Re: Different Verifiable Credential protocols? (was: Re: Please vote to approve/disapprove the new charter)

I don't want the group to dismiss your concerns.

I want you to open work items that address your concerns, and invite
collaboration to address them in the W3C.

I think the scope of the working group is such that all your concerns can
be addressed, assuming there were work items created to address them.

As a newer W3C member, it's possible I'm a bit biased by the wikipedia
definition for world wide web.

"The World Wide Web (WWW), commonly known as the Web, is an information
system where documents and other web resources are identified by Uniform
Resource Locators (URLs, such as https://www.example.com/), which may be
interlinked by hypertext, and are accessible over the Internet. The
resources of the WWW are transferred via the Hypertext Transfer Protocol
(HTTP) and may be accessed by users by a software application called a web
browser and are published by a software application called a web server."

https://en.wikipedia.org/wiki/World_Wide_Web

Integrating emerging technology with legacy systems is a core part of
technology modernization, just because some people want to focus on that
part, doesn't mean that those same people can't also work on wholesale
replacing of legacy systems...

For example, I personally work on did:elem a blockchain based DID Method,
and also on did:web and did:key... Part of why I work on did:web is that
some potential adopters of verifiable credentials want to use only existing
(legacy) technologies for their identifier infrastructure, but they also
want to use new emerging standards.

There are pro's and con's for every technology, I work on many things which
I think are not perfect, GPG is an example... I don't love key servers...
but GPG is still used to sign git commit messages and software
distributions... I feel similar about HTTP, it has issues... but it also
has lots of users... who I want to support.

I also want to support the things you care about, such as DIDComm, Aries,
Indy, ZKPs, etc... Are there any work items in the W3C that you can point
me to, today where I can learn more about these technologies and how they
are interoperable / work with the scope defined in the current charter?

For example, I think it would be really helpful to provide better
definitions for:

CLSignature2019, CLCredentialDefinition2019
I'd be happy to help with that, or otherwise suring up the relationship
between W3C Documentation, VC Data Model and CL Signatures.

OS




On Fri, Apr 10, 2020 at 12:33 PM Daniel Hardman <daniel.hardman@evernym.com>
wrote:

