The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-02-12

Dave Longley is scribing.
Manu Sporny: We wanted to start off getting some background from each of you and how you got involved with CTI, etc.
Manu Sporny: We'd like to know your perspective.
Manu Sporny: We'll add something to the agenda to talk about what CTI is trying to do as well and then we'll get into the full discussion.

Topic: Background on Jeanne, Bob, and the Credentials Transparency Initiative

Bob Sheets: I'm a research professor at GW Institute of Public Policy, in addition to this project, I've been working for quite a few years, what is the necessary data structure for the credential marketplace that improves transparency and efficiency in the greater marketplace and how you exchange information in credential issuers, holders, [missed] -- I've laid out five different building blocks ... we want to make it clear what credentials look like and how they issue and provide information about credential holders and organizations.
Jeanne Kitchens: I'm Jeanne Kitchens [missed] Director at Southern Illinois -- I've worked with Bob on many projects, building on a bigger national picture not just focusing on it in the state of Illinois.
Manu Sporny: If you could give us background on CTI and Lumina that would be good.
Bob Sheets: We are just one of many projects that are being funded by Lumina Foundation and their partners to address how we improve the transparency in the credentialing marketplace including how we more clearly define the connections between credentials. The credentialing marketplace around the world is becoming much more complex than it was historically with many different types of creds and ways for individuals to say they have creds through many different platforms not just transcripts for example. We are focused on how do we have infrastructure to allow any cred org to make any comparable info about their creds available to the open marketplace and how to declare relationships between their creds and others as part of that process.
Jeanne Kitchens: The problem is the maze of credentials that are currently out there the variety of types the confusion around what is defined and what a credential is... the project is around developing the meta data infrastructure, we say that it must conform to the W3C spec for semantic metadata. Our hope is for this to continue on past the project.
Manu Sporny: So why the need for a metadata standard? What mechanisms are used today ... you said many different creds today and ways to get them and display them, why is that not good enough? Why do we need a metadata standard, isn't existing tech good enough?
Bob Sheets: In one way, we've had existing metadata structures for narrow bands of traditional creds that have common language and vocab to describe themselves, but the cred marketplace now is seeing much more other types of creds that can't be described in the existing vocabs commonly used and the common currency among creds is moving towards competencies and these haven't been historically represented in a common way even with common creds. We need to develop a vocab that is much more generalized so we can use a consistent vocab to describe the creds. There are certain aspects of creds that are becoming more apparent, including statements about what people should be able to hold and do when holding a cred.
Manu Sporny: Is the problem only in vocabulary, once you figure that out, will that solve the problem or are there other tech gaps that CTI is looking at right now?
Bob Sheets: I think we also have a situation where people make assertions about each other and third parties make assertions about each other ... and we need to make them available.
Jeanne Kitchens: Speaking from the project perspective, one clear deliverable is the metadata infrastructure, another is a credential registry that will utilize that infrastructure as an intermediate step, one reason we think this will show value-add with this shared vocab ... we have to do it through a means to store the data. Currently it would be impossible to get all this information to grab it from hundreds of websites.
Bob Sheets: We're working up use cases ... for example, when an individual has a resume and makes an assertion about a credential they hold, historically many employers want to go back and find out what's behind that. The cred org that issued that won't maintain information on it or may not even be around.
Bob Sheets: Imagine where someone has a degree in CS from 1976. We don't have a way for people on the Web to discover and verify what that cred holder is asserting. That info isn't readily available and consistently available. Especially when we have cred orgs that don't have sufficient version control or they may not even be in existence.

