[MINUTES] W3C CCG Credentials CG Call - 2024-11-26

Thanks to Our Robot Overlords and Our Robot Overlords for scribing this week!

The transcript for the call is now available here:

https://w3c-ccg.github.io/meetings/2024-11-26/

Full text of the discussion follows for W3C archival purposes.
Audio of the meeting is available at the following location:

https://w3c-ccg.github.io/meetings/2024-11-26/audio.ogg

A video recording is also available at:

https://meet.w3c-ccg.org/archives/w3c-ccg-weekly-2024-11-26.mp4

----------------------------------------------------------------
W3C CCG Weekly Teleconference Transcript for 2024-11-26

Agenda:
  https://www.w3.org/Search/Mail/Public/advanced_search?hdr-1-name=subject&hdr-1-query=%5BAGENDA&period_month=Nov&period_year=2024&index-grp=Public__FULL&index-type=t&type-index=public-credentials&resultsperpage=20&sortby=date
Organizer:
  Harrison Tang, Kimberly Linson, Will Abramson
Scribe:
  Our Robot Overlords and Our Robot Overlords
Present:
  Chevan Nanayakkara, Heather Flanagan, Harrison Tang, Kaliya 
  Young, Rashmi Siravara, Erica Connell, Greg Natran, Vanessa, Sam 
  Smith, Joe Andrieu, Nis Jespersen, Olvis E. Gil Ríos, Will 
  Abramson, Phil Long, Dmitri Zagidulin, Kimberly Linson, Chandi 
  Cumaranatunge, Manu Sporny, TallTed // Ted Thibodeau (he/him) 
  (OpenLinkSw.com), Jennie M, Savita, Leo, David, David Chadwick, 
  bumblefudge (afk), bf, Tom S, Kerri Lemoie, Adam Bradley

<harrison_tang> Heather, can you hear us?  I think you are on 
  mute
<heather_flanagan> I don't hear you . Dang it!
<harrison_tang> can you hear us now?
<harrison_tang> heather, you might want to rejoin and check your 
  browser permissions
<harrison_tang> i'll start the admin stuff first
Our Robot Overlords are scribing.
Harrison_Tang: Hi everyone uh welcome to this week's uh W3C CCG 
  meeting so today we're very excited to have Heather Flanagan 
  uh here to talk about Federated Identity Working Group's 
  update Heather actually co-chairs that group so they're very 
  excited to see what uh Federated Identity Working Group uh has 
  been working on.
<heather_flanagan> Boo! Still not getting sound. Let me try a 
  different browser
Harrison_Tang: Now before we start I just want to quickly uh do 
  the administrative stuff uh first of all just want to uh have a 
  quick reminder on the code of ethics and professional conduct uh 
  that's make sure that we have respectful uh constructive 
  conversations I I know most recently in the past 2 days there has 
  been some email thread um flying around uh I just I by the way I 
  just want to make a quick note uh I will send out um.
Harrison_Tang: Response in the next 4 or 5 hours as a co-chair uh 
  to uh address the issue uh but just want to uh quickly remind 
  everyone that W3C CCG is open inclusive forum uh that uh 
  encourages everybody to uh voice incubate and discuss identity 
  related ideas uh we do want to welcome uh different communities 
  uh updates and uh Communications and uh developments uh so we 
  want to continue to encourage people doing that.
Harrison_Tang:  um you know.
Harrison_Tang: Have disagreements or certain uh issues that they 
  want to raise feel free to uh reach out to any any of the 
  co-chairs you know just want to make sure that uh we ensure uh.
Harrison_Tang: Psychologically safe environment where people can 
  actually uh talk about and share their honest opinions ideas uh I 
  don't think uh it's a great uh to actually uh point out issues 
  especially when the people are just sharing their perspectives 
  and bringing other developments and news from other cross uh 
  other related identity uh community so just want to make a quick 
  note um.
<heather_flanagan> VICTORY IS MINE!
Harrison_Tang: Quick note on oh Heather we can see you now great.
Harrison_Tang: Um a quick note on intellectual property I think 
  we can hear you too um so anyone can participate in these calls 
  however also the contributions to any ccg work items must be a 
  member of the ccg with full IPR agreements signed um if you have 
  any questions about the w3c account or Community contributed 
  license agreement uh feel free to uh reach out to any of the 
  co-chairs.
Harrison_Tang: Please note that these meetings are public uh and 
  the automatically recorded and transcribed uh we will uh try to 
  publish the meeting minutes audio recordings and video recordings 
  in the next day or 2.
Harrison_Tang: We use Jitsi chat uh to queue the speakers during the 
  call as well as to take minutes so you can type in q+ to get 
  yourself to the queue or q- and.
Harrison_Tang: All right uh just want to get to the introductions 
  and reintroduction so if you're new to the community or you 
  haven't been active and want to re-engage.
Harrison_Tang: Feel free to just unmute and uh introduce yourself 
  uh or just type in q+ either way is fine.
Harrison_Tang: All right uh everyone will have plenty of 
  opportunities because this is our regular segments so if you're 
  feeling a little bit shy today feel free to uh just unmute uh or 
  next signed our open discussions I'll start calling out people 
  all right uh announcements and reminders any announcements and or 
  reminders Manu please.
Manu Sporny:  Yeah uh just to um uh the first 1 is that uh as uh 
  folks have seen on the mailing list uh the uh CCG DIF um uh 
  Trust over IP uh and Iota communities are exploring DID method 
  standardization um and uh the next uh 1 of those meetings uh there 
  won't be 1 this week uh but the following week uh so the week of 
  December uh 4th um at 12 pm eastern time uh will be the next DIF 
  DID methods uh standardization incubation uh meeting um there is 
  some there's a post from Kim Duffy about how you can join that 
  group and participate um so that's item 1 uh item 2 is uh as a 
  part of that work uh we are trying to collect uh goals and 
  requirements for DID methods stand.
