Re: Preliminary Credentials Use Cases

Hi Manu (and credentials team, WebID Team).

The Web Credentials Group has only recently been formed.  The first teleconference is coming-up soon; i’ve had an array of concerns surrounding identity, authentication, etc.  I note only a few participants in the credentials group ATM; and i’m hoping that the hours i’ve spend putting this note together, yields some additional contributors to this very important piece of work.

(apologies for the length of the note)

SUMMARY
I consider the endeavour set-out by Web Credentials, to be  an enormous undertaking.  It is both extraordinarily important; and, a body of work to be carried out in an environment that has otherwise required a plurality solutions for a plurality situations.  Underlying the body of work must be a baseline set of ’shared values’, such as respect of human rights, and a belief in the capacity of the endeavour to provide safety for individuals, to our best efforts as contributors to a technical solutions, for real-world problems.

I’ve attempted to put together some rather complex considerations, into something i hope is rationally consolidated into something digestible.   I apologise if it appears fragmented; I mean to convey something thats meaningful, in structuring the group.. 

I note that “identity credentials” in your ‘proposed web-payments specification stack’ is defined as ‘identity credentials (login and preferences)[13]

I’ve cc’d WebID - in the hope that participants of WebID join the Credentials Group http://www.w3.org/community/credentials/  in supporting, at a minimum, discourse surrounding the requirements analysis.   Whilst i appreciate that for the purpose of Web-Payments, JSON-LD is required; i do ponder whether other forms of serialisation can also be supported - normalising upon the concept of using methodologies compatible with  (or supportive of?) ‘linked data’. 


QUIZ: Perhaps the best term for this field of work - is ‘web sciences’ [10].  Whilst appreciating that we’re ‘vocal’; currently - the concept of doing a degree in ‘web science’ is not well supported. When it does (if it does) how will the credential apply to you. I consider that it’s unlikely that i’ll have that qualification, yet insurance companies my make it a desirable credential for employment and other professional inclusion purposes.…  

therefore: - What is the difference between credential and a receipt or document? 

NB: A Study via linkedin suggested that a great many people leading industry, society, in specific roles - often for globally known brands (gov, tech, etc.): often do not have a qualification relating directly to the discipline and discharge of responsibilities in relation to their specific role. 

accountability is an important factor.
- HTTPA [11] Speaks of accountability systems: Have these concepts been considered in relation to the issuance and use of a Credentials? 

- How will my web-experience be monitored, influenced and potentially controlled if i choose to use credentials.  If i’m required to use credentials… How does citizenship work for travellers, whether they be travelling ‘virtually’ or ‘physically’ as defined by ‘choice of law’ related systems…

WHAT PRECAUTIONS ARE BEING DEVELOPED TO SUPPORT REMEDIATION OF MISUSE.

EXAMPLE: i signed-up for the AU IGF; the sign-up form required me to provide a ‘company / organisation name’, which appears to be a systems requirement (second time it’s happened.).  Last time, i put ’natural legal entity’.  this time, simply ‘webizen’.  Why must i attend this conference / event - in relation or on behalf of an incorporated legal entity?

The thematics of the credentials group; appears to be seeking to produce the technical standard, as an outcome of public discourse in relation to the issues identified, related (tangentially or otherwise) to the purpose of a proposed credentials standard.  Perhaps a problem is that the breadth of issues are far greater than traditional W3C Community Groups (or standards projects) are designed to support functionally? complex idea, hoping the spirit of the underlying considerations are sufficiently transparent.


INITIAL SUGGESTIONS / CONSIDERATIONS
1. Magna Carta for WWW [6] - how should this group get involved..

In relation to referring (and responding to) to the TimBL Call; i propose we sign-up to the challenge, and make an attempt to both contribute towards this manifesto / bill of rights - in addition to using the task as a means to provide a set of navigable principles for the credentials work.

2. We Establish a tool / method / process for producing, publishing, commenting on and voting in relation to use-cases.

I find it difficult to imagine this type of functional tool is outside of our capacities to produce quickly, and efficiently.  

3. The scope (referring to the use-cases below) needs to be re-targeted for the 'purpose statement' of the group.  
- The scope is broader than the needs of web-payments specifically.  this may effect language, amongst other things...
- I note the group currently does not have a ‘chair’.  Perhaps the input of senior W3C Leadership as a method to discover appropriate chairmanship of this group, as to best serve the needs of all potential users of this spec.  (given best possible opportunity, etc.).

