Verifiable Claims Telecon Minutes for 2016-01-27

Thanks to Matt Collier and Dave Longley for scribing this week! The minutes
for this week's Verifiable Claims telecon are now available:

http://w3c.github.io/vctf/meetings/2016-01-27/

Full text of the discussion follows for W3C archival purposes.
Audio from the meeting is available as well (link provided below).

----------------------------------------------------------------
Verifiable Claims Telecon Minutes for 2016-01-27

Agenda:
  https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Jan/0062.html
Topics:
  1. Problem Statement
  2. OpenID Connect
  3. Definitions and User-Centric vs. Service-Centric
  4. Respect Network
  5. Portable Identifiers
  6. Ideal Place for Work
Organizer:
  Manu Sporny
Scribe:
  Matt Collier and Dave Longley
Present:
  Matt Collier, Manu Sporny, Drummond Reed, Dave Longley, David I. 
  Lehn
Audio:
  http://w3c.github.io/vctf/meetings/2016-01-27/audio.ogg

Matt Collier is scribing.
Manu Sporny:  Thank Drummond for being here today.
Manu Sporny:  We're asking people who have been in identity space 
  for decade+
Manu Sporny: http://w3c.github.io/vctf/
Manu Sporny:  The new initiative is called verifiable claims and 
  W3C is trying to decide if we should do work there.
Manu Sporny:  We have a problem statement, scope of work
Manu Sporny:  We are trying to figure out if people like yourself 
  feel the work is worthwhile and generally get your thoughts on 
  the topic

Topic: Problem Statement

Manu Sporny:  We're going to go over the problem statement and 
  get your thoughts
Manu Sporny: http://w3c.github.io/vctf/#problem
Manu Sporny:  We start with assertion that there is no 
  user-centric solution on the web right now.
Manu Sporny:  We believe that people want to create a 
  user-centric ecosystem
  ... do you agree with that statement
Drummond Reed:  I strongly agree.  Existing solutions are heavily 
  service-centric and there does not exist a user-centric system.
  ... any system where the identifier for the user is ... where 
  the claims are not portable, is not user-centric
Manu Sporny:  We assert there are a number of problems with 
  service-centric systems.
  ... people cannot easily change their identity provider or 
  service provider without losing their digital identity.
  ... do you have any comments on that statement?
Drummond Reed:  If anything, that statement is not strong enought
  ... the issues you're pointing to are issues for users, not for 
  service providers.
  ... systems that give users independence must be reflected in 
  the protocols and standards
  ... openid, oAuth and OpenID do not address that issue.
  ...  it's hard to quantify what would happen in the marketplace 
  if a user-centric standard exists
  ... credit cards could be used as an analogy.  No one could 
  have predicted the impact that credit cards have had.
Manu Sporny:  How deeply involved were you in the OpenID process?
Drummond Reed:  I was one of the founding board members.
Dave Longley is scribing.
Drummond Reed:  I was deeply involved with OpenID 1.0, and some 
  of the early OAuth stuff, the InfoCard Foundation (Executive 
  Director), and left at the beginning of OpenID Connect. 
Drummond Reed:  I was on the OpenID board until we transitioned 
  to OpenID Connect. OpenID generation 1 was the original protocol, 
  when it was started, the foundation then started to standardize 
  OpenID 2 and that was to bring all the protocols together and 
  make a standard and that was not succeeding the face of 
  facebook/social login. Third generation leveraged OAuth because 
  it had taken off and it became OpenID Connect. I wasn't involved 
  in finalization of OpenID  Connect.
Manu Sporny:  Do you think that OpenID Connect solves this 
  problem and we can just use it to carry these claims or maybe 
  just add an extension?
Drummond Reed:  No, we need a big architectural shift.
Drummond Reed:  I can try to articulate why...

