W3C home > Mailing lists > Public > public-credentials@w3.org > January 2022

Re: FedId CG at W3C and GNAP

From: Adrian Gropper <agropper@healthurl.com>
Date: Sun, 9 Jan 2022 17:15:55 -0500
Message-ID: <CANYRo8hqeyd40_hU8RFJpAZGcFLfizJTdHiKvO765uT_1BZiXA@mail.gmail.com>
To: Mike Prorock <mprorock@mesur.io>
Cc: Melvin Carvalho <melvincarvalho@gmail.com>, Bob Wyman <bob@wyman.us>, Steve Magennis <steve.e.magennis@gmail.com>, Orie Steele <orie@transmute.industries>, Justin P Richer <jricher@mit.edu>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>
Mike,

The chairs control the agenda as well as my participation in CCG, in the
sense that I will leave the group if requested.

I'm doing the best I can in my role. The chairs control the agenda
over discussion of the "dual use" aspects of our protocol work. GNAP, DIDs
and VCs will succeed regardless.

Adrian



On Sun, Jan 9, 2022 at 4:22 PM Mike Prorock <mprorock@mesur.io> wrote:

> Adrian,
> I appreciate your dedication to this topic.  I do wish to note that there
> are two different things going on:
> 1) How much should we as a CG define and discuss elements related to human
> rights, ethics, and other topics
> 2) GNAP as related to CCG work items
>
> Quite a few of us have no interest in GNAP at this current time or view it
> as distracting from existing protocols that we have to get things working
> with based on wide market adoption before we do anything else.
> This does not mean that GNAP is not potentially useful, etc, just calling
> out that now might not be the best time to continually insist on GNAP
> adoption when many participants have to support OAuth for business reasons.
>
> It would probably be helpful to avoid conflating the two.  Items related
> to item one above, for which we have good guidance on via TAG, that can be
> expanded on for items specific to digital credentials should be agnostic to
> specific technologies to get the most value over time.  Item two above, is
> inherently related to a specific set of existing or proposed protocols and
> other technical specifications that can be assessed by item one.
>
> Mike Prorock
> CTO, Founder
> https://mesur.io/
>
>
>
> On Sun, Jan 9, 2022 at 3:35 PM Adrian Gropper <agropper@healthurl.com>
> wrote:
>
>> Thanks, Melvin, for raising consensus as the motive of SDOs. Human
>> rights, as in the Universal Declaration of Human Rights, can be considered
>> a consensus at least to the extent "universal" is a meaningful qualifier.
>>
>> My point is that the consensus around a dual use technology has to be
>> driven by recognizing, popularizing, and mitigating the risks of a
>> technology.
>>
>> I'm dismayed with the tone of "Inserting your preferred non-technical
>> ethical agenda...". And the implication of "vector for dissent"
>> implies consensus can be achieved by excluding dissenters.
>>
>> In my attempt to achieve consensus, I am proposing that W3C introduce
>> GNAP as a mitigation of risks presented by the dual-use nature of
>> standardized digital credentials. We can debate the dual-use label. We can
>> debate the alternatives to GNAP as a mitigation.
>>
>> This seems very different to me than the discussion of TAG
>> ethical principles or climate change because we can argue that the DID spec
>> already includes adequate mitigation for climate change.
>>
>> I hope.
>>
>> Adrian
>>
>> On Sun, Jan 9, 2022 at 11:02 AM Melvin Carvalho <melvincarvalho@gmail.com>
>> wrote:
>>
>>>
>>>
>>> On Sun, 9 Jan 2022 at 01:26, Adrian Gropper <agropper@healthurl.com>
>>> wrote:
>>>
>>>> The W3C TAG Ethical Web Principles and Bob's distinction are too
>>>> general to inform specific decisions for an engineer like: "Should I
>>>> participate in the FedId CG or GNAP?" or "Should VC-API consider GNAP a
>>>> MUST or a MAY"? or "Should W3C Presentation Exchange be based on IETF Rich
>>>> Authorization Requests?" in cases where the engineer has the ability to
>>>> make such decisions without risking their family's welfare. In cases where
>>>> the engineer is not constrained by finance, decisions such as the above are
>>>> a lot like religion, IMHO.
>>>>
>>>> I see standardized digital credentials as an example of a "dual-use
>>>> technology". Nuclear, gene editing, and AI are other examples of
>>>> dual-use technology. Each of these has obvious serious risks to humanity
>>>> and consequently to human rights.  As engineers we need to recognize the
>>>> risks, explain them for non-engineers to understand, and propose the
>>>> mitigations required for any dual-use technology. Call that ethics if you
>>>> want.
>>>>
>>>> Is there any other choice?
>>>>
>>>
>>> Religions tend to involve a divinity.  Ideologies less so.
>>>
>>> Everything is uneticial from someone's point of view, or something's
>>> point of view.
>>>
>>> So you should stick to things that are uncontroversial.  e.g. that the
>>> web should aim to be inclusive to those with disabilities
>>>
>>> Inserting your preferred non-technical ethical agenda into standards
>>> work e.g. trying to reduce climate change, is just a vector for dissent,
>>> when standards bodies are trying to achieve consensus
>>>
>>>
>>>>
>>>> - Adrian
>>>>
>>>>
>>>>
>>>> On Sat, Jan 8, 2022 at 5:58 PM Bob Wyman <bob@wyman.us> wrote:
>>>>
>>>>> Adrian Gropper wrote:
>>>>>
>>>>>> "Human rights are like wht has been said of pornography: "You know it
>>>>>> when you see it." Ethics are like art."
>>>>>
>>>>> I find that distinction to be rather unhelpful. Given that, I'd like
>>>>> to make an attempt to offer my own distinction:
>>>>>
>>>>> Ethics involve a systemization of rules for how one ought to behave.
>>>>> On the other hand, rights are entitlements which constrain behavior. Ethics
>>>>> teaches you what you should do, while rights limit what you may do or
>>>>> require that which you must do.
>>>>>
>>>>> The Stanford Encyclopedia of Philosophy
>>>>> <https://plato.stanford.edu/entries/rights/>says that
>>>>>
>>>>>> "Rights are entitlements (not) to perform certain actions, or (not)
>>>>>> to be in certain states; or entitlements that others (not) perform certain
>>>>>> actions or (not) be in certain states."
>>>>>
>>>>> This definition shows the conflict between rights and ethics. For
>>>>> instance: Someone who follows a utilitarian or consequentialist ethics
>>>>> might measure the goodness of some behavior only in terms of its
>>>>> consequences. Such an individual might believe that an action is "good" if
>>>>> it results in an increase in aggregate societal welfare. Thus, a
>>>>> utilitarian might support censoring the speech of one who espouses a
>>>>> particularly unpopular belief since reducing conflict in public discourse
>>>>> would be a good thing. On the other hand, if one accepts there to be a
>>>>> right to "freedom of opinion and expression," as in the Universal
>>>>> Declaration of Human Right's Article 19
>>>>> <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2019,regardless%20of%20frontiers.>,
>>>>> then, even though censorship may be considered by some to be ethical, it
>>>>> should still be seen as the violation of a right.
>>>>>
>>>>> Most frequently, we talk about ethics when discussing the behavior of
>>>>> individuals or non-governmental groups such as corporations. Rights are
>>>>> most frequently discussed in the context of the actions or duties of states
>>>>> or other governments. Standards groups are a bit odd since they fall
>>>>> somewhere in between these two categories. Standards groups aren't
>>>>> "governments," yet they perform what is essentially a legislative function
>>>>> even though they don't have access to either the executive or judicial
>>>>> powers that are enjoyed by states.
>>>>>
>>>>> A standards group needs to be aware that even if they do their best to
>>>>> ensure that rights are respected in the "legislation" which is the
>>>>> standards they develop, it will often be possible for people to follow
>>>>> standards while violating or endangering rights. For instance, if a
>>>>> standards group accepts, as many others have, that Article 19's declaration
>>>>> of a right to "freedom of opinion and expression" implies a "right to
>>>>> anonymity," then that standards group might ensure that it doesn't require
>>>>> that key-pairs used to sign statements must be issued via certificates that
>>>>> are linked to individuals' verified identity. Nonetheless, as long as
>>>>> key-pair certificates are supported, it must be recognized that at least
>>>>> some of them will, in fact, provide a means to link signatures to
>>>>> individuals whether or not that linkage is desired by those individuals. I
>>>>> suggest that the standards group will have done its job if it ensures that
>>>>> anonymity is possible while also warning, perhaps in a "Rights
>>>>> Considerations" section, that certain means of complying with the standard
>>>>> could or would endanger anonymity. Ideally, when given a choice between
>>>>> adopting two means of satisfying a single requirement, the standards group
>>>>> would select that means which presents the least known risks to rights.
>>>>>
>>>>> Is any of that useful?
>>>>>
>>>>> bob wyman
>>>>>
>>>>>
>>>>> On Sat, Jan 8, 2022 at 12:11 PM Adrian Gropper <agropper@healthurl.com>
>>>>> wrote:
>>>>>
>>>>>> Yes, Steve: "Perhaps it is that human rights can be a more tangible
>>>>>> endeavor (better suited to standards work) whereas ethics is more of a
>>>>>> philosophical pursuit?"
>>>>>>
>>>>>> Although my career as an engineer and entrepreneur is similar to most
>>>>>> of my colleagues in standards work, I have now spent over a decade as a
>>>>>> full-time volunteer advocate with _dozens_ of tech standards groups and
>>>>>> health tech policy forums. Almost without exception, the SDOs are designed
>>>>>> for regulatory capture of the policy forums. It's an investment by a funded
>>>>>> entity to influence policy for profit just like a lobbyist would be, only
>>>>>> with engineers. Yes, I'm oversimplifying to make a point but I will be
>>>>>> happy to respond to counter-examples.
>>>>>>
>>>>>> Human rights are like wht has been said of pornography: "You know it
>>>>>> when you see it." Ethics are like art. SDO discussion threads, for example,
>>>>>> don't take kindly to mentions of "motive". Statements like the one I just
>>>>>> made about regulatory capture are obviously motive and, if I had directed
>>>>>> that to an individual, folks would let me know.