Until the scope of the groups activity / definitions of what the credentials group is attempting to achieve: i query how we engage other related initiatives (i.e. WebID) and other framework related activities, in seeking to provide a cohesive lifecycle solution.. 
- We may be best-placed by defining the objective sufficiently, as to create an offer capable of acceptance to any would be participant interested in acting in the role of chairman, for the group. 


PERSONAL: PREFACE
I have an interest in the evolution of a "Knowledge Economy" | the capacity for an individual to contribute and be recognised for their work, free from requirements of the work requiring recognition via a specific role, within a specific organisation; or other former issues born via lack of technology eco-systems.  This has a relationship to considerations surrounding provenance of business opportunities, amongst the many use-cases.

NOTE: Conceptually, we, as unique individuals, have ‘knowledge capital’, and that’s about it.  

- Where the engagement in pursuing a result, is between a person and an incorporated entity, or between a persons as natural legal entities, or between two or more entities via an arbitrator/s; or, an act that implies (requires) a plurality of actors (natural, incorporated and/or robot).  We have (virtually or reasonable) no capacity as a sole individual to do almost anything without involvement of others; whether interactions be via those operating as a natural legal entity or as an agent for an incorporated legal entity or a bot, it is through communications that almost anything is achieved in the short, medium or long-term. 

The end-result is often less tangible than the actors in the production of a result; whilst equally, in records - often the end-results are more visible than any particular acts of actors in obtaining that result.  ontologically, in theory, accountability systems would support better identification of what is held within a system, and what is related to that system - but obscured from address or accountability metrics.

The initial scope for the credentials CG was born via the needs of web-payments.  Alternative implementations or similar functional specifications that are sufficiently similar characteristically  (as to note them) should be included and considered, in an effort to seek feedback / inclusion, exclusion or consideration more broadly, documented via W3C CG processes, etc..

I believe the reality is that in the majority of circumstances, individuals - as individuals (not agents for an incorporated entity) do not currently have an online identity; save circumstances where identity services are furnished to users via commercial means (often where choice of law is US based (i.e. SNS’s)). 

In-turn, credentials offer opportunities; serving to benefit person/s,
- In-order to be associated with any human right, and political right, any instrument or opportunity as a citizens or legal entity
- as someone or something that exists 
- as is fundamentally requirement to be identified, to have identity (as distinct from identifier, account or persona).
- as a foundation for economic relevance in relation to works with carriage via web for purposes such as accounting or attribution

For whatever reason; the distribution, allocation, provision and practice of furnishing identity services have been, traditionally, (arguably) centred upon the needs of incorporated entities - far more than the needs of individual.  Whilst organisations may act in such a way as to suggest this is in their interest - perhaps the vulnerability is in that any such entity only exists, and acts through the actions of person/s. 

The speech of Eben Moglen on Freedom of Thought [9]  comes to mind, when attempting to resource a presentations that covers this wide-ranging set of considerations, surrounding the realities of an undertakings where we’re attempting to support certifications to authorise and enable.  Whilst the application of his speech is different to that of the lens of media, i’m hopeful that the otherwise initiated can conceptualise where i’m going with my considerations…  

Yet perhaps underlying my passionate undertakings; is the notional concept that those who are vulnerable, working within the sphere of digitally communicated data or output of contributions - are so often poorly served by the web of today in some of the most meaningful of circumstance.  Whether it be by telephone call, that one may seek the right for legal representation - on a system that does not record the conversation in which terms are stipulated, acceptance required as a condition of obtaining that right for legal representation; or whether it be an ignorance for provenance surrounding a work that is deemed commercially valuable; or the integrity and validation of a medical test or treatment, or other  circumstance that may disadvantage or damage a person unnecessarily, through the architectural practices of the systems made available, through commercial and other means - ethical considerations are at play, and not any one-person should ever be capable of defining the rulebook; but rather, perhaps support and act as a contributor in some way meaningful to them.  such considerations in-turn relates to my suggestion above - that we use some sort of method that allows us to develop, refine, support and discuss use-cases, vote on them, etc.  

In other fields, an ordinary demonstration is within the field of public data; whilst an obvious relationship exists between taxation and public service; whereby furnishing the people of citizenship with relevant and materially important data demonstrating facts surrounding outcomes for the governed, on behalf of the people, seems to be a ’no-brainer’. Yet the political difficulties involved in seeking data, that could measurably benefit social-sciences… just one particular use-case of opportunity in the field of applied data-sciences, which in-effect also attends to the potential ramifications of ‘identity credentials - login and preferences’, whilst providing scope to consider the difficulties enshrined within any such act as to meaningfully assist, with the web.

