The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group


Verifiable Claims Telecon

Minutes for 2016-08-16

Dave Longley is scribing.
Manu goes over agenda.
Manu Sporny: We have a new participant in the group joining for the first time today from KouponMedia.
Manu Sporny: We had a nice meeting with Bob in San Jose last week.
Manu Sporny: We'll do an intro to him at the beginning of the call. Any other additions to the agenda?
Adrian Gropper: I've joined the call as well.
Manu Sporny: Ok, great, we'd like an intro to you as well after Bob.

Topic: Introduction to Bob Burke, Koupon Media

Bob Burke: Hello everyone, pleasure to be here, I appreciate all the work done here. I'm CTO of KouponMedia, been doing digital offers space for over 5 years now. Interest in VC is an opportunity for digital offers. We find a lot of clients are interested in apps and the mobile web experience and VC help there.

Topic: Introduction to Adrian Gropper, HealthURL

Adrian Gropper: I am a full time volunteer CTO of a non-profit called Patient Privacy Rights for the past 4 years or so. My focus is on self-sovereign tech for managing private info.
Adrian Gropper: I'm a long time contributed to user management authorization work out of the pantara group and the helped start UMA under OpenID foundation.
Adrian Gropper: All based on OpenID Connect and OAuth, I'm trying to put together a demo on all these things and how they fit together under the W3C community model.

Topic: Verifiable Claims Face-to-Face at IIW

Manu Sporny: Welcome Bob and Adrian to the group. We're hoping this will be very useful for what you're trying to do.
Manu Sporny: We reached out to the folks that run II workshop and had a good conversation with them to co-locate or getting space around those days at IIW ... maybe before or after.
Manu Sporny: Those discussions are still on-going but it's looking like we're going to meet in October and have our first F2F then.
Manu Sporny: Loosely, just to recap, there's a meeting of the rebooting Web of Trust Workshop the previous week to IIW. We think that it's going to be RWoTW and then VC F2F and then IIW.
Manu Sporny: That would sandwich us in the middle or we might move it to the end of IIW and co-locate with them, we're still working through the details but this is our only chance to meet this year and co-locate.
Richard Varn: Dates please? :)
Dave Longley: It would be 25-27 October for IIW.
Manu Sporny: We're trying to do RWoT 18-20
Manu Sporny: So around 21-22 or 27-28 (roughly).
Manu Sporny: If we go later we lose a couple of folks, Nate, Dan, etc.
Dave Longley: I'll be missing regardless, maybe remote access, I don't know.
Manu Sporny: So those are the dates we're playing with.
Gregg Kellogg: +1 For end of IIW
Manu Sporny: 20-21, 21-22, Or 27-28.
Manu Sporny: Of October.
Manu Sporny: Regardless if we don't co-locate with IIW then we'll have a big session there.
Dan Burnett: +1 Before IIW
Tim Holborn: Apart from the more centralized versions, the alternatives appear to be blockchain or biometrics, protecting self-sovereignty by computational horsepower ... other things, like IPFS look like a social mechanism for protection. I'm wondering if pointing out that distinction is a good idea.
Manu Sporny: That's the third agenda topic today.
Manu Sporny: We'll definitely get to it in the agenda today.
Gregg Kellogg: People are probably coming from out of town for both RWoT and IIW but probably more for IIW and taking onto IIW may get more participation. That might encourage more adoption. Myself I'm not available at all during RWoT week.
Manu Sporny: Unfortunately, it's always the case we're going to lose key people with any dates we pick.
Manu Sporny: Anything else on IIW/F2F?