Manu Sporny: 
  https://lists.w3.org/Archives/Public/public-credentials/2024Nov/0036.html
Manu Sporny: 
  https://github.com/decentralized-identity/did-methods/issues/10
Manu Sporny:  Uh there is an email thread about there where 
  people are kind of uh putting in their goals and requirements for 
  DID method standardization uh into the thread so feel free to join 
  in that thread and contribute your own ideas uh there um or if you 
  are uh more familiar with GitHub uh there is a uh GitHub link uh 
  where you could directly contribute uh your goals and 
  requirements uh for DID method standardization uh that's it for 
  me.
Harrison_Tang: Thank you Manu.
Kaliya Young:  Um I wanted to share with folks that um in um.
Kaliya Young:  Early March March 4th and 5th.
Kaliya Young:  The digital identity unconference Europe is 
  hosting a 2-day event um.
Kaliya Young:  Called DICE Ecosystems really focused on bringing.
Kaliya Young:  Uh folks who are building identity ecosystems in 
  Europe together um and it's designed so you can fly in.
Kaliya Young:  Uh on the first day and fly out on the second day 
  so you only have to spend 1 Night in a hotel um we created this 
  event because there was Community demand to meet sooner than a 
  year from our last event um and we hope this can be helpful in.
Kaliya Young:  Uh catalyzing ecosystem connections and uh 
  interoperability.
Kaliya Young:  So I'll put a link in the chat for that.
Harrison_Tang: Thank you Kaliya.
Harrison_Tang: Any other announcements.
Harrison_Tang: So uh as uh like uh Will and I and Kimberly have 
  been sharing the last 2 meetings uh we're going to uh open up a 
  nomination for the W3C Credentials Community Group co-chair 
  position um and I just sent out a formal email to kickstart that 
  process uh but before that just want to give a quick shout out to 
  Kimberly for her great work and contributions to this community 
  you know like uh I think the co-chair term's like 3 years so she's 
  not leaving us she's just graduating right graduations are part 
  of a life and our Journeys so I just want to quick quick shout 
  out to Kimberly for her great work um and Kimberly you might do 
  you want to share share some few words.
<dmitri_zagidulin> thank you Kimberly!!
<manu_sporny> Thank you Kimberly -- you've been an awesome 
  community co-Chair!
Kimberly Linson:  Sure thanks Harrison this has been an 
  incredible um experience for me and I'm I'm so grateful for it um 
  this has been really for for much of the 3 years at my dedicated 
  learning hour um I come every week and have the opportunity to.
Kimberly Linson:  Dig deeper into the technologic Tech into my 
  technological side um which is not something I get to do uh every 
  day at work so I I really appreciate it I've appreciated um the 
  warmth and and just sort of common um goal I think we're all 
  centered around uh really interesting and exciting goals and uh 
  I've I've enjoyed watching the success in progress of the 
  community along the way and I think this.
Kimberly Linson:  Felt 5 years ago like very nascent technology and 
  is now becoming more and more mainstream I think we're starting 
  to see that the real flywheel of business opportunity coming into 
  play and so.
Kimberly Linson:  It's been an exciting time to be a a co-chair 
  and I appreciate Harrison and uh Will so very much and I know you 
  are in good hands and and as Harrison said I'm not not going 
  anywhere um but I I uh I will be happily turning over the reins 
  to to someone new to give them the opportunities that I've had.
Harrison_Tang: Thank you Kimberly and by the way we didn't like 
  uh rehearse this so that was a very touching speech I can't 
  believe I literally just call on you on the Fly um but thank you 
  big thanks you know you have been a great help I think there's a 
  lot of uh work uh kind of under the hood that's happening and I'm 
  very uh I think all the co-chairs probably can say that we're all 
  very fortunate to have each other and help each other out so big 
  thanks.
Harrison_Tang: All right a quick preview of the process uh so 
  we're opening the election uh nominations uh today officially um 
  and then uh uh the nomination period will have uh will start 
  today and then uh end on.
Harrison_Tang: The candidates will speak at the December 10th uh 
  meeting the voting will open for a week from the December 10th to 
  the 16th we'll announce the election results on December 17th and 
  the new co-chair uh term starts on January 1st January 7th uh.
Harrison_Tang: Basically the beginning of next year.
Harrison_Tang: And all the details are in the email that I just 
  sent out.
Harrison_Tang: All right uh last calls for announcements and 
  reminders.
Harrison_Tang: Any updates on the work items I know we just went 
  through that last week but any updates.
Harrison_Tang: All right let's get to the main agenda again very 
  excited to have Heather here to talk about federated identity it's 
  uh actually 1 of the uh topics I really really care about so the 
  I I'm sure I will learn quite a bit from today's uh session as 
  well so Heather the floor is yours.
Heather_Flanagan:  let's see.
Heather_Flanagan: Oh look even sharing worked I wasn't sure if it 
  would or not.
Heather_Flanagan: Excellent excellent all right so for uh folks 
  who don't know me my name is Heather Flanagan and I wear I do 
  wear a lot of different hats I am an independent um contractor at 
  the end of the day.
Heather_Flanagan:  1 of.
Heather_Flanagan: My hats is uh the uh working group chair for 
  the Federated identity working group I'm also the community group 
  chair for the community group side of things.
Heather_Flanagan: Uh I tend to collect standards organizations a 
  little bit like other people collect Pokemon uh because I've also 
  worked extensively with the IETF I was the RFC series editor for 8 
  or 9 years I've uh been a member and a contractor for the OpenID 
  Foundation I've worked with NISO the National Information 
  Standards Organization.
Heather_Flanagan:  I worked with.
