The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group


Verifiable Claims Telecon

Minutes for 2016-04-05

Dave Longley is scribing.
Manu Sporny: So we've had some concerning feedback on the charter and without mentioning it too specifically, we'd like to get some feedback from everyone here on that as best we can and we'll be discussing our strategy moving forward to get the charter to the next stage.
Christopher Allen: I'd like to briefly explain what the bitcoin and blockchain community are thinking about in this space.
Manu Sporny: Yes, let's do a brief intro to you and some of your background and if you can launch into who you're representing at W3C and talk about blockchain that would be great.

Topic: Introduction to Christopher Allen

Christopher Allen: My name is Christopher Allen, probably best known for leading the IETF effort to make SSL and TLS 1.0 a standard. That was a 4-5 year process to get through and today is the largest deployed security standard in the world. Involved in a lot of different things, smart contracts, CTO of Certicom, mobile dev, all kinds of interesting things. Most recently in the last two years, I've been involved in the bitcoin/blockchain area.

Topic: Blockchain Interest in Identity Credentials

Christopher Allen: I've been hired by Blockstream to lead their standards efforts and to do research into specific initiatives. One of them is to work on decentralized ID. For the past year I've been working on XDI which is an OASIS standard, making it a decentralized protocol rather than centralized. We produced a strawman last Oct and moving forward. They presented their ideas to get a SBIR grant. DB has also submitted research proposals and they also won an SBIR and I'm helping with that as well. At UN I'm working on self-sovereign identity ... around issues human rights, refugees, digital identity. I'm very passionate about decentralized identity and I don't know how to do it without blockchain technologies.
Christopher Allen: I've come to W3C around the verifiable identities and what you call user-centric and we call self-sovereign identity is exactly what we need to have for the blockchain community. We have BIP-70 which is a standard, it's roughly equivalent to a Web Payments standard, someone looked at it and said they are 80% similar. BIP-75 (?) helps you share credential information. Particularly useful when you have to report things for large transactions. It's not a KYC but a "I'm transferring more than $10K worth of value and have to report that." We want to do that with confidentiality and in no way do we want that info to connect to the actual funds transferred etc. We're creating a private channel and sending credentials. X.509 is a problem here it makes us uncomfortable and we'd like to see verifiable credentials used to replace X.509 in a more decentralized way. We want to reconcile BIP-70 with Web Payments and Confidential Channels to Web Payments and we'd love to see verifiable credentials/claims, something very much in that direction for a variety of future work.
Christopher Allen: http://www.ID2020.org
Christopher Allen: Conference at UN http://www.ID2020summit.org
Manu Sporny: So hopefully people understand from that that we're gaining interest from a number of other industries, payments and education involved, hopefully some national gov'ts will be joining us soon can't talk too much about it yet. Showing the work we're doing is quite interesting to people who are feeling the pain of a lack of credentials on the Web.
Manu Sporny: Any other additions to the agenda?
None