Topic: Verifiable Claims RC-2 Draft Charter

Manu Sporny: One more thing -- we're looking for folks to put in some money to help sponsor food and stuff like that for people. We may need money for a venue, my hope is that SpecOps may put some in and we want other orgs to help out. We're co-locating so not that expensive, a couple thousand dollars. Please contribute if you have the means to do so.
Manu Sporny: Wendy Seltzer from W3C management team got back to us with a list of changes she wanted. We responded to everything and made some concessions in the charter without hopefully violating what we're trying to accomplish here.
Manu Sporny: We sent that out a little more than a week ago, havne't heard back yet, in a holding pattern waiting to hear from W3CM and Microsoft.
Manu Sporny: Hopefully, Shane, when you talk with Google you can pass this by them as well.
Manu Sporny: Here's a diff marked copy in IRC.
Manu Sporny: It contains the changes that we've made.
Manu Sporny: The main feedback she had was around scope; wanted to keep it under control. We were talking about transacting claims in the charter but we weren't planning on standardizing anything for that in the WG.
Manu Sporny: In the worst case the group might believe it was chartered to work on a protocol when it's not. We changed words like "transact" with "express" etc.
Manu Sporny: We're not proposing to do a protocol in this WG.
Manu Sporny: She said we can't promise that what we do will be widely used so we struck that. In the problem statement is the biggest change to the charter.
Manu Sporny: There are two conflicting things we're trying to reconcile: ... there's a general desire from the CCG and the VCTF to identify a fairly broad problem. We've gone to great lengths to get consensus on the problem statement. THe problem with this is that Wendy and MS found issue with it because it sounds like we're going to try and solve the *entire* problem statement in the first cut. The yellow text clarifies that the problem statement provides motivation for the work but the WG scope is more narrow. So then we list all the things that are out of scope.
Manu Sporny: For example, protocol is out of scope. A creation of a self-sovereign ecosystem requires more work than what's in the charter ... and that's out of scope. Then they said they wanted us to focus on use cases that had participants in the group. If we work on something for the automotive industry and we have no one in the group from that sector we don't focus there. Instead, we focus on cases for people in the group, like retail, education, etc.
Manu Sporny: We can't insist that what we're coming up with will work for industries that aren't in the group.
Manu Sporny: The final thing we say there is that, while the scope is narrow, the group should not prevent the broader problem from being solved (keeping the broader problem in mind, basically).
Manu Sporny: Are people ok with this, does it go too far, etc.?
Tim Holborn: What happens if, through the dev of the work, and new stakeholders become interested ... are we able to amend?
Tim Holborn: Pending some trigger, if X parties join, etc.?
Manu Sporny: Absolutely, I understand what you're saying. The third bullet point says will focus on WG participants, it doesn't say anything about when they join.
Manu Sporny: If we get 5 companies joining from some industry half way through, that should be in scope.
Tim Holborn: Do we need to add something about onboarding, so that opportunity is made clear?
Manu Sporny: Let's hear from the group.
Adrian Gropper: We're not saying enough about what self-sovereignty means relative to the participants and the scope. For example, when you say education and payments, when you narrow it to that as opposed to healthcare for example, we're losing the concept that professional societies that represent ... like doctors, lawyers, representing both of these groups are much more interested in self-sovereignty than industrial participants. I think we can't just focus on industrial contributors out of say, institutional contributors, like educaitonal, automotive, that have to deal with that issue.
Dan Burnett: We need to do whatever gets the group created for now. As long as we participants maintain our understanding of what is meant by the charter we can do the work we need to do. Let's modify the charter as little as we can get away with for now.
Dave Longley: The obvious danger of working on changing the targets when someone new shows up is that it can destabilize the process. It can be a non-terminating process as well. The usual way of dealing with new people joining is to educate them offline so they don't interrupt the flow. To the extent that people join with new goals that aren't addressed it makes sense to stop and think about changing and expanding goals vs. reorienting goals. If there's a sense that the current goals have a reasonable degree of core benefit ... then when someone new comes in will just be adding not asking for changes.
Dave Crocker: Usually, and hopefully and in this case, you can defer adding things and what this does is to build up a wish list for V2.
Manu Sporny: Right.
Manu Sporny: Usually the way this happens is that large industry participants drive the work at W3C. There's a disconnect ... at least I have observed a disconnect from what is good for society and what the industry participants want to accomplish and when they collide it's the organizations that are doing implementations that have massive numbers of people using their systems that tend to work out. There's a great example of this happening in the Web Payments WG right now. The WPCG did a lot of work to put specs into place, design an ecosystem, etc. and that ecosystem is definitely not being implemented in a way that CG wanted to have happen. And the people in this group and in the VCTF could potentially be in that same position. If we say that self-sovereign is really important to us and we care about identifier portability and we want to onboard new work as new participants come on ... and we'll have two or three very large technology companies join that disagree with the general direction.
