The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-02-09

Dave Longley is scribing.
Manu Sporny: We're supposed to get an update from Deutsche Telekom, but they aren't here yet so we'll push that to later on the agenda.
Manu Sporny: Are there any other updates/changes to the agenda?

Topic: Plan for Finishing up Interviews

Manu Sporny: We have a plan to finish the interviews this week. We've got good coverage on our interviews, the vast majority we wanted to interview responded in some way. The folks with very busy schedules like Vint Cerf and Tim Berners-Lee likely won't have time to talk before we have to report, we've got Bob Sheets and Jeanne Kitchens later this week. John Tibbetts sent a private email that could be used as his interview --- super helpful. Coming from someone involved in this space for many years and answered similar questions from the interview.
Manu Sporny: We were going to try and integrate everyone's feedback into the final interview and were going to ask for piecemeal input, but John Tibbetts' email was much more helpful, we've already got expertise from people in the CG but we didn't capture their input via interview. So what I think we should do is interviews over email, Matt Stone, Richard Varn, John Tibbetts, etc. I'll ask you to write an email and I'll send a template for you to use. We'd like to hear from you, people who have been participating to get your thoughts on the VCTF charter, etc.
Manu Sporny: My hope is to get input from the folks who want to move on this stuff, not just input from people who don't yet have skin in the game or those who are critical.
Manu Sporny: Heads up to you guys -- we'll be sending out a template and if you can just respond with an email that will be super helpful, send it to the mailing list, we'll put it down on the record and we'll report those findings to the Web Payments IG at the end of the month. Any questions about the interviews or that template?
John Tibbetts: I want to make sure ... I put in the email the second time to the two forums you gave me ... did you not get those? I just wanted to make sure.
Manu Sporny: When you send it to the IG it will be held for moderation, but your one from the Credentials CG should have gone through, I'm not seeing it there.
Manu Sporny: As long as you send it to those two mailing lists we can reference it from there.
John Tibbetts: Ok.
Manu Sporny: Any other questions ... Richard, specifically, do you think you'll have time this week to write something up?
Richard Varn: I was waiting for a prompt.
Manu Sporny: Yeah, you were going to get one, but we changed the format slightly to parallelize, we'll give you a template.
Richard Varn: Ok, yes, I'll respond this week.
Manu Sporny: Colleen, if you want to respond on behalf of Pearson or get Matt Stone to that would be great.
Colleen Kennedy: Ok.
Manu Sporny: Rebecca it would be great to capture your unique perspective, but if you feel uncomfortable because you haven't been engaged in the work as deeply as some of the other folks.
Rebecca Simmons: I'd like to, I'm afraid it won't be as useful as the other folks.
Manu Sporny: No, just having an opinion about the fact you've been involved in work like this it would be helpful.
Manu Sporny: Same goes for anyone who feels they would have anything helpful to add that the other interviewees haven't said.
Manu Sporny: I'll try to get that template out today and if we can get responses before Friday that would be great, but any time before the 20th (the F2F meeting is around then) that's the deadline. But we want responses by Friday to get them integrated into the presentation.
Manu Sporny: Any questions?

