The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-07-19

Nate Otto is scribing.
Manu Sporny: On the Agenda today: Dissenting opinions have become public on the verifiable claims stuff; Some discussion on JOSE/JWT; Verifiable Claims Working Group F2F agenda prepping for success if it's approved; Any other business, including how we might coordinate with rebooting web of trust workshop and Internet Identity Workshop.
Manu Sporny: Any updates/ changes to the agenda?

Topic: Review All Dissenting Opinions

Manu Sporny: The good news as of two weeks ago was that Web Payments IG decided to push VCTF charter / entire proposal onto W3C Management to approve and send to W3C membership for a vote
Manu Sporny: IG Passed it almost unanimously; there were three dissenting opinions
Manu Sporny: One came from Microsoft, strong; One came from Google, not as strong, around process/incubation; 3rd one came from W3C Staff that they couldn't support the charter as is.
Manu Sporny: Now that the minutes are public we can talk more about each company's objection
Manu Sporny: Microsoft: Mike Champion said MS's opinion is that the work is unnecessarily, overlaps too heavily with JOSE/JWT work; There are plenty of ways to express claims out there.
Manu Sporny: This was repeated at the blockchains/identity workshop where several MS employees expressed they hadn't heard from any of their clients that this was necessary. They expect industry verticals to figure out making claims work across those verticals instead of standardization.
Manu Sporny: There were also a few process concerns about whether this was incubated long enough and had enough cross-pollenation with JWT work.
Manu Sporny: This opinion is not unversally held across the Microsoft organization. But the people who are speaking up against the work have been heavily involved in JOSE/JWT work.
Manu Sporny: Any questions on MS's position?
Drummond Reed: Is there a particular opponent at Microsoft we should be aware of?
Manu Sporny: I think most of this is coming from Anthony Natalin (sp)? Mike Champion is largely repeating his concerns.
Manu Sporny: We are trying to set up a call with Anthony to see if we can get around this objection.
Manu Sporny: Mainly, what they're saying: whatever you build, you should just build it on top of JOSE/JWT
Erik Anderson: JOSE/JWT doesnt support linked data. It must all be embedded in the JWT.
Manu Sporny: And just build it for the education sector, because that's who we have in the group
Manu Sporny: As Erik has pointed out, JWT isn't a perfect fit with Linked Data. Some financial services organizations and others in non-education verticals are pushing for a non-JWT solution
Manu Sporny: Also, you can use JOSE/JWT in the suggested spec, it's up to an industry vertical about what they want to use
Drummond Reed: I'm surprised, because when I met with Kim Cameron (sp), sounds like there was support within Microsoft
Manu Sporny: Sounds like Mike is unaware of Kim's position on this
Manu Sporny: We should get them talking to one another; this might be enough to remove Microsoft's objection to the work
Dan Burnett: There is in all cases working with technology, there is a difference between a technology and a solution that uses a technology. JWT is a technology, it's not the solution that we need. It's one possible grammar that can be used in a solution.
Dave Longley: For people's information: our spec shows an example using JSON-LD (Example 3) and an example using JWT (Example 4) -- here:
Manu Sporny: Any other questions about Microsoft before moving on to Google?
Manu Sporny: Google
Manu Sporny: Google agreed more or less with what Microsoft said, but didn't rehash any of it, so we don't know the degree to which they hold those opinions.
Manu Sporny: Chris ___ was speaking for Google.
Dan Burnett: Michael said this too, that we don't have "real skin in the game from the members who would have to implement and use the resulting specs"
Manu Sporny: Chris felt the work needed to be incubated more. He felt that we don't have enough variation in members outside of education who want to see the work happen. Education is primarily the group we should focus on; if that solution works, we should expand to other sectors (finance, healthcare) after getting more members from those setors.
Manu Sporny: It was a bit confusing why Chris felt there wasn't support in financial services sector because this was being considered in the Web Payments IG.
Manu Sporny: Other objection -- we haven't incubated this work enough. We asked twice "how much incubation is enough". there was no solid answer. More "we'll know it when we see it" not "once you have this deployed in three companies for 10000 people"
Manu Sporny: We did note that the most approved charter in W3C history was the Web Payments IG which had been incubated for 4 years, which was opposed by Google and Microsoft, and was called by them an example of work that began too soon. If that doesn't meet the bar for incubation, what does?
Manu Sporny: My guess is that most of it might boil down to Google wasn't involved in the incubation, so it wasn't incubated long enough. Problem: they don't want to be involved in the work because it exposes them to patent concerns and issues. Google and Microsoft didn't form the Web Payments work until the WG formed -- or maybe only just before at the very end of the IG phase.
Manu Sporny: In any case, it seemed a lot of their posiiton was "why weren't we consulted" -- when they were consulted and didn't respond. Google did have the opinion that the work was important and they wanted it to continue.
Manu Sporny: Google wasn't taking a hard-line stance as Microsoft
Manu Sporny: Apple, who we weren't expecting to weigh in, was very supportive of taking the work to a W3C vote.
Manu Sporny: Any questions on Google?
Manu Sporny: The other organizations who voted in favor was mostly everyone in the room.
Manu Sporny: The people who have participated in the IG and the VCTF were +1 to move the work forward
Manu Sporny: The work over the next month will be chasing down people at Google and Microsoft to see if there's any room for negotiation
Drummond Reed: I'll try to make the connection between Mike and Kim; no promises.