Topic: Problem Statement

Manu Sporny: Ok, so we've got background and information about CTI. So now we're going to shift focus to the VCTF.
Manu Sporny: [Points out problem statement]
Manu Sporny: One of the most important things we do in pre-standardization work is figure out if there's agreement on the problem first before trying to solve it. We've talked to 43 different orgs in healthcare, education, gov't, technology, we've interviewed with 12+ people that are experts involved in credentialing initiatives, etc. We're looking to see whether or not you agree with the problem statement, your general thoughts on it, etc.
Manu Sporny: Of the mechanisms that exist today where you can express a credential in a digital form on the Web, they tend to be service-centric instead of user-centric. The distinction being who has control over where the data is stored. You can think of a service-centric system you can think of data being tightly coupled to those services. And when you send your data those services necessarily know where you're sending it. If you stored your creds at Google/Facebook/Whatever they would know where you are applying for a job or you're in legal trouble or whatever, so on, not a privacy-protecting system. Alternatively, in a user centric system, whenever a credential is issued it is issued to the credential holder. They take it and store it wherever they want to. They could, for example, store it on Google/Facebook/Whatever, or in their corporate environment, their university, their mobile phone, a server in their house, they choose where they want to store it. That doesn't mean the issuer can't revoke the credential, for example, if a university determined someone cheated/there was a mistake the credential can still be revoked.
Manu Sporny: Does that make sense?
Bob Sheets: Yeah, a lot of sense.
Jeanne Kitchens: Yes.
Manu Sporny: The assertion we're making is that there is no user-centric standard for verifiable claims and the user isn't in control of this information today (or independent of services). Today there are credentials but services are the middle party and everything flows through them. The other issue there is that a lot of the credentials are stored at that digital identity provider.
Manu Sporny: This has knock on effects like vendor lock in, etc.
Manu Sporny: A variety of other issues arise, your identities are tied very strongly to one service without losing your identity in the process.
Dave Longley: I'm going to also offer up another way to look at user-centric vs. service-centric - service centric is mike@google or mike@facebook... whereas user-centric is just mike, and you can take that wherever you want. [scribe assist by Manu Sporny]
Manu Sporny: As far as the problem statement, we're basically saying that it's very difficult to assert qualifications today. It's difficult to do the equivalent of reaching into your wallet and pull out your driver's license. Hard to do on the Web today. You're also forced to pick certain "wallets" on the Web and once you've picked them, you're locked into those "wallets". You can't move your credentials around.
Manu Sporny: Does that make sense? Would you frame the problem this way or another way?
Bob Sheets: I was thinking the only thing I'm seeing now ... not in the generic sense you're talking about. In our world, the credentialing world, there's a big debate now over this question the context of those people who historically provided different credentials for people like transcript services. Then the question becomes what if the student wants to hold that transcript and then a university doesn't own the statements and it's contributing to someone else. That's an idea ... it's created a lot of discussion "how would all this work?" I'm suggesting for communicating into our world an example would be that.
Manu Sporny: Great, that's very helpful.
Manu Sporny: The fundamental notion for this work is we want a rich and vibrant ecosystem for thousands of different issuers, consumers, storage locations, etc. It's up to the credential holder to decide where to store their credentials. We're not trying to push any particular control model over those credentials; it's perfectly viable for a university to issue a credential and let a person carry it around but they can still revoke it. You can also hand people credentials and say they won't be revoked. No particular control model there, we're just trying to create an interoperable ecosystem with options and the mechanism used to represent and exchange credentials is the same regardless of industry.
Bob Sheets: You've mentioned all the different orgs you've brought this forward to. This would be very interesting to the standards bodies that deal with the HR systems that deal with employers, etc.
Manu Sporny: Yes, we are talking. The HR folks "we would love to consume these credentials, who will start generating them?" Then you got to the universities, some are on board, but others will ask "Ok, who will start consuming them?" And we point at HR systems.
Bob Sheets: What I'm saying is they are trying to consume old credentials now and have a hard problem. They are trying to push them into applicant tracking systems and there are a lot of problems they have now. My suggestion is ... it's not that they aren't trying to consume now.
Manu Sporny: What would you say are some of the problems with getting existing credentials into these tracking systems?

