The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-01-27

Matt Collier is scribing.
Manu Sporny: Thank Drummond for being here today.
Manu Sporny: We're asking people who have been in identity space for decade+
Manu Sporny: The new initiative is called verifiable claims and W3C is trying to decide if we should do work there.
Manu Sporny: We have a problem statement, scope of work
Manu Sporny: We are trying to figure out if people like yourself feel the work is worthwhile and generally get your thoughts on the topic

Topic: Problem Statement

Manu Sporny: We're going to go over the problem statement and get your thoughts
Manu Sporny: We start with assertion that there is no user-centric solution on the web right now.
Manu Sporny: We believe that people want to create a user-centric ecosystem
... do you agree with that statement
Drummond Reed: I strongly agree. Existing solutions are heavily service-centric and there does not exist a user-centric system.
... any system where the identifier for the user is ... where the claims are not portable, is not user-centric
Manu Sporny: We assert there are a number of problems with service-centric systems.
... people cannot easily change their identity provider or service provider without losing their digital identity.
... do you have any comments on that statement?
Drummond Reed: If anything, that statement is not strong enought
... the issues you're pointing to are issues for users, not for service providers.
... systems that give users independence must be reflected in the protocols and standards
... openid, oAuth and OpenID do not address that issue.
... it's hard to quantify what would happen in the marketplace if a user-centric standard exists
... credit cards could be used as an analogy. No one could have predicted the impact that credit cards have had.
Manu Sporny: How deeply involved were you in the OpenID process?
Drummond Reed: I was one of the founding board members.
Dave Longley is scribing.
Drummond Reed: I was deeply involved with OpenID 1.0, and some of the early OAuth stuff, the InfoCard Foundation (Executive Director), and left at the beginning of OpenID Connect.
Drummond Reed: I was on the OpenID board until we transitioned to OpenID Connect. OpenID generation 1 was the original protocol, when it was started, the foundation then started to standardize OpenID 2 and that was to bring all the protocols together and make a standard and that was not succeeding the face of facebook/social login. Third generation leveraged OAuth because it had taken off and it became OpenID Connect. I wasn't involved in finalization of OpenID Connect.
Manu Sporny: Do you think that OpenID Connect solves this problem and we can just use it to carry these claims or maybe just add an extension?
Drummond Reed: No, we need a big architectural shift.
Drummond Reed: I can try to articulate why...

Topic: OpenID Connect

Drummond Reed: What OpenID Connect still doesn't address is portability of user's digital identity and their claims. I personally have been convinced some time now that we're only going to get there by moving to a semantic graph model for modeling identity and claims.
Drummond Reed: If you don't take that step it's not adaptable, extensible enough to do it. Otherwise you're just going to get single-sign on at best.
Manu Sporny: Can you be more specific with technologies when you say semantic tech?
Drummond Reed: The identifiers need to be portable and are supported with semantic graphs and linked to claims for the user or organizations and that will provide the technological basis for interop and portability for broad adoption.
Manu Sporny: So tech like the XDI work you've been involved in for a long time and Linked Data at W3C?
Drummond Reed: Yes, those are the two things I would point to.
Manu Sporny: Moving to the second bullet point -- about no interop standard that cuts across industries. Industries create their own solutions and they are costly and don't work across lines. I think you've covered that but do you find any language in there to be long?
Drummond Reed: I wouldn't change a word, I'd emphasize that if you break out of industry specific solutions you will enable a whole new level of not sure e-commerce but e-business; relationships that can take place online today but just can't today because of too much friction.
Manu Sporny: Third point, asserting qualifications on the Web is hard. Do you know of any tech that makes it easy to do today?
Drummond Reed: That is an unsolved problem. There's been no adoption not even slight-adoption, only industry specific solutions, no standard. It was in scope for OpenID and OpenID attribute exchange, the center of the bowling alley for InfoCard and neither one made a dent in that part of the problem. I'm very close with the OpenID community and I don't want to go on record as saying it hasn't worked, as they are still working on it, but that doesn't change my mind that until you move to a semantic graph model or the claims and the sharing of the claims and make it portable you won't get over the hump.
Manu Sporny: We've done these interviews with a variety of different people and some are asserting that OpenID attribute exchange handles it and that's all we need plus some JOSE stuff with JOTS, etc. and that's all you need, the problem is solved. That's all the tech you need for verifiable claims, do you agree/disagree/partial agree/thoughts?
Drummond Reed: I think you can absolutely make a case that the OpenID Connect architecture is designed to provide claims and I honestly have not gone back down into the standard and looked at attributes and see if they provide signed claims that can be stored independent of the service provider and do they provide portability. I don't believe the answer to any of those is yes. But I'm qualifying that by saying I haven't dived back down into it to make sure that's true.
Manu Sporny: Do you know of anyone we could definitively ask that of?
Drummond Reed: Sure, John Bradley, Mike Jones, Matt Zakamura and I've known all three for a long time, all involved w/OpenID and 2/3 involved with InfoCard. If you're going to get the strongest "yeah, this is why we solved the problem" it would be from them. All very articulate. I'd point you at John Bradley first maybe I can get you an intro.
Manu Sporny: Ok, we haven't heard from them yet, only hearing 3rd-4th hand from others saying the problem is solved but we want to dig in and get answers from people closer to the source.
Manu Sporny: We'd love an intro w/John Bradley.
Drummond Reed: I'd be happy to do that.
Manu Sporny: That's the problem statement. We're asserting that this is not a solved problem, specifically we're saying "user-centric mechanism" standard is not a solved problem. We're contrasting that w/service centric mechanism. We're saying you can do service-centric things today, but as you said you can't express this information as a semantic graph and people can port claims from one place to another and that's where we need to do some work.
Drummond Reed: Yeah.

