The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-02-02

Nate Otto is scribing.
Manu Sporny: Let's go ahead and get started.
Manu Sporny: On the agenda: A summary of the interviews we've done so far, figure out which documents we need by the Web Payments Face to Face, we are going to talk about the documents. Any additions to the Agenda?
No additions to Agenda.

Topic: Summary of Interviews So Far

Manu Sporny: Interview with Drummond Reed (of OASIS and XDI):
Manu Sporny: We did four interviews last week. Drummond was very supportive of the problem statement we were trying to address, gave a lot of great input; he thought very deeply about what we were trying to say: what's user-centric, how does privacy play in the ecosystem...
Manu Sporny: Interview with Christopher Allen (co-editor of the SSL and TLS specifications):
Manu Sporny: Christopher was also fairly supportive of the problem statement. Very interesting insight into how SSL & TLS came to be, and some current crypto work at IETF.
Manu Sporny: Interview with Dick Hardt (of Amazon and lots of Identity 2.0 / OpenID / OAuth work):
Manu Sporny: Dick also was really helpful, thought very deeply about the problem; we got a lot of really good feedback about the previous initiatives that have played around in this area: OpenID Connect, OAuth, SAML, and Dick's involvement in those initiatives, and what he thought was achievable in the short term.
Manu Sporny: Interview with Michael Schwartz (who has implemented SAML, LDAP, OpenID Connect, OAuth2, and heads an Identity (OTTO) initiative in the Kantara initiative):
Manu Sporny: Michael had not had as much time to review it as other folks had, but gave us really good feedback as well, specifically about implementation and different factors associated with the difficulty implementing SAML and OpenID Connect.
Manu Sporny: These interviews are added to the feedback we received from Harry Halpin, David Singer from Apple, and others. We only have 3 interviews left, if those people have time
Manu Sporny: That's what we have so far as far as the interviews are concerned. There are some things that we have consensus on, and others we don't yet.
Manu Sporny: We have consensus on the problem statement generally
Manu Sporny: We have gotten some good advice from Dick Hardt that we shouldn't state it as user centric and service centric (instead talk about privacy-centric and privacy enhancing)
Manu Sporny: Largely we have broad buy-in to the problem statement. That probably means we can arrange some work around it.
Daniel C. Burnett: There may be some control aspects as well implied in our "user-centric" term.
Manu Sporny: We also asked the question, where should this work happen? W3C, OASIS, Kantara, IETF? Most folk felt that W3C would be a good place for it, but some of the protocol stuff might be pushed to IETF.
Manu Sporny: There was no opinion that the work should not be done.
Dave Longley: +1 To burn, some modeling aspects too
Manu Sporny: Where we may have disagreement is that the current pieces we have today (OAuth2, OpenID Connect, JOSE), what parts they may play in a final technical solution. We are not at the point of discussing a technical solution yet, so there may be a fair bit of back and forth when we get to that point once we have a working group.
Manu Sporny: That is a general summary of what we have done, where we have consensus, and where we may not. Any questions at this point?
Matt Stone: Manu, are you satisfied with the outcome of the interviews?
Manu Sporny: We are very satisfied with the outcome of these interviews.
Manu Sporny: The VCTF (this present group) was chartered to see if there was consensus that there was work to be done. We feel we have done this. We presented this stuff on a call with W3C Staff yesterday and the staff representative was still unconvinced. That is frustrating.
Manu Sporny: If all the people we talk to in membership feel there is work to be done, W3C is the place to do it, why is there still resistance from W3C? Maybe one strategy is to summarize all the work, package it up, so we don't dump an amount of information that is too much to synthesize.
Manu Sporny: The other concern was that if we don't have clear Payments use cases...
Manu Sporny: A good chunk of the invited experts we interviewed said they don't feel the financial industry will be the first movers on this. They expect the first movers to be the education industry, which we have seen is true. They are organizations that are comfortable with moving and putting in cache. Staff objects that payments should follow, not lead, which opens up a question of who should support this, maybe we should have a workshop (which would set us back a number of months.)
Manu Sporny: There are very clear payments use cases: Knowing who's on the other end of a transaction, coupons, loyalty cards...
Dave Longley: While they were pushing back saying maybe not the web payments IG as the best place for this, if there are clear use cases that may not be primary could still make the IG a good home for the work.
Manu Sporny: We must focus on demonstrating that there are clear web payments use cases, make it easy for the Web Payments IG to make a case to the W3C Membership so the W3C doesn't get stuck in an 8-9 month chartering process where a bunch of companies are confused about what makes this separate from OpenID Connect etc.