>>>>>>
>>>>>> Ethics, in my experience, are like motives in the SDO context. They
>>>>>> may or may not be relevant but need not be questioned. Writing about ethics
>>>>>> in an SDO is as useful as discussing religion.
>>>>>>
>>>>>> Adrian
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Sat, Jan 8, 2022 at 11:47 AM <steve.e.magennis@gmail.com> wrote:
>>>>>>
>>>>>>> Adrian,
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On a number of recent threads you have highlighted a bold contrast
>>>>>>> between the concept of human rights and that of ethics. I have always
>>>>>>> thought of human rights as something that emerges (or at least tries to
>>>>>>> emerge) out of the ethics held by society so I’m having trouble
>>>>>>> understanding your statements of comparison (e.g. why dealing with the
>>>>>>> issue in this thread is a matter of one but not the other). Could you humor
>>>>>>> me and unpack your definitions a bit. I’d really like to better understand
>>>>>>> your point. Perhaps it is that human rights can be a more tangible endeavor
>>>>>>> (better suited to standards work) whereas ethics is more of a philosophical
>>>>>>> pursuit?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks & apologies for the digression
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> -S
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> *From:* Adrian Gropper <agropper@healthurl.com>
>>>>>>> *Sent:* Friday, January 7, 2022 12:42 PM
>>>>>>> *To:* Orie Steele <orie@transmute.industries>
>>>>>>> *Cc:* Justin P Richer <jricher@mit.edu>; W3C Credentials CG (Public
>>>>>>> List) <public-credentials@w3.org>
>>>>>>> *Subject:* Re: FedId CG at W3C and GNAP
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Thanks, Orie for starting this important thread. I will defer the
>>>>>>> technical comments entirely to Justin and others.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> From my perspective, the failure of SIOP in the wild needs to be
>>>>>>> understood and rectified whether it involves GNAP or not. I tried to
>>>>>>> participate in FedId CG from this perspective but quickly realized that
>>>>>>> they really were only scoped to federated cases and trying to introduce
>>>>>>> self-sovereign perspective in that CG would be torture for all involved.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I would also hope that Sam Smith contributes to this thread. His
>>>>>>> perspective on decentralization seems important.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> The other thing I've been trying to understand in the context of
>>>>>>> self-sovereign authentication is biometrics.
>>>>>>>
>>>>>>>    - Facial recognition is almost free and works well enough to be
>>>>>>>    entirely passive and ambient for many use-cases. Like
>>>>>>>    license plate scanners for people. Not necessarily a good thing.
>>>>>>>    - Iris biometrics work even better and with appropriate hardware
>>>>>>>    can be almost passive. How do we control that in a DID context?
>>>>>>>    - Palm biometrics (as introduced by Amazon) are less passive and
>>>>>>>    somewhat expensive but could also enter widespread use.
>>>>>>>    - Local biometrics like Apple FaceID is already used to
>>>>>>>    authenticate into Apple Wallet. Will it be used as an ankle bracelet
>>>>>>>    analog? The answer seems to be yes, because that's how Apple Watch is used
>>>>>>>    to interact with the wallet.
>>>>>>>    - DNA readers get cheaper all the time...
>>>>>>>
>>>>>>> Notice also that dealing with these issues is a matter of human
>>>>>>> rights, not ethics.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I think self-sovereign authentication might be a worthwhile CCG work
>>>>>>> item.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> - Adrian
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On Fri, Jan 7, 2022 at 3:22 PM Orie Steele <
>>>>>>> orie@transmute.industries> wrote:
>>>>>>>
>>>>>>> I asked them whether they considered GNAP via slack.
>>>>>>>
>>>>>>> https://w3ccommunity.slack.com/archives/C02355QUL73/p1641585415001900
>>>>>>>
>>>>>>> They are chartered here: https://fedidcg.github.io/
>>>>>>>
>>>>>>> To look at AuthN that breaks when browser primitives are removed.
>>>>>>>
>>>>>>> They are currently focused on OIDC, SAML, WS-Fed.
>>>>>>>
>>>>>>> The reason I asked them was in relation to the questions we have
>>>>>>> discussed regarding "What can GNAP replace".
>>>>>>>
>>>>>>> Clearly GNAP can replace OAuth, but I think you both have now
>>>>>>> confirmed that GNAP does not replace OIDC, or federated identity...
>>>>>>>
>>>>>>> I am confirming this one more time, just in case I got that wrong.
>>>>>>>
>>>>>>> Has there yet been discussion on what some kind of OIDC built on
>>>>>>> GNAP instead of OAuth would look like?.
>>>>>>>
>>>>>>> OS
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>> *ORIE STEELE*
>>>>>>>
>>>>>>> Chief Technical Officer
>>>>>>>
>>>>>>> www.transmute.industries
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> <https://www.transmute.industries/>
>>>>>>>
>>>>>>> ᐧ
>>>>>>>
>>>>>>>
Received on Sunday, 9 January 2022 22:16:24 UTC

This archive was generated by hypermail 2.4.0 : Thursday, 24 March 2022 20:25:28 UTC