Topic: OpenID Connect

Drummond Reed:  What OpenID Connect still doesn't address is 
  portability of user's digital identity and their claims. I 
  personally have been convinced some time now that we're only 
  going to get there by moving to a semantic graph model for 
  modeling identity and claims.
Drummond Reed:  If you don't take that step it's not adaptable, 
  extensible enough to do it. Otherwise you're just going to get 
  single-sign on at best.
Manu Sporny:  Can you be more specific with technologies when you 
  say semantic tech?
Drummond Reed:  The identifiers need to be portable and are 
  supported with semantic graphs and linked to claims for the user 
  or organizations and that will provide the technological basis 
  for interop and portability for broad adoption.
Manu Sporny:  So tech like the XDI work you've been involved in 
  for a long time and Linked Data at W3C?
Drummond Reed:  Yes, those are the two things I would point to.
Manu Sporny:  Moving to the second bullet point -- about no 
  interop standard that cuts across industries. Industries create 
  their own solutions and they are costly and don't work across 
  lines. I think you've covered that but do you find any language 
  in there to be long?
Drummond Reed:  I wouldn't change a word, I'd emphasize that if 
  you break out of industry specific solutions you will enable a 
  whole new level of not sure e-commerce but e-business; 
  relationships that can take place online today but just can't 
  today because of too much friction.
Manu Sporny:  Third point, asserting qualifications on the Web is 
  hard. Do you know of any tech that makes it easy to do today?
Drummond Reed:  That is an unsolved problem. There's been no 
  adoption not even slight-adoption, only industry specific 
  solutions, no standard. It was in scope for OpenID and OpenID 
  attribute exchange, the center of the bowling alley for InfoCard 
  and neither one made a dent in that part of the problem. I'm very 
  close with the OpenID community and I don't want to go on record 
  as saying it hasn't worked, as they are still working on it, but 
  that doesn't change my mind that until you move to a semantic 
  graph model or the claims and the sharing of the claims and make 
  it portable you won't get over the hump.
Manu Sporny:  We've done these interviews with a variety of 
  different people and some are asserting that OpenID attribute 
  exchange handles it and that's all we need plus some JOSE stuff 
  with JOTS, etc. and that's all you need, the problem is solved. 
  That's all the tech you need for verifiable claims, do you 
  agree/disagree/partial agree/thoughts?
Drummond Reed:  I think you can absolutely make a case that the 
  OpenID Connect architecture is designed to provide claims and I 
  honestly have not gone back down into the standard and looked at 
  attributes and see if they provide signed claims that can be 
  stored independent of the service provider and do they provide 
  portability. I don't believe the answer to any of those is yes. 
  But I'm qualifying that by saying I haven't dived back down into 
  it to make sure that's true.
Manu Sporny:  Do you know of anyone we could definitively ask 
  that of?
Drummond Reed:  Sure, John Bradley, Mike Jones, Matt Zakamura and 
  I've known all three for a long time, all involved w/OpenID and 
  2/3 involved with InfoCard. If you're going to get the strongest 
  "yeah, this is why we solved the problem" it would be from them. 
  All very articulate. I'd point you at John Bradley first maybe I 
  can get you an intro.
Manu Sporny:  Ok, we haven't heard from them yet, only hearing 
  3rd-4th hand from others saying the problem is solved but we want 
  to dig in and get answers from people closer to the source.
Manu Sporny:  We'd love an intro w/John Bradley.
Drummond Reed:  I'd be happy to do that.
Manu Sporny:  That's the problem statement. We're asserting that 
  this is not a solved problem, specifically we're saying 
  "user-centric mechanism" standard is not a solved problem. We're 
  contrasting that w/service centric mechanism. We're saying you 
  can do service-centric things today, but as you said you can't 
  express this information as a semantic graph and people can port 
  claims from one place to another and that's where we need to do 
  some work.
Drummond Reed:  Yeah.

