[MINUTES] W3C Credentials CG Call - 2021-01-13 12pm ET from W3C CCG Chairs on 2021-01-14 (public-credentials@w3.org from January 2021)

From: W3C CCG Chairs <w3c.ccg@gmail.com>
Date: Thu, 14 Jan 2021 11:59:38 -0800 (PST)
Message-ID: <6000a2aa.1c69fb81.2f798.5d0a@mx.google.com>

Thanks to Amy Guy for scribing this week! The minutes
for this week's Credentials CG telecon are now available:

https://w3c-ccg.github.io/meetings/2021-01-13

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Credentials CG Telecon Minutes for 2021-01-13

Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2021Jan/0018.html
Topics:
1. Intros
2. Open community items
3. Election charter
4. OCAPs/zCAPs
Organizer:
Heather Vescent and Wayne Chang and Kim Hamilton Duffy
Scribe:
Amy Guy
Present:
Heather Vescent, Adrian Gropper, Amy Guy, Phil Archer, Kaliya
Young, Manu Sporny, Alan Karp, Ryan Grant, Dave Longley, Justin
Richer, Joe Andrieu, Wayne Chang, Dmitri Zagidulin, Marty Reed,
Ted Thibodeau, Taylor Kendall, Drummond Reed, Daniel Hardman,
Mandy Venebles, Erica Connell, Chris Webber, David Chadwick, Sam
Smith
Audio:
https://w3c-ccg.github.io/meetings/2021-01-13/audio.ogg

Amy Guy is scribing.

Topic: Intros

Heather Vescent: Anyone new who would like to introduce
themselves?
Alan Karp: I've been doing capabilities since I reinvented them
in 1996 and I want to make sure we get it right, because when
newbies start to use them there are plenty of mistakes that can
be made
Mandy Venebles: I work at digital bazaar and I'm interested in
getting to know what this group is all about
Chris Webber: I worked on the zcap-ld spec with mark miller, I'm
currently independent, I have worked with digital bazaar in the
past
... I've been involved in this community since about 2017, and
also had involvement in the work on DID stuff and the verifiable
credentials spec, though not as heavily as others in this group
Heather Vescent: Great to see you back
... anyone else?

Topic: Open community items

Heather Vescent:
https://github.com/w3c-ccg/community/issues?q=is%3Aopen+is%3Aissue+label%3A%22action%3A+review+next%22
Heather Vescent: One I want to talk about
Heather Vescent: #142:
Https://github.com/w3c-ccg/community/issues/142
... issue 142 which is updating the CCG licenses
... part of some of the cleanup of making sure all of the repos
in the ccg are using the official approved ccg license
... ken did a lot of work earlier to make sure we knew exactly
what those licenses needed to be and then before the end of the
year i went through and manually updated many
... all with a few exceptions
... and tried to make a comment, you can see the exceptions
Heather Vescent: License exceptions:
https://github.com/w3c-ccg/community/issues/142#issuecomment-751925176
... there are 5 repos that had other licenses associated with
them so we're trying to clean those up
... a lot are LDS ones
... if you are working on those can you take a look at the
issues list? I've put an issue in those repos to be able to get
approval because they already have a license, we need to follow
proper protocol that everyone working on the repo agrees to move
over to CCG licenses
... as I was doing this cleanup there were a lot of top level
linked data repos and one of the things i'd like to have a
conversation about moving forward is can we have general linked
data folder and all these methods of doing them can go underneath
them? to clean up the repo structure of the CCG
Manu Sporny: We should probably have a more in depth
conversationa bout it, I understand the desire to organise
everything under one repo, the issue has to do with IPR issues
between the different methods
... while they're all linked data security related, some crypto
suites have very different maturity, timelines, and the IPR stuff
around it gets potentially confusing. We should talk about it a
bit more
... I'm concerned about putting it all in one
Heather Vescent: That makes sense
... we can put this up as an issue in an upcoming meeting. It's
on my list, but after the election

Topic: Election charter

Wayne Chang: We need to decide what constitutes membership and
have better language to be more inclusive of people who
contribute to work items but are busy for a few months
... perhaps there is a requirement for meeting attendance, but
you could do fewer meetings if you actively contribute to work
items, we can have balance
... will be ready by the end of the week
Heather Vescent: We'll have updated language to share, then
leave a week for feedback and commentary, then after the
community has accepted it we can kick off the election timeline
... we should expect to get that charter data through email on
the list?
Wayne Chang: Yep

