PDS/IdH/EDV Discussion - Suggested proposals and clarifications (was Re: PDS/IdH/EDV Discussion - 2019-11-22 Minutes)

Hi all, you should have received an invite by now for the Personal Data
Stores Superfriends call for Dec 6th at 1pm ET. As a reminder, this is
not a free form discussion, it's focused time to drive to consensus on
specific proposals.

In an attempt to prepare for that call, here are a few proposals that we
could try to drive to consensus as well as a few clarifications for
points made on the last call that were preventing us from coming to
consensus.

PROPOSAL: The Identity Hubs and Encrypted Data Vaults documents will
be used as use case, requirements, and technical input for
the collaborative effort. The DID Comm, UMA, and OAuth2 work will
continue in parallel and are acknowledged as important related work that
might influence the direction of the collaborative effort.

PROPOSAL: The intent is to eventually standardize the W3C-specific work
-- at a minimum, data models, syntax, CRUD API, and a minimum viable
HTTP-based interface -- at W3C under W3C's Royalty-Free Patent policy.
Regular Task Force calls will be hosted under the W3C Credentials
Community Group under the aforementioned IPR policy.

The reasoning behind these proposals is clarified below, for those that
have the time and motivation to read about the details. Responses are
encouraged so we can try to get to consensus more quickly on the call
next week.

--------------------------------

There was some confusion during the last call that I'll try to highlight
and clarify so that the next call goes a bit more smoothly and with the
hope that we can get to closure on where to have regular meetings and
under which IPR policy. Here were the points of confusion/contention:

1. The work item being proposed for standardization is not clear and
   therefore where it should be incubated isn't clear.
2. DIF provides more protection against companies that may try to
   disrupt the standardization effort.
3. DIF policies enable things to easily be incubated at DIF and moved to
   W3C.

------------------------------

> The work item being proposed for standardization is not clear and 
> therefore where it should be incubated isn't clear.

There is only one work item being proposed for pre-standardization. It's
some yet-to-be-finalized combination of the Identity Hubs and Encrypted
Data Vaults documents:

https://github.com/decentralized-identity/identity-hub/blob/master/explainer.md
https://digitalbazaar.github.io/encrypted-data-vaults/

That is it. All other items, such as DIDComm, remain in their respective
communities and groups. Yes, we may talk about UMA, DIDComm, and other
work items, but they are not DIRECTLY a part of what is being proposed.
What is being proposed is much more narrow (only the two specifications
above and only the parts of those specifications that the group came to
consensus on during the last call).

------------------------------

> DIF provides more protection against companies that may try to 
> disrupt the standardization effort.

Google and Facebook were named directly as organizations that would be
actively hostile to the PDS/IdH/EDV work and a reason why the work
shouldn't be done at W3C or IETF.

For DIF to provide more protection against companies attempting to
disrupt the standardization effort, it would have to have policies in
place (and the membership support) to prevent such a thing from
happening. So, the question becomes how would DIF be able to prevent
large organizations from disrupting the work? Not allow them to join DIF?

We do have multiple data points of large organizations throwing their
weight around at W3C and IETF. One of those large organizations *is* a
DIF member and actively attacked the Verifiable Credentials work and
the DID work. While that member seems to be behaving now, there is
nothing that would prevent that from happening at DIF.

The reality of standards is that there is nothing to prevent large
organizations from joining a standards effort and throwing their weight
around. The only protection against that is a cohesive community of
member organizations that can push back (by stating that they will
implement a given specification, even if the large organization says
that they will not).

DIF is more susceptible to this sort of attack than W3C or IETF because
it has never dealt with this sort of thing and its membership numbers
aren't as great as W3C or IETF. W3C and IETF often deal with this sort
of thing - there are processes in place to mitigate this sort of behaviour.

------------------------------

> DIF policies enable things to easily be incubated at DIF and moved
> to W3C.

If this is true, then it doesn't matter where the work is incubated.

We do know that the PDS/IdH/EDV work could start in a W3C CCG next week
if we agreed to that (an initial spec exists under W3C IPR and many of
us are already members of the W3C CCG). So, starting and transition
costs are already paid. It was not clear that this is true for DIF. The
trepidation is that we'd be testing this approach with PDS/IdH/EDV for
the first time and because it's the first time, we're bound to hit snags
that will slow the work down.

So, the only thing that needs to be done is for DIF to produce proof
that they can provide the same things as the W3C CCG, which means:

* Membership in the PDS/IdH/EDV group MUST be accessible to the general
  public at no cost to fully participate.
* The PDS/IdH/EDV group MUST do its work in the open and record work
  products (meeting transcriptions, specs, notes) on a publicly
  accessible and archived website. It should clearly articulate where
  the work products will go and who will do the work to make that
  happen.
* The PDS/IdH/EDV group MUST keep transcriptions of every meeting so
  that those not able to attend and those with accessibility needs
  can follow the conversation.
* The PDS/IdH/EDV group MUST be covered by an IPR policy that does
  not require IPR sign-off to be repeated once transferred to W3C/IETF.
  While it has been asserted that this is true, W3C legal counsel has
  not weighed in on that assertion, and that needs to happen.

The first three are easy - we just need the DIF Executive Director to
make a legally binding statement to that effect. The last one may take
time, but needs to happen so we don't hit a snag halfway through.

If all of that can be done on an acceptable time frame to the
communities participating, then we might be able to achieve consensus
from the group during the call next week.

-- manu

-- 
Manu Sporny (skype: msporny, twitter: manusporny)
Founder/CEO - Digital Bazaar, Inc.
blog: Veres One Decentralized Identifier Blockchain Launches
https://tinyurl.com/veres-one-launches

Received on Friday, 29 November 2019 21:09:11 UTC