu and Longley had written
Dan Burnett: New URL scheme == new identifiers
  … and I love the way they captured it - every identifier that's 
  currently in use, globally available over the internet - they're 
Dave Longley: "Every identifier you've ever had on the Web is 
  controlled by someone else"
  … once you stop paying, it's gone, so that's unacceptable from 
  a security and privacy perspective
  … so that's one thing that I mention, they're not rented, 
  they're permanent identifiers
  … and I'm not familiar with any other alternatives
Dan Burnett: The "You don't control any of your other 
  identifiers" argument is the one that I use, too.  Every single 
  one can be taken away from you.
Christopher Allen:  Another thing that I haven't heard is talking 
  about vendor lock-in
Manu Sporny: Identitywoman, re: key management - I think we're 
  still trying to figure it out -- I mean, there are theories and 
  implementations, but this stuff hasn't been out long enough to 
  truly understand what this looks like in the hands of the masses 
  (other than Signal/WhatsApp-style key management)
  … for example, take LinkedIn, who has this nice API for a long 
  … but then soon deprecated it, so it ruined the ecosystem
Dan Burnett:  I was gonna challenge Manu a bit, re problems with 
  existing identifiers
  … the question I have is really whether the key management 
  issue for DIDs will end up the same type of hot potato
Drummond Reed:  I completely disagree that key management 
  requires another party to get involved
  … the whole thing behind DKMS is that keys are controlled by 
  their owner
  … but there's no necessity for a third party
Jonathan Holt: +1 Can be totally self sovereign
Drummond Reed: DKMS reference: http://bit.ly/dkmsv3
Christopher Allen:  I want to address something somebody said 
  earlier, which is, we need a DID Document, whether the identifier 
  is centralized or not
  … and somebody mentioned that there aren't any 
  individually-owned ones, and there were,
  … CIDs, cryptographic identifiers, like PGP, Tor etc
Dan Burnett: Drummond, my comment was not about what is 
  technically possible, rather about how the average person will 
  end up using them.  It's an issue I see in the blockchain 
  industry I'm in in general.
Drummond Reed: Also, there hasn't been any mention yet of the key 
  rotation, key recovery, and service discovery benefits of DIDs.
  … and the problem with them was - they could not be easily 
Moses Ma: Q
  … whereas DIDs potentially allow you to retain the identifier 
  through key changes, updates
Dmitri Zagidulin:  Just wanted to also mention Heather and 
  Kaliya's report on Decentralized Ecosystem - they give a very 
  accessible introduction there, good selling points there. [scribe 
  assist by Manu Sporny]
Drummond Reed: +1
Manu Sporny:  I wanted to translate some of the great discussion 
  happening today into written prose
  … the w3c technical architecture group had asked us
  … to say some subset of the discussion of today's call, in 
  written form
  … it's slightly frustrating since we've written a Primer 
  already, but it's not quite enough, they want to understand how 
  an everyday person will benefit from DIDs, in a short form
  … so I'm wondering, who in the community will take that action 
  … so, who is interested?
Drummond Reed: I too think the DID Primer is pretty good.
Moses Ma:  Hi everybody
  … we're writing a paper about the use of DIDs and Credentials 
  in STOs (security token offerings)
  … and I'd like to get some reviews on it. send me an email
Dan Burnett: I will help too
Joe Andrieu:  I posted a link to "About Explainers",
  … but if there are other folks who want to get involved, I'll 
  take the lead, but I would love assistance
Christopher Allen:  Ok, let's move to the next section, which is 
  - writing down the questions that people ask
  … the raw common questions that we get, to make sure we have 
  … we're gonna try to get through that in the next 10 mins or 
  so, and maybe next week we can look into a draft explainer
  … I'm not sure what the best way to do a draft FAQ is
*ChristopherA: maybe we start a Google Doc?*
Joe Andrieu:  What I was hoping for on this call (and we got some 
  of it), is to ask - what are the common questions?
  … so, not necessarily a full FAQ, but just - let's start with a 
  list of questions
Kaliya Young: Key Management!!!
Joe Andrieu:  Ok, let me go get that google doc started
Manu Sporny:  Just to echo what Kaliya said on IRC, key 
  management does come up,
  … but in our experience, customers don't even know what key 
  management is or why it's a problem
Moses Ma: So if you have time to review my white paper on DIDs 
  and STOs, please send me a note?
  … we often ship software that shields users from key 
  management, it's hidden from them
Kaliya Young: The key management people bring up when I present 
  is the key management by the Individual.
Kaliya Young: Not by the "issuing party"
  … let me step back. when we try to explain DIDs and VCs,
  … it's always in a very specific context, to a specific 
  customer problem
  … when we engage with tech teams, they only have a superficial 
  knowledge of decentralized tech, and they don't know or care
  … they only care that it addresses their problem, and that it has 
  had security vetting
Kim Hamilton Duffy: +1 On that
  … it does happen, at a certain level, that at some point we get 
  handed off to someone who truly does understand this stuff in 
  … and then there's a whole slew of questions, like - what are 
  the economics of the ledger
Dan Burnett: Yep
  … what happens if the governance structure of the ledger falls 
  … what happens in case of device loss?