Then through another lens; some may perceive threats to people made via concepts of privacy.  Whether it be restricting accessibility to an individual for records relating to that individual, in the name of privacy; or the notional misunderstanding that in-order to provide valued services, the necessary cost is that of privacy; or that in-order to  be furnished with the right of privacy one must do so at the cost of identity. If they want privacy, they must become ‘anonymous’ (whether or not that is a technically accurate description for all 3rd parties involved…)

It seems the vulnerable are least capable of considering the consequential outcomes relating to these ‘debates’, in a field of science that is yet to effectively grapple with underlying concept - of identity. recognition before law, as a person - a formative human right. This field, of human rights is not something that has no precedent. in fact, some wonderful resources exist [12], yet their meaning sometimes becomes opaque; unreasonable barriers presented to individuals who needs to have such precedent recognised, meaningfully, at times of need.

So therefore; some thoughts.

DEFINING CREDENTIALS
Whilst i’m still working on the wording - my thoughts are that the definition may become something along the lines of "a credential may be defined as a digital instrument used to certify a representation by a legal entity, to 3rd parties, digitally.”

Google Defines[1] credentials in the following way
"
a qualification, achievement, personal quality, or aspect of a person's background, typically when used to indicate that they are suitable for something. 
"recruitment is based mainly on academic credentials” 
- a document or certificate proving a person's identity or qualifications. 

synonyms: documents, documentation, papers, identity papers, bona fides, ID, ID card, identity card, passport, proof of identity 

- a letter of introduction given by a government to an ambassador before a new posting.
“ source: [1]

Perhaps also a credential could be defined as a "symmetrical verification of a fact in relation to a legal entity”, which in-turn (through utility) becomes a "credential". 

The documentation on the homepage http://www.w3.org/community/credentials/ seems perfectly reasonable; yet i believe it also needs to be expanded significantly. 

FEEDBACK ON CURRENT USE-CASE SCOPE
The current use-cases are defined (inclusive of the language used) more specifically for payments / transactions.  Whilst of course, the use of credentials for payments is an exacting purpose of developing some form of W3C Orientated standard for Credentials (as a constituent of identity services) an array of other use-cases exist that can and would also benefit in the application of credentials. 

It is my suggestion that we review and update the identity/credentials use-cases.  The needs for financial markets provides a great precedent for the needs of individuals, and we should treat the needs of legal entities.  Individuals will be incapable of issuing credentials for themselves, unless it is a credential relating to something they produced - like a piece of registered (electronic) mail.  Within this sphere of course; brings about other use-case discovered requirements, such as levels of assurance in relation to credentials;  Organisations, similarly, will also reasonably require means to mediate credentials - as to safeguard the assurance level of issued credentials. 

‘Credential’ based ‘data aggregation’ - what stops a ‘master credential’ being used to aggregate all user-data, using the credential as an epicentre - what protection exists surrounding how this can be done? 


An entity represents themselves to hold;
 
- A position in an incorporated entity
- A qualification (a university or institutional qualification) 
- A Trade License
- an association (ie: member of a group)
- an agent relationship (i.e. a sales agent) 
- A certificate stating someone has been unwell. (a doctors certificate)
- A Low-Income Credential (which might then be used for assessments in relation to gov. services)

IMPLICATIONS FOR DEFINITIONS AND LANGUAGE USED WHEN DEFINING CREDENTIALS?

DEFINE:  “A Credential allow an authorising party to produce and make available a digital instrument for the purpose of providing a credential to a 3rd party.” ??

- What are the privacy, or ‘data safety' implications surrounding the use and issuance of Credentials.  What forms of Authentication are assessable? Is an identity displaceable? 

NB: I’ve initially sought to consider ‘data rights’ [2].  Yet, overtime i keep considering the concepts conveyed by Vint Cerf, in the verisign presentation [3] and am led to consider that perhaps the better term is "data ‘safety’". 

TERMS OF ANONYMITY 
It is my belief that the actions of a person using the web can be tracked, depending on the amount of funds / resources thrown at specific ‘problems’.  This is not simply a HTTP undertaking; and without getting into it, it seemingly boils down to the politics of sovereignty, human rights and systems of law.   Therefore, in terms of scope - it is important (in my opinion) that the outcomes of this group support pseudonymity [4], which from initial considerations appears to suggest that inclusive to terms of citizenship; a person has (more broadly) the right to anonymity.  