Topic: OCAPs/zCAPs

Kaliya Young: I'm excited that we're having this conversation
... I knew that in starting the thread that it would go
somewhere and it's great to see this is where it is
... before we get going I want to say one of the things I do is
listen to the conversaiton across a wide range of the community
... I was worried that some folks were going to go off and
invent / create something new to solve problems that another part
of the community had already been working on
... I want to invite collaboration sooner rather than later
... I want to start off by having Alan explain what an object
capability is so we baseline for all those listening who dont'
know
Alan Karp: A capability or an OCAP is an unforgeable,
transferable, permission to use the thing it designates
... it combines designation with authorization
Kaliya Young: Often it's contrasted with another security model
known as an access control list (ACL)
Alan Karp: An ACL specifically separates designation from
authorization. When you make a request you prove your
identity/role/attributes and the system looks up among your
permissions if one of them matches the request you're making and
then it will allow it
... searching over all of your permissions is the fatal flaw in
ACLs
Kaliya Young: Questions related to understanding what we're
talking about
David Chadwick: "The fatal flaw" - I would say it's a major
benefit as well
... it might be a flaw to some, but to others it's a benefit to
have a level of indirection between the assignment and
presentation and gaining access
Chris Webber: It might also be useful to frame how this has come
up in this community
... which is that at the time of the zcap-ld spec, there was
already another spec in this space
... it's come up whether there ought to be two specs. The other
is the verifiable credentails spec
... which is about claims that x says y about z
... it's largely about information provenance
... it's completely possible to build an authority system on
top of claims about identities
... and when you do that you'll notice it resembles strongly
alan's description of the ACL system
... there have been some, the concerns from the ocap
perspective about why we want them separate, it is valuable ot be
able to describe claims about what has happened, properties about
identities, so VC makes sense
... the risk is you want to have a couple of thing specifically
separated
... one is that you could accidentally end up building your
system such that it has the vulnerabilities that ACLs have of
ambient authority and confused deputies
... the second thing is that there are the zcap-ld spec is very
specific and limited in the kind of terminology it permits
... it includes a way to hook into things like an arbiter
deciding whether something should happen, but does not have the
space for attaching some other information other than here is who
we give it out to and here are the caveats on which it is valid
... which can be viewed in a programmatic way
... and here is an invocation making use of one of those
capabilities
... a reason to bring this up is that one of the debates is how
would you encode something such as the ...
Kaliya Young: I was just trying to have people ask really basic
questions about what are we talking about
Alan Karp: To respond to David, chris mentioned the real flaw
with ACLs is the confused deputy vulnerability that is
unavoidable
... and you don't lose that separation, that feature you get
with ACLs, because you can use the ACL to decide what capability
to grant to someone
... all your structure for role/attribute based access control
is valid, it's when you use it that matters
... you use it when you want to grant the authority, not when
someone wants to use one
Kaliya Young: I hope folks have grasped the core aspects
<manu> omg, I'm so happy this call is happening.
Dave Longley: +1 And another way of putting it is that
capabilities provide an *additional* abstraction on top of a
role-based system, it doesn't take away
Daniel Hardman: We needed a general mechanism to explain how all
vcs can explain where data came from
... authorization data is one kind, and you can use it to
construct a chain of delegation
... which is a feature you need with ocap type things
... and also use it to say, you're a small mom&pop employer
with 5 employees but when you creeate an employee credential for
them you insert the name of th employee in the credential and you
want to say I got this data off their passport
... so the name has a greater reputation associated with it
than just your reputation as a mom&pop business that nobody has
heard of
... attaching provenance to that kind of claim, and about
claims about authority, felt like the same problem
Sam Smith: I'm trying to solve the automated reasoning problem
in a decentralized world where information flows between
disparate entities
... security guarantees about that information require cross
entity flow
... the mechanism for enabling that means i need to be able to
securely attribute information thorughotu the system
... when you use the term verifiable in VCs, people understand
it means verify the authenticity, but most people think it means
verify the accuracy or veracity of the data in the credential
... but what we really want is secure attribution
... if i think about automated reasoning, it's satisfaction,
goals and constraints in order to make a decision, to take action
... so I want to provenance all of the information that i use
because the info comes from a sauce that is not authentic I can't
trust it