Topic: Verifiable Claims Task Force Final Report

Manu Sporny: I was able to put some time into this over the weekend, it's not going as quickly as I had hoped but the basic structure of the document is there as well as the first couple of sections. The sections are kind of filled out. Going from the top of the document down ..
Manu Sporny: The purpose of this document ... it will be circulated to 300+ W3C member companies, giving them a background on the work we've been doing to make a case to start work at W3C, proving our due diligence.
Manu Sporny: We start out with a background on VCTF and the problem statement then go into a summary of findings. These member companies have reps that are really busy and they may only read the first page and a half. The rest is supporting documentation so people can find all the assertions in the doc.
Manu Sporny: We assert a number of things about broad consensus on the problem statement, etc.
Manu Sporny: We have clear use cases documented in banking, finance, education, etc.
Manu Sporny: Current tech doesn't address those use cases, and so on. A summary of findings there. If the group participants can take a look at that doc and highlight issues with things they have concerns with that would be super helpful.
Richard Varn: Joined
Manu Sporny: We go into what we mean by privacy enhancing and user centric ... it's a continuing point of confusion, we list the survey, we have 43 orgs we've surveyed, etc. We list them out. That's more supporting material showing there's a desire to solve the problem.
Manu Sporny: Then interviews on page 4. We listed all experts W3C staff wanted us to interview and anything from the Credentials CG experts that want to respond.
Manu Sporny: I hate to say this but the bigger the company you're with the more weight the interview may carry; while we want to hear from small orgs, they may not be as convincing as large orgs to W3C.
Manu Sporny: The rest of the doc elaborates on things we have clear consensus on and things we don't and potential pitfalls, etc. We need to point out all the things people are worried about us messing up.
Manu Sporny: That's the shape of the VCTF final report, there will be a presentation on the Monday of the F2F meeting. We've been given 90 minutes which is a pretty large chunk of time. We need to figure out if the Web Payments IG will back our charter proposal and use cases or not. We need very clear payments use cases or they will feel that they don't have much to see there. The chairs have said they only need to see a couple of payments use cases (not a majority).
Manu Sporny: Any questions?
Manu Sporny: Do folks feel like this is the right approach or is something missing?
Brian Sletten: Do you need any assistance?
Manu Sporny: I could use all the help I could get, I'm very thin on time these days but will get it done regardless. I don't know how to parallelize the work at this point, the best idea I have is for people to go into the topics where we talk about consensus and pitfalls and then scan the interviews and make sure we aren't missing anything. In each section we need to copy and paste quotes from people or link to the interviews that raise any concerns. Looking at page six, each topic should have a paragraph summarizing what the topic is about and then referencing all the interviews related and showing quotes that show agreement or concern.
Manu Sporny: Make sense?
Brian Sletten: Yes.
Manu Sporny: At this point, if you have time, please fill out anything that isn't filled out in the document, that will really help. We were hoping to have it done this Friday but it won't be on my own, I'll get it as soon as I can, it will be done before F2F, but the more people we have the tighter we can make the message.
Brian Sletten: I'll take a look at ... I don't have more time than you but maybe we can each stay up until 2am instead of 4am :)
Manu Sporny: Sounds like a plan, a sad plan, but a plan! :)
Shane McCarron: The semi-final report
Manu Sporny: What we may do is suggest that what we do is provide the report as a draft -- that will give the IG some kind of buy in to let them change the content so if they ask us to elaborate we can do that and demonstrate our responsiveness to their desires.

