Verifiable Claims Telecon Minutes for 2016-02-02

Thanks to Nate Otto for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2016-02-02/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-02-02

Agenda:
  https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Feb/0007.html
Topics:
  1. Summary of Interviews So Far
  2. Documents Needed By Web Payments Face-to-Face
  3. Verifiable Claims Task Force Final Report
  4. Use Cases Document
  5. Draft Charter Proposal
Organizer:
  Manu Sporny
Scribe:
  Nate Otto
Present:
  Nate Otto, Manu Sporny, Daniel C. Burnett, Dave Longley, Matt 
  Stone, Richard Varn, Shane McCarron, Eric Korb, Henry Story, 
  David I. Lehn, Peter Hofman, Gregg Kellogg, Rob Trainer, Bill 
  DeLorenzo
Audio:
  http://w3c.github.io/vctf/meetings/2016-02-02/audio.ogg

Nate Otto is scribing.
Manu Sporny:  Let's go ahead and get started.
Manu Sporny:  On the agenda: A summary of the interviews we've 
  done so far, figure out which documents we need by the Web 
  Payments Face to Face, we are going to talk about the documents. 
  Any additions to the Agenda?
No additions to Agenda.

Topic: Summary of Interviews So Far

Manu Sporny: Interview with Drummond Reed (of OASIS and XDI): 
  http://w3c.github.io/vctf/meetings/2016-01-27/
Manu Sporny:  We did four interviews last week. Drummond was very 
  supportive of the problem statement we were trying to address, 
  gave a lot of great input; he thought very deeply about what we 
  were trying to say: what's user-centric, how does privacy play in 
  the ecosystem...
Manu Sporny: Interview with Christopher Allen (co-editor of the 
  SSL and TLS specifications): 
  http://w3c.github.io/vctf/meetings/2016-01-28/
Manu Sporny:  Christopher was also fairly supportive of the 
  problem statement. Very interesting insight into how SSL & TLS 
  came to be, and some current crypto work at IETF.
Manu Sporny: Interview with Dick Hardt (of Amazon and lots of 
  Identity 2.0 / OpenID / OAuth work): 
  http://w3c.github.io/vctf/meetings/2016-01-29-1/
Manu Sporny:  Dick also was really helpful, thought very deeply 
  about the problem; we got a lot of really good feedback about the 
  previous initiatives that have played around in this area: OpenID 
  Connect, OAuth, SAML, and Dick's involvement in those 
  initiatives, and what he thought was achievable in the short 
  term.
Manu Sporny: Interview with Michael Schwartz (who has implemented 
  SAML, LDAP, OpenID Connect, OAuth2, and heads an Identity (OTTO) 
  initiative in the Kantara initiative): 
  http://w3c.github.io/vctf/meetings/2016-01-29-2/
Manu Sporny:  Michael had not had as much time to review it as 
  other folks had, but gave us really good feedback as well, 
  specifically about implementation and different factors 
  associated with the difficulty implementing SAML and OpenID 
  Connect.
Manu Sporny:  These interviews are added to the feedback we 
  received from Harry Halpin, David Singer from Apple, and others. 
  We only have 3 interviews left, if those people have time
Manu Sporny:  That's what we have so far as far as the interviews 
  are concerned. There are some things that we have consensus on, 
  and others we don't yet.
Manu Sporny: http://w3c.github.io/vctf/#problem
Manu Sporny:  We have consensus on the problem statement 
  generally