What i am attempting to consider, is that a person should not be required to do anything for commercial purpose; that is beyond requirements or circumstances pursuant to the ‘rule of law’[5]; which in-turn may mean that should a dispute arise the proper forum of arbitration may be a court of law.  

Thereafter, it appears to become more complicated; as issues such as ‘choice of law’ start to attend to the fact that an organisation who may pursue credentials for some purpose (i.e.: a provider) may select a ‘choice of law’ that is unreasonably accessible to the individual for whom that credential is furnished or concerns. 

SO: Understanding this is a technical standards forum; to which we’re participating in defining a technology or software solution; which means we’re able to define tools that when assembled may have a ‘compliant’ or ’non-compliant’ nature (in-turn relating to the functional usability of the resource); how broad will our scope become, as to attentively consider the consequential considerations surrounding the application of a credentials standard.

Perhaps, arguably, the web is currently unbalanced in terms of its functional capacities of providing ‘safety’ to its end-users who are continually engaging incorporated entities for the purpose of survival and obtaining opportunities to grow as individuals, and contribute to their fullest potential.   Even email can be ‘faked’[14], whilst we’re phished [15], paying more for internet connectivity due to the cost-burdens of issues such as SPAM. 

TimBL and the WebWeWant campaign has noted Tim’s presentation at TED, relating to the Magna Carta for the web [6] recently.  A potential ‘threat’ that may not be new, but that the practice of defining credentials may clarify further through a declarable ‘toolset’ is the ability or practice for some to unreasonably reduce the capacity for others to be economically recognised for their work, where that work is not illegal or harmful.   This in-turn, when relating the concepts to that of a ‘knowledge economy’ perhaps fundamentally, in the US, relates to the spirit of how the Copyright Clause was defined in the US Constitution [7] 

"To promote the Progress of Science and useful Arts, by securing for limited Times to Authors and Inventors the exclusive Right to their respective Writings and Discoveries.” [7] the consideration therein being the underlying notion of acknowledgement as a minimum.  A concept followed by creative commons in their license inclusion of ‘attribution’. 

Credentials should be a toolset or resource to provide safety for all.  A means, to have your vote count[8].  Not specifically a toolset for sophisticated entities to be engendered rights that are beyond the capacity of all individuals; but rather, a toolset of shared-values. 


AUTHENTICATION
Authentication mechanisms have two principle facets.  

- how to securely Identifying someone.  
- how to Identifying when authentication is used to mislead systems/persons, in relation to a representation.  (easy example is using someones computer when they’re already logged into FB.  more complex, is a site collecting credit-card data stored as clear-text, or indeed, accessing a persons identity when they’ve connected to an array of identity credentials)...

I doubt this is simply a technical (S/W + H/W based) approach / set of requirement.


END-NOTES

- are we intending to produce some free software targeted at supporting the outcomes of the credentials work...

I’ve started http://www.webcivics.net/ - through which i’m hoping to contribute towards some free-software and public discourse.  More helpers the better, and i’m absolutely dedicated to attending to the needs of this Credentials spec.   If people have documents, pointers, URLs, Blogposts or other material that you’d like to flag with me - perhaps the easiest way atm is via https://twitter.com/webcivics 

I do appreciate that some of the discourse is not specifically specifications orientated.  So, i do ponder the best method to create an inclusive set of communications strategies as to ensure our specifications - are as holistically supportive as possible.

TimH.

LINKS
[1] https://www.google.com/search?q=credientials
[2] http://lists.w3.org/Archives/Public/public-webpayments/2014Jul/0043.html
[3] http://www.verisigninc.com/en_US/innovation/verisign-labs/speakers-series/evolution-of-internet/index.xhtml
[4] http://en.wikipedia.org/wiki/Pseudonymity
[5] http://en.wikipedia.org/wiki/Rule_of_law
[6] http://www.ted.com/talks/tim_berners_lee_a_magna_carta_for_the_web
[7] http://en.wikipedia.org/wiki/Copyright_Clause
[8] http://vimeo.com/30416090
[9] https://www.youtube.com/watch?v=sKOk4Y4inVY
[10] http://www.w3.org/2007/09/map/main.jpg
[11] http://dig.csail.mit.edu/2010/Papers/IAB-privacy/httpa.pdf
[12] https://www.youtube.com/watch?v=aiFIu_z4dM8
[13] https://docs.google.com/drawings/d/17mfHu4EqsnZQ2eFI115qC8FUuLOX-ZSnWpCjo7q1Vlc
[14] http://en.wikipedia.org/wiki/Utegate
[15] http://en.wikipedia.org/wiki/Phishing