Heather_Flanagan: NGOs that are related to the uh the standard 
  space such as ICANN uh which are you know obviously the names and 
  numbers people as well as organizations like REFEDS which is the 
  research and education Federation consortia.
Heather_Flanagan: Been the co-coordinator of that for coming up 
  on 9 years so.
Heather_Flanagan: Oh what all of this has in common is a lot of 
  work in standards and a lot of work in the identity space I'm 
  also the executive director for a nonprofit uh ID Pro which is a 
  Professional Organization for identity and access management 
  practitioners.
Heather_Flanagan: But what you actually want to hear about today 
  is okay so what's happening with identity uh in the w3c 
  specifically with regards to the Federated identity working group 
  now some of you uh have lived this journey with me for the last 
  few years but many of you haven't so I wanted to just give you 
  sort of some background as to.
Heather_Flanagan: How we got where we are today and what's 
  changed over time.
Heather_Flanagan: So I'm going to talk very quickly about 
  identity on the web I know you all have have a perspective on 
  that my perspective is slightly different both are correct going 
  to give you the origin story for the main work item for the 
  Federated identity uh groups uh the Federated Federation 
  credential manager.
Heather_Flanagan: Going to talk about how the problem space 
  itself has evolved over time.
Heather_Flanagan: We're going to talk about the relationship 
  between the FedCM API and the digital credentials API because 
  that's a Hot Topic right now going to talk about okay so what 
  does that mean for where we are today right now this moment.
Heather_Flanagan: What things we're looking forward to in the uh 
  the topics over the next year or so.
<kaliya_identity_woman> HEre is the link to register for DICE 
  Ecosystems  March 4-5 - https://lu.ma/DICE
Heather_Flanagan: Um so what does the w3c have to do with digital 
  identity well it it actually has quite a bit because when at the 
  end of the day the w3c has ever so much influence over.
Heather_Flanagan: User experience and the best practice for user 
  experience and that really drives just about everything else when 
  you think about broadly speaking how do people interact online 
  and how do they keep themselves safe how do they you know and how 
  do businesses keep their data safe all of this does tend to boil 
  down to well what choices does the user Make online.
Heather_Flanagan: The w3c is there to provide the technical 
  safeguards to the users and the websites I know that there's a 
  strong emphasis on the user component but it's important to 
  protect the businesses too.
Heather_Flanagan: We're trying to facilitate okay so as a user is 
  doing their Journey which identity do they want to use for any 
  given website that they're at it won't always be the same 1.
Heather_Flanagan: I come primarily from a higher education 
  background and in that scenario more often than not the relying 
  parties truly do not care who I am they care.
Heather_Flanagan:  what my.
Heather_Flanagan: In fact they don't even want to know who I am 
  they just want to know am I a student at Stanford University am I 
  a faculty member at MIT um you know what am I not who am I.
Heather_Flanagan: Facilitating that is is actually I think uh 1 
  of the things that the w3c is helping with.
Heather_Flanagan: But it's not just us now A friend of mine Mike 
  pelage put this slide together which I thought was both hilarious 
  and very accurate when you think about who's working on digital 
  identity standards.
Heather_Flanagan: There's a lot going on um the IETF has its role 
  working with OAuth uh and in cascading out of OAuth you have things 
  like the selective disclosure for JSON web tokens you've got 
  DPoP you've got any number of things but you've also got 
  authorization work in SCIM.
Heather_Flanagan: You've got non-human identity in uh WIMSE 
  you've got supply chain efforts in SCITT.
Heather_Flanagan: Of course ISO is heavily involved here as well 
  because there you've got your mdocs your mobile driver's 
  licenses um when this when this slide was put together uh 
  18013-5.
Heather_Flanagan: Which was like the in-person presentation was 
  the only 1 that had reached you know formal specification but now 
  they also have -7 which is remote um presentation of identity so 
  that's pretty interesting too.
Heather_Flanagan:  you've got.
Heather_Flanagan: You've got the OpenID Foundation you used to 
  have the uh Open Identity Exchange which focused on trust 
  frameworks but they very recently shut shut the shut uh shut 
  their doors.
Heather_Flanagan: You've got NIST uh how much do we all love uh 
  800-63 enough that we every time they go out for a public comment we 
  give them thousands upon thousands of comments that they have to 
  resolve their most recent efforts for 800-63-4.
Heather_Flanagan: Resulted in 2000 uh Community comments coming 
  in.
Heather_Flanagan: Because there's just that much about how people 
  care.
Heather_Flanagan: So it's not just the w3c working on this space 
  there's a lot other.
Heather_Flanagan:  a lot.
Heather_Flanagan: Lot of other things going on certainly.
Heather_Flanagan: But now let's talk about FedCM so it all 
  started back in the day uh August of 2020 um a group of people 
  got together and basically said do we have a problem to solve 
  here and at the time the answer was absolutely yes because 
  third-party cookie deprecation.
Heather_Flanagan: Was a really big deal it was a huge Cloud not 
  just on the horizon but it was already happening in some of the 
  browsers and some of the authentication protocols.
Heather_Flanagan: The ones coming out of the OAuth family they had 
  a dependency um in some aspects on third-party cookies so it's 
  like okay yes this is definitely a concern.
Heather_Flanagan: Other protocols like SAML.
Heather_Flanagan: Didn't exactly depend I mean from a pure 
  specification level SAML doesn't care about third-party cookies in 
  the slightest.
Heather_Flanagan: A lot of uh we'll call them SAML-adjacent 
  Technologies the kind that actually let you discover which IDP 
  you might want to use out of a cast of thousands upon thousands 
  they did they do rely on third-party cookies so yes we felt there 
  was definitely a problem to solve.
Heather_Flanagan: So that conversation led to a uh the formation 
  of a WICG.
Heather_Flanagan: Work effort and a workshop on federations and 
  browsers where really what we wanted to do was Define the problem 
  statement and just suggest what what's the path forward.