> @Orie:
>
> I am not "attacking HTTP and Web Technologies" or "objecting to HTTP and
> Web Technologies," nor am I "frustrated that a large number of W3C members
> love working on web technologies." Web technologies are great. I'm using
> them right now as I process my email and browse away. (BTW, would you feel
> welcomed by such language, if you felt it described your behavior unfairly?)
>
> In some cases I *am* "objecting to the standardization of Web and HTTP
> APIs for the VC Data Model." My objection is to the assumption that we
> should have one solution for HTTP, and a different and later solution for
> everything else. My argument has been that bifurcating the problems this
> way does not deliver solutions faster to enterprises, but it does
> marginalize the developing world and enthrone strongly connected enterprise
> servers in a power position (how many private individuals are going to run
> a web server to host the standard verifier API we're working on?).
>
> It sounds like you want the group to dismiss my concern and buy into your
> preferred assumption, and that you feel the need to "be blunt" that my
> concern isn't resonating: "different communities have different
> priorities... This is the W3C." That is the opposite answer to my question
> from the one you and Manu implied when you said the scope was super
> inclusive. And this is the very question I raised about the charter. If my
> concern doesn't resonate, that's *totally fine* -- just tell me I'm
> worried about something that's out of scope, and I'll go quiet. But don't
> simultaneously claim the group wants to think about everything, and then
> take me to task for insisting that we think broader than HTTP. It feels
> unreasonable to try to have it both ways.
>
> @Nikos
>
> I agree that Indy is ZKP-centric, but please notice that I didn't bring up
> Indy or the poison pill of ZKPs, anywhere in the thread. Bringing such
> things into the discussion is a way to create a straw-man version of what
> I'm saying, and then get everyone to dismiss it by association.
>
> I also didn't bring up Aries in general, but rather 2 specific RFCs. Those
> RFCs are not Indy-dependent, and they say so. They describe a workflow that
> works over HTTP as well as bluetooth, email, and sneakernet. And they
> describe credential usage patterns that apply to any VC type at all. If
> you've studied them and had a frustrating experience, I apologize. That
> would be a fair reason not to like them, but not a fair reason to ignore
> them if Orie's broader scope is really the intent of the group.
>
> On Fri, Apr 10, 2020 at 10:47 AM Orie Steele <orie@transmute.industries>
> wrote:
>
>> Daniel,
>>
>> I suspect that you may be frustrated that a large number of W3C members
>> love working on web technologies, different communities have different
>> priorities... This is the W3C.
>>
>> At this point I need to be blunt... constantly objecting to the
>> standardization of Web and HTTP APIs for the VC Data Model and DID harms
>> the adoption of DIDs and VCs by Enterprises and Governments, paying
>> customers of many of the members of the W3C...
>>
>> We need HTTP and Web support for DIDs and VCs in order to ensure they are
>> usable, today... we might also need gRPC, ZKPs, or JOSE... but we for sure
>> need HTTP and Web. In terms of priorities, I believe HTTP and Web
>> technologies are more important for the group to establish consensus and
>> interoperability around first, because they already have significant
>> investment from our (the communities) customers...
>>
>> We are in a post cloud era... companies have just finished investing
>> millions of dollars in centralized IAM, VPC, migration from on-prem to
>> cloud, integration of on prem and cloud... Microsoft, Google, Apple... all
>> have cloud storage services, cloud based identity systems... public http
>> APIs.... they are represented in the W3C, some of us are trying to support
>> them, their browsers, and the millions of people who use their browsers.
>>
>> There is a difference between believing in gRPC and ProtoBuff's
>> superiority and objecting to work items that use HTTP and the Web as a
>> starting point.... and it's very frustrating for those of us who want to
>> work together on HTTP and web technologies under the World Wide Web
>> Consortium (W3C).
>>
>> DIDComm is being standardized at the DIF, I think that's probably a major
>> reason why it's not actively discussed here... feel free to propose it as a
>> W3C CCG work item, or
>> https://github.com/hyperledger/aries-rfcs/tree/master/features/0036-issue-credential
>> or
>> https://github.com/hyperledger/aries-rfcs/tree/master/features/0037-present-proof ...
>> they appear to be dependent on DIDComm, but I'm sure there is a way to
>> create a work item for VC Data Model over DIDComm in W3C and leave DIDComm
>> in DIF.... assuming the IPR policy for aries-rfcs is compatible with such
>> an approach.
>>
>> "Let's quit claiming that the asymmetric security model of standard HTTPS
>> deployments is consistent with the decentralized ethos of DID-based
>> security. "
>>
>> This is completely false and harmful to the DID and VC ecosystem.
>>
>> https://devcenter.heroku.com/articles/ssl-certificate-self
>>
>> "For apps with controlled distribution this warning can be avoided by
>> creating your own authority certificate and adding it to your users’
>> browsers."
>>
>> Q: What is the difference between telling a browser to trust a
>> certificate, and telling a person to trust a did / did method?
>> A: Browsers support HTTP and Certificates, not DIDs and VCs.
>>
>> If we want browsers to support DIDs and VCs, attacking HTTP and Web
>> Technologies is the last thing we should be doing.
>>
>> Please stop objecting to HTTP and Web Technologies, and work items at the
>> W3C that attempt to prioritize support for these.
>>
>> Please create work items that reflect the things you want the group to
>> focus on, and request that people contribute to those work items.