Topic: Definitions and User-Centric vs. Service-Centric

Manu Sporny: We say verifiable claims are a set of statements that are cryptographically verifiable (non-repudiable/authentically made)
Manu Sporny: That's what we're calling a verifiable claim.
Manu Sporny: Any questions on that?
Drummond Reed: Nope, very clear.
Manu Sporny: User centric vs. service-centric [manu reads definition].
Manu Sporny: An example of service-centric would be facebook/twitter ID, logging in with social login is a service centric experience. You don't pick your credentials from wherever you want to store them, you have to store them at facebook/twitter/etc.
Manu Sporny: Is that clear?
Drummond Reed: Editorial writing feedback -- if you read through the ramifications of each it makes it clear. The opening statement about placing people at the center of the ecosystem is too vague.
Drummond Reed: If you didn't have the ramifications the definitions aren't clear enough. I'd be happy to work with it looking at ramifications. This is near and dear to my heart because with Respect Network we're building a whole user-centric system. We started with five principles for what this means in law and I'm not suggesting you go that far, but there's a level of precision and depth that's not here yet.
Manu Sporny: We'd love some help with updating the language here, something terse or good explanation of these things.
Drummond Reed: Sure.

Topic: Respect Network

Manu Sporny: Could you go into the Respect Network more and those five tenets, etc?
Drummond Reed: Sure, but not too deep we'd spend the whole call on it :).
Drummond Reed: User-centric claims and users having control of their claims ... if you said there was a network, similar to a social network, where when you join the network you aren't only getting portable identifiers, and a semantic graph you can use, but you are guaranteed, legally, in the membership agreement, if you promised permission, protection, portability, and proof.
Drummond Reed: The promise is that every member of the network is making the same promise, it's mutual amongst all members.
Drummond Reed: Permission means all data, all claims is viewed by permissions.
Drummond Reed: Protection: When you accept shared data you agree to protect it.
Drummond Reed: Portability: The identity and data of any member is portable you can't lock it in, it's based on semantic graph.
Drummond Reed: Proof: Enforcement of that agreement on the network is via a reputation system on the network itself. At a baseline it just establishes the level of trust people or orgs have in you.
Manu Sporny: Is there a network of any kind that meets these five principles today?
Drummond Reed: Absolutely not that's why we're building it :)
Drummond Reed: One of my great interests in this work is portable digital identity is fundamental, we can't build our network without it. It's a starting place, not an ending place.
Manu Sporny: We're about half-way through. The general question is: Do you feel that there's a certain part of this problem that should be tackled before the others? If you agree with problem statement and user vs. service centric. Do you feel that just working on the data format like the semantic modeling portion of it, is that enough? Or do you feel like you have to work on the data format and the protocol for issuing, storing, requesting, ... do they have to be done in parallel or can it be phased work?

