- From: Daniel Burnett <danielcburnett@gmail.com>
- Date: Wed, 3 Aug 2016 11:32:56 -0400
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments IG <public-webpayments-ig@w3.org>, Credentials CG <public-credentials@w3.org>
- Message-ID: <CA+EnjbLyLZ95kU6ZKmHEOVgojCrLcggOq=d5g5GuiBwPj2q0Bw@mail.gmail.com>
Sorry I missed the call yesterday -- was speaking all day at another conference. It looks from the minutes as if October 21st (or so) was being considered as a time for us to meet rather than 27th-28th. I just wanted to give my +1 for that since I will be presenting in China Oct 28th-29th and might have trouble joining you simultaneously in California at that time. -- dan On Wed, Aug 3, 2016 at 10:23 AM, <msporny@digitalbazaar.com> wrote: > Thanks to Shane McCarron for scribing this week! The minutes > for this week's Verifiable Claims telecon are now available: > > http://w3c.github.io/vctf/meetings/2016-08-02/ > > Full text of the discussion follows for W3C archival purposes. > Audio from the meeting is available as well (link provided below). > > ---------------------------------------------------------------- > Verifiable Claims Telecon Minutes for 2016-08-02 > > Agenda: > > https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Aug/0000.html > Topics: > 1. Feedback on Charter from W3C Management > 2. Verifiable Claims Face-to-Face Agenda > 3. Terminology and Expiration > 4. Linked Data Encrypted Signatures > Action Items: > 1. ShaneM to reach out to Chris Wilson about google contact > 2. Manu to contact Daniel and ask about the space around IIW. > Organizer: > Manu Sporny > Scribe: > Shane McCarron > Present: > Shane McCarron, Manu Sporny, Nate Otto, Dave Longley, Dave > Crocker, Christopher Allen, Eric Korb, David Chadwick, David > Ezell, David I. Lehn, Richard Varn, Matt Stone, Colleen Kennedy, > Matthew Larson, Les Chasen > Audio: > http://w3c.github.io/vctf/meetings/2016-08-02/audio.ogg > > Shane McCarron is scribing. > Manu Sporny: We need to talk about Wendy Seltzer's responses. > We'll do that at the beginning of the call. Any other changes to > the agenda? > Nate Otto: Manu, David Chadwick also requested to add two items > to agenda: "i) expiry time of credentials, ii) definitions for > user-centric and privacy-enhancing" > > Topic: Feedback on Charter from W3C Management > > Manu Sporny: Wendy is the domain lead for the activity. needs > to be okay before we put it to a vote. > ... has provided some high level feedback. Similar to stuff we > have been hearing for a while. > ... has not made specific suggestions. Just raised general > concerns. > ... High level points: > ... Problem Statement is too over-arching > Manu Sporny: > http://w3c.github.io/webpayments-ig/VCTF/charter/#problem > ... Usually a charter problem statement will be solved when the > group is complete. > ... she asserts that our statements are visionary. > ... we assert that there is no widely used self-soverign > standard... > ... pushing back on widely used. can't be sure that will be > solved. > ... if the scope of data model, we are not specifying a > protocol. so there is no way to pass them back and forth. > ... we are not talking about transacting because there is no > protocol. > ... She also took issue with the word verifying. There is a > big difference between this has a valid signature and this is > connected to valid data. > ... we are saying that there is a mechanism to verify a digital > signature, but there is no way to ensure that the data is valid. > ... There is substantial infrastructure required to make > self-soverign meaningful. > ... we would need more to have a complete ecosystem. > ... there is no way to ensure that the claims would be used in > a privacy-enhancing manner. The links could be used in a privacy > invasive manner. > Dave Longley: (If this is helpful: digital signatures are a > mechanism for verifying the authorship of the claim ... that's > what what is 'verifiable' about the claims) > Manu Sporny: She found similar problems with the goals. > ... she would like us to narrow the goals down to things that > are achieveable. > ... Also saying that she does not quite understand how service > provider independence would work with what we are proposing. > ... She doesn't see how we can develop vocabularies for groups > that do not participate. > Dave Longley: And the vocabularies are interoperable > Manu Sporny: There is some confusion about what we are > proposing. We are not saying that we will define the > terminology. We are saying we will define the data format FOR > the vocabularies. > Manu Sporny: We will need to close the loop with her on some of > these. We can probably make edits to address some others. > Manu Sporny: We have not heard back from the JWT folks. > Dave Crocker: There was a discussion at the IETF meeting > ... it was brief. two items stand out. > ... One clarified the suggestion about education vertical. > Wendy made the comment that it was suggested because that was > where the effort had gotten support as far as she knew. > ... The other was more general: She wasn't seeing a depth of > support that would encourage one to believe that it would get > adopted once the work was done. > ... I can't evaluate how accurate that is. > ... Sometimes efforts like these get started because some > people are enthusiastic. When there is a strong support of > implelentors and consumers there is more likelihood of success. > Manu Sporny: These are the organizatins that say they're going to > implement: http://w3c.github.io/webpayments-ig/VCTF/implementers/ > Manu Sporny: One of the issues we have with that sort of comment > is that we have gone to a lot of trouble to present those > organizations. > Manu Sporny: Demonstrate that there is industry support: > http://w3c.github.io/webpayments-ig/VCTF/support/ > ... as far as industry suypport we went to a lot of trouble to > demonstrate that there is industry support. > ... I am wondering if she still feels that is not enough. If > so that is very confusing to me > ... We have had others that had far less support and got > started. > Manu Sporny: I feel like we have answered the question over and > over again. Either Wendy has not seen the links or they are not > convincing to her. > Dave Crocker: I have known wendy for a long time but not very > well. My superficial assessment is that she is focusing upon > pragmatics. > ... my experience with these types of situations is that they > need a sit-down dialog with the proponents and thrash it out in > realtime. > ... these types of differences in perception don't get resolved > in emails. > Manu Sporny: We have tried to get a meeting for a long time. > Wendy is very busy. > ... my hope is that we can have that sit-down soon. We are > having it with microsoft now and we are making progress. > Christopher Allen: Has there been any progress with Google? > Manu Sporny: No - not yet. > Dave Crocker: Who's the contact? > Manu Sporny: Chris Wilson the issue but it was mainly on > process. It is not clear if Chris was coordinating with the > Google identity team. > ... if anyone ahs a contact there please letme know. > Manu Sporny: My thinking is that if google withdraws their > objection, microsoft will follow suit. > ... we would prefer they both say this is great stuff and we > want to be involved. > ... we are still trying to get in touch with Google. > Eric Korb: Is there someone else who can contact them? > David Chadwick: Perhaps microsoft's objection is different than > google's > ... maybe it is a business issue, not a technical issue. > Manu Sporny: That may be the case, but it is not what they said > on the phone and in email. > ... they are usually straight forward. > ... we have not seen them strongly oppose work that actively > overlaps with one of their business units. But that doesnt mean > it is implossible > Shane McCarron: I can reach out to Google. [scribe assist by > Manu Sporny] > > ACTION: ShaneM to reach out to Chris Wilson about google contact > > Nate Otto: Are we going to edit the problem statement? Or are > we waiting? > Manu Sporny: Yes - I am going to do it because I am the only one > who has been in contact with everyone. > ... I will put it up as a draft alternative. Bring it back to > see if the group agrees. > ... might be a fairly aggressive set of changes. > ... which will be okay if the group goes for it... and if that > satisfies the objections. > Nate Otto: Good luck! > Manu Sporny: Probably no meeting next week. > Nate Otto: Here's some text I put together as we were chatting, > you may consider -- or it may be quite a bit off where you want > to go with it: "There is no standard data format and vocabulary > that may currently be used to make claims about entities and the > properties attributable to them in a way that is compatible > across industries, carries verifiable digital signatures, and > protects the privacy and agency of the individuals and > organizations that are the subjects of these claims." > David Ezell: I have a conversation coming up with Microsoft. > Manu Sporny: Different than the one I have been having. > David Ezell: Mike Champion and I have worked together for years. > No one has a crystal ball. Some objections might be about > making a complicated set of udner constructions standards. > ... it is kind of a thin argument. None of the activities may > be adequate. The group has tried looking at things that are > already in progress. > ... I know MS cares about ISO and X9. I know that the people > involved from the Petro and Payments side are pretty disenchanted > as they apply to payments. even if you look at the ISO/X9 way of > doing things there are things missing. > ... it may come up that the WG that is being proposed will > develop the data model, but then step back and give the > requiremetns to the speciality groups to create the PKI structure > or whatever. > ... I would like to talk with you, Manu, before my meeting with > Mike. > Manu Sporny: We are actively working the problem. Trying to > find common ground. > Christopher Allen: MS is doing a variety of things relating to > blockchain. Daniel Duchner is working with the block stack > people on bringing that tech into MS related work > ... as I understand it they are working with other groups. I > know that blockstack is planning on using verified credentials > and JSON-LD and other things. > ... so there is work in this space ongoing at MS. They put a > lot of importance into BC. > ... whoever is talking to them might remind MS that internally > they are already interested. > Manu Sporny: There are three touchpoints. dezell is speaking to > the AC rep. Manu is speaking with the identity contact. And > then Kim Cameron - identity czar at MS > ... Mike doesn't have a position as far as I know. Anthony > doesn't seem as opposed. Kim's group is already actively looking > at VC. > ... there isn't one opinion at MS. They are coming up to > speed. > ... It is migrating to "let it run its course" or "let's get > more involved". > > Topic: Verifiable Claims Face-to-Face Agenda > > Manu Sporny: > > https://docs.google.com/document/d/1uYDRcHs_EOpJzezJerKnKT4Grni1sFLX2nRp7zlq2BE/edit > Manu Sporny: Based upon most recent feedback it is not going to > happen in time for TPAC > ... the most we can hope for is that if the vote is open we can > invite people to participate. Bring people up to speed. > ... we have asked the WPIG for a block of time. > ... There is an opportunity to hang the meeting off another > meeting at the end of October. > ... Last day of IIW and day after > ... We have floated the idea past Phil just to get it on the > radar. Given the schedule that is the most reasonable plan we > could have for a F2F meeting. > ... The upside is whether the WG happens or not we can probably > do something at IIW. > ... We are going to have to plan all of it ourselves and pay > for it ourselves. > ... We need to find sponsors, figure out space etc. > Shane McCarron: +1 To attaching it to IIW > Manu Sporny: It'll be around October 27 & 28 > Nate Otto: Can't come -- in London for MozFest until the 31st. > But +1 to attaching a F2F to a compatible event sometime in the > latter half of 2016. > Christopher Allen: We also have a rebooting web of trust at the > end of september > ... We have had enough people who are critical who feel like > they cannot make that meeting. > ... We want it to be a 3 day event but the first day is a > conflict. > ... We were talking about moving it to the three days before > IIW. > ... MS says that they can hold that space for us. > ... 10 or so people have paid for the original dates so we are > closing the loop with them. > ... Maybe we should contact Daniel about the MS space and if > that might work for the VC F2F. > > ACTION: Manu to contact Daniel and ask about the space around > IIW. > > Christopher Allen: Does this change the TPAC plan? > Manu Sporny: There will still be 2 VC events at TPAC. Breakout > session on Wednesday and another during the WPIG meeting. Talk > about charter questions etc. > Christopher Allen: I am trying to rate my attendence at that > meeting. This is the only topic I am interested in. Do I travel > to Lisbon for that? > Manu Sporny: It would have been ideal to have a f2f there... but > it is too slow. > David Ezell: As we are building this agenda for TPAC (WPIG) manu > you should get a page and put this down as a definite session. > Manu Sporny: I thought Ian said he didn't want anything definite > yet. > David Ezell: Well, putting your name on the slot makes it more > definite. > Christopher Allen: What was that topic named? > David Ezell: If you have additional topics for the IG that would > make the meeting more interesting just let me know. > ... I know that I wanted to talk with you ChristopherA about > emerging markets. Maybe that is of interest? > Christopher Allen: Thank you. > David I. Lehn: Not available. At a meeting in Paris. > Richard Varn: As noted before, EDUCAUSE is october 25-28 in > Anaheim. i am currently planning on attending that > Christopher Allen: I could do the friday before IIW (21st of > October). > Richard Varn: I can do that > David I. Lehn: I could probably do that. I need to know pretty > soon though. > Nate Otto: Doesn't make a difference for me. I'm blocked October > 15-31. But I'm just one.. :) > Matt Stone: My calendar is open for late Oct. > Manu Sporny: That is really pretty interesting. We could do it > the friday and saturday... > Christopher Allen: What is the paris event? > ... WG meetings are usually two days. I think having it on the > 27th and 28th. But if there is no venue then it doesn't matter. > Manu Sporny: I will keep you in the loop ChristopherA so that we > are not stomping on one another's events. > Dave Crocker: The anti-abuse group is meeting in Paris at that > time. > Nate Otto: https://www.m3aawg.org/upcoming-meetings in Paris > M3AAWG Oct 24-27 FYI > > Topic: Terminology and Expiration > > David Chadwick: I am writing a paper about VC and an > implementation we ahve done > ... a key point is that VC are user centric and privacy > enabled. They are not in the glossary. They should be. > Manu Sporny: > http://w3c.github.io/webpayments-ig/VCTF/charter/#terminology > ... I have provided some candidate definitions. > Manu Sporny: We have definitions int he charter > ... they should have been in the glossary. Can you look them > over and see if you agree or if they should be changed? > Nate Otto: I see self-sovereign, but I don't see "user-centric" > or "privacy enabling" > David Chadwick: They key terms are not in that glossary. > Christopher Allen: +Q > Dave Longley: We stopped using the term user-centric. We > switched to self-sovereign. We had some discussions about > privacy enhancing and how much we wanted totalk about that. > David Chadwick: We don't have the term defined. It would be > okay to have a local definition of user-centric or replace it > with another. > David I. Lehn: I recommend against using the term with a new > definition. > Dave Longley: Our intention was to replace the term. > Christopher Allen: I am responding to the privacy question... I > am hoping that we can defer identifier and confidentiality > issues. > ... I need the format now. We can dive deeper in another round > of work. > ... are we saying there are real privacy enhancements now? > Dave Longley: "Omnidirectional vs. unidirectional" > Manu Sporny: We are saying that we are enabling it. Privacy has > a lot to do with the idenitifiers that are used. If an > identifier