>>
>> Things that I know you care about that I would love to help contribute to
>> that could be worked on in the W3C:
>>
>> - ZKP Proof Representations that work with ledgers other than Indy.
>> - DIDComm over HTTP
>> - QRCode / Offline / Compressed VC Representations
>>
>> If you have a work item which you want supported, feel free to email me
>> or raise it on the W3C CCG call so we can discuss it.
>>
>> OS
>>
>>
>>
>>
>>
>> On Fri, Apr 10, 2020 at 10:42 AM Daniel Hardman <
>> daniel.hardman@evernym.com> wrote:
>>
>>> Manu and Orie:
>>>
>>> The question isn't the theoretical definition or possibilities. It's the
>>> mindset of the group.
>>>
>>> I have repeatedly tried to get the group to think beyond HTTP, and
>>> encountered friction. If the group wants to adopt the broader definition,
>>> that's fine. But let's really adopt it. Let's not say the scope is really
>>> broad, but turn around and view most of our interesting topics (EDV, CHAPI,
>>> polyfills, issuer API, verifier API) through HTTP lenses, as if it's okay
>>> to have one standard for HTTP, and then we can get around to the other
>>> transports later, or with separate standards. Let's quit proposing to
>>> describe our standards with Swagger docs. Let's quit thinking that
>>> synchronous request-response is adequate to model our interactions. Let's
>>> quit ignoring Aries RFC 0036 and 0037, which provide a format-independent,
>>> standards-compatible means to exchange credentials that is HTTP compatible
>>> but not HTTP dependent. Let's quit claiming that the asymmetric security
>>> model of standard HTTPS deployments is consistent with the decentralized
>>> ethos of DID-based security. Let's quit treating DIDComm as an irrelevancy.
>>> Etc.
>>>
>>> On Fri, Apr 10, 2020 at 9:26 AM Orie Steele <orie@transmute.industries>
>>> wrote:
>>>
>>>> +1 If you want to see a demo of a progressive web application, which
>>>> can be installed on your mobile home screen, works offline, and uses a
>>>> camera to scan QR Codes, and can sign and verify see:
>>>>
>>>> https://did-key.web.app/
>>>>
>>>> I've been experimenting with using service workers to intercept
>>>> requests for webkms, so that webkms can be run fully in browser, with
>>>> software isolation for keys... it's totally hacky, but gives you an idea of
>>>> just how powerful PWAs can be:
>>>>
>>>> https://github.com/OR13/react-pwa
>>>>
>>>> And here is a P2P implementation of the Game of Go, built with OrbitDB
>>>> / IPFS / WebRTC...
>>>>
>>>> https://g0.or13.io/
>>>>
>>>> Using Web RTC Rendezvous servers are particularly interesting to
>>>> consider wrt VCs / DIDs... because you can show up on a web page (as is the
>>>> case with the go demo), announce yourself as an identifier, and then
>>>> immediately switch to e2e encrypted communication between peers... I don't
>>>> have a demo of that with dids, but it's on my weekend project list for a
>>>> couple months...
>>>>
>>>> OS
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>> On Fri, Apr 10, 2020 at 10:06 AM Manu Sporny <msporny@digitalbazaar.com>
>>>> wrote:
>>>>
>>>>> On 4/10/20 10:31 AM, Daniel Hardman wrote:
>>>>> > Should we understand by this that presenting credentials via QR code,
>>>>> > via BlueTooth/NFC, via sneakernet, and so forth is out of scope?
>>>>>
>>>>> I'll note that Web-browsers can get access to the camera phone and scan
>>>>> QR Codes:
>>>>>
>>>>> https://github.com/schmich/instascan
>>>>>
>>>>> and Web Bluetooth is released in many of the latest/popular browsers:
>>>>>
>>>>> https://caniuse.com/#feat=web-bluetooth
>>>>>
>>>>> ... and WebNFC just went into Origin trials in Chrome:
>>>>>
>>>>>
>>>>> https://developers.chrome.com/origintrials/#/view_trial/236438980436951041
>>>>>
>>>>> There continues to be confusion around the colloquial use of the word
>>>>> "Web", which among developers, is mired in the historical protocol that
>>>>> spawned the Web -- HTTP. The colloquial use is often outdated and
>>>>> wrong.
>>>>>
>>>>> The W3C is about the "Web Platform", which is not limited to HTTP.
>>>>> Wikipedia has a decent definition here:
>>>>>
>>>>> https://en.wikipedia.org/wiki/Web_platform
>>>>>
>>>>> ... but here are the other protocols that are not HTTP that are viewed
>>>>> as being part of the Web platform:
>>>>>
>>>>> * TLS
>>>>> * Geolocation (and by extension, the Global Positioning System,
>>>>>   protocols and data formats)
>>>>> * Web Sockets (which are not HTTP!)
>>>>> * Web Of Things (IoT, CoAP, etc.)
>>>>> * WebRTC (and a whole bunch of IETF specs on signalling
>>>>>   and media encoding/transmission protocols)
>>>>> * Web Bluetooth (Bluetooth and its data formats and protocols)
>>>>> * NFC (again, data formats and protocols)
>>>>> * Media Capture API (audio and video formats and protocols)
>>>>>
>>>>> The W3C is not solely about HTTP, and you learn that pretty quickly
>>>>> when
>>>>> you go to a W3C Technical Plenary, or participate in various standards
>>>>> groups at W3C. I understand that it's difficult for many to participate
>>>>> in that way. Fundamentally, the Web Platform is a bridging technology,
>>>>> connecting all of these disparate data formats and protocols into a
>>>>> cohesive application development environment.
>>>>>
>>>>> So communication of Verifiable Credentials over NFC, Bluetooth, WebRTC,
>>>>> Web Sockets, QR Codes... IMHO, all very much in scope.
>>>>>
>>>>> -- manu
>>>>>
>>>>> --
>>>>> Manu Sporny - https://www.linkedin.com/in/manusporny/
>>>>> Founder/CEO - Digital Bazaar, Inc.
>>>>> blog: Veres One Decentralized Identifier Blockchain Launches
>>>>> https://tinyurl.com/veres-one-launches
>>>>>
>>>>>
>>>>
>>>> --
>>>> *ORIE STEELE*
>>>> Chief Technical Officer
>>>> www.transmute.industries
>>>>
>>>> <https://www.transmute.industries>
>>>>
>>>
>>
>> --
>> *ORIE STEELE*
>> Chief Technical Officer
>> www.transmute.industries
>>
>> <https://www.transmute.industries>
>>
>

-- 
*ORIE STEELE*
Chief Technical Officer
www.transmute.industries

<https://www.transmute.industries>