- From: Kumar McMillan <kmcmillan@mozilla.com>
- Date: Thu, 10 Oct 2013 11:18:29 -0500
- To: Manu Sporny <msporny@digitalbazaar.com>
- Cc: Web Payments <public-webpayments@w3.org>, Dan Callahan <dan.callahan@gmail.com>, Shane Tomlinson <stomlinson@mozilla.com>, Lloyd Hilaiel <lloyd@mozilla.com>, Ben Adida <ben@adida.net>
Thanks for posting the minutes. Interesting stuff. I was indeed interested in replacing JWT with JSON-LD for navigator.mozPay() because it solved a lot of problems in how you can link data with URLs and external contexts. However, I still want to wait until there are at least as many JSON-LD developer libraries as there are for JWT (or at least a few more major languages). It sounds like that will happen very soon. -Kumar On Oct 9, 2013, at 2:38 PM, Manu Sporny <msporny@digitalbazaar.com> wrote: > Lloyd Hilaiel, from the Mozilla Persona identity team, and I found a bit > of time to talk about payments, persona, and identity this morning. The > goal of the discussion was to figure out how we could leverage the > Persona work for the identity work we're doing in the Web Payments > Group. I think we were largely successful in finding a solution that > wouldn't complicate Persona and that would work for the Web Payments > identity requirements. > > The call was recorded and minuted to make sure that others that need to > know this information have easy access to it: > > https://payswarm.com/minutes/2013-10-09-persona/ > > Full text of the discussion follows for archival purposes at the W3C. > Audio of the meeting is available as well (link provided below). > > -------------- > Web Payments & Persona Telecon Minutes for 2013-10-09 > > Agenda: > http://lists.w3.org/Archives/Public/public-webpayments/2013Oct/0026.html > Topics: > 1. Persona, Identity, and Payments > 2. JSON-LD vs. JOSE > 3. JWT support for Extended Attributes. > Present: > Manu Sporny, Lloyd Hilaiel > Audio: > http://payswarm.com/minutes/2013-10-09-persona/audio.ogg > > Manu Sporny is scribing. > > Manu Sporny: To be clear, the part of the Agenda that this call > is about is item #4: Identity and Payments > > Topic: Persona, Identity, and Payments > > Manu Sporny: Thanks for taking the time to talk about Persona / > Financial Identity. Would you like some background before we > start? > Lloyd Hilaiel: High-level background would be great. > Manu Sporny: I just spent a considerable amount of time at world > banking conference. it gathers all 6,900 international banks > under one roof to talk about issues. One of those is bank > standardization. Banks have an issue with identity > standardization right now, it's expensive, not standardized at > all, etc. Know Your Customer verification covers government > issued ID, you're not on terrorist watchlist, etc. When someone > walks into a bank branch, they keep having to verify people and > pay for it. > Manu Sporny: It would be better to have a bring your own > identity mechanism - get an assertion from the government that > says they're a citizen or live at a particular address, when they > need to prove that, they can just provide that assertion to the > service. We'd like to figure out a way to extend Persona in a way > that is simple, but provides richer identity mechanisms for banks > and financial institutions. > Manu Sporny: We have a way that Persona could provide a > bootstrapped mechanism into this, but we need to know if what we > need to do is do-able. > Manu Sporny: What we were going to do was to say that the > financial institution should become a Persona identity provider. > The financial institution gives them an e-mail address, like > lloyd@paypal.com. > Manu Sporny: When you go to login to a site that you want to buy > something, or prove that you have a particular shipping address > or govt. ID, you'd login w/ Persona and the assertion provided by > the bank would include extra data. For example, an identity URL > that is compatible with the Web Payments standards. It could > contain a bitcoin address, etc. The question we have is - is that > in the persona design? Could an identity provider include other > information that the identity consumer could use to bootstrap a > discovery process. > Lloyd Hilaiel: I think the answer is yes. > Lloyd Hilaiel: Let's be clear. This would be data in the > certificate asserted by PayPal. > Manu Sporny: Yes, they could also be endorsements by a 3rd > party, but let's keep it simple for now and say that only PayPal > is making the assertions. > Lloyd Hilaiel: Yeah, you could include other data signed by > other people. > Lloyd Hilaiel: There is a concern here about information > leakage. > Manu Sporny: Yes, we're concerned about information leakage. For > example, in PaySwarm you can have multiple identities and each > one of those identities is going to have information that you > want to share and information that you don't want to share. In > some cases you want people to know your shipping address, in > other cases, you don't want people to know your shipping address. > Lloyd Hilaiel: So, shipping address is something that might be > in some certs and not in others. > Manu Sporny: Yes, but let's not go that far. All we want to do > is provide some sort of bootstrapping mechanism. So, the only > thing we're talking about emedding in the Persona assertion is a > URL. If they want to find out more information, they go through > something like an OAuth token request to get the shipping address > or govt ID number. Whoever owns the identity is going to make > that decision. > Manu Sporny: That won't be part of the Persona process. All we > need Persona to do is to assert a payment processor identity URL. > So, to answer your question, we're not