Topic: Use Cases Document

Shane McCarron: So everyone is on the same page, a couple of weeks ago I offered to take lead on the use cases pulled together from various sources. Gregg and Dan, Brian assisting.
Shane McCarron: We're gathering a lot of use cases and organizing them together into a structure where similar use cases are grouped together under certain requirements. Requirement X has scenario Y and use cases. We're going to try and get a consistent editorial style over the next week and get the payment-related scenarios floated to the top of the list. For each requirement we want payment scenarios there. If there isn't a requirement related to payments (and I can't find one) we can relegate those to a "someday" pile or find a use case that does.
Shane McCarron: Any questions?
Manu Sporny: Deep thank you.
Manu Sporny: The use cases doc is in way better shape than it was two weeks ago so that's great and we've been able to circulate to people and say it's in rough shape but people have responded positively to it. Clear we have done due diligence and people have seen their own use cases in there and these are people in finance/banking. People understand it's rough but it's resonating.
Manu Sporny: Ian Jacobs has pushed back on the use cases document and said that we should focus on eight core use cases and associate a charter with that rather than shotgun a ton of use cases their way, some we can't deal with in phase I. The argument that he made for the Web Payments use cases was that we get a bunch of use cases together and then prioritize. It feels like they are asking for something different here from Web Payments Use cases, I don't know if that's because those use cases didn't work out how folks wanted or if there was push back. I know when W3C starts is to list a minor set of use cases. The problem is that they are not very descriptive of the ecosystem that the Credentials CG is trying to build and that's the point of contention... Shane, do you have any thoughts on that? We have this big document but can we paste maybe some payments ones into a Phase I doc so we can show that if they push back?
Shane McCarron: That's a strategy. We can do required and nice to have phases ... those are all ways to do it. If you wanted me to create a version of the document of Phase I and related to payments use cases ... that's trivial so that will just fall out. Are you suggesting that, when we have lots of scenarios that support a use case... are you suggesting we hide some scenarios so only payment ones are shown so it's not overwhelming?
Manu Sporny: So I don't know.
Manu Sporny: That's frustrating as an editor.
Shane McCarron: It means I get to pick and that's fine. I only heard feedback from Ian what I heard was that "don't waste your time on things that don't have to do with payments".
Shane McCarron: Lol.....
Manu Sporny: What I think Ian typically wants is to not overwhelm the membership with too much data. Whittle it down to eight use cases that resonate with the membership, make sure a couple are payments so the IG can act and make sure the charter is scoped to those use cases.
Daniel C. Burnett: I understand the value of focus, there's definitely value there. But as we've seen, recently, and actually you've seen for a long time now. There's this back and forth thing that happens. When you reduce, people will say "I can think of a way to solve this that's simpler" ... "but we have all these other use cases" ... "yeah but you didn't show me those" ... "because you didn't want to see them."
Daniel C. Burnett: If you don't understand why we're suggesting certain directions you can look at these other use cases. People can read the first eight and if they can't see justification then they can read the rest.
Shane McCarron: That's a really good point, thank you. We want to show how we're supporting a lot of things. We want to have all the data. Maybe a strategy is to have the eight or ten that are the highest priority in section three and then there's an appendix with all of the rest of the things. We are bringing all the data to the table.
Daniel C. Burnett: Yes, that's exactly what I was talking about. What Ian was asking for you don't make the entire document, it's the front of the document and then you have an appendix that's the rest of the document.
Shane McCarron: If we get pushback I'll add a button to hide the appendix.
Dave Longley: +1 To that direction!
Carla Casilli: +1 To that direction, too
Shane McCarron: +1
Stuart Sutton: +1
Manu Sporny: +1 To that direction
Manu Sporny: Ok, that sounds like our direction for the use cases.
Manu Sporny: Sounds good. Anything else on that, Shane?
Shane McCarron: Everyone who is not editing say a little prayer for us, we'll get there.
Daniel C. Burnett: The reason for this is that some people will use lack of focus to nix the work, while others will use lack of context to nix it. This provides both.
Manu Sporny: If either of you guys want to present the Deutsche Telekom work on Credentials you guys are welcome to present that to this group.
Peter Hofman: I will do that, I think the user centric approach is very much in line with what we are doing. At the moment I am just new to the group.

