The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-01-29

Dave Longley is scribing.
Manu Sporny: The call is minuted and recorded, let us know if you have a problem with that.
Dick Hardt: Ok.
Manu Sporny: Thank you for being here today, we know you're incredibly busy so we appreciate the time to get your thoughts on this area.
Manu Sporny: The assumption here is that you're speaking as an individual, not representing Amazon.
Dick Hardt: I'm speaking as an individual and none of my contributions (I don't think I'll make up anything with IP in it), my Amazon counsel has said none of this would fall under W3C contribution policies.
Manu Sporny: Got it and they don't.
Manu Sporny: Just a quick intro for those that don't know Dick Hardt - he has been involved in the identity space for over a decade and was involved in the creation of OpenID and OAuth among many other identity-related initiatives. His Wikipedia page is here:
Manu Sporny: We've chatted with you twice before to give you an overview about what this work is about and we've talked to you a bit about the Credential CG work to help you understand the type of work we've been doing. The main reason we reached out to you is to make sure we do our due diligence before starting work at W3C, if we do in fact start it. We want to hear your thoughts on all this, concerns, pitfalls, areas of work that are important, things to avoid, in general a brain dump from you because you've been so involved in this space for the past decade+. We've got a problem statement and user centric vs. service centric -- and things we can talk about but it's really up to you, we don't have to stick to the proposed agenda.
Manu Sporny: Any thoughts on the agenda before we get started, did you want to focus on anything else?

Topic: Problem Statement

Dick Hardt: Sounds good, we can figure it out as we go and start with the agenda.
Manu Sporny: What we're really trying to do is get the problem statement right because we want to scope this work down. We don't want to try and "solve identity for the Web", it's a really sticky area and we don't want to fall into that trap.
Dick Hardt: So why not?
Manu Sporny: Because we think that it's been attempted many times. We're trying to take a layered approach to get there and scope down narrowly into a bite-sized chunk because we don't think W3C membership or other bodies have an appetite for something larger.
Dick Hardt: As soon as you start diving into any aspect of it you have to think about how it will scale to solve identity on the Web, it's difficult to have a big bang approach and poof it solves everything about identity, but it's important to have a vision for what identity looks like in the future a mountain you're going to and then you say here's the first problem you're going to solve.
Manu Sporny: Got it, that's the general approach we want to take. We want to take a layered approach, we believe this is the bottom layer and we can build on top of it, understanding that we're trying to get to a unified vision. Does that sound like the right thing to do?
Dick Hardt: Not quite because you're talking about as if there is a bottom layer and then higher layers, I'm thinking there are areas of pain where you can get traction early and you solve it for one group and as that gets solved and matures you can move to other groups.
Manu Sporny: I agree. So we were hoping that banking and finance, healthcare and education would be the main drivers forward. The orgs really driving this seem to be the education industry.
Dick Hardt: I like the education industry, the healthcare and finance have lots of pain but they have so many different requirements it's hard to solve those well. It likely will distort what you're doing such that what you build won't be easily used elsewhere. Imagine if the first thing on the Web was healthcare and banking. We're going to do online healthcare and banking and then envision what we got out of that would be useful for porn or etrade.
Manu Sporny: We're making an assertion in the problem statement, we're saying there's no widely-used user centric system for exchanging claims/credentials via the Web. We were talking to Christopher Allen yesterday and he said a better term is "self-sovereign" where people own their own data.
Manu Sporny: Would you state the problem statement the other way?

Topic: User-centric Design vs Privacy-centric Design

Dick Hardt: I think putting the user centric attribute in front of it is proposing a particular solution instead of saying what the problem is. I've been a big driver of user centric and what's important about that. In order to have scale, I think a user-oriented approach is what is needed. Putting everything in the middle is tough, if you put stuff at the edges you can scale, the Internet has shown this. If we want to operate at Internet scale you need a distributed approach. And a flow that goes through the user instead of centrally enables you to have the scale and also has another valuable attribute around privacy and knowledge and consent. If it's flowing through the user with the user more in the middle of it then they have the ability to have more knowledge and understanding of what's there, not necessarily that they will understand but the tools are there and they can participate in what's happening. In contrast to giving a little bit of piece of data to a server and they talk to a bunch of other servers and you have no idea what's going on and they go off and talk about you and then get back to you to let you know your credit is good. That's different from "power to the people view" and that's not really the model that I think is critical. All the identity statements made about you aren't yours and aren't made by you. It's someone else that's trusted that's making that statement.
Dick Hardt: It's the state of CA saying I can drive, Canada saying I'm a citizen, Amazon saying I'm an employee, UBC saying I attended, a credit agency saying I've got good credit, those are statements others have said about me.
Manu Sporny: That's good and I'm hearing alignment with the thinking we've been doing.
Manu Sporny: The person is in control of those claims when they hand them over.
Dick Hardt: I would say that the user is in the loop when the claims are moved. Control and informed, so they know it's happening and acknowledge it, but it's not that they control it per se.
Dick Hardt: Subtle but significant. With control says "I've got them all and I can hand them out" and I don't think it's a requirement for that. I would just say "There's no widely used standard for ... presenting a claim from one entity to another." Anything that's self-asserted isn't interesting, it's really the stuff that other entities are saying about you that we want to get to.

