Verifiable Claims Telecon
Minutes for 2016-01-05
- Agenda
- https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Jan/0002.html
- Topics
- Organizer
- Manu Sporny
- Scribe
- Dave Longley
- Present
- Dave Longley, Manu Sporny, Dick Hardt, David Chadwick, Shane McCarron, Drummond Reed, David Singer, Nate Otto, Jörg Heuer, Kerri Lemoie, John Tibbetts, Daniel C. Burnett, Bill DeLorenzo, Ted O'Connor, Carla Casili
- Audio Log
Dave Longley is scribing.
Manu Sporny: The purpose of this call is a briefing call on the Verifiable Claims work.
Manu Sporny: The idea here is to introduce you to the work we've been doing for the past 2-2.5 years. This is in preparation for interviews we'd like to do with each of you.
Manu Sporny: We've identified each of you as experts that we'd like to get feedback from you before W3C does anything, if we do anything. We'd like to get your thoughts on the topic, which we will minute and record.
Topic: Background on Verifiable Claims work
Manu Sporny: http://w3c.github.io/vctf/
Manu Sporny: The site was just updated this morning with Benefits to Stakeholders and some other info.
Manu Sporny: The purpose is to find out is there's a need for user-centric Verifiable Claims/Identity Credentials. The proposal focuses on a user-centric system vs. service-centric systems like SAML, OpenID Connect.
Manu Sporny: We're trying to focus on whether a user-centric system would be a good way to address the problems.
Dick Hardt: There are other models besides pure server centric and pure user centric
David Chadwick: If you consider the way plastic cards work today, they are user centric
Manu Sporny: We've identified a problem statement that has pretty broad buy in from those involved so far, but we'd like to reach out to various experts and get their input. We'd like to hear feedback from "This is a terrible idea don't do it" to "This is heading in an ok direction" to "We support the work, etc", various critiques.
David Chadwick: I dont need to tell the card provider who I show the card to
Manu Sporny: We've been trying to solve some of these problems for 15+ years and some would argue longer.
Manu Sporny: The group that has been putting this stuff together for the last two years is called the Credentials Community Group at W3C and have produced some technology, but the Verifiable Claims Task Force is taking a higher view, not focusing on any particular tech solutions at this time, only analysis, etc.
Manu Sporny: Any questions from anyone who is new to the call? (to the background information, etc)
Topic: Problem Statement and Scope
Manu Sporny: http://w3c.github.io/vctf/#problem
Manu Sporny: This has fairly decent buy in from those that have been involved (the problem statement). There is a survey that we sent out, we go around 44 organizations to respond to the survey. We have anonymized those responses and the link is in IRC.
Manu Sporny: The participating orgs have helped put the problem statement together. We have many of the participating on these calls for the past year.
Manu Sporny: We've talked about the problem statement and scope on this page. The question to experts, Dick Hardt, Brad Hill, etc. is "Have we stated the problem well?" "Is this a problem for the Web?" "Is it a good problem statement?" "How should we proceed?" etc.
Shane McCarron: Are there specific business problems your organization needs solved that this sort of activity might address?
Manu Sporny: Any questions from people on the call for the type of feedback we're looking for?
Manu Sporny: http://w3c.github.io/vctf/#problem
Manu Sporny: The link is in IRC^.
Drummond Reed: We've talked about this once before but it might help others on the call. The problem statement specifies OpenID Connect as service-centric. Could you crystalize what you think makes it service-centric and not user-centric?
David Singer: Why is it a priori user-centric?
Manu Sporny: http://w3c.github.io/vctf/#definitions
Manu Sporny: There's a link I'll put into IRC to specify what we mean by user-centric and service-centric. We realize this whole area is rife with terminology and the meanings have changed over time and we apologize for that. We list definitions at the link.
Drummond Reed: Absolutely the whole area is "rife with overloaded terminology".
Manu Sporny: http://w3c.github.io/vctf/#design-approaches
Manu Sporny: We talk about user centric systems as talking about placing users at the center of the ecosystem and we list design ramifications that are outcomes from a user-centric design vs. a service-centric one.
Manu Sporny: So we describe the differences between a user centric system and a service centric one and the hope is that before we do interviews with you that you read our definitions.