Topic: Portable Identifiers

Drummond Reed: I'm always in favor of phasing the work but I don't think that the architecture and the tech solution can be separated out that way. I think you have to look at this wholistically. There are three legs of the triangle. Data format, protocol, and the identifiers. You need that pyramid right for it to hold up. I would argue that whole huge efforts in the industry have failed for that reason.
Manu Sporny: Because of a lack of portable identifiers?
Drummond Reed: No, that's not the only reason, but spending literally 15 years on that one core aspect ... it's a lot harder than it looks. It's more important than it looks.
Drummond Reed: If you don't pay attention to that, then you'll find that all the claims and the protocols wind up being service centric and I want to put a fine point on that. OpenID said they'll solve it by giving everyone a URL. That was a starting point going into it.
Drummond Reed: They didn't recognize that URLs aren't designed to be portable identifiers.
Drummond Reed: That's one aspect .... I could go on for hours. Claims that aren't expressed as a semantic graph ... the entire InfoCard effort expressed claims as XML and not a semantic graph and it looks easy and straighforward and we hit the wall.
Drummond Reed: And the protocol, don't get me started.
Manu Sporny: We do want to hear about it!
Manu Sporny: But first, what are the minimum requirements for the identifier?
Manu Sporny: You're saying URLs (as in, http-based URLs) aren't the solution. What is the solution?
Drummond Reed: I can give a fairly short answer, I think the WebDHT spec, it's just a draft but it was fairly well-articulated there.
Drummond Reed: It's not that an http-based identifier could not be portable it's that the design of DNS is fundamentally ... is not ... there are aspects of portable identifiers that aren't addressed by DNS you have to move to URNs or OIDs ...
Drummond Reed: DOI.
Drummond Reed: To get into the space of identifiers that are designed for persistence.
Drummond Reed: Ultimately the challenge is in that triangle.
Drummond Reed: I assume you guys are familiar with that.
Manu Sporny: Yes.
Drummond Reed: You want persistence, portability by the user, controlled by the user. Providing that technically and making that usable is really hard.
Manu Sporny: Right.
Manu Sporny: We have been met with a fair bit of skepticism with this initiative that comes in various forms -- one of them is: We don't see how this problem statement is any different from OpenID Connect or SAML or Liberty, etc. those previous things. Do you see what the difference is or do you still think that the way we've worded the problem statement is unclear? How we're trying to differentiate this work.
Drummond Reed: I do see the difference in a major way. I can see why others are looking at it and saying "not enough of a difference" and it's a matter of perspective of these underlying problems.
Drummond Reed: I attended a previous call and followed links to read about the critiques and they are good and real. The challenges of moving from centralized authorities to decentralized ones and claims are enormous.
Drummond Reed: They are hard problems.
Drummond Reed: And you have entrenched interests, some are disinterested or actively opposed to decentralized solutions because it's threatening.
Drummond Reed: I'm not sure what the best way to deal with that is. I do agree to more precisely articulate existing systems and why they don't solve the user-centric problem ... the better you can do that the more obvious it becomes that this work is needed. I don't know, on a political basis, if it's a winnable war. I've left that area to go to the startup side ... enough arguing and we'll just build something. We'll build some on open standards and otherwise just invent what we need that isn't there.