Topic: OpenID Connect, SAML, and OAuth

Manu Sporny: When we didn't have user centric there -- a lot of assertions were made that the tech is already there, like OpenID Connect, SAML, etc. and those techs exist and can express, present, receive verifiable claims.
Dick Hardt: I don't think so.
Dick Hardt: Having worked on a number of those technologies I don't think they do it at all. They do it for like one or two claims right? But it's not a broad thing where I can go to any random site and share a wide variety of claims with them... I can go to a site and prove I have a Google or Facebook account, but none of the interesting things I just talked about.
Manu Sporny: We were talking to John Bradley and he said that OpenID has a system of distributed claims and you can do this.
Dick Hardt: I don't think so.
Manu Sporny: People have said you can just put these technologies together JOTS/JOSE, OpenID Connect, etc. and you can achieve this no problem.
Dick Hardt: I think there are a bunch of useful pieces there but other pieces are missing because obviously we're not able to do it today.
Manu Sporny: If we were to start this work, what would a working group focus on? Would it be being able to express the claim, data format, signature format, etc. extensibility for various industries? Or do you think that's useless without also working on the protocol for issuing, consuming, expressing credentials?
Manu Sporny: Do you think identifiers are important, self-sovereign identifiers? Being able to tie claims to identifiers that aren't tied to domains.
Manu Sporny: What would the first useful step be?
Dick Hardt: Let's back up a bit on the problem statement.

Topic: Useful Technology Pieces

Dick Hardt: You talk about those techs and one of the pieces that isn't clear is ... "How can we share claims in a way that doesn't create a highly-correlated identity fabric?" So we need to say "How is it privacy protected" and I don't see that and that's part of the problem. We need a mechanism of sharing these that is privacy protecting.
Manu Sporny: Yes, absolutely, I think that's a core desire. But you think we're not pointing that out to the appropriate degree in the problem statement?
Dick Hardt: Yeah, you think that's covered by the user-centric attribute, but I want to take that out and put in privacy ... user-centric does cover it when you go deeper but privacy should be brought up. You can say the user is informed about what the system is doing.
Dick Hardt: The other questions you put up there... do we need a way of expressing claims?
Dick Hardt: I don't think we need yet another way of expressing a claim, that's a well-trodden path. Do we need an architecture that's privacy protecting? We need that today.
Manu Sporny: How would you express claims?
Dick Hardt: I would just use JWTs (jots).
Dick Hardt: If someone wants to use [missed] we can do that too. I don't think we need a new way to do that, what am I binding these things to ... that's privacy protecting and that's missing.
Manu Sporny: Can you go into the privacy protecting architecture more?
Dick Hardt: We don't have something for that, we need to figure that out.
Manu Sporny: Is that different from the protocol or related?
Dick Hardt: Related. A number of people have talked about ideas but there's no consensus. Distributed ledger is one way to do it so it's not centralized identity, so that's a way of doing some pieces, but there's no consensus about how to go about doing that but how does it all fit together no one has laid it out. As soon as you get to privacy solutions it's been a full stack that doesn't take advantage of everything else. We need something with all the right characteristics for privacy but enables us to use a bunch of other machinery so we can link it into other systems. Anything shared off of Facebook isn't privacy protecting necessarily. Facebook is the one store and that's problematic for a bunch of other reasons.
Manu Sporny: So you think that's most important, privacy protecting architecture and protocol, etc.?