going to put any > information in there that could leak personal details about that > person (into the Persona certificate). > Lloyd Hilaiel: One could imagine extensions to Persona to allow > other data to be embedded in the certificate. Identity providers > need to make sure that they don't leak information. Maybe they > can select between multiple certificates. > Lloyd Hilaiel: In the beginning, if there is information that > the identity provider is comfortable embedding in the > certificate, then I think we're talking about a very small change > to add extended attributes to Persona. I thought that already > existed in Persona. > Lloyd Hilaiel: The only thing you need is extended attributes in > Persona assertions... is that correct? > Manu Sporny: yeah, that's all we'd need. The line we're talking > about adding looks like this: paymentIdentity: > "https://dev.payswarm.com/i/manu" > Lloyd Hilaiel: We need to refresh our JWT implementation and > conform w/ the latest version of JWT, it would be interesting to > understand the ext parameter to view expected attributes. > Manu Sporny: I think that was pulled out, but maybe I'm > mis-remembering. > Lloyd Hilaiel: As a follow-up, let's look at JWCrypto to see how > difficult it would be to add it (if it's not already there). Then > we can just let a thousand flowers bloom. > Lloyd Hilaiel: There is an interesting related use case, we're > using Persona internally at Mozilla, our identity provider > ensures that only people that should be able to see data can see > it. Our systems require canonical email, so that could be extra > information added to the payload as far as Mozilla is concerned. > That would be a good test. > Lloyd Hilaiel: There is a line here that you have to walk, you > could cause users to expose information that they never wanted to > expose. > Manu Sporny: Yes, we have the same sort of issue in the Web > Payments world. For example, we have anonymous identities that > only the identity provider and the customer know about. Someone > outside the system wouldn't be able to track that anonymous > identity back to the person. To be clear, we still follow the > letter of the law, you can be a government and demand to know who > the anonymous identity is, but only a legal mechanism can extract > that information. So putting the anonymous identity and a > real-world identity together in a Persona assertion would be a > terrible thing. > Manu Sporny: Yes, so information leakage is a big issue, which > is why we only want to do, at most, one extra line in the Persona > assertion. The more information you add, the more combinatorial > information leakage issues you face. > Lloyd Hilaiel: This brings up another issue. We would like to > encourage identity providers that use site-specific > pseudoanonymous identifiers that you can choose to eliminate and > remove from your own identity. In order to enable this, Persona > would need to give the site a deterministic, user-specific, > site-specific string/token so that they could reliably generate a > site. That's one case where leaking/fingerprinting that the > identity provider can't track where you can go on the Web. It's a > tension that we haven't been able to figure out. You may want to > do a deal with your identity provider to give you information to > specific sites. > Lloyd Hilaiel: A specific certificate that is specific to a > particular target origin, that's a tricky call. > Manu Sporny: Some identity providers are going to provide that > functionality because it eases the whole experience. > Manu Sporny: Look at payments on the web. There are many cases > where people don't want to be bothered w/ typing out their > shipping address. In the Web Payments case, Amazon.com could make > a request to an identity URL to pull shipping information. It's > like giving them an OAuth token to get your address information. > So, the shipping address assertion wouldn't live in the Persona > assertion, it would live in another database/process outside of > Persona. Then Amazon.com could ask for the shipping address by > making a direct query against the identity provider, and if > they're in the access control list, the identity provider gives > the information to Amazon. > Manu Sporny: Specifically, in the web payments case, that is > going to be the norm. The person that has the identity and the > identity provider, they will authorize certain sites to get data > w/o their continouous authorization. > Manu Sporny: There are other things that come into play wrt. > what sort of information it can give out and/or protect. This is > all really complicated and specific to the use cases. Either > Persona is going to take all of these use cases into account, or > you're going to have to push these features into another spec > that deals w/ this sort of stuff. > Manu Sporny: There are many organizations that require an > identity mechanism that can contain SSNs and government ID > numbers. > Manu Sporny: My assumption to this point is that Persona team is > primarily focused on the basic login problem. > Lloyd Hilaiel: As of today, yes, that's correct. We don't want > to blow up the Persona spec, we want to layer stuff on top. We > want to solve the login/auth problem in a way that's forwards > compatible. Let's solve the 80% case, a simple protocol that can > be built into browsers. > Lloyd Hilaiel: I think this boils down to being able to have > extensions in the Persona assertion, it allows freedom to > experiment. > Manu Sporny: So, I think that we can be a canary in the mine as > far as extended attributes are concerned. We'd really like to use > Persona for the identity mechanism. it doesn't make sense for us > to