Topic: Data Format

Bob Sheets: In a non-technical way, many employers are getting three million applications and a lot of times they are trying to figure out how to parse out a resume that should be like a database ... and how do I parse out a resume into my data fields for screening on eligibility. Sometimes those conditions would be like age, something about work history, minimal credential health, etc. They need to be able to parse that into an infrastructure they can use, so many times they make applicants fill out a structured form online.
Bob Sheets: That can make sense for small employers and 20-30 applicants, but the Web allows people to apply for hundreds of jobs and then people say "Just attach your resume and transcript". You can't immediately get that into a data structure or data base.
Manu Sporny: Yes, that's a data modeling and data format problem. We're asserting there is no standard data model or format that you could put a credential into today that IBM/Oracle or a small software vendor could build something around.
Bob Sheets: In the old credential world that's a problem that's not resolved, in the new credential world we have things called competencies that add a level of complexities that overwhelms the old problem that still hasn't been solved.
Manu Sporny: Jeanne you said you're looking at W3C tech to solve this problem, which techs and how far along are you?

Topic: Technical Advisory Committee on Metadata

Jeanne Kitchens: We have a tech advisory committee and tech advisor and we're working through that process and looking at the domain model and figuring out the properties and vocab to fully describe the credentials, I can't give you a percentage on how far along we are but we have that information available to the public on our website. We have placeholders for the infrastructure and what that design looks like.
Manu Sporny: Do you have a link to that?
Jeanne Kitchens: Sure, one moment.
Manu Sporny: Bob, what do you see as the ideal ecosystem here? If CTI's successful and there's a set of technologies in place, what do you see as the future?
Bob Sheets: I'm really excited about what you are all doing because you're dealing with a related problem that we all have. What we're trying to address is to allow any cred org to clearly say when someone holds my cred, an individual, these are the cred requirements that they met to hold it. That declaration is in version control allowing them to say that when I awarded creds during a time period and actually no one can do and they had other requirements. And they are issuing creds in a way that provides an authN service and... certain creds are time limited sometimes and other cases they aren't. This infrastructure would allow any credentialing org to publish on the Web comparing information about those declarations and make links to other types. We need others like you all to figure out the solutions around what you're describing is a service for individuals to hold a variety of creds that they can make available to employers, other cred orgs, or any other sort of users. We see this as a necessarily, complementary development to what we're trying to do.
Manu Sporny: I'm trying to give the W3C membership an idea of what you're doing. It looks like you're using Linked Data with some prototypes and examples in JSON-LD.
Jeanne Kitchens: Yes.
Bob Sheets: Yes.
Jeanne Kitchens: There are some examples and viewers on the website.
Manu Sporny: Linked Data properties viewer:
Jeanne Kitchens: In step three, under description, that's where you'd see the evolving Linked Data format.
Manu Sporny: Ok, this will help us demonstrate that CTI is looking at W3C technology.

