Re: FedId CG at W3C and GNAP

From: Melvin Carvalho <melvincarvalho@gmail.com>
Date: Mon, 10 Jan 2022 11:57:37 +0100
Message-ID: <CAKaEYhL2ezjoQDUZ2k0bXfXL5gZyg_AcBi5-Zm+1ATMTVcAKWw@mail.gmail.com>
To: Adrian Gropper <agropper@healthurl.com>
Cc: Bob Wyman <bob@wyman.us>, Steve Magennis <steve.e.magennis@gmail.com>, Orie Steele <orie@transmute.industries>, Justin P Richer <jricher@mit.edu>, "W3C Credentials CG (Public List)" <public-credentials@w3.org>

On Sun, 9 Jan 2022 at 21:33, Adrian Gropper <agropper@healthurl.com> wrote:

> Thanks, Melvin, for raising consensus as the motive of SDOs. Human rights,
> as in the Universal Declaration of Human Rights, can be considered a
> consensus at least to the extent "universal" is a meaningful qualifier.
>
> My point is that the consensus around a dual use technology has to be
> driven by recognizing, popularizing, and mitigating the risks of a
> technology.
>
> I'm dismayed with the tone of "Inserting your preferred non-technical
> ethical agenda...". And the implication of "vector for dissent"
> implies consensus can be achieved by excluding dissenters.
>

Thanks for pointing this out

Wrote the note quickly, tone would have been better served in 3rd person,
will aim for that in future :)

Dissent is not excluded, it's important, as it provides a safety net.
Normally the aim is to satisfy dissent and legitimate objections.

However, top-down ethics need to be limited to things that have near
universal agreement, to be useful