Manu Sporny: Based on the definitions we have on the page, we describe OpenID Connect as service-centric because the service is in the middle, it issues the claims, claims are not portable, you are locked into a particular identity provider/agent vs. portable and owned by the user themselves, etc.
Drummond Reed: IMHO, identifiers not being portable is a huge point.
Manu Sporny: These are just some of the reasons that the system isn't user-centric. People have been talking about some of these things for years like Dick Hardt.
Manu Sporny: A user-centric system has portable identifiers, yes, as Drummond Reed mentioned.
Dick Hardt: Would be nice to be able to be on the call.
Manu Sporny: David Singer asked "Why is it a prior user-centric?" ... We needed to put a stake in the ground about how what we're talking about here is different from previous attempts to solve verifiable claims on the Web.
Manu Sporny: So how is this different from LDAP, SAML, OpenID Connect, etc.
Manu Sporny: So a user-centric design has a lot to do with that.
David Singer: I agree that it's important to talk about previous solutions, but why is user-centric part of the problem statement?
Manu Sporny: The easy answer is that that's how the group decided to phrase the problem statement; the fundamental thesis of the group is that service-centric systems exist, OpenID Connect, SAML, pick your super provider, etc. saying we're going to address a problem that those solve is a non-starter, but clearly problems still exist. Solving what those solve is a non-problem. Not seeing user-centric systems, things that are not on the Web now -- like driver's licenses and passports and things we put in our wallets and that we control in that way ... those user-centric systems are the ways we deal with verifiable claims in the real world/physical world.
Manu Sporny: We haven't been able to transfer those things to the Web and why haven't we? And thus the user-centric language comes into the problem statement.
David Singer: Yeah, that's good enough for now.
Dave Longley: I would like to add... [scribe assist by Matt Collier]
Dave Longley: We build up physical identities but that has not translated well to the web. [scribe assist by Matt Collier]
Dave Longley: One thing to add - having these credentials in the physical world, but not having them in the digital world - we go about our lives building up our physical identies - describes different parts of our lives - we can't create rich digital identities that can can carry and give out to different consumers where relationship between us and our wallet is not important. [scribe assist by Manu Sporny]
Drummond Reed: Good answer.
Dave Longley: Use some other container to hold our credentials - the relationship is between us and the consumer, or us and the issuer. There is this whole aspect our lives in the physical world that have not translated into the digital world. A lot of it has to do with user-centric design. [scribe assist by Manu Sporny]
Nate Otto: +1 Dlongley
Dick Hardt: There are other models besides pure user-centric and pure server centric.
Drummond Reed: Yes, I think that's a great subject for the interviews.
Manu Sporny: Does that provide enough information for this subject for the interviews?
Manu Sporny: Yes, we definitely want to hear about those other models, Dick.
Manu Sporny: When we speak with you, we'd love to hear your feedback on that. We're not saying the system won't be some kind of hybrid.
Manu Sporny: But the first question is "Is there a problem that needs solving?" And then if the answer is yes, "Are there some general guidelines to help us falling into traps of the past?"
David Singer: We also need to agree it is our problem....
Drummond Reed: I think there's very broad agreement on the problem. The key question will be: what is unique about the solution that will allow it to break through where all the previous attempts have failed.
Topic: Key Questions
Manu Sporny: Please go and read everything on that VCTF page -- because it's stuff that we have consensus around from the 20+ orgs participating in the work. But we can challenge those things and change them based on your input.
Manu Sporny: https://www.w3.org/Payments/IG/wiki/ProposalsQ42015/VerifiableClaimsTaskForce#Open_Questions
Manu Sporny: If you don't have the time to read and formulate your own response, we do have a set of questions we can ask you.
Manu Sporny: Link is in IRC for some of these.
David Chadwick: That is mirrors the use of plastic cards in the physical world, because they work
Manu Sporny: [Lists questions at link]
Jörg Heuer: We've worked on - and demoed at occasions - a system that relies on a user-centric flow with corporate-centric credential objects... is that close to what you think of, Dick? (like in the good old 'info card' days)
Manu Sporny: The other point to make about these questions is that they are just suggestions. During your interview, please feel free to discuss whatever you want. They are just there to help you figure out the type of input we're looking for.