Heather_Flanagan: Well the path forward was you know what we need 
  to actually create a community group and that happened in August 
  of 2021 now at this point um you should have access to these 
  slides and you can get links to all this material.
Heather_Flanagan: Everything have has notes back you know as far 
  as the August 2020 if you're interested in that.
Heather_Flanagan: So the community group uh definitely spent 
  quite a bit of time trying to figure out what how all of this was 
  going to come together and.
Heather_Flanagan: The Federated credential management API some 
  people were very concerned that it was.
Heather_Flanagan: Interfering in a way that.
Heather_Flanagan: Organizations didn't know what to do.
<kaliya_identity_woman> I also forgot to mention in my remarks 
  that we have the DID:Unconf Africa happening in February too 
  https://didunconf.africa/
Heather_Flanagan: Upon a Time right browsers were a passive 
  conduit for information and now and a lot of the identity 
  protocols the OAuth protocols SAML all of them depended on 
  that passive just pipe to let information flow through once 
  browsers started to say actually.
Heather_Flanagan: We need to be an active participant we need to 
  be a Gateway um to help make sure that the user stays safe.
Heather_Flanagan: And 1 could actually now start to come up with 
  all other theories as to why browsers want to to own some of this 
  information regardless of.
Heather_Flanagan: I this became a really important component.
Heather_Flanagan: That having the browsers mediate information 
  was an interesting problem.
Heather_Flanagan: It's happening uh the group has gotten fairly 
  far uh far enough that they said you know what we think we're 
  we're getting close enough to actually having a formal 
  recommendation we need a working group.
Heather_Flanagan: And that working group uh officially formed in 
  March of 2024.
Heather_Flanagan: The first public working draft was published in 
  August.
Heather_Flanagan: And 1 of the interesting components we're going 
  to start to to diverge a little bit here uh was when we were 
  going through the chartering process.
Heather_Flanagan: There was a big question about a piece of work 
  that seemed functionally or logically related and that was the 
  digital credentials API.
Heather_Flanagan: The Federated identity working group and the 
  community group up to this point had been very focused on what 
  we'll call traditional Federation models the OAuths the SAMLs the 
  OpenID Connects um.
Heather_Flanagan: IDP your relying party what some people refer 
  to as a 2-party model I happen to hate the 2-party and 3-party 
  model terms but we'll go with them it's what people know.
Heather_Flanagan: But when you think about it what we wanted the 
  Fed FedCM to do is help a user make a choice as to what identity 
  they wanted to use for whatever transaction they were about to 
  take and that's a lot of what the digital credentials API was 
  doing as well.
Heather_Flanagan: And so the original charter as proposed uh said 
  when digital credentials is ready.
Heather_Flanagan: We'll have a space for that work item to come 
  here.
Heather_Flanagan: That was not a popular decision at the time 
  folks felt that there needed to be a whole lot more conversation 
  about that and so we chose to do since FedCM was fairly far 
  along in terms of its developments we said you know what for this 
  initial Charter let's just say uh FedCM is our work item.
Heather_Flanagan: We're going to shift the digital credentials 
  discussion out a little bit.
Heather_Flanagan: And let it be its own conversation so we did 
  that by getting the charter approved and then immediately turning 
  around and proposing a recharter that again would bring in that 
  digital credentials work.
Heather_Flanagan: That recharter was proposed in July and in 
  September.
Heather_Flanagan: Formal objection was submitted to that 
  recharter basically saying you know what we don't like the whole 
  idea of of the digital credentials work because it is making it 
  easier for users to.
Heather_Flanagan: Release information about themselves 
  unknowingly on the web don't want it don't like it just the the 
  whole the whole principle.
Heather_Flanagan: Um the push back on that was to say well yeah.
Heather_Flanagan:  but that's.
Heather_Flanagan: Because it's happening already and if we do 
  this work maybe we can put some guard rails around that.
Heather_Flanagan: So there there was no uh consensus to be found 
  at that point thus the formal objection stood.
Heather_Flanagan: I don't know how much you all know about the 
  formal objection process but the first step is to try and find 
  um.
Heather_Flanagan: So that you can just it's almost like 
  arbitration can you find a way out of this without going to 
  court.
Heather_Flanagan: In this case the answer was no not really and 
  so the formal objection went forward and a council was formed the 
  council is still meeting today uh this has not been resolved yet 
  if you want to get a bit more background I strongly encourage you 
  to look at the team report which was published uh last month.
Heather_Flanagan: About what does all this mean how is us all 
  supposed to work together why is this a concern and what what do 
  we recommend to happen going forward.
Heather_Flanagan: Now the reason I wanted to give you that 
  background is to get to this slide uh which to say well okay but 
  that sounds like maybe your scope is is creeping and the answer 
  is well no the problem is the scope is changing um entirely 
  because where we started with a concern about phasing out a 
  third-party cookies.
Heather_Flanagan: Well that was back in 2020 and today there's 
  there's just so much more out there that really needs to be 
  addressed and that we would be remiss not to be touching on there 
  there exists in the world digital identity wallets there exists 
  passkeys which may very well take over the whole concept of 
  federation in the consumer space.
Heather_Flanagan:  but not.
Heather_Flanagan: Necessarily in higher education or Enterprise 
  or Healthcare or others it's an interesting conversation 
  regulations actively changing over time and I think everybody is 
  starting to shift towards that bigger picture of how users can 
  securely and privately use Federated Authentication.
Heather_Flanagan: I think in this group there's a lot of interest 
  in saying you know what we want to give that control to the user 
  themselves.
Heather_Flanagan: And I think that's a model that works super 
  well.
Heather_Flanagan: Particularly in the consumer space I'm not sure 
  how well it works in those spaces like in higher education where 
  you start to say but I don't care who the user is and they don't 
  own the information that's most valuable which is their 
  affiliation.