Topic: Review of Questionnaire

Manu Sporny: We have an editor's draft of a charter and use cases, FAQ, final report, for VC that we're asking for feedback on. We're going to be circulating a questionnaire.
Manu Sporny: Questionnaire for feedback on Verifiable Claims Editors Draft Charter: http://goo.gl/forms/8aQ0UPDPDo
Manu Sporny: If folks haven't had a chance to review it, please respond with feedback.
Manu Sporny: The question we're asking people is "Does the charter look good to you, and if not, what needs changing? And if it looks good, will you actually join the WG?"
Manu Sporny: That's the key question. Is anyone going to object -- and if you don't object, will you actually join and put resources into the WG?
Manu Sporny: We have ~50 orgs to circulate the charter to and get feedback.
Manu Sporny: If folks have had time to review the questionnaire, does anyone have any comments/concerns about it?
Christopher Allen: I answered it yesterday and I felt like, compared to earlier charters, I felt that there was some watering down on user-centric, self-sovereign stuff I care about but I felt I could live with it and move forward.
Manu Sporny: That wasn't the intent, we tried to keep it in there.
Christopher Allen: I agree it's in there, I just felt that it was becoming a smaller piece, but I'm fine with it. I can't compromise on that piece.
Carla Casilli: Wondering if we should include a question about, if you are a W3C member and would participate, how many people from your organization would be able to contribute to the work?
Manu Sporny: I think no one wants to compromise on that in this group. This group has been about that from the beginning, it's what differentiates it from OpenID Connect, SAML, existing technologies.
Christopher Allen: In my case at least 1.0+ FTE engineers
Manu Sporny: If others feel like we've accidentally watered it down we want to change it, so that's good feedback.
Christopher Allen: BlockStream would probably put in multiple engineers but equivalent to 1.0 FTE.
Manu Sporny: WebDHT proposal: http://opencreds.org/specs/source/webdht/
Matt Stone: The balance between focusing on identity and claims, etc. is important. [missed]
Matt Stone: +1 On ChristopherA contribution :)
Christopher Allen: I want to be able to add selective disclosure -- I've got a cryptographer looking into several things there. That's not a requirement in the group, but we're taking it a notch up. This isn't necessarily something big banks are going to jump in feet first, there's some entrenched momentum. But we think we can get hearts/minds of dev community and signing a file, allowing delegation, allowing code coverage, different types of reputation, "i put 20 hours of security review into build X and found a flaw" those kinds of statements get the dev community interested. And because of the blockchain hype (to be honest) we have some small countries interested in the work.
Christopher Allen: This allows us to roll some of this stuff out in PoCs and such. Figuring out a strategy from small to the big, feels like ... the results of some of the pushback we're getting from the big.
Manu Sporny: If you're on this call, please fill out that questionnaire.
Shane McCarron: Remember that it is okay to lobby your friends too
Manu Sporny: The way we get this work started is if 25 orgs commit to putting someone into the WG and even more that will commit to supporting the work even if they can't get someone into the WG. Please get them to me by 3pm today.
Christopher Allen: +1 For adding number FTE to survey
Manu Sporny: "Them" meaning any feedback to the questionnaire (any changes) because we'll be sending it out at 5pm or so.
Manu Sporny: To 50 orgs, and also, please spread the word.
Shane McCarron: (Manu means 5pm eastern time)
Manu Sporny: I'm a -1 to putting FTE in the survey, we just want to know if they are going to send someone. That's good enough, we don't need an exact number right now, want to keep the questionnaire simple.
Christopher Allen: I was at hyperledger meeting -- they are talking about these types of things, OASIS XDI is, there's a W3C blockchain community that is skirting around some of these issues. I just wanted people to be aware that there's a desire in some communities they may not be aware of VC/credentials, but there are people to recruit.
Manu Sporny: One way to do that is to point them at this questionnaire. If you know of an org that isn't participating regularly in this group, please ping them.
Manu Sporny: The charter and use cases are hopefully a good intro to what we want to do.
Shane McCarron: IDPF would have interest here. RIAA. CTA.