Topic: JOSE / JWT Clarification/Analysis

Manu Sporny: We have a seciton in the spec now that talks about expressing verifiable claims as a JWT
Manu Sporny: Scroll down in the above link to Example number 4.
Dave Longley: The Linked Data signatures example is Example number 3.
Dave Longley: (Right above 4)
Manu Sporny: Over the next month or two, we need to be very clear about the reasons some organizations are exploring LD signatures over JWT. Try to stay as agnostic as possible in the working group. "If you want to use LD Signatures, here's how you sign a claim" "If you want to use JWT this is how you sign a claim"
Manu Sporny: We've been looking at JWT for a number of years, have discovered some issues that have caused us to move away from it.
Manu Sporny: Background: JWT is a base64 encoded blob -- you can't see the content unless you decode it
Dave Longley: Potentially a problem or limitation for public credentials
Manu Sporny: Orgs like CTI want to be able to publish credential templates to the web and have them be searchable, picked up by search crawlers. It's not impossible.
Shane McCarron: Also important for things like Coupons and search engines... model is so well understood by the industry now I am loathe to try to turn that boat
Manu Sporny: JWT must be base64 encoded because whitespace matters, where it doesn't for Linked Data signatures.
Manu Sporny: We expect JWT to be a point of contention throughout the work. The more people who are tuned into why this is a point of contention, the better. We don't want folks in this group to go into the discussion completely unaware of the tradeoffs.
Dan Burnett: Specifically about the example as well - It would be nice to include what the public key is so people can verify the signature. Other thing is that you used RS256 algorithm, which is the most widespread, but IETF is working very hard to encourage public posted examples to use stronger encryption. Can we use EC256 or one of the EC variants instead?
Dave Longley: Stronger really meaning "more efficient" in this case (or perhaps predicted to have a longer lifespan)
Dan Burnett: We may never be in a position in a spec to recommend specific algorithms, but even in the case of having examples, it's good to have the examples do what you expect people to do, because newbies often use those as a clue about what algorithm to pick.
Manu Sporny: Point taken, we should upgrade to ES256.
Dave Longley: K1
Manu Sporny: Other points -- there is concern about NSA backdooring into some of the curves -- Bitcoin community is particularly concerned about that. There's no Sec256k1 (sp) implementation for JWT that I know of as well. These are all kind of concerns we should raise as issue markers. If we use something like ES256, we could say "some people are concerned about NSA backdooring of these algorithms; if you have those concerns you can use another"
Dave Longley: Bitcoin uses "secp256k1" and the Web crypto API only supports "secp256r1"
Dave Longley: The latter having some NSA backdoor suspicions
Dan Burnett: Ah, so you had equally valid concerns going in a different direction. If you look at ___ there's a note that says "watch this space because we may need to upgrade to something else". We just want to show whatever the best up-to-date recommendations are, whatever they end up being.
Manu Sporny: We're looking at a bunch of rapidly evolving parts of the signatures space. Good point. This is up to the proposed working group to decide, if any recommendation. We may say "look at this other page for the most up to date recommendation because the lifetime of anything we could use right now is short"
Manu Sporny: The other ask of the group is please participate in this work, either doing a review of the paper or putting your thoughts in.
Manu Sporny: Please insert link to which paper you would like people to view here in the log.
David Ezell: (Right) - we've talked about a number of things, like web couponing. Having this data structured so that people can find it is very important.
Dave Longley: S/dlongley?/Shane
Shane McCarron: I understand the advantages of JWT and why people feel strongly about it; but my opinion is it's not great embedding in content
Nate Otto: My question - been digging into signature mechanisms - Linked Data Signature might work very well for OpenBadges stuff, primarily because it is good at being embedded at different levels. For the purposes of this document, should we be actively identifying parts where JWT are problematic? [scribe assist by Manu Sporny]
Manu Sporny: Probably not in this document, but in the analysis document, we'll want to do that.
Manu Sporny: This analysis doc we're putting together will contain all the reasons to use LD Signatures or JWT, and what you're talking about would be super helpful.
Manu Sporny: We'll likely start out with a google doc, stay tuned for the link
Nate Otto: Google docs is cool, but terrible for code -- found this other one that is pretty cool for editing code in markdown:
Shane McCarron: Apropos of nothing - check out this for shared editing and annotation:
Manu Sporny: Linked Data Signatures was called Secure Messaging back in 2013, we did an analysis:
Manu Sporny: We put out this blog post where we went through and documented the current state of the JOSE stack talking about the benefits and drawbacks. Put this in as input to the JOSE WG as concerns, and we did not get a response from the group, nothing significant beyond "yeah we're looking into it"
Manu Sporny: None of the specs were changed as result to input -- particularly because we were asking for big changes, and they were at the end of the standardization process.