Manu Sporny: Any feedback on open questions or general feedback?
Drummond Reed: I don't see a question focused directly on portable identifiers (it's inherent in the "moving claims" topic).
Drummond Reed: It's a pretty good question list. Maybe the question of portable identifiers is important enough that there isn't a direct question about that. It's a good list, it's comprehensive.
Manu Sporny: I'll add a question about portable identifiers.
Shane McCarron: That's a good point!
David Singer: We need to know if W3C is the right place, and has the right people and skills
Dick Hardt: I don't think portable identifiers are a required part of the architecture.
David Chadwick: I agree with Dick re portable IDs
Dick Hardt: I think there is an important problem to be solved. It is unclear what role W3C should or could play.
Shane McCarron: Are service-centric identifiers a problem?
Manu Sporny: Ok, great input, that's the type of stuff we hope come up in the interviews.
Kerri Lemoie: Should the distributed web be explored? Blockchain, bittorrent....
Manu Sporny: Dick is saying the problem is important but unclear what role W3C should play.
Drummond Reed: That's a great question, given that aspects of this problem have been tackled by IETF and OASIS and OpenID Foundation and Open Identity Exchange as well.
Drummond Reed: I'm sure I've left out others.
Manu Sporny: Brad Hill together a real quick document giving us his thoughts before this call happened.
Manu Sporny: Brad Hill's feedback so far: https://docs.google.com/document/d/1aFAPObWUKEiSvPVqh9w1e6_L3iH4T08FQbJIOOlCvzU/edit?usp=sharing
Manu Sporny: That's a list of all of the concerns he's had so far. General concerns about problem statement, fraud abuse, trust, all that stuff.
Manu Sporny: This is the type of feedback that is super helpful. We want to make sure we're considering all the pitfalls with the problem statement as proposed, etc.
Manu Sporny: If you have time to provide that kind of input that would be super helpful. Written input is good, at some point we're going to document what you tell us one way or another.
Manu Sporny: Putting it in a google doc is good because we can iterate one that, but also showing up on a call and rambling about everything you're concerned about for an hour is also good. We'll have someone scribe it.
Manu Sporny: Any questions on how to provide feedback or the questions or type of input we're looking for? Does everyone feel comfortable, if we get on a call with you one-on-one you can let us know what you think directly?
Drummond Reed: Yes, this is great background.
Drummond Reed: Absolutely, this is excellent background.
Manu Sporny: David Singer, Ted?
Manu Sporny: Karen?
Drummond Reed: I also like the idea of putting feedback and thoughts in a Google doc.
David Singer: Good so far
Topic: The Interviews
Manu Sporny: After listening to this, reading the minutes again would you be able to provide some input?
Manu Sporny: We're hoping to do interviews in the last two weeks of January and we're hoping to get them finished as quickly as possible so we can iterate and keep our rapid progress going.
Manu Sporny: Let me bring up the questionaire on your availability
Manu Sporny: If you have been asked to do an interview - please sign up for some times that work for you during the last two weeks of January: http://goo.gl/forms/RY4f5h36Y5
Manu Sporny: Please let us know what time works for you on that form.
Manu Sporny: When you let us know, it will be the same dial number as now ... hopefully with any issues resolved.
Manu Sporny: We're going to go through anything that's on your mind, any concerns, etc.
Manu Sporny: That's it as far as background and what the problem statement and scope is and the key questions we're going to ask you and the type of feedback expected.
Manu Sporny: Any other questions from the people doing an interview? Do you feel well-prepared?
Drummond Reed: I certainly do.
Manu Sporny: We're going to try and circle back around with Dick Hardt and Brad Hill because they couldn't dial in.
David Singer: I am sure more questions will come up in internal discussion, ...
Dick Hardt: I don't really know what I missed by not being on the call.
Manu Sporny: If there aren't any other questions please fill out that form and let us know what time works for you. Thanks everyone so much for your time, it's really appreciated.
Shane McCarron: Good briefing! Thanks!
Manu Sporny: Apologies to those that had connectivity issues, we'll try to figure out what happened.