Manu Sporny:  We have gotten some good advice from Dick Hardt 
  that we shouldn't state it as user-centric and service-centric 
  (instead talk about privacy-centric and privacy-enhancing)
Manu Sporny:  Largely we have broad buy-in to the problem 
  statement. That probably means we can arrange some work around 
  it.
Daniel C. Burnett: There may be some control aspects as well 
  implied in our "user-centric" term.
Manu Sporny:  We also asked the question, where should this work 
  happen? W3C, OASIS, Kantara, IETF? Most folk felt that W3C would 
  be a good place for it, but some of the protocol stuff might be 
  pushed to IETF.
Manu Sporny:  There was no opinion that the work should not be 
  done.
Dave Longley: +1 to burn, some modeling aspects too
Manu Sporny:  Where we may have disagreement is that the current 
  pieces we have today (Oauth2, OpenID Connect, JOSE), what parts 
  they may play in a final technical solution. We are not at the 
  point of discussing a technical solution yet, so there may be a 
  fair bit of back and forth when we get to that point once we have 
  a working group.
Manu Sporny:  That is a general summary of what we have done, 
  where we have consensus, and where we may not. Any questions at 
  this point?
Matt Stone:  Manu, are you satisfied with the outcome of the 
  interviews?
Manu Sporny:  We are very satisfied with the outcome of these 
  interviews.
Manu Sporny:  The VCTF (this present group) was chartered to see 
  if there was consensus that there was work to be done. We feel we 
  have done this. We presented this stuff on a call with W3C Staff 
  yesterday and the staff representative was still unconvinced. 
  That is frustrating.
Manu Sporny:  If all the people we talk to in membership feel 
  there is work to be done, W3C is the place to do it, why is there 
  still resistance from w3c? Maybe one strategy is to summarize all 
  the work, package it up, so we don't dump an amount of 
  information that is too much to synthesize.
Manu Sporny:  The other concern was that if we don't have clear 
  Payments use cases...
Manu Sporny:  A good chunk of the invited experts we interviewed 
  said they don't feel the financial industry will be the first 
  movers on this. They expect the first movers to be the education 
  industry, which we have seen is true. They are organizations that 
  are comfortable with moving and putting in cash. Staff objects 
  that payments should follow, not lead, which opens up a question 
  of who should support this, maybe we should have a workshop 
  (which would set us back a number of months.)
Manu Sporny:  There are very clear payments use cases: Knowing 
  who's on the other end of a transaction, coupons, loyalty 
  cards...
Dave Longley:  While they were pushing back saying maybe the 
  Web Payments IG is not the best place for this, if there are 
  clear use cases that may not be primary, that could still make the 
  IG a good home for the work.
Manu Sporny:  We must focus on demonstrating that there are clear 
  web payments use cases, make it easy for the Web Payments IG to 
  make a case to the W3C Membership so the W3C doesn't get stuck in 
  an 8-9 month chartering process where a bunch of companies are 
  confused about what makes this separate from OpenID Connect etc.