Topic: Draft Charter Proposal

Manu Sporny: Jorg and I have talked a lot about the work we're doing here and what you're doing and we agree there's a tremendous amount of alignment. It would just be getting everyone up to speed in this area.
Manu Sporny: We need to make a decision on the proposal pretty soon. The proposal ... we haven't been asked to provide a charter proposal but we'll do it anyway because it helps the Web Payments IG see what we're asking for, it's a solid ask. I think we're to the point where we can do solid asks and see what the team and IG thinks. We're having trouble formulating what the solid ask is for however, ... through the interviews we asked if the problem was in data models or formats, like how to express digital credentials like drivers license, debt obligations, whatever. What's the data model and format to do that, how do you do that online ... OR is the focus on how to issue, request, and transmit the credentials? If we split the work up like that can they be independent; can you do one and then the other? The current charter is about getting the data model and format down ... and talk about how to express a claim and get it nicely locked down. Then the vision is to work on the protocol. How do you move those around on the Web and internet that is private, secure, easy, etc. First group just wants to work on the data model and data format, don't work on protocol. The other group of folks says don't just work on the data model and format, because until you can move things around you don't have a healthy ecosystem. If you don't specify the ecosystem you may actually do damage because you won't have interop.
Manu Sporny: Does anyone have strong feelings one way or another for what to put in the charter? If we make it too big, it sounds like it will take many years to do ... they will be less prone to do the work.
Dave Longley: I feel like if we don't cover both of these things, we'll get pushback from one of the two groups - data format is not important, if all you're going to do is data format, don't bother. [scribe assist by Manu Sporny]
Carla Casilli: How might the data model work tie into the CTI work?
Dave Longley: Others feel that data format is really important and we shouldn't do protocol yet. [scribe assist by Manu Sporny]
Dave Longley: Some might find that there is nothing for them to work on. We can try to limit the scope in a number of ways. [scribe assist by Manu Sporny]
Dave Longley: We could focus on doing only the browser API - make it clear that work should be done at W3C - disadvantage of not having HTTP API. So, that might give us limited scope to get something done. [scribe assist by Manu Sporny]
Dave Longley: The other thing we can do is to be clear about providing simple means to store information in the browser and share it via the browser - we don't try to do anything other than that. If we keep it limited to that - we need a format for the data and we need to have the simplest version of the ecosystem. [scribe assist by Manu Sporny]
Shane McCarron: +1 For browser api - sharing / storing; need callout to ensure that third party apps can do it
Manu Sporny: Here's my primary concern with that approach -- we have zero browser vendors joining the calls and a few of them disagree with the approach we're taking. Mike West, for example, is skeptical of the work and Richard Barnes of Mozilla ... and Brad Hill from Facebook. If we proposed a browser API without vendors behind it, I'm pretty strongly convinced it won't happen because we've gone through this in the Web Payments group ... we proposed an API and there was ignoring/rejection of that. It does no good to propose a browser API with no vendors behind it.
Dave Longley: My response would be - yes, Mike West is skeptical - but there is already a Credential Management API that we intend to try to extend. We already got Mike West to say in that spec, that the Credentials CG intended to extend the spec and do some other things. We could point to it and say this is what we're doing. So, we can build polyfills on top of that, I think we have some of that groundwork where we might otherwise be starting entirely from scratch. [scribe assist by Manu Sporny]
Shane McCarron: Longley, I don't disagree, we have a hook. Maybe we don't want to use the hook or the hook is broken. We have some sort of existing W3C browser API. I would also note there is some Web Authentication activity, I don't know how it dovetails with what we've been doing.
Manu Sporny: I'll put him back on the queue, hopefully he'll reconnect.
Shane McCarron: Wow I was super eloquent
Manu Sporny: It doesn't have any overlap as far as we can tell, the Web Authentication WG is not allowed to work on multi-origin credentials or federated identity.
Manu Sporny: That's effectively what we're working on.
Manu Sporny: So we're what's "out of scope" for that WG.
Shane McCarron: Perfect
Richard Varn: Add Varn to queue
Manu Sporny: We still do not have a browser saying "we will back this" and without that I don't think we can get anywhere. I think Mike West and the Google folks are saying "We'd be interested in seeing a proposal and we'll think about it once it's on the table ..." but I think once we say that they'll say "this API was never intended to work that way, you should build on something else." and as a result we're completely stonewalled.
Daniel C. Burnett: +1 I've had that experience in multiple groups. If you need anything implemented by browsers and they aren't participating, it won't happen. I agree Manu's concern is a major one and we don't want to go down a road that ends up with no implementations.
Carla Casilli: +1 To what Richard is saying. The combination of use cases is the complexity that extends beyond what edu wants right now.