Heather_Flanagan: I think there's some some fun conversations we 
  could have there that may perhaps not right this instant.
Heather_Flanagan: The changing landscape looking at the FedCM 
  looking at digital credentials and I think the digital 
  credentials work is significantly of interest to to you in this 
  community group um the digital credentials and and passkeys both 
  do 1 thing super well and that's give the user the control of 
  their key.
Heather_Flanagan: If you boil it all down so much of this comes 
  down to Key Management at the end of the day.
Heather_Flanagan: Um the Federated flows using things like OpenID 
  Connect can add a lot more detail than that.
Heather_Flanagan: Does still look similar about how much control 
  and at what point you're giving things to the user.
Heather_Flanagan: That said the Privacy properties of both are 
  very very different.
Heather_Flanagan: And that's where and here's another document I 
  strongly encourage you to look to the threat model related to 
  decentralized identities focusing on digital credentials come 
  into play now um Simone on the w3c held the pen on that 1 and I 
  think it's a really interesting read I keep rereading it because 
  I keep getting new stuff out of it and so I would encourage you 
  to do as well.
Heather_Flanagan: But in all of this I come back to something 
  that that I feel like gets lost and that is that.
Heather_Flanagan: The web we tend to focus on consumer scenarios.
Heather_Flanagan: Because that is perhaps the biggest use case 
  for you know why why who's on the web how many people what are 
  they doing well that's where you get your social media you get a 
  lot of different a lot of different scenarios in the consumer 
  space but their requirements are very very different from 
  Enterprise Academia fintech government health care and keeping 
  all those use cases in mind where you may may have mutually 
  exclusive requirements.
Heather_Flanagan: Is why we all have a job.
Heather_Flanagan: So what's the status of the working group um 
  the working group meets exclusively once a month.
Heather_Flanagan: The combined community group and working group.
Heather_Flanagan: Meet every other week so there's a meeting 
  happening every single week.
Heather_Flanagan: Mostly it's it's with the community group and 
  we have a document on our process that talks about the different 
  stages of of work stage zero which is a glint in someone's eye 
  stage 1 which is okay we have we have uh something written down 
  and an issue that we can discuss stage 2 being we have 
  specification.
Heather_Flanagan: Stage 3 being we have consensus on that and now 
  we're just looking for uh.
Heather_Flanagan: Implementations in stage 4 is when you actually 
  redirect recommendation status.
Heather_Flanagan: Familiar with um the WHATWG.
Heather_Flanagan: Uh TC39 we based our process very much on that.
Heather_Flanagan: We're focused on discussing the issues uh 
  raised during the first public working draft stage.
Heather_Flanagan: Working group in particular focuses on the pull 
  requests um more than just the issues.
<dmitri_zagidulin> the SocialWeb CG is also in the process of 
  adopting that same FedID WG staging process! :)
Heather_Flanagan: So far it's proving to be working fairly well 
  it's a very interesting interesting space and an interesting set 
  of discussions.
Heather_Flanagan: But that's today what about tomorrow well we 
  have we have so many questions things like Okay so.
Heather_Flanagan: Coming back to the formal objection.
Heather_Flanagan: Basically there's 3 things that could happen.
Heather_Flanagan: Thing number 1 is that the uh the w3c council 
  says we 100% uh agree with the objection and this stuff should 
  not merge and we're done.
Heather_Flanagan: Of an absolute no.
Heather_Flanagan: The next thing is for them to say well there's 
  there's something to the objection and so we recommend some some 
  perhaps some changes to the Charter or some other work to happen 
  but given that the work can go forward.
Heather_Flanagan: The third option is we reject entirely the 
  objection and everything is fine just as it stands.
Heather_Flanagan: I'm personally betting on option 2 that's 
  something in the middle of there's going to be some some 
  additional work that rolls out of that.
Heather_Flanagan: That will ultimately feed into the different 
  specifications but the charter change will then subsequently 
  happen.
Heather_Flanagan: Okay so let's assume that's the case.
Heather_Flanagan: What changes if and or when FedCM and digital 
  credentials come to the same group are we going to see these APIs 
  merge entirely.
Heather_Flanagan: They actually truly solving different problems.
Heather_Flanagan: Uh I think that's a great question and I don't 
  have an answer for you but it's on the list of things we need to 
  talk about.
Heather_Flanagan: The next thing uh we need to solve some pretty 
  hairy problems um coming back to the higher education use case.
Heather_Flanagan:  it is.
Heather_Flanagan: Is very typical and completely reasonable that 
  a relying party will need to present to the to the user over 
  5,000 different identity providers that they may legitimately be 
  able to use in order to.
Heather_Flanagan: Login and get access to for example a scholarly 
  Journal.
Heather_Flanagan: Higher ed has been.
Heather_Flanagan: Dealing with the user experience of that and 
  just how hard it is for literally uh over 2 decades this is a 
  super super super hard problem to solve especially when you're 
  worried about well what if you don't want the relying party to 
  know a whole lot about the IdPs or you don't want the IdPs to 
  know a whole lot about the relying parties.
Heather_Flanagan: A higher ed has solved this.
Heather_Flanagan: Way in the SAML use case but uh it's not it's 
  not a trivial solution and trying to figure out how to make that 
  apply to.
Heather_Flanagan: Something like FedCM and digital credentials 
  and whatnot we don't know how to do it yet.
Heather_Flanagan: Another thing that's on the list of Tomorrow is 
  we need additional editors and reviewers on this stuff right now 
  um FedCM is primarily the, I think it's got 1 editor and that's uh 
  Nicholas from Google who's doing a fantastic job if I may say so.
Heather_Flanagan:  um but.
Heather_Flanagan: We need additional editors on that and we need 
  additional uh reviewers for the PRs uh that are being proposed so 
  this is an area that's of interest to you.