>
> In my attempt to achieve consensus, I am proposing that W3C introduce GNAP
> as a mitigation of risks presented by the dual-use nature of standardized
> digital credentials. We can debate the dual-use label. We can debate the
> alternatives to GNAP as a mitigation.
>
> This seems very different to me than the discussion of TAG
> ethical principles or climate change because we can argue that the DID spec
> already includes adequate mitigation for climate change.
>
> I hope.
>
> Adrian
>
> On Sun, Jan 9, 2022 at 11:02 AM Melvin Carvalho <melvincarvalho@gmail.com>
> wrote:
>
>>
>>
>> On Sun, 9 Jan 2022 at 01:26, Adrian Gropper <agropper@healthurl.com>
>> wrote:
>>
>>> The W3C TAG Ethical Web Principles and Bob's distinction are too general
>>> to inform specific decisions for an engineer like: "Should I participate in
>>> the FedId CG or GNAP?" or "Should VC-API consider GNAP a MUST or a MAY"? or
>>> "Should W3C Presentation Exchange be based on IETF Rich Authorization
>>> Requests?" in cases where the engineer has the ability to make such
>>> decisions without risking their family's welfare. In cases where the
>>> engineer is not constrained by finance, decisions such as the above are a
>>> lot like religion, IMHO.
>>>
>>> I see standardized digital credentials as an example of a "dual-use
>>> technology". Nuclear, gene editing, and AI are other examples of
>>> dual-use technology. Each of these has obvious serious risks to humanity
>>> and consequently to human rights.  As engineers we need to recognize the
>>> risks, explain them for non-engineers to understand, and propose the
>>> mitigations required for any dual-use technology. Call that ethics if you
>>> want.
>>>
>>> Is there any other choice?
>>>
>>
>> Religions tend to involve a divinity.  Ideologies less so.
>>
>> Everything is unethical from someone's point of view, or something's
>> point of view.
>>
>> So you should stick to things that are uncontroversial.  e.g. that the
>> web should aim to be inclusive to those with disabilities
>>
>> Inserting your preferred non-technical ethical agenda into standards work
>> e.g. trying to reduce climate change, is just a vector for dissent, when
>> standards bodies are trying to achieve consensus
>>
>>
>>>
>>> - Adrian
>>>
>>>
>>>
>>> On Sat, Jan 8, 2022 at 5:58 PM Bob Wyman <bob@wyman.us> wrote:
>>>
>>>> Adrian Gropper wrote:
>>>>
>>>>> "Human rights are like what has been said of pornography: "You know it
>>>>> when you see it." Ethics are like art."
>>>>
>>>> I find that distinction to be rather unhelpful. Given that, I'd like to
>>>> make an attempt to offer my own distinction:
>>>>
>>>> Ethics involve a systemization of rules for how one ought to behave. On
>>>> the other hand, rights are entitlements which constrain behavior. Ethics
>>>> teaches you what you should do, while rights limit what you may do or
>>>> require that which you must do.
>>>>
>>>> The Stanford Encyclopedia of Philosophy
>>>> <https://plato.stanford.edu/entries/rights/> says that
>>>>
>>>>> "Rights are entitlements (not) to perform certain actions, or (not) to
>>>>> be in certain states; or entitlements that others (not) perform certain
>>>>> actions or (not) be in certain states."
>>>>
>>>> This definition shows the conflict between rights and ethics. For
>>>> instance: Someone who follows a utilitarian or consequentialist ethics
>>>> might measure the goodness of some behavior only in terms of its
>>>> consequences. Such an individual might believe that an action is "good" if
>>>> it results in an increase in aggregate societal welfare. Thus, a
>>>> utilitarian might support censoring the speech of one who espouses a
>>>> particularly unpopular belief since reducing conflict in public discourse
>>>> would be a good thing. On the other hand, if one accepts there to be a
>>>> right to "freedom of opinion and expression," as in the Universal
>>>> Declaration of Human Rights' Article 19
>>>> <https://www.un.org/en/about-us/universal-declaration-of-human-rights#:~:text=Article%2019,regardless%20of%20frontiers.>,
>>>> then, even though censorship may be considered by some to be ethical, it
>>>> should still be seen as the violation of a right.
>>>>
>>>> Most frequently, we talk about ethics when discussing the behavior of
>>>> individuals or non-governmental groups such as corporations. Rights are
>>>> most frequently discussed in the context of the actions or duties of states
>>>> or other governments. Standards groups are a bit odd since they fall
>>>> somewhere in between these two categories. Standards groups aren't
>>>> "governments," yet they perform what is essentially a legislative function
>>>> even though they don't have access to either the executive or judicial
>>>> powers that are enjoyed by states.
>>>>
>>>> A standards group needs to be aware that even if they do their best to
>>>> ensure that rights are respected in the "legislation" which is the
>>>> standards they develop, it will often be possible for people to follow
>>>> standards while violating or endangering rights. For instance, if a
>>>> standards group accepts, as many others have, that Article 19's declaration
>>>> of a right to "freedom of opinion and expression" implies a "right to
>>>> anonymity," then that standards group might ensure that it doesn't require
>>>> that key-pairs used to sign statements must be issued via certificates that
>>>> are linked to individuals' verified identity. Nonetheless, as long as
>>>> key-pair certificates are supported, it must be recognized that at least
>>>> some of them will, in fact, provide a means to link signatures to
>>>> individuals whether or not that linkage is desired by those individuals. I
>>>> suggest that the standards group will have done its job if it ensures that
>>>> anonymity is possible while also warning, perhaps in a "Rights
>>>> Considerations" section, that certain means of complying with the standard
>>>> could or would endanger anonymity. Ideally, when given a choice between
>>>> adopting two means of satisfying a single requirement, the standards group
>>>> would select that means which presents the least known risks to rights.
