- From: Manu Sporny <msporny@digitalbazaar.com>
- Date: Tue, 09 Jun 2015 15:31:24 -0400
- To: Web Payments IG <public-webpayments-ig@w3.org>
Hi all,
These are the minutes from the Credentials CG telecon. Ian joined us to
talk a bit about payment credentials and the upcoming NYC face-to-face's
Credentials agenda item. There was some feedback from the education,
healthcare, and National Retail Federation (retail) sectors on credentials.
----------------------------------------------------------------
Thanks to Dave Longley and Manu Sporny for scribing this week! The
minutes for this week's Credentials CG telecon are now available:
http://opencreds.org/minutes/2015-06-09/
Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).
----------------------------------------------------------------
Credentials Community Group Telecon Minutes for 2015-06-09
Agenda:
https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0035.html
Topics:
1. Web Payments IG and Credentials
Organizer:
Manu Sporny
Scribe:
Dave Longley and Manu Sporny
Present:
Dave Longley, Manu Sporny, Ian Jacobs, Eric Korb, Richard Varn,
Brian Sletten, Gregg Kellogg, Rob Trainer, Arto Bendiken, James
Anderson, David I. Lehn, Laura Fowler
Regrets:
Nate Otto, Sunny Lee, Pindar Wong
Audio:
http://opencreds.org/minutes/2015-06-09/audio.ogg
Dave Longley is scribing.
Manu Sporny: We have Ian Jacobs with us from W3C, Staff Contact for
Web Payments work, a long time W3C veteran. We'll be talking about
what the Web Payments IG is doing and how our work here will impact
it. We can also discuss use cases with any remaining time.
Manu Sporny: Any changes to the agenda?
None
Topic: Web Payments IG and Credentials
Manu Sporny: As many of you know, the Web Payments IG has been
looking at credentials lately, there's a topic at the NYC F2F next
week where we'll be trying to extract use cases around payment
credentials.
Manu Sporny: I thought that it would be a good idea to get Ian on the
call to introduce ourselves to him and let him hear about the work
that's happening here. As a reminder, we all care about credentials
very much and see it succeed. If we can do anything about credentials
at W3C, we want to construct it to be successful. We're not trying to
make any decisions today, just getting background on Ian's thinking on
credentials and integrating it with the Web Payments work and feedback
from orgs in the education and healthcare space and what they'd like
to see as far as standards are concerned over the next few years.
Manu Sporny: Ian if you could give background on yourself and what
you'd like to see that would be great, sorry to put you on the spot.
Ian Jacobs: Manu has talked to me a bit about the work of the group
and I claim only superficial knowledge of it and would like to learn more.
Ian Jacobs: I'm the lead for the W3C staff for the Web Payments IG
and where we are currently, having launched in Oct., is that we want
to come to consensus on charters for new WGs to integrate payments
further into the Web. We are meeting next week face to face where we
will be discussing the work that has gone into our use cases and
capabilities which are functional modules for enabling the use cases,
and determining which groups, new or existing, should work on the
priority capabilities we've identified for version 1. Part of the
discussion is around identity requirements.
Ian Jacobs:
https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials
Ian Jacobs: Manu has brought to the IG's attention that a lot of
effort has gone into designing an approach originally rooted in
payments use cases but then has migrated closer to educational and
healthcare use cases. Manu and I have discussed that we have an hour-long
conversation within the IG to solidify and get a shared understanding
of the financial industry's use cases. We've heard horror stories of
the cost of creating accounts for high net-worth individuals and
creating a second account is just as expensive as the first one, and
credentials could lower costs. Manu has looked up the penalties
involved in making sure identities are checked, and credentials can
help with that. There are some prominent use cases in there already
like making it easier for users to provide data to merchants like age
and so forth.
Ian Jacobs: Another one is for merchants/users to discuss a new
payment option and there's a contractual set up beyond the technical
integration and credentials could reduce costs for establishing
contracts for new payment mechanisms. We want the IG to have
confidence in proposing to the W3C work that would have benefit to the
payments industry. That's where we are today. I know people have
expressed interest in this and once, as an IG, we have a better handle
on the payments use cases then we can all come together and look at
opportunities to collaborate, depending on overlapping needs, and
possibly move forward as a block which would be great, or as
independent groups because that would be more beneficial.