Topic: Documents Needed By Web Payments Face-to-Face

Manu Sporny:  Let's jump to the next topic. There were 3 
  documents that would help prove this case.
Manu Sporny:  First: a summary pointing to statistics collected, 
  interview outcomes: Here's why the work should be done..
Manu Sporny:  Second: Use cases document
Manu Sporny:  Also: vision document, and maybe draft charter 
  proposal outlining the work that must be done over the next year
Richard Varn:  Seems like we keep running into this issue. Maybe 
  we can segment our statements. We have one component: overlap, 
  where we have common tasks addressed in the same way across 
  sectors (one part of a use case). They might also be interested 
  in things that are interdependent & mutually beneficial, but might 
  not be the same solution. 3. As we're deploying stuff that has 
  commonality, the fact that we're building the social fabric in 
  one industry, we
Richard Varn:  ... built the foundation that makes it possible to 
  use the technology in another industry, like payments.
Richard Varn:  ... Even if payments is not the first mover.
Manu Sporny:  I'm focusing right now on documents we can create 
  in the next three weeks
Richard Varn:  Maybe focus on things where we're all aligned
Manu Sporny:  Agree: outline the things that matter to 
  healthcare, finance, other...
Manu Sporny:  There are other stuff we don't have consensus on -- 
  people are pushing back on the protocol to move credentials 
  around, which we clearly need to build the ecosystem.  The thing 
  the working group would focus on is the spec that underlays the 
  ecosystem: ("if you want to express a credential on the web, this 
  is how you do it")
Manu Sporny:  We're trying to focus down on just the stuff that 
  we know there is broad agreement on.
Manu Sporny:  If we do that by the end of February, there is a 
  good chance the IG will push this forward.
Dave Longley: David Ezell (chair of Web Payments IG) more or less 
  said: "If there are 12 use cases and only 2 are payments use 
  cases, we could still push the work"
Shane McCarron:  Want to push back on the concept a bit that we 
  want to bury the extended use cases. I've been wanting to 
  percolate some small number of requirements that are backed 
  up by use cases that multiple industries need.
Shane McCarron:  I don't want to lose that important data about 
  all the other industries we're going to help at the same time.
Shane McCarron: No objection to prioritizing things out. 
  Architectural view is important.
Manu Sporny:  This is exactly what happened in the Web Payments 
  use cases: We had 130 use cases, of which much fewer were 
  specifically targeted. We had a huge number of use cases to paint 
  a picture of where we're going, but they didn't have a specific 
  point on the timeline.
Manu Sporny:  I raised that perspective and we got a lot of 
  pushback from Ian (W3C Management)
Manu Sporny:  If folks remember, we were getting pushed off for 
  starting this task force last year, and the membership overruled 
  management above minor objections that it was too early to start.
Manu Sporny:  It's good to hear staff perspective because they 
  have a lot of experience dealing with the management, but 
  sometimes they're too risk-averse.
Manu Sporny:  Best thing we can do right now is convince the 127 
  individuals in the Web Payments IG that this work is worth doing. 
  Make it very clear what that data is saying. We have use cases, 
  we have an idea on a charter. If we can do that by the end of 
  Feb, we stand a good chance of moving this to the next step, of 
  seeing whether the membership wants to approve a charter.
Shane McCarron: Note that there is nothing terribly unusual about 
  how long this is taking.  That doesn't make it any less 
  frustrating.
Manu Sporny:  One more parting thought: The whole reason we went 
  through the Web Payments IG on this was that the Credentials work 
  had spun out of the Web Payments (at the time) Community Group, 
  and we thought it would take less time to do this VCTF than to do 
  a workshop and go through the standard W3C process. At this point 
  it seems like the two approaches would have taken about the same 
  amount of time, with a caveat: Identity on the web has a huge 
  long history
Manu Sporny:  ... of partial successes and partial failures, and 
  it's because of that we're being slowed down. Know for certain 
  we've gathered way more data than a workshop on this sort of 
  stuff usually gathers.
Manu Sporny:  If the Web Payments IG sees what we're doing and 
  agrees with it, it will have been a good decision to have gone 
  this way.
Shane McCarron:  It doesn't make it seem less like we're pushing 
  a boulder up a hill only to have it roll back down, but doesn't 
  mean we take our marbles somewhere else.