Topic: Documents Needed By Web Payments Face-to-Face

Manu Sporny: Let's jump to the next topic. There were 3 documents that would help prove this case.
Manu Sporny: First: a summary pointing to statistics collected, interview outcomes: Here's why the work should be done.
Manu Sporny: Second: Use cases document
Manu Sporny: Also: vision document, and maybe draft charter proposal outlining the work that must be done over the next year
Richard Varn: Seems like we keep running into this issue. Maybe we can segment our statements. We have one component: overlap, where we have common tasks addressed in the same way across sectors (one part of a use case). They might also be interested in things that are interdependent & mutually beneficial, but might not be the same solution. 3. as we're deploying stuff that has commonality, the fact that we're building the social fabric in one industry, we built the foundation that makes it possible to use the technology in another industry, like payments.
Richard Varn: ... Even if payments is not the first mover.
Manu Sporny: I'm focusing right now on documents we can create in the next three weeks
Richard Varn: Maybe focus on things where we're all aligned
Manu Sporny: Agree: outline the things that matter to healthcare, finance, other...
Manu Sporny: There is other stuff we don't have consensus on -- people are pushing back on the protocol to move credentials around, which we clearly need to build the ecosystem. The thing the working group would focus on is the spec that underlies the ecosystem: ("if you want to express a credential on the web, this is how you do it")
Manu Sporny: We're trying to focus down on just the stuff that we know there is broad agreement on.
Manu Sporny: If we do that by the end of February, there is a good chance the IG will push this forward.
Dave Longley: David Ezell (chair of web payments IG) more or less said: "If there are 12 use cases and only 2 are payments use cases, we could still push the work"
Shane McCarron: Want to push back on the concept a bit that we want to bury the extended use cases. I've been wanting to percolate some small number of requirements that are backed up by use cases that multiple industries need.
Shane McCarron: I don't want to lose that important data about all the other industries we're going to help at the same time.
Shane McCarron: No objection to prioritizing things out. Architectural view is important.
Manu Sporny: This is exactly what happened in the Web Payments use cases: We had 130 use cases, of which much fewer were specifically targeted. We had a huge number of use cases to paint a picture of where we're going, but they didn't have a specific point on the timeline.
Manu Sporny: I raised that perspective and we got a lot of pushback from Ian (W3C Management)
Manu Sporny: If folks remember, we were getting pushed off for starting this task force last year, and the membership overruled management above minor objections that it was too early to start.
Manu Sporny: It's good to hear staff perspective because they have a lot of experience dealing with the management, but sometimes they're too risk-averse.
Manu Sporny: Best thing we can do right now is convince the 127 individuals in the Web Payments IG that this work is worth doing. Make it very clear what that data is saying. We have use cases, we have an idea on a charter. If we can do that by the end of Feb, we stand a good chance of moving this to the next step, of seeing whether the membership wants to approve a charter.
Shane McCarron: Note that there is nothing terribly unusual about how long this is taking. That doesn't make it any less frustrating.
Manu Sporny: One more parting thought: The whole reason we went through the Web Payments IG on this was that the Credentials work had spun out of the Web Payments (at the time) Community Group, and we thought it would take less time to do this VCTF than to do a workshop and go through the standard W3C process. At this point it seems like the two approaches would have taken about the same amount of time, with a caveat: Identity on the web has a huge long history of partial successes and partial failures, and it's because of that we're being slowed down. Know for certain we've gathered way more data than a workshop on this sort of stuff usually gathers.
Manu Sporny: If the Web Payments IG sees what we're doing and agrees with it, it will have been a good decision to have gone this way.
Shane McCarron: It doesn't make it seem less like we're pushing a boulder up a hill only to have it roll back down, but doesn't mean we take our marbles somewhere else.