... so regardless of its accuracy, if i can't attribute it, i
shouldn't include it in my decision making process
... the whole idea of building security attributed provenance
is a super semantic, a baseline for a decentralized world
... it requires some form of chaining
... if you're provanancing information and doing decision
making you'll likely have not a chain but a tree or a graph
... an attribution graph
David Chadwick: I think it's possible for confused deputy to
apply to capabilities
Kaliya Young: We'll get to the middle of the conversation!
... trying not to go into the weeds, trying to support folks
not in the original conversation
... a lot of people did not read 40,000 words and follow the
whole thing
Chris Webber: I have a response to the checking of information
and provenance chains.. it relates to one of the emails.. but it
does go into the weeds
Kaliya Young: Let's wait for the weeds
... I know manu didn't chime in much, so I'd love to hear from
manu what you would like our audience to understand about it
Manu Sporny: Largely it's a conversation that has been going on
for a very long time. nearing decades.
... and there are various people here approaching a set of
problems from different perspectives which is really good
... I'm really happy we're talking about this together
... i'm concerned about it's very easy to get lost in the weeds
... and leave a whole bunch of people behind when you're
talking about the intricacies about what's better and what allows
you to do more
... there are a whole bunch of different use case that need to
be looked at an analysed
... everyone here has good intentions and wants to solve these
problems in the best way
... everyone is operating from good faith
... nobody sees this set of discussions as a we're going to
pick A or B. like there's an epic struggle. it's not that
... and that there are going to be people who win or lose
... one of the strengths of the community is that you let many
flowers bloom and see how that stuff happens in th emarket
... the main thing here is to make sure that folks are well
aware of the concerns in all approaches
<alan_karp> Kaliya, I'd like to avoid discussing whether or not
to use ocaps and focus on using VCs for ocaps.
... before we go forward
Alan Karp: I think this meeting will do better if we avoid the
question of whether or not to use ocaps, and focus on the thread
which is whether VCs are the right vehicle for ocaps
Kaliya Young: I'd love to hear from the main protagonists in the
thread talk about what the conversation was and where it got to
Chris Webber: I think it's worthwhile trying to be illustrative
of the differences
... the classic VC example is a drivers license
... we can imagine those used in a car driving scenario
... another way we can think about things is whether or not how
we can tell how far a car has been driven and how much gas is in
the car
... you would look at the odometer and the fuel guage
... that would be a VC type approach. the fuel guage says x the
odometer says y
... you're making a judgment about whether to trust the fuel
guage and the odometer
... they could be lying
... it's now the person who has received the VC who has the
information
... one thing that is curios about certificate style
capabilities is by encoding them as data we can replay time in a
way that we can see what happened to find out what has occurred
... a different way to find out the gas and mileage is take
your timelord friends blue box, travel back to when the car rolls
of the lot and watch every time th e person starts driving and
refuels the tank
... and calculate it up to that moment
... you could use a playback to find out the current state of
the car
... ohmigosh you have this information about what has occurred
anyway
... that's another thing that contributes to the feeling that
these are the same things
... one of the things is reflective. one is about what they
believe to be true, and one is about th ething is happening
Alan Karp: My view of the discussion
... I understand the discussion it's whether to have a separate
standard for ocaps or include ocaps in the vc standard
... and the concerns that chris has raised are very valid
... as the discussion went on the real point is there is a lot
of boilerplate
... how you sign, define namespaces
... a lot of that can be reused
... so the concern is that if we combine two things that may
have very different primary use cases we'll ahve overlapping
confusion
... as the discussion went on we got down the point where we
can have a type
... and they use different feeds
... as it got down the only discussion was is that difference a
should or a must
... I'm in favour of MUST
Sam Smith: I haven't been following the latest stuff
... based on what alan just said, the discussion is about
should ocaps be a separate spec or in VCs, that's a different
quesiton than what started the discussion
... I want to be clear that we may be on two different planes
now
... the original point of the discussion was is there a way to
securely provenance data where the provanence uses a chaining
semantic
... it doesn't matter what the data is
... as daniel said if I'm chaining things there is a tendency
to chain authorizations as long as i can chain anything else
... is there a home for a chaining semantic?
... if we have a chaining semantic for credentials, where would
that home be?
... my hypothesis is the correct home for a chaining semantic,
because there are many use cases that have nothing to do with
authorization, where should that home be