Topic: The Work on OpenID

Dick Hardt: Well, now we move into where the work should happen, is W3C the best place?
Manu Sporny: What do you think?
Dick Hardt: The only reason the OpenID Foundation exists is because the IETF was mean to us and if they wouldn't let us play in their sandbox we'll make our own. But now they aren't mean so we can play there. Maybe there are some architecture in statements that would make sense in W3C.
Manu Sporny: Protocol mode in IETF and higher-level document stuff in W3C.
Dick Hardt: Yeah, that seems to be how those orgs are broken up and what people look to.
Manu Sporny: I'm interested in hearing about OpenID Foundation -- how do you feel the OpenID Foundation experiment worked and what were good lessons learned from that initiative?
Dick Hardt: On one hand, we got a lot of momentum around OpenID because there were some pain points that many people in the community had and so our timing was good on working to solve a problem. So we rallied and got people together. The problem was relying party websites wanted to reduce the friction of people signing up. As we got into using them, logging in wasn't really a pain point for the relying party but registering was. As soon as the user had to type it was bad but just clicking buttons was a huge plus. In registration we wanted to know a verified email because it's a friction in conversion, if they have to go to an email and click a button it was out of the flow and if they could just click and be redirected so I don't have to verify myself that's great. Unfortunately as we came up with that we stumbled around...
Dick Hardt: Addressing some of the other issues in the protocol and some of the members in the foundation implemented version 2 of OpenID they were reluctant to look at a new version or have work go on about the adoption issues around OpenID and that stalled innovation and then the foundation say everyone is using OAuth and the Facebook model and the foundation pivoted to using that because that's what people are doing and that suddenly moved us away from a user-centric flow to a service-centric flow.
Manu Sporny: Looking at tech today, OpenID Connect is there and most of the sites I go to have login with Facebook, login with Twitter, login with Google, etc. Why do you think that happened?
Dick Hardt: Why do I think which happened?
Manu Sporny: Multiple different login buttons on a site? Do you feel that OpenID Connect was supposed to address that or that was the natural outcome?
Dick Hardt: Well, we've often called that the Nascar problem with a big flurry of logos and icons all over the place the user trying to pick it.
Dick Hardt: For the relying party they just wanted to simplify registration and there were additional value adds there, and the OAuth flow would let you find out about the user and which one it was and it was a substitution for authentication when it was really an authorization flow. [missed] In contrast to SAML.
Manu Sporny: A number of people have said SAML can express verifiable claims so maybe you just need to revamp SAML and it will address the problem statement, your thoughts?
Dick Hardt: That's what the SAML people told us as the OpenID people that their stuff would work and then it became OAuth and OpenID Connect and so clearly it wasn't solving the problem and people did these other things, so No.
Dick Hardt: One of the other problems with SAML is JSON has eclipsed XML. The other thing is that the protocol flow ... people have learned how to do that simpler and easier.
Manu Sporny: Just to be clear though, you're not suggesting that OpenID Connect could be modified to address the problem statement.
Dick Hardt: Depends what you mean by modify. OAuth 1 and 2 are radically different and some people think OAuth 2 just modified OAuth 1. It could be a good starting point with OpenID Connect but it's a big difference to get to what we're talking about and how we manage the privacy aspects, etc.
Manu Sporny: So it sounds like then we could get the problem to fit around the privacy aspect instead of something else we're focusing on.
Manu Sporny: We're asserting there are a number of problems that exist today because of service-centric architectures [manu lists ramifications from vctf].
Dick Hardt: Before you go too much further ... let me make a few statements. In order for something to happen people often need a commercial driver for it. We had commercial drivers for the Web, you had AOL. If we're trying to solve something that's a foundational infrastructure problem it's going to be difficult for there to be a business model around it and fortunately we have standards bodies to handle it. To talk about some places that have somewhat solved citizen identity like Estonia and Singapore. They've put in centralized systems and their cultures allow them to know everything you're doing and it works for them. It's a railway type system getting data from A to B but going to C is really hard. It's really only the big players that are participating in moving it around so it doesn't have the internet/web characteristics where it's easy for anyone to join and that dramatically reduces innovation because the bar to participate is too high like rails.
Dick Hardt: Rails are a certain width, where you can go is dictated by the railway the carts, the way it moves.
Dick Hardt: Different from highways systems, add new roads, connect up to it, etc.