Ian Jacobs: I'll pause there to see if there are questions, etc.
Manu Sporny: I think that's a very accurate description of where we
are. If you're interested in asking questions do `q+` and you'll get
on the queue.
Manu Sporny: The main concern the group had voiced was in the coming
together, figuring out how, if we can come up with a unified way to
address all these use cases.
Manu Sporny: And what the timeline would be, yet. We'd do F2F in NYC,
get use cases, derive capabilities out of the use cases, then once we
have that, see if there's overlap with the other credentials use cases.
Manu Sporny: Credentials Use Cases:
https://docs.google.com/document/d/1GySrTXAYpwa4vDPsGE3BMA42FwIAqAyLGigKuKUTGks/edit
Ian Jacobs: You hit something on the head more clearly than we had
discussed previously. Let me explain how we're using the terms. The
use cases are stories, probably very similar to the work the CG has
done. We want to say "so and so is paying through a website or using
an NFC connection, etc." Right now it's the consumer+merchant
experience. The capabilities is more about the technology needs we
have for the use cases. The next level down will be requirements like
"the user interface needs to be accessible, etc."
Ian Jacobs: I think if we end up having the same capabilities then
that suggests we have a lot of overlap and the work can go on in
concert. That's less about use cases and more about capabilities.
Ian Jacobs: That seems like a good thing to aim for.
Manu Sporny: I don't think this group has seen the trust and
capabilities document yet.
Manu Sporny: We can focus there.
Manu Sporny: DRAFT DRAFT Trust and Identity capabilities for Web
Payments:
https://docs.google.com/document/d/1FbHscEFUA1P6Frm9h-98bgBF8oCNNu3_0BZh8l7Aa0c/edit#heading=h.yekwqd5iky7q
[scribe assist by Manu Sporny]
Ian Jacobs: We're wrestling with the content and the display of it,
and it will likely evolve again. Looking at it now is a good place to
start but expect a lot of changes between now and 10 days from now.
Manu Sporny: I think there's a high degree of overlap in the trust
capabilities with the Web Payments and what will come out of the
Credentials CG. Surely there's still work to do to establish if/where
overlap is. But for the first time I think we know what we're going to
use to determine if we need one or more groups on credentials.
Manu Sporny: Ian, do you expect, if we're able to have a capability
to capability comparison in late June/July then we could write a
charter by September?
Eric Korb: Manu, would that get in line for TPAC in Japan?
Manu Sporny: Yes
Ian Jacobs: For me, we're trying to have a draft charter for a
payments architecture, that the interest group is happy with by end of
next week. At that point, in terms of process, the staff will review
it, go over resource allocation, etc. There will be a membership
review and a typical slowdown in August. I think having a charter that
the IG is happy with in mid June would have its first F2F in Oct 2015.
It takes a couple of weeks before the group launches because of the
advisory committee. It's feasible to get a draft committee together in
August/Sept and have work start in November. Yes, that's feasible,
there's the issue of the summer slowdown (US summer slowdown).
Richard Varn: This is Richard Varn with ETS. I've been working on
identity security/management, for ~30 years now. I wanted to provide a
perspective on that there's a real synergy between
healthcare/educational credentials. I also work with [missed] retail
federation to work on this. I bring a lot of different perspectives. I
think to the extent possible, we would want the standards and
components we use in healthcare and education at KYC in the financial
industry. We'd want it to be common, largely, and extensible where needed.
Ian Jacobs: I think where we can get broad consensus on a common
standard is only benefits. In our particular case, the Credentials CG,
as a community, has been discussing this for quite some time and the
payments industry has not. And we need to get up to speed, basically,
at which point there's a lot of good will to seek a common solution
without saying what it is, but seeking it is our daily bread at W3C,
so I don't hear any pushback on that.