Topic: Definitions and User-Centric vs. Service-Centric

Manu Sporny: http://w3c.github.io/vctf/#definitions
Manu Sporny:  We say verifiable claims are a set of statements 
  that are cryptographically verifiable 
  (non-repudiable/authentically made)
Manu Sporny:  That's what we're calling a verifiable claim.
Manu Sporny:  Any questions on that?
Drummond Reed:  Nope, very clear.
Manu Sporny:  User centric vs. service-centric [manu reads 
  definition].
Manu Sporny:  An example of service-centric would be 
  facebook/twitter ID, logging in with social login is a service 
  centric experience. You don't pick your credentials from wherever 
  you want to store them, you have to store them at 
  facebook/twitter/etc.
Manu Sporny:  Is that clear?
Drummond Reed:  Editorial writing feedback -- if you read through 
  the ramifications of each it makes it clear. The opening 
  statement about placing people at the center of the ecosystem is 
  too vague.
Drummond Reed:  If you didn't have the ramifications the 
  definitions aren't clear enough. I'd be happy to work with it 
  looking at ramifications. This is near and dear to my heart 
  because with Respect Network we're building a whole user-centric 
  system. We started with five principles for what this means in 
  law and I'm not suggesting you go that far, but there's a level 
  of precision and depth that's not here yet.
Manu Sporny:  We'd love some help with updating the language 
  here, something terse or good explanation of these things.
Drummond Reed:  Sure.

Topic: Respect Network

Manu Sporny:  Could you go into the Respect Network more and 
  those five tenets, etc?
Drummond Reed:  Sure, but not too deep we'd spend the whole call 
  on it :).
Drummond Reed:  User-centric claims and users having control of 
  their claims ... if you said there was a network, similar to a 
  social network, where when you join the network you aren't only 
  getting portable identifiers, and a semantic graph you can use, 
  but you are guaranteed, legally, in the membership agreement, if 
  you promised permission, protection, portability, and proof.
Drummond Reed:  The promise is that every member of the network 
  is making the same promise, it's mutual amongst all members.
Drummond Reed:  Permission means all data, all claims is viewed 
  by permissions.
Drummond Reed:  Protection: When you accept shared data you agree 
  to protect it.
Drummond Reed:  Portability: The identity and data of any member 
  is portable you can't lock it in, it's based on semantic graph.
Drummond Reed:  Proof: Enforcement of that agreement on the 
  network is via a reputation system on the network itself. At a 
  baseline it just establishes the level of trust people or orgs 
  have in you.
Manu Sporny:  Is there a network of any kind that meets these 
  five principles today?
Drummond Reed:  Absolutely not that's why we're building it :)
Drummond Reed:  One of my great interests in this work is 
  portable digital identity is fundamental, we can't build our 
  network without it. It's a starting place, not an ending place.
Manu Sporny:  We're about half-way through. The general question 
  is: Do you feel that there's a certain part of this problem that 
  should be tackled before the others? If you agree with problem 
  statement and user vs. service centric. Do you feel that just 
  working on the data format like the semantic modeling portion of 
  it, is that enough? Or do you feel like you have to work on the 
  data format and the protocol for issuing, storing, requesting, 
  ... do they have to be done in parallel or can it be phased work?