Topic: Verifiable Claims Face-to-Face Agenda

Manu Sporny: This topic comes with a huge caveat: There is no such thing as the VCWG
Manu Sporny: We are currently chatting with W3C staff/mgmt to see how the proposal can be put forward to W3C membership for a vote. We're effectively in a holding pattern for W3C management for changes they would like to see made to the charter.
Manu Sporny: Wendy Seltzer is the point person on this, currently engaged at IETF in Berlin this week, so we don't expect quick response. We've already discussed this in this group, so we'll likely be able to respond very quickly to what she says.
Manu Sporny: Then it's up to W3C management to put it up for a vote. W3C management felt it was unlkely to get a vote closed by TPAC, but we might get the vote open by TPAC. we're talking about getting some space in the Web Payments IG
Manu Sporny: This is a link for a proposed full day agenda, but we're likely to want to propose a half day agenda as well
Manu Sporny: Waiting for W3C management to provide feedback on what type of charter would mostly likely be able go through a W3C membership vote.
Manu Sporny: It's hard to plan travel on this short notice. Today would be about 8 weeks which is the minimum.
Manu Sporny: We may be asking folks to join the W3C and plan make the travel to TPAC in the near term if we can get the time on the schedule, and our schedule ask will depend on who can come.
Manu Sporny: The agenda draft goes from 8:30 to 5:30/6pm. There's a space for comments/brainstorming at the bottom of that page. Please make comments and things of that nature. We'll probably extend this page to also prototype half-day or two-day agendas as well.
Manu Sporny: Any questions or concerns about the agenda?
Dan Burnett: Agenda looks good
Shane McCarron: We could just organize a meeting on the Sunday ;-)
Manu Sporny: Alright, I think that's the end of our official call agenda.
Manu Sporny: ... Shane, that is true; that's definitely a very interesting option.
Manu Sporny: Would there be folks who could show up to TPAC a day early for a VC meeting?
Dan Burnett: Definitely yes
Richard Varn: I cannot. i am on vacation that weekend
Manu Sporny: Might have to change my flight
Shane McCarron: I was sort of joking, but if you feel like it's good, we could do a quick 2-day survey or something.
Shane McCarron: Mid-October
Manu Sporny: Other option would be to link it in with Internet Identity Workshop
Drummond Reed: +1 To linking it in with the Internet Identity Workshop

Topic: Coordinating with Other Workshops

Manu Sporny: Internet Identity workshop 25th-27 October, Mtn View
Gregg Kellogg: +1 To IIW
Nate Otto: I'm conflicted on that date, we have ePIC in Bologna and MozFest in London that week for the Open Badges community. Heavy conference season.
Richard Varn: Educause in in Anaheim October 25-28
Manu Sporny: That might not be a bad idea; we could pick up a number of people from there, at least as observers- might be a good way to kick off a first face-to-face.
Richard Varn: Send out a survey
Manu Sporny: Drummond, do you think we could colocate at IW
Drummond Reed: ___ Is always looking for ways to make colocations like that happen; High possibility.
Dan Burnett: When is iiw?
Manu Sporny: Will reach out to you, Phil, and IIW folks.
Dan Burnett: Oh
Manu Sporny: There's a blockchain/healthcare workshop in MD in end of September, then immediately after is Rebooting Web of Trust Workshop. Clearly we want a verifiable claims thread through all of those. We want to keep people up to date on what's going on.
Manu Sporny: Clearly some of us are going to miss each of these events. Kind of an open question to folks: think about opportunities to weave VC stuff in with these identity conferences you're going to. If you get a bright idea on a good way to colocate, let us know.
Manu Sporny: Thanks. Any other thoughts on coordinating with other conferences?
Nate Otto: EPIC (internet and Identity conference -- very small, probably not the right people, but they'd be very open to colocating in Bologna end of October) -- the other end of october options might be more attractive.
Manu Sporny: It's very unlikely for people to be able to commit to travel to TPAC, so it's my hope that we can use TPAC to circulate charter, but not likely to be able to get the orgs that really want to participate to TPAC
Nate Otto: BA will not pay for W3C membership until this charter is approved to hold it over their heads, so a non-TPAC F2F would be more ideal for me.
Manu Sporny: Anything else?
Manu Sporny: That's it for the call. We will meet again next week if we have made progress on the JWT analysis.