Richard Varn: Here are some of the issues why we haven't moved
quickly as a group, society. The people that are the custodians of
records that are accepted broadly ... I would say the bear anonymous
use, by and large, of credentials... the people who manage the records
are document and paper based, there are few standards that they all
follow, and we need to use them as a point of reference for all these
different systems and it's difficult to get them to help. That's one
problem. On the ID site. On the money side, there are a lot of
financial industry conflicts, GOTR stuff. So many people have strong
interest in how that works they don't want to be disadvantaged. The
third issue has been the overlap with privacy, security, access, and
use. That's where you end up with a discussion we've been having here,
for example with short term anonymous credentials that go away
quickly, etc. And you have to have discussions with privacy advocates,
etc. Those are some of the backend problems we have to address, even
if we have common capabilities, etc. there is a lot of drag that pulls
us back. In the education/healthcare area, I'm excited that a lot of
the same problems can be addressed in the same way and more people in
those industries are aligned to help each other vs. in other
industries they are adversaries. The interest in solving the problems
are well aligned and what we can get done there can offer potential
common solutions that people can ride on in other things.
Richard Varn: To be able to go somewhere else in the same
organization even helps ("we're doing this with driver's licenses,
let's do it with birth records").
Richard Varn: While education/healthcare may actually help lead the
way to a more common, quicker standardization method.
Gregg Kellogg: +1 To what Richard said
Eric Korb: I'd like to dovetail some of the things he's talking about
with regards to work in the healthcare industry and banking. We're
starting to see the emergence of healthcare banking. Banks can do
their healthcare and insurance payments now. As it gets broader ...
Eric Korb: Credentials will get even more important.
Eric Korb: We're seeing credentialing in the issuer and fulfiller of
the prescription -- and that ties into payments with the person at the
counter.
Eric Korb: Those things could be validated at the point of sale, etc.
banking and healthcare merging.
Eric Korb: I think other overlaps with education are well documented.
Everything starts with education. Everything else is heartbeat, so on,
that we don't want to put on the internet so we need robots to handle
our ID. We need to validate robots that are working on our behalf and
credentials need to be validated on those claims and typically those
claims are based on our education or other things about us we've achieved.
Eric Korb: Also, I'd add that students pay their tuition almost
exclusively online.
Eric Korb: Plus, gov't student loans are transmitted electronically.
Manu Sporny: I think deployment is well cart before the horse,
however, Richard has been doing this for 30 years, Eric has been
getting this stuff deployed and we can see what needs to be done for
deployment and we know why past deployments have failed in the
financial institutions. And much of that is because sharing KYC, to a
certain degree, has been seen as a disadvantage. Education/healthcare
has seen credentials as a big help, don't know if we can see that up
to recently at least with financial industry. Richard and Eric have
said you need a willing coalition/set of orgs to go and deploy this
technology and get it adopted. Education primarily and the healthcare
sector want to do deployments. The financial industry may jump on the
bandwagon but aren't the first players.
Eric Korb: Financial payments made by students, I know Xerox, a major
part of their business is collecting funds/tuition. Education being a
big part of state economy, would benefit from credentials in payment
space.
Ian Jacobs: I'm hearing a couple of different threads in the
conversation. One thread seems to be that, as industries converge and
the Web serves as a bridge between multiple industries, the value of a
common standard goes up. We're in strong agreement on that. It's
helpful to hear those use cases that cross the boundaries among the
different industries.
Ian Jacobs: The second thread is how to strategically address the
desire of the education/healthcare community and credential CG and how
to move forward and how to address the use cases and the alignment of
that and how to leverage the commonality in the work.
Ian Jacobs: I'm happy to engage with you in that conversation, but I
don't think that's the one we need to have today. My job is to find
out what the payments industry needs, it's therefore premature to
think of a strategy that doesn't involve the payments folks. In my
role, we need the payments people involved.
Richard Varn: I hope you weren't thinking we didn't want them involved.
Ian Jacobs: No.
Ian Jacobs: Not that.
Richard Varn: Yeah, we need them. We need payments and identity to
work correctly. We've been waiting a long time. We want to see that
advance. We just think they can advance better together.
Ian Jacobs: I apologize for the blinders I have on... my limited
perspective is having a valuable and informed discussion on identity
and credential needs. I need to hear more from you in historic
pitfalls in what has been tried and how this work takes those into
account and is different. For example, Richard/Eric said that the
banks may resist change, is that something that is going to doom in
the IG to failure or there's simply lessons learned so we can be sure
to take the economics into account in our discussions so even with
competing interests we can be explicit about them or even better find
corresponding benefits for interested parties. Also, who is stepping
up from the Web community for the particular approach being taken by
the CG? It's possible even to have... to split the conversation to
have the functionality we need and we're all in agreement in that, but
it may be harder to get agreement on a particular solution because
we have different communities within W3C like SemWeb who may want
JSON-LD but that may be in conflict with the broader community.