... if it's the VC spec, the discussion is over
... and it's a different discussion to say what do we use that
chaining semantic for?
... something about open loops
... what cwebber2 said is getting at the distinction
... if' I'm doing open loop decision processes such as an event
sourcing high volume application, I want to use a different
sematnic than a closed loop reflective process
... you say I have to be ocap like / closed loop like, then I
can't do certain things when I'm doing an open loop decision
making model
... there are advantages to both but they're not the same and
you can't make one be the other
... they are fundamentally incompatible
... I want to do open loop decision processes with VCs and i
need a chaining semantic
... is VC the right place to put a chaining semantic?
... if not, VCs are uninteresting to me
... has nothing to do with ocaps
Adrian Gropper: I cannot understand anything that is being said
so far today
... I see this discussion only in the discussion in the context
of authorization
... I've worked on a set of slides which kaliya and others have
seen
... to try and figure out the role of authorization in the
broader context of what you're talking about
... I cannot detach this conversation from the protocols
involved in authorization
... but I'll keep listening, even though I am completely lost
<jim_stclair> Great point @agropper
David Chadwick: I can bring historical perspective
... my feeling is that VCs are an evolution of the original
ECMA attribute certificat model in the 1990s which was followed
by x509
... i had discussions with Alan in 2011 about this
... when we implemented the x509 attribute cert infra
... at that time we agreed they can act as capabilities as well
... when alan started today he said an ocap is an unforgeable
transferable permission
... it is an authorization token
... you can use VCs to do both
... when he said we've got to the point of saying we should
identify with the type, I agree
... and it should be a MUST
... and if we indicate in the type we've potentially solved the
problem
Dmitri Zagidulin: Echo that one way to think about VCs vs
capabilities is at least the way zcap spec is constructed, they
are a profle of a VC
... a specialised credential used for authorization
... I am curious about the thing sam brought up, whether
chaining semantics belong in VCs as a first class mechanism
David Chadwick: +1 To specialised
... I'd like to hear more about what open reasoning is
Chris Webber: Something alan said about it being a type issue
... worthwhile noting that alan and orie were on a call, orie
had put together a demonstration of how to layer zcaps to augment
VCs
... through that conversation part of the thing was a lot of
these properties look very similar so could we reuse them
... that's a positive conversation to have
... if we can reuse properties if they are behaving the same
across both i see no reason not to
... if there's a way they are behaving differently we can use a
different property
... let's reuse the ones we can
... sounded like increasing consensus on that
... on what type is chosen? I think the important thing is
that since the use of verifiable credentials vs the use of zcaps
or ocaps are very different, because zcaps have a specific
algorithm that includes the caveats mechanism, whcih is different
that VCs are
... and that there are additional properties you may want to
attach to a VC that should not apply to whether or not to accept
a capability invocation as valid
... this is important because you want to be able to reply
everything and end up in the same state which might not happen
otherwise
... i agree there is an opportunity for collaboration where we
can reduce the friction between to two
... if we reuse properties, but have two types that are not
included at the same time
... and the mechanisms used for both are two different
algorithms
Alan Karp: Chaining is absolutely critical for ocaps
... there's a difference in the provenance
... after the provenance that matters is the root of the
delegation chain in ocaps
... I expect the prov of each step matters in what sam is
interested in
... one difference is in revocation
... in claims type vcs you don't know who is going to look at
the thing to decide if it's important
... in ocaps you do
... revocation in ocaps is simply telling the resources, the
verifier, don't honour this thing any more
... you need something more like a CRL (Certificate Revocation
List) for the claims
... it's awful. If you don't know how is going to look at the
cert you have to have some means to find out it's revoked
<agropper> What Alan just said is an example why I can't see
detaching the cap from the protocol.
Manu Sporny: Jumping high on the stack, people are seeing why
it's so difficult to have this conversation
... it's hard to outline the differences without getting into
the weeds
... you can do authorisation using both mechanisms, and you can
chain using both mechanisms
... the core issue is using a hammer to drive in a screw
... that is the difference
... it's basically wrong tool for the wrong job
... the folks that are saying zcaps are really doing something
different that what vcs are doing
... there is an algorithmic difference
... what is being said is I know you're holding a screw and
you're trying to use a hammer to drive the screw in, you should
use a screwdriver
... you'll get the job done but that thing is not going to be
very strong
... you've damaged something by doing that
... if there's one thing folks can take away, you can do all of