Topic: Verifiable Claims Task Force Final Report

Manu Sporny: Let's talk about the documents.
Manu Sporny: I've started filling out the document general structure and themes
Manu Sporny: Second page we have a bulleted summary of findings
Manu Sporny: Page three, we break this up into topics we have consensus on, and topics where there may be potential pitfalls (topics we have not been able to dig into deeply enough yet at this phase to see if there is consensus, but concerns have been raised)
Manu Sporny: This is where we want to hear feedback from the folks who are in each industry. Richard, Matt, John Tibbetts, that's where we'd want to hear a response to "there's no case for using this in ___industry___"
Manu Sporny: Clearly people who are at large billion dollar businesses will be prioritized to get responses in this section
Shane McCarron: Question: I know there's a couple interviews left to do -- what's the timeline on a solid draft of this document?
Manu Sporny: We're not going to wait for those interviews -- we'll let them know we'd love to talk to them, and we'll incorporate feedback when we can talk to them, but we're not going to wait. We contacted them three times. Hoping to have a final draft by the 12th.
Manu Sporny: Going to be presented on the 22nd of Feb
Shane McCarron: I assume you want the use cases document solid by then as well?
Manu Sporny: Yes, solid = "in some shape we can present it to the Web Payments IG" May be in draft form still, but presentable.
Dave Longley: +1 Burn, user centric is about more than just privacy
Daniel C. Burnett: You got one piece of feedback that privacy-enhancing is better than user-centric and the "privacy-enhancing" term appears in this draft, many in the group think there is more meant by "user-centric" than the narrower term.
Manu Sporny: You are correct, put back "user centric" and added a note that someone has suggested "privacy-enhancing"
Manu Sporny: Many people said "user-centric" is problematic because the OpenID work has coopted the term to mean something different than what is meant in this group
Manu Sporny: For example, when we talked to Mike Schwartz, "user centric is problematic because OpenID already does that, cuts the legs out from your justification" "It doesn't matter what the dictionary definition is -- of credential -- that's what professionals in the security community think it means"
Manu Sporny: Argument that Dick Hardt made that was convincing was that if you focus on privacy-enhancing, the user-centric aspects happen naturally
Dave Longley: There was also "self-sovereign" terminology
Dave Longley: Brought up by Christopher Allen
Richard Varn: Three main pillars: knowledge, consent, & choice; been working on privacy and policy statements around these three things in commerce software.
Richard Varn: Privacy-enhancing user-centrism is cool, but the pillars are how the system is designed, and these adjectives then describe it.
Matt Stone: +1
Dave Longley: We also go down and list exactly what we mean by user-centric and privacy-enhancing. I don't think we want to use the other things we mean by user-centric, analyze them and see whether there is a different term that is not coopted
Manu Sporny: Here's the issue with the bulleted list: Nobody read them. It became very clear that interviewees started talking about user-centric without leading the list
Dave Longley: Seeing a new term (other than user-centric) might make it more likely that they would look at the supporting documentation
Manu Sporny: Let's think about it over the next week. Send good fresh ideas to the mailing list
Manu Sporny: We'll touch base on this next week to see if we can find something not as problematic as "user-centric"

Topic: Use Cases Document

Manu Sporny: Will take action to drive that document forward
Manu Sporny: Excellent work from ShaneM, burn, and __ to get that document into shape
Shane McCarron: We've migrated the document into ReSpec, coalescing the data from the original version of the CG use cases document, pulling from multiple use case drafts.
Shane McCarron: Three of us working on it, dividing by section so we don't stomp on toes. We're trying to put these use cases together as scenarios that support specific requirements.
Shane McCarron: Hopefully also synthesizing the motivation for each case, so people understand the motivation for each requirement. We'll go through a quick cycle of prioritizing things: Initially, Someday, etc. Gut feel reactions from editors at the moment.
Manu Sporny: How parallelizable is the work right now?
Shane McCarron: Working very well, don't think we can divide it any further
Manu Sporny: Do you think we'll be done by the 12th?
Shane McCarron: Will survey editors after this call to see how they feel about it and redistribute effort if necessary.
Manu Sporny: Any questions on where we are on use cases?
Manu Sporny: Thanks a ton Shane and other editors for moving this forward. It's looking good. You've made a lot of progress over the last week