On 25 Aug 2014, at 6:08 am, Manu Sporny <msporny@digitalbazaar.com> wrote:

> Hi all,
> 
> W3C Community Groups are supposed to get a wiki, but ours isn't showing
> up yet. I was going to transfer over the identity/credentials use cases
> that we have in the Web Payments CG to this CG, but can't yet. As a
> temporary alternative, they're listed below.
> 
> For those that may not have been tracking the Web Payments CG work,
> these use cases came out of a workshop[1] that W3C put together on
> payments (held in Paris, March 2014). They've been refined over the last
> couple of months to meet the needs of the payments work. Clearly, we're
> going to have more use cases added in this group. These are just a
> starting point. We're also going to have to modify the language a bit to
> make them more generic. For example, we will probably want to replace
> the 'payer', 'payee', 'merchant' language to something more akin to
> 'sender', 'receiver', etc.
> 
> Web Payments Identity/Credential Use Cases
> ------------------------------------------
> 
> === Glossary ===
> 
> There are a number of roles assigned to entities in each use case below:
> 
> payer - the entity sending value in a transaction.
> payee - the entity receiving value in a transaction.
> buyer - an entity that is performing a purchase.
> merchant - an entity that is offering a product or service for sale.
> payment processor - an entity that is responsible for transferring value
> between entities and generating verifiable digital receipts.
> 
> There is terminology that is common to all use cases:
> 
> credentials - attributes such as name, shipping address, government
> issued ID, or proof-of-age associated with a particular entity that may
> be exchanged before, during, or after a transaction.
> 
> === Version 1.0 Use Cases ===
> 
> Use Case: Store basic credentials and payment provider information on
> the Web in a way that is easy to share with various payees/merchants
> given authorization by the owner (payee) of the credential, and that is
> easy to synchronize between devices.
> 
> Use Case: Steve (buyer) visits a website (merchant) and authorizes the
> transmission of one or more credentials (such as proof-of-age, shipping
> address, etc.) previously stored with a credential storage service to
> the website to enable access or fulfillment of a transaction.
> 
> Use Case: Given the permission of the participants (payer, payee, buyer,
> merchant) of a transaction, the transaction metadata can be used to
> discover additional attributes associated with those participants. For
> example, given the buyer's authorization, a merchant could query the
> identity URL for the buyer contained in a digital receipt and obtain an
> up-to-date email address.
> 
> Use Case: Digitally verifiable credentials such that a merchant and
> payment processor involved in a transaction can prove that they have
> performed the proper due diligence when identifying the payer and the
> payee (Know Your Customer).
> 
> Use Case: A payer executes a transaction without revealing secrets that
> are not vital to the transaction (i.e. identity, passwords, PINs or
> other information that the merchant does not need to know).
> 
> Use Case: Use an existing, widely deployed identity provider mechanism
> (i.e. OpenID Connect) to integrate with the digital credentials sharing
> and payments initiation process.
> 
> Use Case: Transact with a merchant without revealing any identifying
> information. Identifying information is available to the payment processor.
> 
> Use Case: Gunther (payer) enters a short-identifier that he believes
> identifies The Widget Store (merchant) into a UI. The UI displays a
> certificate of authenticity that indicates the short identifier is in
> fact for The Widget Store. Gunther uses the short identifier to make a
> payment to the store.
> 
> Use Case: Jack (payer) wants to send Jill (payee) some money and asks
> Jill for a short, memorable payment identifier. Jill sends the payment
> identifier to Jack via an SMS message. Jack makes a payment using the
> short payment identifier; the payment processor translates the short
> payment identifier into a destination financial account for Jill.
> 
> === Out of Scope or Future Use Cases ===
> 
> Use Case: Enable truly anonymous transactions such that the identity of
> the payee is not discoverable by payees, merchants, or payment processors.
> 
> Design Criteria: A primary entity (buyer, merchant, etc.) with access to
> a credential service sets a second entity (buyer, merchant, etc.) as a
> backup for accessing their credentials should they inadvertently lose
> their ability to access the credential service (accidental loss of
> password or 2-factor authentication device).
> 
> -- manu
> 
> [1] http://www.w3.org/2013/10/payments/minutes/
> 
> -- 
> Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny)
> Founder/CEO - Digital Bazaar, Inc.
> blog: The Marathonic Dawn of Web Payments
> http://manu.sporny.org/2014/dawn-of-web-payments/
> 

Received on Monday, 25 August 2014 06:40:12 UTC