Manu Sporny: There's very little that can be written into a charter that can prevent that from happening at W3C.
Manu Sporny: So ... you can recharter the group with new, expanded scope, but typically they are done once the charter is written.
Manu Sporny: We don't many healthcare companies or NGOs talking about citizen rights, etc. so that's where we are.
Tim Holborn: The charter goes out to 2018 and the Web develops so quickly ... when large companies push the world in a particular direction and things change very rapidly. A large number of opinions have been expressed on this call. I think setting some boundaries on engaging people effectively to bring them to the table would be good.
Manu Sporny: If you can think of a sentence to put in th echarter to address that, that would be helpful, but my experience is that it's really hard to control that.
Manu Sporny: We need to be able to convey people are welcome.
Tim Holborn: There are a variety of stakeholders that can be positively impacted by this work over time. Between October and 2018 ... is a fair chunk of time and a lot can happen. Locking in the stakeholders now ... it's less than ideal.
Tim Holborn: Without the means to be able to scale is unfortunate.
Tim Holborn: Lastly, with regard to self-sovereign identifiers. VC is very much about what an org says about you. The idea of having an identity on the Web is different ... and some of the WebDHT like work addressed some of those works. I understand the merits and I'm a believer of the human-centric Web but I do have concerns about the terminology of self-sovereign as opposed to what may become a digital magna carta, etc. I see that as a separate issue. WIthin that I think there's an opportunity for the CG to collaborate with other groups and incubate within CGs.
Tim Holborn: That's a very separate thing from how orgs may engage in the WG charter. Does that make sense?
Kerri Lemoie: Agree that verifiable claims could be considered separate from identity yet verifiable claims are dependent on verifiable identity.
Manu Sporny: I think so. Let's take the definition discussion and move that to later in the agenda and focus this on the charter.
Manu Sporny: I'm hearing the charter is too limiting with respect to the use cases that we're outlining.
Manu Sporny: I think I'm hearing that correctly, is that right?
Adrian Gropper: Yes.
Tim Holborn: I would say, for the status quo, it's quite reasonable, but if it continues to get more momentum it may get out of date.
Manu Sporny: What Dave Crocker said is important to note, the orgs want the scope locked in when it goes out. If the scope changes the orgs may have to withdraw from the WG and this has to do with patent requirements and other legal things wrt W3C. A change in scope while the WG is operating and that's a big red flag for orgs. They tend to vote against WGs with those problems.
Manu Sporny: Hinting that the scope could change will invite formal objections -- that's my expectation. That would change MS from being ok to objecting because they don't know what they are signing up to.
Tim Holborn: I think that's a very fair concern. Maybe some mechanism for scope to be locked in and onboarding language.
Manu Sporny: That mechanism is a rechartering.
Manu Sporny: If 20 companies join the group from other industry then that's a good reason to recharter or as Dave Crocker said, it's good for version 2.
Manu Sporny: We can say the current work can't prevent version 2 wish list from happening. But very valid points from you and Adrian.
Manu Sporny: Would be good to see some language to summarize this discussion and address it.
Manu Sporny: Any other questions on the problem statement or what's been changed there? That's the biggest change.
Manu Sporny: We say we're going to focus on claims wrt the use cases document. We now say we're going to say this work has to cut across at least two industries, previously we said "several", was too broad.
Manu Sporny: It's fine if we have even more participating.
Manu Sporny: Rest of the changes play with language mostly, "broad" to "broader", for instance
Adrian Gropper: When we do this with respect to industries -- there are two kinds, regulated through licensed professionals and regulated at the corporate level. I don't know if we can capture this aspect in the charter because it's fundamental. The entire reason for VC is to deal with regulatory practice and if we don't recognize that some industries ... 99% of money spent in healthcare is spent by licensed professional not corporation then I think we'll get lost. It might look like it works for payments. My experience with [] if you use education that way you don't make a lot of progress because education is very squishy. Payments are narrow and not privacy and regulatory intensive. I just want to point out that point about industrial perspective vs. licensed professional as a regulatory foundation.
Manu Sporny: So I think we make that distinction in our use cases which we point to in our charter.
Manu Sporny: We have a number of medical use cases in here.
Matt Stone: We use "regulatory credentials" as a term to describe the credentials that serve non-commercial/governmental needs.
Tim Holborn: +Q
Manu Sporny: It's certainly not out of scope and we point to medical use cases in the use cases document. You used a phrase that sounds like we could easily put it into charter. Corporate creds vs. licensing professionals ... if you could think of some language to put into the charter for that that would be good. If we expand from payments and education to payments, education, and healthcare ... the problem is we will only have two healthcare orgs saying they'll participate in the WG. Other W3C members will want to see more like 5.
Manu Sporny: I think the vast majority of people in the group agree with you. This tech will be used across many industries of different types and we have to think about that to ensure it works.