Topic: Need for Credentials Technology

Manu Sporny: If we were not able to get this work started, how would that impact the work you're trying to do? We're talking about a cred ecosystem, that can issue credentials, store them at cred holder's choice, and then a credential consumer like an HR department could technically request a set of creds from someone and get them in a machine readable format. If the membership votes down this proposal, what would the effect be on your initiative?
Bob Sheets: We would have a hard time because it's part of a three legged stool. We need to have the cred orgs publish comparable info in the marketplace, we need individuals to be able to communicate claims and send to their employers, etc. If someone doesn't address the problems you're dealing with on your leg that would be a problem ... if someone isn't working on the individual side of this and how the information is held and communicated in the marketplace that is one building block of the cred marketplace that isn't being addressed and we hope you all do it.
Bob Sheets: Think about this on the employer side. I'm not just dealing with things a cred org would give to an individual, employers want a variety of other things like citizenship, and other things an individual is attesting they are that go along with the cred info we're talking about, which is why I like what you're doing.
Bob Sheets: It all needs to be handled in the same way.
Manu Sporny: Yes, that's what we're proposing, the way all of these credentials would be handled in the same way. We have some CG technical proposals showing how that can be done.
Bob Sheets: That's why I love the power of your guys' vision because it needs to be handled in the same way.
Manu Sporny: There's currently some back and forth going on with what the technical work might be. There are two views, all at once and a phased approach. Phased approach would be first, figure out the data model and format for expressing these credentials. There are orgs saying that should be easy and we can get it done in a year and let's focus on that. How the creds flow around the ecosystem can wait. Another camp says we need that, but without a protocol for saying how you transmit these credentials around (request creds, store them, etc.) then it's not good enough. The question is should we phase this work or have it done all in one go? Would it be worthwhile to focus on the data model and data format and determine how to express this from a technical format, or do you feel like just expressing them isn't enough?
Jeanne Kitchens: I'm not sure how to answer that, but I understand the question.
Bob Sheets: Same here. I know one thing that keeps coming up ... question we keep getting is what are the protocols for controlling the information by the issuers of the credentials. That is the biggest deal, most cred orgs ... I'm constantly being asked about authentication services and maintaining my brand in the marketplace. That gets at protocols. My worry is that to introduce it to people that we deal with that aren't the technical people ... the people who would have to buy on as stakeholders if you don't convince people you've given sufficient thought to the protocols you may get some resistance.
Manu Sporny: The resistance is primarily around "can we take baby steps to try and address this issue or can we not see any benefit until we see both data model+format and protocol in place?"
Bob Sheets: If you had just laid out what the questions are on the protocol that need to be addressed, that would give people more confidence that it's been scoped out sufficiently.
Manu Sporny: Ok, that's helpful. From both of your standpoints, would it be better to do data format+model and protocol together or can we wait a couple years to do the data format+model and then wait to get the protocol done after trying it out in the marketplace?
Bob Sheets: I have a hard time addressing that question, whatever it takes to get your group started and on the map and doing work the better. I would urge the group start up and get a center of gravity because it would bring coordination that won't be fruitful without a stake in the ground. That would be wonderful as soon as possible.
Manu Sporny: Thanks, very helpful. This question we ask more to the more technical people, but do you have any opinions on which standards bodies should be involved? We're proposing W3C could do some work and IMSGlobal is participating with the task force.
Bob Sheets: I would suggest look at [missed] whether they'd be a good partner. You may have to interview them.
Bob Sheets: What I'd like to do ... We're trying to coordinate with all these different standards groups. I'll be attending the HR consortium meeting in March, I'll know more then I'd be more than happy to connect with them in this space.
Manu Sporny: That would be fantastic. We need connections in that space.
Bob Sheets: I'll be talking with them in the middle of March I'll send information or suggest connections after that.
Manu Sporny: Thank you very much for that.
Manu Sporny: We've gone through many of the things we wanted to cover today, now that you have a bit more of an idea of what we're trying to do... If we're able to get a W3C WG to work on this, ... once they are chartered the group could produce an international recommendation for how to express credentials/potentially a protocol, do you have any other ideas or concerns about that space? Maybe about how difficult it is to deploy that stuff, business models, etc.?
Bob Sheets: No reservations at all. As long as you are coordinating with IMS Global, etc. in this space, it's really important work and if W3C can coordinate related initiatives in this work that would be very valuable.
Manu Sporny: To put a finer point on it, whatever CTI ends up creating, you've got a registry and this is what these credentials mean, one of the use cases we're going to be putting in here would be that you could take something from the CTI registry and issue a digital credential that someone can store someone using this W3C technology. That's the kind of coordination we kind of see 6-18 months down the road. Are both of you under the same impression?
Bob Sheets: Yes, exactly I'm real excited. Because of the importance of having that connection, especially on authentication services, that is such a critical connection.
Manu Sporny: Anything else for the interview today?
Bob Sheets: How do we keep in contact w/ where you're at?
Manu Sporny: Jeanne has my email address, there's a VCTF page showing the meetings, all recorded and transcribed. There's also a Credentials CG I recommend people from CTI join, we do have some people already joining VCTF, such as Stuart Sutton who is fantastic and knows what's going on.
Bob Sheets: That's wonderful. As long as Stuart and Jeanne are connected that's wonderful.
Manu Sporny: Thank you, Jeanne and Bob, we really appreciate you taking the time and talking about CTI, etc. We will publish these minutes publicly within the next day or two and we'll give you a link to the final report on these interviews (probably around end of this month). We'd like to get a WG started up if we can convince 300+ companies. :)