Topic: Portable Identifiers

Drummond Reed:  I'm always in favor of phasing the work but I 
  don't think that the architecture and the tech solution can be 
  separated out that way. I think you have to look at this 
  wholistically. There are three legs of the triangle. Data format, 
  protocol, and the identifiers. You need that pyramid right for it 
  to hold up. I would argue that whole huge efforts in the industry 
  have failed for that reason.
Manu Sporny:  Because of a lack of portable identifiers?
Drummond Reed:  No, that's not the only reason, but spending 
  literally 15 years on that one core aspect ... it's a lot harder 
  than it looks. It's more important than it looks.
Drummond Reed:  If you don't pay attention to that, then you'll 
  find that all the claims and the protocols wind up being service 
  centric and I want to put a fine point on that. OpenID said 
  they'll solve it by giving everyone a URL. That was a starting 
  point going into it.
Drummond Reed:  They didn't recognize that URLs aren't designed 
  to be portable identifiers.
Drummond Reed:  That's one aspect .... I could go on for hours. 
  Claims that aren't expressed as a semantic graph ... the entire 
  InfoCard effort expressed claims as XML and not a semantic graph 
  and it looks easy and straighforward and we hit the wall.
Drummond Reed:  And the protocol, don't get me started.
Manu Sporny:  We do want to hear about it!
Manu Sporny:  But first, what are the minimum requirements for 
  the identifier?
Manu Sporny:  You're saying URLs (as in, http-based URLs) aren't 
  the solution. What is the solution?
Drummond Reed:  I can give a fairly short answer, I think the 
  WebDHT spec, it's just a draft but it was fairly well-articulated 
  there.
Drummond Reed:  It's not that an http-based identifier could not 
  be portable it's that the design of DNS is fundamentally ... is 
  not ... there are aspects of portable identifiers that aren't 
  addressed by DNS you have to move to URNs or OIDs ...
Drummond Reed:  DOI.
Drummond Reed:  To get into the space of identifiers that are 
  designed for persistence.
Drummond Reed:  Ultimately the challenge is in that triangle.
Drummond Reed:  I assume you guys are familiar with that.
Manu Sporny:  Yes.
Drummond Reed:  You want persistence, portability by the user, 
  controlled by the user. Providing that technically and making 
  that usable is really hard.
Manu Sporny:  Right.
Manu Sporny:  We have been met with a fair bit of skepticism with 
  this initiative that comes in various forms -- one of them is: We 
  don't see how this problem statement is any different from OpenID 
  Connect or SAML or Liberty, etc. those previous things. Do you 
  see what the difference is or do you still think that the way 
  we've worded the problem statement is unclear? How we're trying 
  to differentiate this work.
Drummond Reed:  I do see the difference in a major way. I can see 
  why others are looking at it and saying "not enough of a 
  difference" and it's a matter of perspective of these underlying 
  problems.
Drummond Reed:  I attended a previous call and followed links to 
  read about the critiques and they are good and real. The 
  challenges of moving from centralized authorities to 
  decentralized ones and claims are enormous.
Drummond Reed:  They are hard problems.
Drummond Reed:  And you have entrenched interests, some are 
  disinterested or actively opposed to decentralized solutions 
  because it's threatening.
Drummond Reed:  I'm not sure what the best way to deal with that 
  is. I do agree to more precisely articulate existing systems and 
  why they don't solve the user-centric problem ... the better you 
  can do that the more obvious it becomes that this work is needed. 
  I don't know, on a political basis, if it's a winnable war. I've 
  left that area to go to the startup side ... enough arguing and 
  we'll just build something. We'll build some on open standards 
  and otherwise just invent what we need that isn't there.