Heather_Flanagan:  we would.
Heather_Flanagan: I'd love to have your participation.
Heather_Flanagan: And that is my update as to where things stand 
  today it was it was a pretty high level 1 um but I'm happy to.
Heather_Flanagan: Questions as best I can and there may be other 
  people on this.
Our Robot Overlords are scribing.
Manu Sporny:  It feels it feels like there is an enormous amount 
  of convergence that's happening here and it feels like the stakes 
  are a little higher right now meaning like you know if the if for 
  example like you know I I agree with your your your uh uh thought 
  that it's probably option 2, the formal objection has some merit 
  but like there's also work that we need to do here and better to 
  do the work here than have it just.
Manu Sporny:  Be be done elsewhere where we don't know what's 
  going to happen um but but in order to do the work as you said 
  like I'm you know that that diagram you showed of like all the 
  different orbits of like identity and everyone that's involved 
  and all that kind of stuff it feels like there's a there could be 
  a massive convergence that happens right I mean you know at the 
  last W3C technical plenary we had you know people from Google 
  going like well what exactly is the difference between a passkey 
  and a digital credential and this and that aren't they actually 
  kind of the same thing um what what do you feel like.
Manu Sporny:  Here's a big.
Manu Sporny:  Question on like where that discussion should 
  happen and if it happens in the working group there's like there 
  are huge ramifications for that like for example like the 
  European Union is is kind of depend like from a regulatory 
  perspective depending on this work happening um.
Manu Sporny:  How do you how do you see I mean being the chair 
  how do you see navigating that like I mean there's some you know 
  wait what happens if a conversation gets kicked off where we try 
  to merge all these things together and it leads to like 2 years 
  of disagreement or whatever so so I guess what are the 
  contingencies what are the backup plans how are the different 
  ways we could we could you know get through this knowing that 
  there's so many people looking at what's going to happen in this 
  in this working group over the next year.
Heather_Flanagan: So I have an answer I'm not entirely happy with 
  the answer let me put that right out there but the the only way I 
  know of threading this particular needle is to be very very very 
  precise in the scope of work and that means being able to say 
  that's you know problem Ah that's a super valid problem we cannot 
  solve it here.
Heather_Flanagan: Know go have a side meeting about where you 
  might want to solve it but it cannot be solved here for.
Heather_Flanagan: For the reason might be most probably because 
  we don't have the right people in the room.
Heather_Flanagan: Um or it's a a cross-cutting type of thing so.
Heather_Flanagan: I've been I've been uh working with different 
  groups and whatnot uh large-scale collaborations for about.
Heather_Flanagan:  20 years.
Heather_Flanagan: At this point and that's the only thing I've 
  ever seen work is to is to stay tight to your scope.
Heather_Flanagan: It's not great because you lose things um and 
  sometimes you've got a very valid question that doesn't have a 
  home.
Heather_Flanagan: Do you want the core work to be able to 
  progress sometimes you do have to you do have to.
Heather_Flanagan: Keep it tight.
Harrison_Tang: So Heather I have a question can you further 
  clarify what's the difference between FedCM and digital 
  credentials API is the difference between is the differences 
  between like federated identity or the traditional OIDC and 
  then the digital credentials API is more like a decentralized 
  software identity.
Heather_Flanagan: So that is a fantastic question and.
Heather_Flanagan: I'm going to drop a link in the chat.
Heather_Flanagan: That um should be.
Heather_Flanagan: Anyone with the link can view this and it's a 
  copy of some notes taken uh that I took during the internet 
  identity Workshop.
Heather_Flanagan: Uh in October because that was exactly the 
  topic what's the difference between FedCM and digital 
  credentials and passkeys.
https://docs.google.com/document/d/1Ntpuscpzbgzb4KJFyPrRfJZiXCh8H5WfokR4Dm0Ewlg/edit?usp=sharing
Heather_Flanagan: My takeaway from it was.
Heather_Flanagan: How was was the discovery component it to me 
  that felt like a big a big aspect of it was the FedCM was was 
  more focused on getting the user to discover uh any number of 
  different identities and could conceivably be regardless of 
  protocol of what you were using.
Heather_Flanagan: The other thing that I kept hearing was that 
  um.
Heather_Flanagan: Digital credentials is focused on that that 
  bridge between if you think about it it's actually a super tiny 
  component that bridges between the browser and the operating 
  system.
Heather_Flanagan: Is not what FedCM is doing, FedCM doesn't have 
  anything to do with the operating system underneath so I think 
  there's there's some aspects like that that are different now 
  that's how they're different today.
Heather_Flanagan: Do they need to be that different can they be 
  merged.
Heather_Flanagan: I don't know that's why I'm chair because I 
  think that's a great question and I have no skill to solve it so.
Heather_Flanagan: Is something that I think we will end up 
  talking about I've heard some people say yeah I think there's 
  room to merge them and I've heard other people say no of course 
  they're different so.
Harrison_Tang: So for those like who are not familiar with FedCM 
  like can you clarify what what it does because in the traditional 
  federated identity like effectively the most dominant uh uh like 
  uh identity providers are just like Google and Facebook right so 
  in other words in some ways this might be a controversial 
  statement but in some ways the relying party just outsourcing 
  their identity problems to to the Big Tech right so is 
  FedCM basically trying to replace the identity providers 
  with browsers and let browsers uh do that job or can you kind of 
  clarify a little bit yeah.
Heather_Flanagan: Um I wouldn't say that uh either IdPs or RPs 
  were exactly trying to outsource anything um it's more that 
  FedCM is going to add a binding to some of the existing 
  protocols that allow the protocols to pass that information back 
  and forth between the RP and the IdP.
Heather_Flanagan: At the the.
Heather_Flanagan: Request permission of the user.