Ian Jacobs: Those are all things I want to hear and get us on the
same page.
Ian Jacobs: [Ian understands that mosaic of credentials will paint a
picture of identity]
Richard Varn: I was going to add that the one part of this about this
that overlaps in the Identity space is the collection of credentials.
In the way a wallet provides a set of evidence about who someone is,
credentials does that, there's going to be a diversity of opinion on
ways people will do that, we'd have one very hard to crack token and
maybe people want that but that's unlikely and other people want to do
more diverse things. We want to have credentials that are difficult to
fake because they are based on a whole portfolio of things that are
based on industries that issued them etc. (missed some)
Manu Sporny: So why have these other credentialing mechanisms failed?
There are a lot of broad ID mechanisms like OpenID/Connect, and those
have failed to address these use cases because they don't carry
high-stakes credentials; they can establish you have an account with
facebook but they are incapable of expressing information like
citizenship, proof of age, etc. We have technologies that are fairly
naive about the information they carry. They have attributes that are
self-asserted, not countersigned by trusted authorities/issuers.
We've seen this happen in healthcare and education: the solutions only
take one industry into account, gov't have adopted PIV tokens for
federal security/buildings/etc. There's an entire ecosystem around
credentials but that's never taken into account in these smaller
solutions. Banking has focused on credentials only for banking, and
then adopted proprietary and patent-encumbered tech, to get "latest
greatest" so that was really expensive. Then the orgs that actually
exchanged the credentials were operating on a non-public network, so
under 10K orgs worldwide able to use them. They were never deemed to
be more broadly applicable. So different problems with previous
solutions. The industries tend to try and address them in a fairly
insular fashion and we just want to try and fix them in our industry
and we're sure it will propagate out to others. And using proprietary
and patent-encumbered tech has been a problem sometimes turning out to
be snake oil. I think that's over simplifying it, if you look at any
identity/credentialing systems before now. Problems: 1. No high-stakes
creds in scope when building the tech out (OpenID/Connect), 2.
Industry only took their market vertical into account., 3. Belief that
proprietary tech was best, but patent-encumbered ruined scalability
with cost, etc.
Manu Sporny: I think those are the primary reasons
Richard Varn: There came as an insistence that a privacy (missed) be
agreed and enforced through the identity security mechanisms. I've had
all kinds of discussions in different industries -- and trying to
force identity/security/privacy all through the same mechanism it
doesn't have to be the same.
Ian Jacobs: Can you say more about the particular
community/communities that have been involved in the development of
this. It is often the case that without browser awareness, it becomes
harder to get browser deployment. It may be that support in browsers
is not a key piece in the deployment of this, in which case
understanding that would be helpful. I don't know if in the Payments
case browser support is a key piece of it, etc. I'd like to hear your
views on the role of the browser and the ... support of this.
Manu Sporny is scribing.
Dave Longley: We've been having discussions with the WebAppSec group
at W3C regarding a credential management API that they've been working on.
Dave Longley: They primarily started that spec to make it easier for
browsers to manage passwords for people. People use a lot of tools to
autofill passwords. They're taking baby steps to get direct access to
password manager for websites.
Dave Longley: They're also trying to make the system extensible and
work with federated credentials - we saw the work happening, gave
feedback. They had been creating something called a 'credential
management API' - we saw lots of overlap.
Dave Longley: We had built out something similar - we thought that if
we could build a credential agent in the browser, and we could hook
that up to people's identity providers and we could hook that back to
websites. We'd like to see an API in the browser to request
credentials that the website needs.
Dave Longley: We wanted the browser to go fetch the credentials when
asked - given permission by recipient - etc.
Dave Longley: Ultimately, that's the role we'd like the browser to
play - to protect privacy of person using credentials.
Eric Korb: "Kill the password dead"
Ian Jacobs: Back up for a sec. I understand role of credential agent
in the browser.
Ian Jacobs: Is the IdP tracking you?
Dave Longley: No, we want to prevent it from tracking you.
