Re: Voluntary (and non-) Standards

On 12/10/16, 12:14 PM, "Manu Sporny" <msporny@digitalbazaar.com> wrote:
On 12/09/2016 01:54 PM, Hodges, Jeff wrote:
IMV the proposed VC work is essentially yet another take on
federated identity management (FIM).

... to be opposed to the Verifiable Claims WG proposal based on a comparison to
the shortcoming of FIM systems would be misguided.

I did not state that I am opposed, I am making observations.


We are also aware of the studies that you linked to on the current
problems with FIM.

I cited the papers (linked below) primarily for the benefit of others here in the AC committee who may not be familiar with them.


To be specific, you are asserting that the Verifiable Claims work is yet
another take on Federated Identity Management. That is painting with far
too broad of a brush.

Sorry, I respectfully disagree. The VC work is specifically regarding making third-party claims/assertions about a subject, which is what is generically at the heart of FIM (regardless of actual syntax and flows employed in whatever particular deployment profile).

InCommon.org [1] is a deployed example where subject claims (termed 'identity attributes') are asserted by issuers (termed 'identity providers') to inspectors (termed 'service providers') -- an example claim is "affiliation" (similar to "proof of age")...

https://spaces.internet2.edu/display/InCFederation/Supported+Attribute+Summary

In the VC work..

http://w3c.github.io/webpayments-ig/VCTF/architecture/#basic-architecture

..the "holder" seems to comprise a user agent that actively participates in the protocol flows. This is analogous to the work on an "enhanced client" in the FIM world..

https://www.oasis-open.org/committees/download.php/4948/hirsch-paos-lecp-draft-01.pdf


=JeffH

[1] InCommon participants ( ~ 8 million users )
      https://www.incommon.org/participants/


On 12/9/16, 10:54 AM, "Hodges, Jeff" <jeff.hodges@paypal.com> wrote:

[ these are my personal thoughts and do not necessarily reflect those of
my employer ]

+1 to mnotting's comments/observations.

To add to that, actual deployment and use of technologies such as those
envisioned by the Verifiable Claims (VC) proponents has significant
economic components. It has been observed that deployment success hinges
on a rough balance of economic interests between participants, e.g., see:

Economic Tussles in Federated Identity Management
http://128.248.156.56/ojs/index.php/fm/article/view/4254/3340

Can We Fix the Security Economics of Federated Authentication?
https://www.cl.cam.ac.uk/~rja14/Papers/sefa-pr11.pdf

Federated Identity Management: We Built It; Why Won't They Come
https://pdfs.semanticscholar.org/9333/d971b3ba11772bb42a370eace26565b048d5.pdf

[ Aside: yes, IMV the proposed VC work is essentially yet another take on
federated identity management. ]

HTH,

=JeffH

Received on Friday, 16 December 2016 17:08:51 UTC