is long lived and ties everything together it is NOT > privacy enhancing. If you have one that is generated on each > transaction... > ... let's not do this in 1.0. we can do it in 2.0 as long as > we are very aware of the limitations. > Christopher Allen: In many cases it is not even the data. I > didn't know if moving things forward causes thigns to be unclear. > We just want flexibility for the future. > Manu Sporny: We have 10 minutes left. > David Chadwick: Expiration time. Nothing has really come of the > discussions. > Dave Longley: http://w3c.github.io/webpayments-ig/VCTF/ <-- much > of this supersedes the VCTF final report, so whatever terms are > there are what we're proposing to W3C > David Chadwick: I thought we had agreed that there should be a > time in the credential. > ... there needs to be a way to ensure that credentials can > expire. Nothing is in there now. > Nate Otto: On expiration: Sounds like something the official work > should take up and make part of the vocabulary. I don't think > expiration should be a mandatory property of a credential. > Manu Sporny: There is nothing in the proposal, but it is all > over the spec. I think what you are asking is that it is there > in the definition. > David Chadwick: It should be a mandatory propoerty of a > credential. > Manu Sporny: The group has typically landed on that propoerty > being optional and specified by the vertical. > Matt Stone: Should recommend the verification package have an > expiration period that's separate from the claim itself > Manu Sporny: On the other hand ever use case we have seen has > included expiry information. > ... we have always intended stuff to expire in the general > case. > Christopher Allen: In Smart Signatures, the expiration is part of > the signature, but it is a separate standard. > > Topic: Linked Data Encrypted Signatures > > Christopher Allen: (I.e. the signature expires, not the cliam) > Nate Otto: Reading use cases and saw that no use case requires > the actual subject of the claim. That seems strange in a > self-sovereign architecture. > ... it feels inconsistent in that any older of a claim could > share the claim with anyone else without the approval of the > subject. > Matt Stone: In concept, the claim payload is still available, > but no longer verifiable in "this" transaction > ... I proposed an optional extension to have the subject and > the issuer to agree on inspectors who can verify the claim. > Manu Sporny: We had a discussion off line and in email about > encrypted signatures. So that only the targeted recipient can > decrypt the signature and verify the data. > ... how does this really protect the subject. > Christopher Allen: That feels like a signature format > Dave Longley: I'd like to see any of this be heavily use case > driven > ... not clear. But regardless it demonstrates how flexible > linked data signatures are. > Manu Sporny: If the goal is to make sure that the receiver of > the information cannot misuse it... well, that's not possible. > Once an inspector has the information, they can do anything with > the data. > Nate Otto: To be clear: any information that an individual has > may be shared with others. I posit that there is a significant > difference between a verifiable claim and an unverifiable claim > (a claim with a signature that cannot be verified by the holder). > Christopher Allen: (You can make it such that forwarded it > doesn't validate) > Manu Sporny: We don't think the technical solution prevents > misuse of their information. > Christopher Allen: You can't prevent someone from taking the > claim information and passing it on, but you CAN make it such > that the signature is not valid when you pass it on. > Nate Otto: +1 To ChristopherA. I think this subtle distinction > may be significant in the long run. At least enough that I may be > interested in implementing this behavior. > ... if you are only relying upon VC as being valid, then it > will work. > David Chadwick: The issue is about trust. You use the signature > so that you know who sent it. If I cannot check the signature > but I get it from someone else who says "I chedked it" and I > trust them, then I have a trust chain and it holds up. > Dave Longley: Very clear use cases will help > Manu Sporny: That all folds into whether the information remains > trustworthy. If you want to restrict forwarding of VALID data > there are ways to do that. > Christopher Allen: (It is even possible to link those two, such > that the sign fails untill the countersign is made) > Manu Sporny: In case people are not aware, the current protocol > has the subject countersign the claim when it is handed over. > One is from the original issuer, and one from the subject that > indicates "I was in control when I handed it over to you, > inspector". > Nate Otto: +1 To David. A chain of trust is a valid use case for > this. This is not designed to prevent an inspector who has > verified the signature from telling others about that information > in a technical sense. That is actually a valuable use case as > well. I doubt that all implementers of VCs will want to implement > this extra complicated behavior, but there are some valuable use > cases I think for some people implementing this. > Manu Sporny: Even that mechanism does not prevent the misuse of > information. > Nate Otto: Sounds like my task will be to define a better set of > use cases. Thanks for bringing this to the floor, manu. > > > > >
Received on Wednesday, 3 August 2016 15:34:14 UTC