Joe Andrieu: For recording questions
  … so yes, we get key mgmt questions, but most of the other 
  questions are about economic and governance models
Dave Longley: "Who is the audience?"
  … but those questions are only people who are interested in 
  this in-depth, they are not typical of most customers
  … like Google Docs — you don't care about the details 
  underneath, you just use them, or not
Ryan Grant: True but i used to trust Google differently than i do 
  now, and people ask me.
Christopher Allen:  Ok, so, I'm gonna bring something to the 
  … Heather and Kaliya both claim that they have in their report 
  answers to a lot of these questions
  … but it's a commercial report, and they would like 
  … I don't think the community is in a place where we can buy 
  out the whole report
  … so my question is - can the community pay a small amount to 
  Heather and Kaliya, to maybe put together a primer, with a link 
  to the larger report
Kaliya Young: Why isn't the community in a place to buy out the 
  report - seems like there are some pretty big corporations at 
  this table
Dan Burnett: Bounties!
  … so, do we want to talk about passing the hat? would Heather 
  and Kaliya be interested?
Kaliya Young: IBM, HTC, Microsoft
Heather Vescent: Also, the big companies pay for DEVELOPERS and 
Heather Vescent:  I'm listening to this conversation,
  … increasingly frustrated.
  … this is the challenge that we have working together
  … this is an ongoing challenge we have in this community
  … I'm watching these large organizations, they have money 
  behind initiatives, and the reason Kaliya and I wrote this 
  … was that we saw the need for all of these questions being 
  … and we took our own initiative and did it.
  … but we're not in a privileged position, like the authors of 
  that German blockchain organization, that have day jobs
  … these companies, they will make so much money on these new 
  … I hear this conversation, where you're trying to get everyone 
  to work together on these questions, and we spent so much time on 
  that already,
  … and had it reviewed by three different technologists
  … and we don't want to paywall it, but we want to be 
Christopher Allen:  We're very sympathetic, and want to solve the 
  … in the room, a lot of the big companies, IBM etc, are not 
  … we have trouble getting them to attend, etc
  … but the people currently in the room are not able to help 
  out. I wish we could, but it's not happening,
  … let's find a strategy that might help in some other way
  … maybe a shorter description / explainer, with a link to the 
  full report?
  … we want to solve this problem for everybody.
Kaliya Young: Clear communication about this technology IS 
  currently the limiting factor for adoption
Christopher Allen:  We do have a URL to the FAQ / question list
Christopher Allen: Questions doc is 
Kaliya Young: Clear communication takes effort, time, expertise 
  and therefore money
Christopher Allen:  I agree, Kaliya and Heather
  … it's a problem, I don't know how to solve it.
Manu Sporny: I'd suggest that "production technology" is also a 
  gating factor.
Kaliya Young: The way one solves it is to find the $ to 
  compensate the communicators
Kim Hamilton Duffy:  I feel like we have brought this up a few 
  … and it's not clear what a working model is
  … when we bring it up, we risk… I don't know, I don't think 
  we're making progress in talking about how to solve it
  … I'm curious - what is a model that Kaliya and Heather would 
  … maybe we're proposing things that work in the developer 
  community, but not in this case
Heather Vescent:  We were approached.. wait, to back up.
  … everyone has an opinion on how we should do things
  … we chased 5 different models, we want to make it accessible 
  and available
  … and none of those has succeeded
  … in our conversations, everyone has an idea of how you should 
  do it
  … and I've spent so much time chasing the viability of 
  different models, when all I want to do,
  … is that I want to release this content we spent so much time 
  on, that I know you and your clients will benefit from
  … but I can't, the last time I did that, I was exploited. I'm 
  traumatized by this now
  … I want it to be accessible and available
  … but I don't know what's going to work.
  … I don't want to volunteer for more stuff. I want to leverage 
  what we've got.
Christopher Allen:  I want to make sure, a) you know that we 
  appreciated the problem
  … manu has experienced very similar problems
Heather Vescent: Right - so why don't we work together to ensure 
  this doesn't happen. Why can't we work together to solve this 
  problem for us all?
  … I don't think it's personal. it's an industry-wide problem, a 
  tech problem
  … I don't know how to solve it.
Manu Sporny: I think the issue is that we don't know /how/ to 
  solve the problem, heathervescent.
Jonathan Holt: Is there a link to purchase the report?
Christopher Allen:  I'd like to move forward to the next thing
  … if you could put a link to the report
  … I've pitched it a few times to people.
  … I'd certainly like to see it happen. I'd like to see us all 
  do well.
Manu Sporny: +1 To wanting to see us all do well.
Christopher Allen:  Ok, closing comments?
  … we'll focus on pain points next week
  … we need to be able to put this explainer document, it'll have 
  to be open source, go onto various mailing lists
  … we can't progress without writing up some of this stuff
  … it doesn't need to be the full report. we just need a 2-4 
  page thing, that's better than the current DID Primer
  … anyone else?
Moses Ma: Thanks for being visionary and see y'all next time! 
  … ok, nobody else on the queue. everybody, thank you for your 
  stories today
  … look forward to working with you in the next few weeks
  … thank you, bye