Topic: Verifiable Claims Task Force Final Report

Manu Sporny:  Let's talk about the documents.
Manu Sporny: 
  https://docs.google.com/document/d/1dYup3KC2nak3LVTzyapr996TKxDj1w5Eyp4g13rQQBA/edit
Manu Sporny:  I've started filling out the document general 
  structure and themes
Manu Sporny:  Second page we have a bulleted summary of findings
Manu Sporny:  Page three, we break this up into topics we have 
  consensus on, and topics where there may be potential pitfalls 
  (topics we have not been able to dig into deeply enough yet at 
  this phase to see if there is consensus, but concerns have been 
  raised)
Manu Sporny:  This is where we want to hear feedback from the 
  folks who are in each industry. Richard, Matt, John Tibbetts, 
  that's where we'd want to hear a response to "there's no case for 
  using this in ___industry___"
Manu Sporny:  Clearly people who are at large billion dollar 
  businesses will be prioritized to get responses in this section
Shane McCarron:  Question: I know there's a couple interviews 
  left to do -- what's the timeline on a solid draft of this 
  document?
Manu Sporny:  We're not going to wait for those interviews -- 
  we'll let them know we'd love to talk to them, and we'll 
  incorporate feedback when we can talk to them, but we're not 
  going to wait. We contacted them three times. Hoping to have a 
  final draft by the 12th.
Manu Sporny:  Going to be presented on the 22nd of Feb
Shane McCarron:  I assume you want the use cases document solid 
  by then as well?
Manu Sporny:  Yes, solid = "in some shape we can present it to 
  the Web Payments IG" May be in draft form still, but presentable.
Dave Longley: +1 Burn, user centric is about more than just 
  privacy
Daniel C. Burnett:  You got one piece of feedback that 
  privacy-enhancing is better than user-centric and the 
  "privacy-enhancing" term appears in this draft, many in the group 
  think there is more meant by "user-centric" than the narrower 
  term.
Manu Sporny:  You are correct, put back "user centric" and added 
  a note that someone has suggested "privacy-enhancing"
Manu Sporny:  Many people said "user-centric" is problematic 
  because the OpenID work has co-opted the term to mean something 
  different than what is meant in this group
Manu Sporny:  For example, when we talked to Mike Schwartz: "user 
  centric is problematic because OpenID already does that, cuts the 
  legs out from your justification" "It doesn't matter what the 
  dictionary definition is -- of credential -- that's what 
  professionals in the security community think it means"
Manu Sporny:  Argument that Dick Hardt made that was convincing 
  was that if you focus on privacy-enhancing, the user-centric 
  aspects happen naturally
Dave Longley: There was also "self-sovereign" terminology
Dave Longley: Brought up by Christopher Allen
Richard Varn:  Three main pillars: knowledge, consent, & choice; 
  been working on privacy and policy statements around these three 
  things in commerce software.
Richard Varn:  Privacy-enhancing user-centrism is cool, but the 
  pillars are how the system is designed, and these adjectives then 
  describe it.
Matt Stone: +1
Dave Longley:  We also go down and list exactly what we mean by 
  user-centric and privacy-enhancing. I don't think we want to lose 
  the other things we mean by user-centric; analyze them and see 
  whether there is a different term that is not co-opted
Manu Sporny:  Here's the issue with the bulleted list: Nobody 
  read them. It became very clear that interviewees started talking 
  about user-centric without leading the list
Dave Longley:  Seeing a new term (other than user-centric) might 
  make it more likely that they would look at the supporting 
  documentation
Manu Sporny:  Let's think about it over the next week. Send good 
  fresh ideas to the mailing list
Manu Sporny:  We'll touch base on this next week to see if we can 
  find something not as problematic as "user-centric"

Topic: Use Cases Document

Manu Sporny:  Will take action to drive that document forward
Manu Sporny:  Excellent work from ShaneM, burn, and __ to get 
  that document into shape
Manu Sporny: http://opencreds.org/specs/source/use-cases/
Shane McCarron:  We've migrated the document into ReSpec, 
  coalescing the data from the original version of the CG use cases 
  document, pulling from multiple use case drafts.
Shane McCarron:  Three of us working on it, dividing by section 
  so we don't stomp on toes. We're trying to put these use cases 
  together as scenarios that support specific requirements.
Shane McCarron:  Hopefully also synthesizing the motivation for 
  each case, so people understand the motivation for each 
  requirement. We'll go through a quick cycle of prioritizing 
  things: Initially, Someday, etc. Gut feel reactions from editors 
  at the moment.
Manu Sporny:  How parallelizable is the work right now?
Shane McCarron:  Working very well, don't think we can divide it 
  any further
Manu Sporny:  Do you think we'll be done by the 12th?
Shane McCarron:  Will survey editors after this call to see how 
  they feel about it and redistribute effort if necessary.
Manu Sporny:  Any questions on where we are on use cases?
Manu Sporny:  Thanks a ton Shane and other editors for moving 
  this forward. It's looking good. You've made a lot of progress 
  over the last week