Heather_Flanagan: I think that's that's kind of how it boils it 
  boils down is is them standing in as a as a little gateway.
Heather_Flanagan: But once once the permission has been given 
  they're supposed to get out of the way of the the actual 
  protocols such that uh OpenID Connect, OAuth can still just work 
  the way they're used to working.
Manu Sporny:  Um yeah so so early in your presentation um you 
  mentioned that um you know W3C you know focuses a lot on kind of 
  consumer identity and that is different from you know educational 
  identity in fintech identity and stuff like that to some degree 
  um I wanted to kind of uh uh dive in on that a little little more 
  um just to give you know some background you know this is the 
  community that you know incubated decentralized identifiers and 
  incubated verifiable credentials and you know those standards 
  that you know are those specs that went to become standards 
  at W3C so there's a there's a pretty strong focus on like.
Manu Sporny:  An individual being in control of their attributes 
  and having consent on when they're released in in things of that 
  nature um in in how that's not necessarily the model that you 
  know is used in um uh you know education or fintech like they're 
  they're asking different questions so I was wondering if you 
  could kind of um explain the the differences there so to to me it 
  feels like this it feels like it could be the same thing and I 
  think the the barrier there feels largely cultural like education 
  and fintech has operated in a very specific way for decades and 
  it's kind of built into their DNA for them to kind of not include 
  the individual in um.
Manu Sporny:  Uh and things of that nature whereas you know 
  self-sovereign identity movement is very much about putting the 
  person in the middle and them being able to say like no don't 
  share that information about me with with party X so um what are 
  you uh what are the what are the what are the kind of you feel or 
  like the.
Manu Sporny:  Able differences between those those 2 spheres um 
  if you think those exist don't think.
Heather_Flanagan: Well I think in some cases you're right that it 
  is it is strongly a cultural thing I think uh.
Heather_Flanagan: 1 of the things I find fascinating uh looking 
  at the higher ed space is is how how you've got divergence 
  between digital credentials.
Heather_Flanagan: For something like a diploma.
Heather_Flanagan:  which is.
Heather_Flanagan: Definitely very active work here versus the 
  authentication process.
Heather_Flanagan: Because uh an active student or researcher 
  needs access to material that the institution has um.
Heather_Flanagan: Business relationship with.
Heather_Flanagan: They're very they they have been they're 
  different departments at the University they're solving different 
  problems they're they're very very separate in how they work and 
  and what kind of contracts are written which I think is a piece 
  that comes into this that that makes things a little bit hairy 
  you've got your culture differences but those cultural 
  differences are actually embedded in legal contracts in some ways 
  in terms of what's allowed what's required.
Heather_Flanagan: Uh and I don't know that.
Heather_Flanagan: W3C can really.
Heather_Flanagan: Directly do much about that.
Heather_Flanagan: What I think the W3C can do though and this is 
  something that's going to change over time so I'm going to date 
  myself uh a bit here when I was working at Stanford University as 
  the Director of systems that was the point in time where Stanford 
  was starting to uh give students rather than host the students 
  email they're like you know we're going to contract with Google 
  and Google will host students email.
Heather_Flanagan: Because we just don't want to have it it's more 
  more trouble than it's worth and this is what the students are 
  asking for and it will all be fine the faculty on the other hand 
  said yes over my dead body will you put my email on Big Tech 
  servers no way no how not going to happen and it took about 3 or 
  4 years for the faculty to say oh my God we have no functionality 
  not like that we see that our students have could you just put 
  our stuff on Google please.
Heather_Flanagan: I'm willing to bet that this that's the kind of 
  thing that's going to happen um very much in with with some of 
  the digital credential work where people are going to be 
  experiencing it out in the wild and they're going to come back to 
  their institutions their workforce their schools what have you 
  and say why aren't you giving me this functionality.
Heather_Flanagan: I think I think we'll be able to drive a 
  cultural difference.
Heather_Flanagan: By existing improve providing a better 
  experience than what they have today.
<manu_sporny> haha! super useful backstory about how that 
  happened!
Harrison_Tang: Any other questions.
Harrison_Tang: By the way uh another clarification question 
  Heather is that is it true or is it a misunderstanding where 
  FedCM is more about browser authentications and digital 
  credentials works more with the wallets right for example Apple 
  Wallet and Google Wallet what is it not true.
Heather_Flanagan: Uh I think it's mostly true.
Heather_Flanagan: But not I mean everything comes down to like an 
  origin story which is 1 of the reasons I wanted to go through the 
  origin story for FedCM. FedCM is coming out of a place where yes 
  it's it's it's browser focused 100% digital credentials is coming 
  out of.
Heather_Flanagan: Use cases mobile operating systems and that and 
  now I think there's going to be a point where those converge 
  where the browser will be a wallet on the web and therefore it's 
  going to look a lot like the other things.
Heather_Flanagan: 1 of the 1 of the things I've observed uh is 
  that the where something comes from even as its use cases evolve 
  that that core origin has a huge impact on the overall design of 
  the spec.
Heather_Flanagan: Um in this case I think FedCM and its 
  backstory of looking at browsers looking at cookies it changes 
  the shape of the spec going forward I think digital credentials 
  with its backstory of looking at um mobile operating systems and 
  whatnot is going to change the way it looks going forward.
Heather_Flanagan: I think the same exact thing is and this might 
  be controversial but I think the same exact thing has happened 
  with the verifiable credential space what was what was the what 
  problem was it initially trying to solve.
Heather_Flanagan: The answer for that with the W3C is verifiable 
  credentials using capital letters.
Heather_Flanagan: A very broad open flexible model.
Heather_Flanagan: In the ISO that was based on a driver's license 
  use case and therefore it is much more structured and restrictive 
  now can it be opened up yeah but it it always comes back down to.
Heather_Flanagan: A very very structured use case versus an open 
  use case and all the every further uh development of the 
  specifications are going to reflect I think that mindset that 
  went into that core.