Dave Longley: We want there to be a system that holds on to your
credentials, but they don't know who you're giving those credentials to.
Dave Longley: The other piece in the browser is providing a mechanism
for issuing websites to use to issue credentials via the browsers.
Dave Longley: To tie it back into credential management API - API
that they designed allowed websites to ask for previously stored
passwords or credential tokens... they had the same sort of idea of
how the API would work, but their current spec is very narrowly
focused on just the login case - primarily the password case.
Dave Longley: We'd like the scope to be broader - we see the future
of the Web to be a bit less about login and more about having
credential to get access to a particular portion of a website.
Dave Longley: Certainly, usernames and passwords will continue to be
used - but you can get more granular with community groups.
Ian Jacobs: I know there have been questions about identity
management around domains - what in the conversations w/ WebAppSec and
w/ browser vendors specifically - was there any feedback on lack of
interest on this general approach?
Ian Jacobs: Were there other questions around support or reluctance
around this idea.
Dave Longley: There has been pushback - first was that the WebAppSec
was not chartered to deal w/ our use cases in any way. We came up w/ a
proposal to support generalized credential use case.
Dave Longley: The Chair of WebAppSec pushed back and questioned that
the API was a good for both cross-origin and same-origin credentials.
Dave Longley: Mostly people want to stay w/ same origin policy - we
don't want to touch that too much
Dave Longley: This is something that needs to happen on the Web, just
because there is a secure way to secure certain types of data. We
shouldn't say we're not going to look at it.
Ian Jacobs: So, I think that's a big hurdle. I've been hearing that
tracking is important in some ways, and in other cases we care about
privacy.
Ian Jacobs: The default expectation on the Web - the things that we
enable that allow tracking is problematic.
Ian Jacobs: So, I'm hearing two things - we want to support certain
use cases that require tracking, but others we want to default to privacy.
Ian Jacobs: We may need to do something about same origin vs. cross
origin policy.
Eric Korb: +1
Dave Longley is scribing.
Manu Sporny: I think there's one point I want to make before we hang
up and that's the thing that we've found with the WebAppSec group is
that the charter was very narrow on the type of credential they were
looking at. That meant whenever we get close to talking about the meat
of the discussion, the charter got in the way. In my personal opinion,
we know that what they are trying to do is not the best thing for the
Web. There are password managers out there, building that into the
browser may cause lock in problems, then Chrome shares all passwords
within Chrome and it's difficult to export to Firefox, etc. and that's
being swept under the rug. And just because we understand the same
origin policy very well, that doesn't mean there aren't very good use
cases for cross-origin credentials and there are ways to secure some
of that information. The problem is whenever we try to have a
discussion about it it gets shut down. So charters or security people
get nervous and it gets shut down. So "this makes me nervous, stop
talking."
Ian Jacobs: Have you scheduled a chat with the security IG or TAG, etc.?
Manu Sporny: Talking with the security group has resulted in people
feeling nervous and not wanting to discuss and TAG would take a lot of
time but it's something we have to do.
Ian Jacobs: Raising awareness of the TAG needs to be considered
because some of what you have heard may be "This is how the Web works
for security" (I'm imagining that as something people might say). And
we need to check in and see if the TAG really thinks that's true and
we may need to push boundaries. Just like the Web has moved into a
place where JS has a more prominent role vs. angled brackets. I think
it's worth having the TAG there as an architectural grounding
influence. Post IG meeting, that may be something to look into. With
Wendy (Seltzer) she's our security lead and we can discuss with her.
We didn't get to the economics of credentials and I imagine they are
different for each industry or if not what's similar? I'd like to see
who would want a vibrant open market for credential providers. What's
the expectation for gov't agencies to step up, what about people who
don't want to use these IDs, maybe there are countries that have done
IDs successfully, how will the economics work and I'm particularly
interested in the payments landscape.
Eric Korb: Thx Ian
Manu Sporny: I know Richard has a tremendous amount of experience in
that space and hopefully we can use his time in NYC to dig in deeper
with that. Thank you, Ian for joining.
Manu Sporny: We won't have a call next week because the Web Payments
F2F will be going on and a number of us will be there. Thanks all!
Received on Tuesday, 9 June 2015 19:31:49 UTC