Topic: Draft Charter Proposal

Manu Sporny: http://w3c.github.io/vctf/charter/proposal.html
Manu Sporny:  We've got some pushback on presenting this at the 
  face to face meeting from the w3c staff contact. VCTF pushed back 
  on that saying "we need to get something in front of people so 
  they can see what we're doing"
Manu Sporny:  Where we have consensus so far is in data format 
  data model in expressing verifiable claims.
Manu Sporny:  Many have objected that this is not very useful 
  unless there is a protocol for how you deliver, request, and 
  store a credential
Manu Sporny:  In the interim we can submit a "W3C Membership 
  Note": "while we're getting consensus on this current scope, X 
  proposed protocol is what a number of organizations are deploying 
  because they can't implement without a protocol and can't wait 
  for the W3C and we expect the W3C to pick up this protocol at a 
  later date"
Manu Sporny:  Estimated 18 months to get data format to W3C Rec 
  status, and we may even start protocol work before the data 
  format group work is wrapped up
Manu Sporny:  Any company on the call pushing a solution into 
  the market that needs a W3C standard stamp on the protocol? Or 
  are folks comfortable implementing something that doesn't have 
  the stamp on it?
Matt Stone:  We're hearing from our user base that this topic is 
  important
Manu Sporny:  Would it be enough if you could point to official 
  work on data format that is already happening? Would those 
  stakeholders feel OK with your commitment to standards in that 
  case?
Matt Stone:  One of the reasons we're so interested in the 
  success of this group: we're promising that we're contributing..
Eric Korb: Accreditrust is pushing for a solution for standard 
  from this group
Nate Otto:  Badge Alliance Community, we also need a protocol - 
  the one that was devised in 2012 - the one that came out of 
  Mozilla - sending/requesting badges - the same sort of problems 
  that are expected in the protocol work you're talking about - 
  just Friday Mozilla made efforts to release more of the ecosystem 
  to community control. [scribe assist by Manu Sporny]
Eric Korb: Stone, +1
Nate Otto:  We're going to need to work on this protocol sooner 
  than later - adopting something from W3C would be good - if it 
  was official W3C work as opposed to an alternative to the Mozilla 
  protocol. [scribe assist by Manu Sporny]
Nate Otto:  We do need to move pretty fast - we need a 
  replacement protocol pretty soon with modifications to Mozilla 
  protocol as a polyfill. [scribe assist by Manu Sporny]
Manu Sporny:  We can certainly work through the technical 
  protocol in the CG and submit a member submission pretty quickly, 
  but it wouldn't mean much
Nate Otto:  I think the best course of action is to maintain a 
  good idea of where proposals are in the standardization process. 
  We don't want to align with something that's headed down a 
  different track. [scribe assist by Manu Sporny]
Henry Story: https://www.w3.org/TR/ldp/
Henry Story: https://www.w3.org/wiki/WebAccessControl
Henry Story:  There is the LDP work which is a protocol standard, 
  but they never added authentication to it. There is a web access 
  control thing people have implemented that can be added to that, 
  which allows you to authenticate with any kinds of means (OpenID, 
  Web Signature). There might be something that could be done in 
  parallel. If the credentials work works with it, perhaps that 
  could be tied in and completed at the same time.
Manu Sporny:  We've looked at LDP, the issue has been that some 
  of the protocol is expected to be built into the browser (a 
  credential management API)... that does malware/site checking, 
  authorization. The LDP stuff is really good for automated 
  credential exchange that happens behind the scenes. LDP would be 
  one way to ship these credentials back and forth. That's why in 
  the first phase of the work we propose just expressing the 
  credential.
Manu Sporny:  Some of our feedback from invited experts is that 
  you shouldn't try to "pick a winner" protocol, because this stuff 
  might be reused in other/multiple protocols.
Manu Sporny:  Because of some concerns: while LDP might work 
  for some use cases, it specifically might not work for some 
  education partners.
Henry Story:  Would be interesting to get some feedback on what 
  those concerns were, LDP is working to adapt
Matt Stone:  Seems like the last few minutes have been mixing 
  concerns from the VCTF and the Community Group work that had been 
  working on this bigger vision
Eric Korb: Stone, +1
Shane McCarron: +1
Manu Sporny:  Agreed, that sounds like very good input. As the 
  task force wraps up around the end of this month, we'll start CG 
  calls again and get back into that.
Henry Story: Yes, agree. I was just responding to the concern 
  that some people expressed that they may need a protocol with a 
  W3C stamp of approval to move their work forward in their company

Received on Friday, 5 February 2016 22:27:15 UTC