Richard Varn: I was going to add that we always run into a danger that we have a scope so large that it swallows discussion. The education community is involved because they want to exchange credentials, discover them, etc. The protocol as you're describing it, no one really cares what it is in that use case world, they just want it to work, and one or more of them to plug into the data to build a trust model around it that's adequate to its use. If we can express that without trying to cover every area of interest here ... if we can cover some areas in how to format or express these credentials then that's the unique contribution we can make. The other thing I see is the Web Auth WG has our stuff out of scope so they will be helpful and so will the Web Payments group, so I'm trying to make sure we make a contribution that is unique and link it to shared contributions and I'm not sure how to do that.
Manu Sporny: The answer to Carla's question is that it's the same way this work ties into other credentialing initiatives. They all need a data model and format to express this stuff in an interop/verifiable way. It sounds like the bare minimum we could do is do just that. We can say we know we're going to need a protocol in the future but we don't have browser buy in yet. The protocol stuff is somewhat controversial because it seems like we're trying to boil the ocean there and all we're left with is data model and data format. The hope is that we can through that in a year's time. We're already working with Badge Alliance, CTI to pull that stuff together and we can bring that into the working group and in a year we can build a case to having a browser API. After hearing some of the input I think the thing that everyone seems to have in common right now is a common way to express these claims and make sure they are verifiable. When it comes to browser API then people start fragmenting and we can't say we have consensus on those things. That just comes down to let's work on data model and format in the charter until we get consensus and buy in on browser API.
Carla Casilli: :)
Shane McCarron: I understand what you're saying Manu with "gets some points on the board" if you will. If the group agrees with the direction you're pushing for, do you want us to push use cases that aren't protocol related to go up to Phase I?
Manu Sporny: Ian has pushed back on phases and said just talk about a charter ... to be clear I think the answer to your question is "yes", meaning we'll want to put something to the order of "phase I/phase II" or "VC Data Format WG" and "VC Protocol WG".
Manu Sporny: And stage it.
Manu Sporny: I think we all want data model/format and protocol to be done. That's when it has a tremendous amount of value to us.
Manu Sporny: I'm finding it difficult to put the protocol stuff in there because we already know W3C management will push back hard on it. If so, it's hard to get it in front of the membership, which means giving them something they think they can sell.
Shane McCarron: (Personally) Just because there are political impediments to doing something doesn't mean we should not try.
Carla Casilli: Bleak!
Shane McCarron: ShaneM tells a story about flies.
Victoriano Giralt: EDU (from my point of view Unis and governmental bodies issuing credentials like degrees)
Victoriano Giralt: At this moment are happy using "off line" transports
Victoriano Giralt: For that I mean not in the browser
Shane McCarron: I don't know what benefit we'll get out of defining a format without a protocol. It's like defining a header file with no implementation.
Victoriano Giralt: As much as I would like to have a browser API, if that is a problem, we would be happy with a datamodel
Victoriano Giralt: We can use other protocols
Victoriano Giralt: EOT
Daniel C. Burnett: I understand Shane's concern quite a bit. Sometimes you can't properly do one piece without understanding what the other piece will look like. I will say that all standards work that has been successful has been effectively staged. There's a certain mass of people that want to do one thing or a set of things and then you decide to do that and then say there's stuff you want to do afterwards. Everyone will participate in phase I and if there are enough then phase II will happen. Eventually you won't have enough people. It's always a question of where you draw that line. Ideally you don't have to draw that line, but sometimes you can say "Here's part one" and once that's done if there's enough demand for it, you'll get to part two. Politically, that's the only way to get work done.
Victoriano Giralt: * I wish I could have heard the flies story :-)
Shane McCarron: I don't think that I would find a working group argument compelling as an AC member if there weren't going to be a usable output.
Peter Hofman: I think we should try and reach for more in the work, that's my view.
Manu Sporny: At the end of a data model and format ... we'll have something useful out of it. We'll be able to express these verifiable claims and some people have said that a transport layer could be OpenID Connect or maybe it's something else. The trap we can fall into ... we have a protocol in Credentials CG, but it requires us to solve a self-sovereign identifier problem w/a WebDHT tech. That's not trivial to address. That's a concern with trying to do the protocol work.
Manu Sporny: I'm not convinced we can do that in two years, not enough people and funding.
Manu Sporny: We can pull off data model and format.
John Tibbetts: I do think there's value in data format, sort of moving in the direction of JWTs. I'm wondering if the dynamic side of it that's realized in an API if that couldn't be expressed more non-specifically. Like talking about the kinds of required interactions we need to have work without getting into the exact protocols. We want to have some dynamic expressed but could we do it abstractly or diagrammatically?
Manu Sporny: Yes, I think we can do that. The question is... does this group feel like we should just do data format, etc. first.
John Tibbetts: +1 To push call back
Manu Sporny: We're past time, next week I won't be here so we can have someone else run it or we can push it off to Thurs/Fri to make sure we have all the docs ready.
Shane McCarron: I can live with just formats and model. But if there were example APIs or something that might be useful.
Manu Sporny: I'll send an email about potentially pushing it off.