Manu Sporny: Can you think of some language to use in the charter to address those concerns?
Adrian Gropper: Yes, absolutely.
Tim Holborn: Medical creds are fairly high-stakes. I'd love to see a world where signatures are send across the Web ... for tissue samples, etc. That's particular high-stakes data. Another possible alternatives is civics. Is there's a use case where you are looking at the sorts of things that you need in medicine but not such high-stakes data. You want to see the tech proven out fairly well.
Manu Sporny: As far as use cases are concerned, we talk about legal identity.
Manu Sporny: And we talk about things like refugee crisis use cases, digital driving licenses, we do have some lower-stakes use cases in there.
Manu Sporny: Don't know if that addresses it.
Tim Holborn: Healthcare is pretty serious. To be able to go into that industry you really need all ducks in a row. Technically, to be able to example it in an industry where it is working ... less direct, some of the refugee things ... other areas where you have similar businesses but isn't as life threatening.
Tim Holborn: I'm wondering if we can achieve the same outcome for healthcare using a related industry with lower stakes.
Manu Sporny: I think with all of these use cases there are cases that aren't as high-stakes. Like prefilling a medical form with a proof of residence/address credential, that's lower stakes. Or an educational credential that says you've done a weekend course. I think we have those. If you look at the use cases that drive the large orgs to want to use it are the high stakes. Lots of money/risk on the line. Clearly those orgs are going to go through a multi-year process vetting this technolgoy and while they are doing it we can still test it out in more low stakes settings. The strategy is aligned with what you're suggesting.
Tim Holborn: Identifying whether or not an Uber driver had appropriate credentials was another one.
Manu Sporny: Ok, we've gotten through the charter. Any strong feelings/objections to the changes made, etc.?
Manu Sporny: Does anyone feel this is unworkable or they wouldn't join the work?
Shane McCarron: It's not that I wouldn't join the work, you're jumping through a bunch of hoops here that someone held for you, what are the odds that the people that held up the hoops will let things happen?
Manu Sporny: That's an important question. All we can do is do proper due diligence and act in good faith.
Manu Sporny: At some point it will become apparent that the people were holding the hoops up had real concerns or it was for entertainment.
Manu Sporny: I don't think it's just for entertainment, I think these orgs are intrigued enough to engage with us.
Manu Sporny: If it turns out we made all these concessions and the answer is still no, then we can roll those concessions back and go through another standards body.
Manu Sporny: We've done everything we can to act in good faith and it's up to W3M and MS to respond to that.
David Chadwick: To remind the group and enhancing privacy and what that meant and it was to be added to that section.
Manu Sporny: That's on me, I forgot. We will make those changes and Dan Burnett raised some typos to fix.
Manu Sporny: David, please ping me again and make sure I get that in there.
David Chadwick: Will do.
Adrian Gropper: +Q
David Ezell: It's a bit stronger than the people in the room -- we gave two week period for people to object and we didn't get any objectiosn even from the companies expressing doubts. You have IG support.
Manu Sporny: Thank you David.
Adrian Gropper: The comment about the privacy enhancing terminology makes me want to pile on, but is a much bigger topic. I spent 2+ years on Identity Ecosystem Steering group ... I don't want to go into what that is, but it was a missed attempt to introduce privacy enhancing practices on a very large scale. The companies that we have here at W3C did not show up ... and the general problem for dealing with cyber security issues in all industries is an unsolved problem that MS and Google and a lot of other organizations have not found a home for how to approach that. All I'm saying is that the experience we're having ... I worked for a consultant for the postal service looking at connect.gov and postal service relative to cyber security ... we don't have five years to do this work. To start slowly here and see what happens 2 years after that. Becaus ewe are failing, not just in the US, but globally, at doing the work we try to do.
Tim Holborn: +1
Manu Sporny: Hopefully it makes you feel good that privacy is throughout the charter and we've got a specific section on it.
Manu Sporny: Scroll down to 3.2 in the charter, we have a full section on privacy and security considerations, we call it out specifically.
Manu Sporny: We're trying to improve upon it. That's the most we can do in a charter and say we're going to design towards a privacy preserving tech.
Manu Sporny: And that we're going to collaborate with other groups on that.
Adrian Gropper: I'm trying to talk aobut how to sell our charter to MS and Google.
Manu Sporny: Are you saying that would make it more compelling to them?
Adrian Gropper: If we approach it from cyber security perspective. NIST 5 years ago saw the link between privacy enhancing and cyber security ... was the reason for the whole project. Only orgs with narrow interest in identity management showed up and Google and MS weren't there. We don't know enough about their interest in the cyber security aspect and how that relates to privacy policies, etc. It's a governance problem we're in a position to solve that isn't being solved elsewhere.
Richard Varn: We cannot wade into cyber security in the VCTF space without a lot of qualifiers
Manu Sporny: I don't nkow how to modify the charter to capture what you just said. Could you write a strategy email for how the group could react to what you just said or similar that woudl be helpful.