do something ourselves. We're going to push Persona and we'll > try to add the extended attribute stuff. Seems like you're saying > that there is a desire to work on that sort of thing in the > future. If it's a simple mechanism, like using extended > attributes in a JWT, then problem solved. It also shows that > Persona can be extended to handle the more complex identity use > cases. > Lloyd Hilaiel: Yes, I'm going to look at the code. > > Topic: JSON-LD vs. JOSE > > Manu Sporny: the other thing I wanted to discuss was the use of > the JOSE stack vs. JSON-LD: > http://manu.sporny.org/2013/sm-vs-jose/ > Manu Sporny: That's going to be a much more difficult > discussion, because it could result in a lot of work for you > guys. > Manu Sporny: We've been working w/ the Mozilla Badge team about > JSON-LD. JSON-LD has gotten a good bit of pickup - Google is > using it in Gmail, IBM is using it for Activity Streams. There > are ways of doing digitally assigned assertions that is better > than the way it's done in JOSE. JSON-LD could express Persona > assertions and other things that we've been talking about, > express it more simply, etc. > Manu Sporny: We're also talking w/ Kumar at MozPay, I think we > convinced them to switch to JSON-LD right before they decided to > drop MozPay in preference of a secure frame. We have a pretty > decent track record of approaching people using JOSE and talking > about benefits of JSON-LD over JOSE. The ability to add arbitrary > data into Persona assertions would be a big benefit. Now, the > downside is ripping out JWT and putting in JSON-LD could be a > considerable amount of effort. One potential option here is that > we support JWT and JSON-LD in the Web Payments Persona identity > solutions. We're using JSON-LD for all of the other messaging on > the network, if we could provide the assertions in JSON-LD, then > that would be great for the Web Payments stuff. > Manu Sporny: Even if its the Web Payments based websites use > JSON-LD version of Persona. > Lloyd Hilaiel: I'm skimming your blog post right now, the > comparison looks very thorough. For us, there are some format > changes we want to make in the coming months. Stuff like hex in > some places, base-64 in some places. Being able to have multiple > keys as an Identity Provider, you can do key revocation and > change keys in a way that has no user impact. > Lloyd Hilaiel: If you have a breach, then pull the key, you're > good. > Manu Sporny: yes, and that's the sort of thing you can do in > JSON-LD easily. We have a Web-based PKI mechanism which is really > nice. > Manu Sporny: When you digitally sign something, you use > web-based key, so for example: > https://dev.payswarm.com/i/manu/keys/4 > Manu Sporny: So, JSON-LD is very web-based, more than JOSE. > Manu Sporny: I just wanted to make sure that we could at least > have a discussion about it. > Lloyd Hilaiel: Is anyone else on Persona team aware of this? > Manu Sporny: I posted the link once, but I don't think anyone > read it because you guys are pretty busy. > Lloyd Hilaiel: Ok, I'll take two actions - look at extended > attributes, and look at JSON-LD. We want something more formal by > the end of the year. Now is a great time to read the blog post > and consider what this would look like. > Manu Sporny: If you need any details, JSON-LD community would be > happy to help. > Manu Sporny: That's pretty much all I had for today. Extended > attributes can be done. JSON-LD/JOSE discussion can be pushed off > until you guys are ready to talk about it. > Manu Sporny: Thanks so much for taking the time to chat about > this stuff. > Lloyd Hilaiel: Sorry that it took so long to sync up. > Manu Sporny: You guys are doing an absolutely fantastic job w/ > Persona, we're really impressed with it. Keep up the great work! > Lloyd Hilaiel: Thanks! > Manu Sporny: I'll go back to the Web Payments group, tell them > the plan to use Persona. We'll devise the technical details of > how we're going to do this, and then we'll implement Persona as > the login mechanism for the Web Payments stuff. > Lloyd Hilaiel: Great, we're here to support you, just let us > know how we can help. > > Topic: JWT support for Extended Attributes. > > Lloyd Hilaiel: so Manu, when I look at the jwt spec, it seems > like the provision for extensions are discussed here: > http://tools.ietf.org/html/draft-ietf-oauth-json-web-token-12#section-4.2 > Lloyd Hilaiel: so if an IdP were to embed additional properties > in a jwt "certificate", those would be additional claims. > Lloyd Hilaiel: if our code were not hostile to such claims, then > it seems like the mechanisms required are present > Lloyd Hilaiel: does my read sound right to you? > Manu Sporny: ah, yes... now I remember reading that when I did > the review. thanks! So, in the very worst case, we'd register a > new Public Claim Name in the JSON Web Token Claims Registry for a > payment identity URL, which could then be used to boostrap deeper > identity claims (like govt. issued ID numbers, address > information, etc.) > Lloyd Hilaiel: yes, and you would have 3 chars to make that claim > discoverable > Manu Sporny: Lloyd, I think you're read is correct... we'll keep > going down that path until something blows up on us. > Lloyd Hilaiel: Manu, ok, when it blows up, ping me. > Manu Sporny: Will do. > Manu Sporny: Thanks a ton lloyd - we have what we need to make > progress now. > Lloyd Hilaiel: my pleasure! > > -- manu > > -- > Manu Sporny (skype: msporny, twitter: manusporny, G+: +Manu Sporny) > Founder/CEO - Digital Bazaar, Inc. > blog: Meritora - Web payments commercial launch > http://blog.meritora.com/launch/ >
Received on Thursday, 10 October 2013 16:18:59 UTC