Heather_Flanagan: Uh core material the core use case that drove 
  the thing to exist at all.
Harrison_Tang: Cool thank you David.
Heather_Flanagan: And that right there is like why that's that's 
  the hard part you're right because both those models are valid.
Heather_Flanagan: Both those use cases are reasonable both those 
  use cases are required by somebody and the fact that we have to 
  be flexible enough to support both makes our job really hard.
Heather_Flanagan: I know personally how to do it other than to 
  say okay here's here's your base now here's your profile if 
  you're having to deal with this kind of situation because the 
  profiles are you know are always more strict than the base 
  component.
Heather_Flanagan: That's personally it's the only way I can think 
  about how to do it.
Dmitri Zagidulin:  To that question a little bit uh to answer 
  David Chadwick's.
Dmitri Zagidulin:  Uh and that is to say the 2 models are 
  actually not that different.
Dmitri Zagidulin:  It's just that.
Dmitri Zagidulin:  The verifiable credential we may verify the 
  credential ecosystem in the wallet ecosystem.
Dmitri Zagidulin:  Uh have been putting off thinking about 
  identifying verifiers but now that implementations have gone out 
  the door now that we have issuing software now that we have a 
  handful of both open source and proprietary wallets now that we 
  have verifiers this issue's come up front and center which is why 
  you see so much work being done around issuer and verifier 
  registries.
Dmitri Zagidulin:  And and for those for those of you not 
  familiar with what we're talking about it's the fact that when I 
  hand you a credential when I hand you a diploma.
Dmitri Zagidulin:  Uh not only do you need to identify the issuer 
  right because it's signed by an opaque key signed by an opaque 
  DID, you have no idea who that key belongs to so you have to look 
  it up in your known mapping you can say okay this opaque key 
  belongs to this University so that's identifying the issuers so 
  we're we're all starting to sort of understand why we need to do 
  that but even in the non-mobile driver's license world in in 
  regular plain verifiable credential world we have responsibility 
  to the user to identify the verifier as well specifically to 
  identify to identify who's asking for their credentials.
Dmitri Zagidulin:  I'm applying uh for a job and the employer is 
  asking me for my diploma my wallet needs to say this company that 
  you're applying for is asking for your diploma that the UI needs 
  to say that otherwise there could be uh also the potential for 
  man in the middle attacks and so on and if I'm doing it in person 
  if I'm standing in front of the desk of the employer I can sort 
  of identify who's asking just by the timing I scanned the QR code 
  and immediately a request popped up but with any sort of online 
  uh online form or even in person we still have a responsibility 
  to the user to look up the identity of the request and present it 
  to the user in a comprehensible way right it's not enough to say 
  key 123 is requesting your diploma it needs to be this employer 
  or this other university you're applying for is asking for your 
  diploma and for that we use the same exact mechanisms as issuer 
  registries it's just that they're now issuer and verifier 
  registries.
Dmitri Zagidulin:  All of that.
<phil> To expand on Dmitri's comment - it's a responsibility of 
  the issuer and verifier registry to convey the trust signals that 
  are associated with a given issuer and verifier so we're not 
  relying on brand names etc.
<harrison_tang> well said, Dmitri :)
Dmitri Zagidulin:  Uh all of that digression is to say is the the 
  2 models are exactly the same in the MDOC world and in the 
  verifiable credential world it's just that we haven't uh gotten 
  around to standardizing the format of the uh uh issuer and 
  verifier registries in the verifiable credential world but we're 
  working on it right we have several several specifications uh in 
  progress being actively worked on at working groups 1 of them is 
  OpenID Federation another 1 is CCG's very own verifiable issuers 
  and verifiers specification and have uh the DIF um I forget what 
  it's called okay I'll I'll pause here.
<manu_sporny> I like this website already
Dmitri Zagidulin:  It depends on the wallet though several of the 
  um both European Union and US-based wallets uh some of the 
  vertical specific ones are enforcing.
Harrison_Tang: Any other question.
Harrison_Tang: Oh wait uh just a curiosity question Heather um so 
  like uh digital credentials API and the FedCM is basically uh 
  empowering the users to basically take control of the credentials 
  exchange and uh federated identity historically at least I 
  associated with like Google login.
Harrison_Tang: So my question is why is the working group named 
  Federated Identity Working Group like why not it's called like 
  Self-Sovereign Identity Working Group or something.
Heather_Flanagan: Because naming things is hard and that's the 1 
  we were able to actually agree on when when we.
Heather_Flanagan: Talk about it's not just the social login it's 
  also.
Heather_Flanagan:  it's also.
Heather_Flanagan: What the user is doing is picking the IDP and.
Heather_Flanagan: Going from there but we had lots of different 
  options we started with WebID.
Heather_Flanagan: And then people didn't like that 1 and then we 
  didn't want to get too confused with the what was happening in 
  the self-sovereign space.
Heather_Flanagan: Didn't have objection to it but we wanted to to 
  give something to indicate we were focused more on OpenID 
  Connect, OAuth, SAML use cases things like that so that's where 
  we ended up.
Harrison_Tang: Got it okay.
Harrison_Tang: Cool no thank you for the clarification yeah I was 
  just like saying that some people might have that confusion if 
  they didn't read closely into it so thank you.
Harrison_Tang: All right I think uh there's a we can have time 
  for 1 more question anyone else has any questions.
Harrison_Tang: Well thank you thanks Heather uh for jumping on 
  and taking your time to uh lead a wonderful conversation and 
  presentation so thanks a lot.
Heather_Flanagan: Sure thing happy to do it.
Harrison_Tang: All right this concludes uh this week's W3C CCG 
  meeting thank you thanks everyone for attending.

Received on Monday, 2 December 2024 17:19:20 UTC