Topic: IPFS and Verifiable Claims

Manu Sporny: We don't have enough time left to talk about IPFS and VC discussion -- will have to wait until the next call.
Manu Sporny: Tim has raised some great questions about IPFS. The group knows quite a bit about IPFS and we've worked with Juan Benet closely. But we don't think IPFS is a solution for WebDHT or blockchain decentralized identifiers, etc. IPFS doesn't have mirroring guarantees ... you can lose information on IPFS if nodes don't keep it, not a good fit.
Tim Holborn: Vint cerf said to me today: "I am in contact with the IPFS folks with regard to digital archiving and preservation."
Kerri Lemoie: Badgechain is exploring IPFS for some aspects of open badges data.
Manu Sporny: Group is looking at other techs ... flex ledger, sovrin, badge chain, etc.
Manu Sporny: We're aware of IPFS, we don't think it's a solution for some of the things here, but you can store some data in IPFS, but can't give guarantees. For DID it's not a good solution, for pseudo-anonymous badge info, it's good.
Manu Sporny: Just like badge data you can store data in any location, hash in a blockchain, store data itself in a flex ledger (as long as no PII), can store in IPFS -- a variety of other storage mechanisms.
Manu Sporny: IPFS is complementary, but we don't think replacement/implementation for the DID stuff.
Tim Holborn: I talked to Vint Cerf and he said he's in contact with IPFS for interplanetary filesystem, etc.
Kerri Lemoie: Something to look into: https://ipdb.foundation/ It's based Bigchain db.
Tim Holborn: I'd like to see a new blockchain (current computationally flawed), with LDP we're looking at how to create human centric identifiers. WebDHT did a lot of that and that's been put to one side and there's a resourcing issue. Given that Vint Cerf is looking at it for preservation, maybe we should be following that up, directly or indirectly via CG, etc.
Manu Sporny: Sounds like we need to have a discussion in the group and how VC fits into these new techs.
Manu Sporny: We'll put that on the agenda for next time, sorry for 2 minutes over, out of time.
Manu Sporny: We may not have the call next week, because we're in a holding pattern w/W3M, but expect a call the week after that.
Kerri Lemoie: Thanks everyone.