Topic: The Best Mode for a Solution

Dick Hardt: Railway is more efficient to move from A to B but long term the highway system has so much more flexibility but isn't as safe, controlled but enables more innovation.
Dick Hardt: What's the highway system for moving identity info vs. the railway system that's proven in a few countries?
Manu Sporny: There's always a big argument for building systems out in a modular way... and those args apply here, but do you feel that it would be damaging for us to say there may be 3 or 4 ways to express a claim ... do you think we should say you should have multiple solutions at each point in the architecture, multiple ways to express, multiple ways to transport, etc or would that be a failure to standardize?
Dick Hardt: I think there are a number of things to leave open for standardization. You say which way of the road you drive on and how stop signs look and how traffic lights work there are a few things like that, the minimal amount for interop, but the payload is probably something we don't need to specify. That can be a different group and maybe a variety of different systems.
Manu Sporny: Do you believe the problems in the statement exist today or would you state them in a different way?
Dick Hardt: I'd rephrase 1 differently and the second and third ones are great ways of talking about it.
Dick Hardt: Vendor lock in is obviously a challenge and starting off ... identity services inject themselves into every relationship is just stating an opinion around something. You want to get away from where there's somebody that has to be central in the movement because that doesn't scale and it has negative privacy implications.
Dick Hardt: It's a control point ... there are a number of problems I'd like to articulate better.
Dick Hardt: You don't want everything to go through a central service, minimize that, this is the Web. Or maybe operate like DNS is operated.
Manu Sporny: You were saying things that are at this standards core, so you may want to standardize on a data model.
Dick Hardt: You want to enable all of those and let people change the data model, maybe there will be a new one in 10 years.
Manu Sporny: So more like content-negotiation like HTTP handled it?
Manu Sporny: You've got the HTTP protocol to move docs but content-negotiation to say what syntax to use, etc.
Dick Hardt: And the same server may be able to say it in a variety of different formats and as new models come out they can say it in a different way.
Manu Sporny: Ok, let's move off of problem statement ... do you feel like the changes you've mentioned you'd feel comfortable saying there should be work started around it?
Dick Hardt: It's a problem that needs to be solved and we should figure out how to solve it and there's a lack of consensus around the problem so far and a good work item would be tightening up that problem statement.
Manu Sporny: That's effectively what the VCTF is charged with doing so we want to come out with a problem statement with consensus.
Dick Hardt: I think if you don't have consensus from a wide variety of people not just a single industry it won't solve the problem.
Manu Sporny: Banking, healthcare, education, general web technologists as a minimum?
Dick Hardt: I would go with rough consensus and downplay the people who have the hard problems and minimizing their influence because they will have so many other requirements that will cloud the essential ones. Education is potentially more open to things. And doesn't have privacy and ... all these other things like HIPAA and other financial regs ... an identity system would not work with them initially and the regulatory environment and how it works and people have more confidence in what they do (banking and healthcare) would eventually adopt those things. But having them drive it would lead us down a path to a suboptimal solution that would work for them but not others.
Dick Hardt: Education, porn sites that want to know you're old enough, things that aren't mission critical, no life endangerment, etc.
Dick Hardt: With OpenID we had that whole long tail of people who wanted to solve the problem but it wasn't mission critical stuff. They just wanted registration solved and you can type in your own email etc ... that was a great use case and we blew it.
Manu Sporny: So anything that's dealing with low stakes registration?
Manu Sporny: Give us your shipping address or prove you're over 18.
Dick Hardt: Yeah, the postal services have been trying to figure out how to be relevant and where do you really live and proof of that's really your address could be an area.
Manu Sporny: It sounds like with some changes based on your input you'd maybe be ok with the problem statement and you think there's work here to be done on a protocol and privacy, etc. Are you in general saying, this is interesting and we could do some work here? Or do you think maybe we shouldn't start the work right now ... any thoughts?
Dick Hardt: The timing thing ... the main thing in this space we need a chicken, egg, and a rooster. Someone making the statement, someone wants the statement, and the user. All three need to get aligned. Adding that third party makes it a little more complicated than in the past. You need to find some industry that wants to solve it but is willing to pay the highway tax we'll call it in a way that's more open and extensible to solving other problems.
Manu Sporny: As you pointed out, education is one such industry, they want to express credentials in a standard way...
Dick Hardt: From a timing point of view you need someone who wants the info and they will also be sending it out and they can tell the students what to do.
Dick Hardt: So that sounds like it has the right characteristics of a group to work with. The challenge is making sure it works in other places as well.
Dick Hardt: Extensible, etc.
Dick Hardt: SAML was a mistake because everything had to fit into a particular type of assertion and how will you stuff SAML into an HTTP header and so on.
Dick Hardt: If I heard more about what everyone else had to say I'd have opinions on what they said.
Manu Sporny: There's a link with everyone else so far, so you can read it, all public.
Manu Sporny: Christopher Allen, Brad Hill, Drummond Reed, so far in terms of interviews.
Manu Sporny: We might circle back around with you once we have a charter and get your feedback.
Dick Hardt: Ok, I hope it will.
Manu Sporny: We really appreciate your help. Thank you very much.