Topic: Ideal Place for Work

Drummond Reed:  I think W3C has done great work with JSON-LD and 
  that's really helped open things up and I do think if something 
  can be done this is the right group to do it.
Manu Sporny:  You think this is a solvable problem (not a 
  technological one), but it's not like we're talking about faster 
  than light travel, it's feasible... 2 or 3 years if we can head 
  in the right direction.
Drummond Reed:  Absolutely.
Drummond Reed:  I'm not saying that XDI is needed for something 
  like that.
Drummond Reed:  JSON-LD is a solid foundation, the WebDHT work, 
  blockchain tech. All the crypto is there.
Drummond Reed:  Really the problem is getting to consensus and 
  code bases that will implement.
Drummond Reed:  That will implement portable claims and digital 
  identity.
Manu Sporny:  Where do you think the work is best done?
Manu Sporny:  You're moving to the startup realm and you'll be 
  building and deploying there and that's one way to go about it. 
  Another way is to go to a standards body and do the work there 
  and they can actually be done in parallel, those two things. 
  Which standards setting org is the best to make rapid progress? 
  OASIS? W3C? IETF? Something new?
Drummond Reed:  The only clear answer is not the latter. Org 
  after org happened to help with this ... arguable OpenID 
  foundation could have done a fork inside one of the existing ones 
  but it didn't politically happen that way. I don't think you need 
  a new one, I could be wrong, if entrenched interests won't sign 
  on, etc. I'm almost certain ... I can hear people "in my hear" 
  saying that is what OpenID foundation is for and it should be an 
  OpenID WG. I really don't know ... my experience has been with 
  OASIS for a long time, yours has been with W3C and that has 
  produced some outstanding stuff and IETF is always going to be 
  there. I don't have enough experience with those other orgs to 
  guide you there.
Manu Sporny:  So I'm scanning down the list of open questions 
  that we had...
Manu Sporny:  And you've given us fantastic answers and the 
  amount of insight you have is really great and perhaps the 
  deepest we've gotten to date because of your heavy involvement 
  over the last 15 years.
Manu Sporny:  So thank you. We already asked the question if 
  there is tech that can solve this problem ... but are there techs 
  today that could solve bits and pieces of it? What bits of OAuth2 
  would you use and what bits of OpenID Connect or JSON-LD would 
  you use? Can you identify really interesting tech that you feel 
  would accelerate the process? Do you have any strong feelings 
  about any of that?
Drummond Reed:  I have very strong feelings that the basis for 
  the solution has to be semantic graph. Complete conviction.
Drummond Reed:  RDF and JSON-LD will absolutely do the trick, XDI 
  will eventually but it's still very young. I don't think you'd 
  want to try and use it to solve this problem.
Drummond Reed:  The crypto I am a huge fan of the what the 
  bitcoin community has developed. I've been getting steeped in 
  that, working with Christopher Allen. I absolutely believe that 
  ... I'm realizing early on that there's one thing I didn't 
  mention that I can point to ... my own thinking has evolved 
  tremendously in the last year. What's not addressed in the 
  existing protocols OpenID, SAML, you name it, what's missing 
  completely is key management. Specifically user-centric key 
  management. It just doesn't exist -- no animal meets that 
  requirement. The closest thing you can come to is bitcoin wallet. 
  That's because it's based entirely on proof of control. If you're 
  going to provide portable identity and portable claims with real 
  control by the user, then you have to solve that problem.
Drummond Reed:  You have to solve the problem of user-side 
  control of key management.
Drummond Reed:  What the bitcoin community has done with keys and 
  how it's going with key recovery and building that in with the 
  overall solution is going to be what's required to "really hand 
  over the keys to the user".
Manu Sporny:  Haha, ok that's great. We've gotten a lot of great 
  info from you today.
Manu Sporny:  We'll be reporting all of this back to W3C 
  management and the VCTF group, etc. Do you have any other 
  thoughts or concerns about the work?
Manu Sporny:  Before we close this discussion out?
Drummond Reed:  Not really. I'm tremendously interested to see if 
  ... it's like being interviewed for a presidential election ... 
  here's my opinion by what's going to happen here? I'm interested 
  to see what W3C does, to see if a WG gets started.
Manu Sporny:  We're trying to get a WG after the next 3-4 months 
  and we're going due diligence since this is a well-trod road and 
  W3C wants to make sure we talk with people like you, etc.
Manu Sporny:  Do you see what we're trying to do as different 
  this time around?
Drummond Reed:  I think that sums up the whole interview -- if 
  the aspects of the problem that we've talked about are 
  specifically in the charter of this new group, then it can 
  actually solve the problem and get user-centric, interoperable 
  claims in a way that won't be gotten to ... OpenID aspires to 
  that (SAML doesn't), OpenID people would say bring it here and 
  we'll make it the next generation of what we're doing. From my 
  perspective, I don't know about the political standards battle. 
  But we *have* to get to semantic graph. portable identifiers, and 
  user control, key management and then we'll finally get where 
  industries have been trying to get. If you can put together the 
  effort that will tackle those things then we will get there.
Drummond Reed:  Brad Hill's critique was very articulate about 
  the challenges.
Drummond Reed:  I believe they are all solvable but they are real 
  challenges.
Manu Sporny:  Thank you again for all your time, we really 
  appreciate it.
Manu Sporny:  We'll CC you on that so  you can make any 
  corrections. Thanks so much.
Drummond Reed:  I'd be happy to help any way I can.

Received on Wednesday, 27 January 2016 23:13:49 UTC