>>>>
>>>> Is any of that useful?
>>>>
>>>> bob wyman
>>>>
>>>>
>>>> On Sat, Jan 8, 2022 at 12:11 PM Adrian Gropper <agropper@healthurl.com>
>>>> wrote:
>>>>
>>>>> Yes, Steve: "Perhaps it is that human rights can be a more tangible
>>>>> endeavor (better suited to standards work) whereas ethics is more of a
>>>>> philosophical pursuit?"
>>>>>
>>>>> Although my career as an engineer and entrepreneur is similar to most
>>>>> of my colleagues in standards work, I have now spent over a decade as a
>>>>> full-time volunteer advocate with _dozens_ of tech standards groups and
>>>>> health tech policy forums. Almost without exception, the SDOs are designed
>>>>> for regulatory capture of the policy forums. It's an investment by a funded
>>>>> entity to influence policy for profit just like a lobbyist would be, only
>>>>> with engineers. Yes, I'm oversimplifying to make a point but I will be
>>>>> happy to respond to counter-examples.
>>>>>
>>>>> Human rights are like what has been said of pornography: "You know it
>>>>> when you see it." Ethics are like art. SDO discussion threads, for example,
>>>>> don't take kindly to mentions of "motive". Statements like the one I just
>>>>> made about regulatory capture are obviously motive and, if I had directed
>>>>> that to an individual, folks would let me know.
>>>>>
>>>>> Ethics, in my experience, are like motives in the SDO context. They
>>>>> may or may not be relevant but need not be questioned. Writing about ethics
>>>>> in an SDO is as useful as discussing religion.
>>>>>
>>>>> Adrian
>>>>>
>>>>>
>>>>>
>>>>> On Sat, Jan 8, 2022 at 11:47 AM <steve.e.magennis@gmail.com> wrote:
>>>>>
>>>>>> Adrian,
>>>>>>
>>>>>>
>>>>>>
>>>>>> On a number of recent threads you have highlighted a bold contrast
>>>>>> between the concept of human rights and that of ethics. I have always
>>>>>> thought of human rights as something that emerges (or at least tries to
>>>>>> emerge) out of the ethics held by society so I’m having trouble
>>>>>> understanding your statements of comparison (e.g. why dealing with the
>>>>>> issue in this thread is a matter of one but not the other). Could you humor
>>>>>> me and unpack your definitions a bit. I’d really like to better understand
>>>>>> your point. Perhaps it is that human rights can be a more tangible endeavor
>>>>>> (better suited to standards work) whereas ethics is more of a philosophical
>>>>>> pursuit?
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks & apologies for the digression
>>>>>>
>>>>>>
>>>>>>
>>>>>> -S
>>>>>>
>>>>>>
>>>>>>
>>>>>> *From:* Adrian Gropper <agropper@healthurl.com>
>>>>>> *Sent:* Friday, January 7, 2022 12:42 PM
>>>>>> *To:* Orie Steele <orie@transmute.industries>
>>>>>> *Cc:* Justin P Richer <jricher@mit.edu>; W3C Credentials CG (Public
>>>>>> List) <public-credentials@w3.org>
>>>>>> *Subject:* Re: FedId CG at W3C and GNAP
>>>>>>
>>>>>>
>>>>>>
>>>>>> Thanks, Orie for starting this important thread. I will defer the
>>>>>> technical comments entirely to Justin and others.
>>>>>>
>>>>>>
>>>>>>
>>>>>> From my perspective, the failure of SIOP in the wild needs to be
>>>>>> understood and rectified whether it involves GNAP or not. I tried to
>>>>>> participate in FedId CG from this perspective but quickly realized that
>>>>>> they really were only scoped to federated cases and trying to introduce
>>>>>> self-sovereign perspective in that CG would be torture for all involved.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I would also hope that Sam Smith contributes to this thread. His
>>>>>> perspective on decentralization seems important.
>>>>>>
>>>>>>
>>>>>>
>>>>>> The other thing I've been trying to understand in the context of
>>>>>> self-sovereign authentication is biometrics.
>>>>>>
>>>>>>    - Facial recognition is almost free and works well enough to be
>>>>>>    entirely passive and ambient for many use-cases. Like
>>>>>>    license plate scanners for people. Not necessarily a good thing.
>>>>>>    - Iris biometrics work even better and with appropriate hardware
>>>>>>    can be almost passive. How do we control that in a DID context?
>>>>>>    - Palm biometrics (as introduced by Amazon) are less passive and
>>>>>>    somewhat expensive but could also enter widespread use.
>>>>>>    - Local biometrics like Apple FaceID is already used to
>>>>>>    authenticate into Apple Wallet. Will it be used as an ankle bracelet
>>>>>>    analog? The answer seems to be yes, because that's how Apple Watch is used
>>>>>>    to interact with the wallet.
>>>>>>    - DNA readers get cheaper all the time...
>>>>>>
>>>>>> Notice also that dealing with these issues is a matter of human
>>>>>> rights, not ethics.
>>>>>>
>>>>>>
>>>>>>
>>>>>> I think self-sovereign authentication might be a worthwhile CCG work
>>>>>> item.
>>>>>>
>>>>>>
>>>>>>
>>>>>> - Adrian
>>>>>>
>>>>>>
>>>>>>
>>>>>> On Fri, Jan 7, 2022 at 3:22 PM Orie Steele <orie@transmute.industries>
>>>>>> wrote:
>>>>>>
>>>>>> I asked them whether they considered GNAP via slack.
>>>>>>
>>>>>> https://w3ccommunity.slack.com/archives/C02355QUL73/p1641585415001900
>>>>>>
>>>>>> They are chartered here: https://fedidcg.github.io/
>>>>>>
>>>>>> To look at AuthN that breaks when browser primitives are removed.
>>>>>>
>>>>>> They are currently focused on OIDC, SAML, WS-Fed.
>>>>>>
>>>>>> The reason I asked them was in relation to the questions we have
>>>>>> discussed regarding "What can GNAP replace".
>>>>>>
>>>>>> Clearly GNAP can replace OAuth, but I think you both have now
>>>>>> confirmed that GNAP does not replace OIDC, or federated identity...
>>>>>>
>>>>>> I am confirming this one more time, just in case I got that wrong.
>>>>>>
>>>>>> Has there yet been discussion on what some kind of OIDC built on GNAP
>>>>>> instead of OAuth would look like?
>>>>>>
>>>>>> OS
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>> *ORIE STEELE*
>>>>>>
>>>>>> Chief Technical Officer
>>>>>>
>>>>>> www.transmute.industries
>>>>>>
>>>>>>
>>>>>>
>>>>>> <https://www.transmute.industries/>
>>>>>>
>>>>>>
>>>>>>
Received on Monday, 10 January 2022 10:58:09 UTC