Topic: Ideal Place for Work

Drummond Reed: I think W3C has done great work with JSON-LD and that's really helped open things up and I do think if something can be done this is the right group to do it.
Manu Sporny: You think this is a solvable problem (not a technological one), but it's not like we're talking about faster than light travel, it's feasible... 2 or 3 years if we can head in the right direction.
Drummond Reed: Absolutely.
Drummond Reed: I'm not saying that XDI is needed for something like that.
Drummond Reed: JSON-LD is a solid foundation, the WebDHT work, blockchain tech. All the crypto is there.
Drummond Reed: Really the problem is getting to consensus and code bases that will implement.
Drummond Reed: That will implement portable claims and digital identity.
Manu Sporny: Where do you think the work is best done?
Manu Sporny: You're moving to the startup realm and you'll be building and deploying there and that's one way to go about it. Another way is to go to a standards body and do the work there and they can actually be done in parallel, those two things. Which standards setting org is the best to make rapid progress? OASIS? W3C? IETF? Something new?
Drummond Reed: The only clear answer is not the latter. Org after org happened to help with this ... arguable OpenID foundation could have done a fork inside one of the existing ones but it didn't politically happen that way. I don't think you need a new one, I could be wrong, if entrenched interests won't sign on, etc. I'm almost certain ... I can hear people "in my hear" saying that is what OpenID foundation is for and it should be an OpenID WG. I really don't know ... my experience has been with OASIS for a long time, yours has been with W3C and that has produced some outstanding stuff and IETF is always going to be there. I don't have enough experience with those other orgs to guide you there.
Manu Sporny: So I'm scanning down the list of open questions that we had...
Manu Sporny: And you've given us fantastic answers and the amount of insight you have is really great and perhaps the deepest we've gotten to date because of your heavy involvement over the last 15 years.
Manu Sporny: So thank you. We already asked the question if there is tech that can solve this problem ... but are there techs today that could solve bits and pieces of it? What bits of OAuth2 would you use and what bits of OpenID Connect or JSON-LD would you use? Can you identify really interesting tech that you feel would accelerate the process? Do you have any strong feelings about any of that?
Drummond Reed: I have very strong feelings that the basis for the solution has to be semantic graph. Complete conviction.
Drummond Reed: RDF and JSON-LD will absolutely do the trick, XDI will eventually but it's still very young. I don't think you'd want to try and use it to solve this problem.
Drummond Reed: The crypto I am a huge fan of the what the bitcoin community has developed. I've been getting steeped in that, working with Christopher Allen. I absolutely believe that ... I'm realizing early on that there's one thing I didn't mention that I can point to ... my own thinking has evolved tremendously in the last year. What's not addressed in the existing protocols OpenID, SAML, you name it, what's missing completely is key management. Specifically user-centric key management. It just doesn't exist -- no animal meets that requirement. The closest thing you can come to is bitcoin wallet. That's because it's based entirely on proof of control. If you're going to provide portable identity and portable claims with real control by the user, then you have to solve that problem.
Drummond Reed: You have to solve the problem of user-side control of key management.
Drummond Reed: What the bitcoin community has done with keys and how it's going with key recovery and building that in with the overall solution is going to be what's required to "really hand over the keys to the user".
Manu Sporny: Haha, ok that's great. We've gotten a lot of great info from you today.
Manu Sporny: We'll be reporting all of this back to W3C management and the VCTF group, etc. Do you have any other thoughts or concerns about the work?
Manu Sporny: Before we close this discussion out?
Drummond Reed: Not really. I'm tremendously interested to see if ... it's like being interviewed for a presidential election ... here's my opinion by what's going to happen here? I'm interested to see what W3C does, to see if a WG gets started.
Manu Sporny: We're trying to get a WG after the next 3-4 months and we're going due diligence since this is a well-trod road and W3C wants to make sure we talk with people like you, etc.
Manu Sporny: Do you see what we're trying to do as different this time around?
Drummond Reed: I think that sums up the whole interview -- if the aspects of the problem that we've talked about are specifically in the charter of this new group, then it can actually solve the problem and get user-centric, interoperable claims in a way that won't be gotten to ... OpenID aspires to that (SAML doesn't), OpenID people would say bring it here and we'll make it the next generation of what we're doing. From my perspective, I don't know about the political standards battle. But we *have* to get to semantic graph. portable identifiers, and user control, key management and then we'll finally get where industries have been trying to get. If you can put together the effort that will tackle those things then we will get there.
Drummond Reed: Brad Hill's critique was very articulate about the challenges.
Drummond Reed: I believe they are all solvable but they are real challenges.
Manu Sporny: Thank you again for all your time, we really appreciate it.
Manu Sporny: We'll CC you on that so you can make any corrections. Thanks so much.
Drummond Reed: I'd be happy to help any way I can.