Topic: Draft Charter Proposal

Manu Sporny: We've got some pushback on presenting this at the face to face meeting from the W3C staff contact. VCTF pushed back on that saying "we need to get something in front of people so they can see what we're doing"
Manu Sporny: Where we have consensus so far is in data format data model in expressing verifiable claims.
Manu Sporny: Many have objected that this is not very useful unless there is a protocol for how you deliver, request, and store a credential
Manu Sporny: In the interim we can submit a "W3C Membership Note": "while we're getting consensus on this current scope, X proposed protocol is what a number of organizations are deploying because they can't implement without a protocol and can't wait for the W3C and we expect the W3C to pick up this protocol at a later date"
Manu Sporny: Estimated 18 months to get data format to W3C Rec status, and we may even start protocol work before the data format group work is wrapped up
Manu Sporny: Any company on the call pushing a solution into the market that needs a W3C standard stamp on the protocol? Or are folks comfortable implementing something that doesn't have the stamp on it?
Matt Stone: We're hearing from our user base that this topic is important
Manu Sporny: Would it be enough if you could point to official work on data format this already happening. Would those stakeholders feel ok with your commitment to standards in that case?
Matt Stone: One of the reasons we're so interested in the success of this group: we're promising that we're contributing..
Eric Korb: Accreditrust is pushing for a solution for standard from this group
Nate Otto: Badge Alliance Community, we also need a protocol - the one that was devised in 2012 - the one that came out of Mozilla - sending/requesting badges - the same sort of problems that are expected in the protocol work you're talking about - just Friday Mozilla made efforts to release more of ecosystem to community control. [scribe assist by Manu Sporny]
Eric Korb: Stone, +1
Nate Otto: We're going to need to work on this protocol sooner than later - adopting something from W3C would be good - if it was official W3C work as opposed to an alternative to the Mozilla protocol. [scribe assist by Manu Sporny]
Nate Otto: We do need to move pretty fast - we need a replacement protocol pretty soon with modifications to Mozilla protocol as a polyfill. [scribe assist by Manu Sporny]
Manu Sporny: We can certainly work through the technical protocol in the CG and submit a member submission pretty quickly, but it wouldn't mean much
Nate Otto: I think the best course of action is to maintain a good idea of where proposals are in the standardization process. We don't want to align with something that's headed down a different track. [scribe assist by Manu Sporny]
Henry Story: There is the LDP work which is a protocol standard, but they never added authentication to it. There is a web access control thing people have implemented that can be added to that, which allows you to authenticate with any kinds of means (OpenID, Web Signature). There might be something that could be done in parallel. If the credentials work works with it, perhaps that could be tied in and completed at the same time.
Manu Sporny: We've looked at LDP, the issue has been that some of the protocol is expected to be built into the browser (a credential management API)... that does malware/site checking, authorization. The LDP stuff is really good for automated credential exchange that happens behind the scenes. LDP would be one way to ship these credentials back and forth. That's why in the first phase of the work we propose just expressing the credential.
Manu Sporny: Some of our feedback from invited experts is that you shouldn't try to "pick a winner" protocol, because this stuff might be reused in other/multiple protocols.
Manu Sporny: Because some of concerns, because LDP might work for some use cases, they specifically might not work for some education partners.
Henry Story: Would be interesting to get some feedback on what those concerns were, LDP is working to adapt
Matt Stone: Seems like the last few minutes is mixing concerns from VCTF and the Community Group work that had been working on this bigger vision
Eric Korb: Stone, +1
Shane McCarron: +1
Manu Sporny: Agreed, that sounds like very good input. As the task force wraps up around the end of this month, we'll start CG calls again and get back into that.
Henry Story: Yes, agree. I was just responding to the concern that some people expressed that they may need a protocol with a W3C stamp of approval to move their work forward in their company