these things using either tech
... the debate is whether there's a better tool and a better
way to protect developers from making the wrong decision
Daniel Hardman: -1 To hammer and screw
<dhh> I think this is a misleading metaphor
David Chadwick: +1 To Daniel
David Chadwick: -1 To hammer and screw
Sam Smith: Alan said I have no idea what manu just referred to
because without making specific reference to what the hammer and
screw is, it doesn't help
... but what alan said about revocation is one of the core
issues between what i'm calling open loop and closed loop models
... are you going back to the source to verify whether or not
Manu Sporny: The point is that "While you can use them together,
they don't go well together" :)
... in a token oauth model, if i issue something using a set of
keys and sign with those keys
... and the token is presented back to the issuer
... if the keys have rotated, the token is automatically
revoked
... in an open loop model you need some registry, a verifiable
data registry, of revocation
... revocation isn't automatic, it requires a separate action
from the issuer
... things are valid until revoked
... what the open model allows you to do is separate your key
management chain from your issuance revocation chain
... rotation of a key doesn't automatically imply revocation of
a credential
... you can separately rotate keys and credentials are still
valid
... that's a fundamental property
Daniel Hardman: To manu's metaphor, I find it very troubling and
misleading
... I'm not just trying to deal with nails and screws
... I'm trying to deal with various other kinds of fasteners
... there are many different things I"m trying to work with and
screws (ocaps) is just one of many
... if I have to pick one tool over all of them which tool will
I use?
... you could say you don't have to pick one tool for all
... it's too early for us to introduce lots of different
standards
... at an early stage in an ecosystem you don't develop a whole
bunch of specialised tooling
... you use the tools you have to develop experience
... in 2-5 years we might have more experience to make the
finer distinction
<manu> (VCs are the hammer) -- (Authorization is the screw)
<agropper> I was hoping to hear from Justin
Kaliya Young: Vcs are the hammer and authorization is the screw
Chris Webber: As much as I'm concerned that it's critical to
separate these things, the question should be what decision
should this grop make?
... a top down decision that we have to combine these things or
not?
... if the people working on zcaps would liek them to be
separate but are interested in collaborating on trying to use the
same properties? is there any harm in that? would we benefit if
we end up taking that approach?
<samsmith> @manu The dictionary definition of credential is
synonymous with authorization. So using your metaphor means we
are taking about phillips heads vs flat head screws
Alan Karp: On manu's analogy, i think it's driving a nail with a
screwdriver, it works...
<cwebber2> the CCG is walking into a 30 year old argument
David Chadwick: Capabilities are a subset and specialisation of
VCs. The revocation further highlights that
... in vcs when you're chaining properties, anybody in the
chain can do a revocation. with capabilities only the root can.
that's a specialisation
Kaliya Young: What should this group do next?
... if folks were to use IRC to answer that question, we're not
going to solve it in 3 minutes
... I was given permission by the chairs to say we can have a
part 2
... that can be centered around the next action for this group,
and if there's clarity in that starting to sketch out a charter
... I feel like the conversation got to a place because some
parts of the community have more mutual understanding, though I
do hear there is still some confusion
... I'm grateful for everybody's participation in the
conversation and hope we can support the synergies
<cwebber2> I'm not sure we're going to solve it over 1-hour
meetings, so the real question is how to best collaborate
<alan_karp> Anyone on the chain can revoke subsequent
delegations.
<tayken> Have to hop off...BIG thanks to @Kaliya + @Amy +
Heather/chairs for managing the weeds (and doggos). Nothing worth
doing comes easy!
Manu Sporny: I believe the CCG process calls for a cage fight in
a Roman-style arena next. :P
<cwebber2> lol
<agropper> We need to be talking about protocols before we return
to data models.
Heather Vescent: From a chair perspective, for part 2 how can we
structure this conversation
... we knew it was going to be a bunch of different levels
... how can we structure it to get some productive outcomes for
the community?
Manu Sporny: What are folks afraid of?
... write down what folks are concerned about if one path is
taken over the other
... and what problems are you trying to solve? could folks help
walk through how that problem is solved using either approach
Kaliya Young: I had the impression from what Sam said, it may be
worth starting another thread specifically about the question
that you named
... we're at the top of the hour. it's over!
<cwebber2> I do have a suggestion but I guess I should throw it
to the mailing list at this time
Heather Vescent: The chairs will circle back with kaliya and
we'll figure out a process for moving forward
... No call next week
... Back on the 27th
... about Verifiable Requests
... the earliest we could pick this up is in February
... and we'll have chair election details asap
... thanks for coming!

Received on Thursday, 14 January 2021 19:59:54 UTC