Topic: Charter Review To Date

Manu Sporny: A number of us went to the W3C AC meeting in Boston a couple weeks ago. We talked with large orgs and people concerned about the charter and alleviated concerns there. We got some good input from W3C TAG and that was going fairly well.
Manu Sporny: We have since received feedback through the AC forum. The AC is 400 individuals with reps from orgs members. And charter reviews can happen on the AC forum and we got responses back from two very large orgs.
Manu Sporny: Both of them gave mixed feedback. These are two out of 400 that have provided feedback. The responses fit into a couple of themes.
Manu Sporny: The first theme has to do with the orgs feeling work is being done elsewhere, like at ISO. The problem with the ISO stuff is that we can't see it because it's $80K or $180K or something a year to see it. Through a liaison relationship we're going to try and see that stuff. To be clear, the Web is not powered by ISO standards, but they are related. They did not point at OpenID/SAML, they said that the data format stuff is happening at ISO so W3C shouldn't do the work.
Manu Sporny: The second theme was some skepticism that W3C won't staff the work. W3C staff is spread thin these days, we've suggested hiring a W3C fellow to do it.
Manu Sporny: More feedback was that they weren't hearing from any orgs with skin in the game. No one from this group responded and that silence was viewed as indifference.
Shane McCarron: I wrote a blog post about this... https://www.spec-ops.io/blog/investing-and-being-invested-standards
Manu Sporny: If you are in this group and you are a W3C member and you did not respond to that W3C AC post for the review of this charter *please* make sure you respond, get your AC rep to respond.
Christopher Allen: I officially joined today, so if you can point me where to respond or who to respond.
Manu Sporny: Request for informal AC review of charter: https://lists.w3.org/Archives/Member/w3c-ac-forum/2016JanMar/0081.html
Manu Sporny: What you said in the Credentials CG and Web Payments IG was great but the AC forum folks won't see it. They are fantastically involved and for larger orgs they are in a lot of WGs. Anyway, what you said was great it just needs to get in front of these other orgs.
Manu Sporny: So second theme was they weren't hearing support. I think people in this group are thinking that it should be obvious, because they've been in here for years that you support the work, but none of the other AC members know that.
Manu Sporny: So please respond so that they know.
Manu Sporny: The third theme was a bit frustrating because we've been asked multiple times not to presuppose a solution by W3C staff and a couple member orgs -- to not push any particular agenda. You could argue that the Credentials CG has an agenda, we have a particular design and some nascent specs. We got feedback from W3C members that the correct way to do this stuff is twitter, facebook login, google plus, etc.
Manu Sporny: We're saying that we're going to create a data format/syntax that works and not work on protocols but we'll figure that out in the WG.
Manu Sporny: Now we're being told by other orgs that we have to, instead, do the opposite, and take a position, have some spec input and say what the one true way of doing this is. And they've said to go back and incubate for 6 mo-year (etc) and come back with a proposal.
Manu Sporny: Those are the themes we're hearing, but to underscore, this is just from two member companies out of 400.
Shane McCarron: I don't want anyone here to take the feedback he's relaying the wrong way. One person made a comment and that comment is very different from the comments we've been hearing. We haven't gotten that feedback to date. The good news is that we have an answer ... we have been incubating for years. We can say that.
Shane McCarron: We can also say we didn't bring that forward because of X, Y, Z. Not blame anyone/cast aspersions, but we can go ahead and say this stuff and we can even move forward if there's just one member objecting -- we just need to respond. We can still move forward.
Matt Stone: This is more a question maybe tactics. If you want ... I just read the email again asking for an informal review of the charter. I looked at this and we're one of the authors and giving continuous feedback here in the group. Where do you want feedback, what's the most bang for the buck?
Manu Sporny: The best bang for the buck would be to respond to the notion that there aren't big orgs with skin in the game. Pearson is a great counter example to that argument.
Carla Casilli: Are either of the two orgs that provided feedback part of the ISO work? Is there a possible conflict of interest?
Manu Sporny: Responding directly to that and saying why you're participating and so on and saying that in the AC forum would go a long way in countering that argument.
Matt Stone: So just reply to that email?
Manu Sporny: Yes.
Manu Sporny: You'll want to seek out your rep and have them do it.
Matt Stone: Got it, I'll try to get through the corporate process.
Manu Sporny: The ISO work is: JTC1 SC 27 [http://www.iso.org/iso/iso_technical_committee?commid=45306, https://en.wikipedia.org/wiki/ISO/IEC_JTC_1/SC_27]
Christopher Allen: I just tried replying but can't yet, I'll figure it out. I've got a question ... is it worthwhile responding to the individual feedback? I don't know, specifically, what's going on with the ISO standard or what it is or what number it is. My guess is that it's associated with using attributes w/X.509 certificates. It has a centrality to it that all the ISO standards have and that's a problem. Should we respond to those individual things and why those things don't fit?
Manu Sporny: “ISO/IEC 29191 Requirements for partially anonymous, partially unlinkable authentication”, “ISO/IEC 29003 Identity proofing” “WG 5 Study Period on Privacy-preserving attribute-based entity authentication”.
Manu Sporny: None of these sound like what we're doing, maybe some aspects that overlap, a lot of them sound like studies, not technical proposals. They said their security expert told them not to participate in the work because they're already working on it.
Manu Sporny: Carla raised a good question -- are these orgs participating in the ISO work and is there a conflict of interest?
Manu Sporny: I'd say yes they probably are and possibly a conflict of interest. I'm sure one of them is heavily involved in trying to produce identity solutions. The argument used was that there are plenty of standardization efforts happening in this space and we don't need another one.
Christopher Allen: I wanted to add one more thing, hyperledger/IBM submitted their first proposal and some people think steamrolling the process. Further investigation has shown that IBM may be around membership services, which is a centralized CA-like for doing blockchains and other kinds of things blockchains can do and that's something they are fundamentally not telling people about in their strategy with the group.
Christopher Allen: I'm wondering if there are similar things here -- like entrenched centralized models for these types of things, etc. It could be that some orgs are in the CA services model and that's another level of conflict.
Manu Sporny: Yeah, selling centralized identity solutions, etc could be conflict of interest. But we should be careful that they aren't responding according to that.
Manu Sporny: They thought what we're trying to do is identity, but we've said, time and time again we're not trying to solve identity on the Web/Internet, this is just about verifiable claims. But that message is being lost when reading the charter.
Manu Sporny: So that's maybe something we have to change (spell out) in the charter.
Manu Sporny: We have 15 mins left, let's move onto how this feedback changes how we work in the next 4-6 weeks. Unless there are objections, I'd like to move us to that.
Christopher Allen: Was there any objection with how Web Payments fit in?
Manu Sporny: There were two things I failed to raise -- one of the large orgs wanted to know what browser vendors would need to do. There was some assumption that browser vendors would have to be involved and we've been careful to craft the charter so that's not required but that still wasn't clear.
Shane McCarron: I don't think there is any requirement for built-in user agent support in what we are attempting to specify.
Manu Sporny: To answer your question -- the Web Payments IG talked about this in the last meeting. The comments from the IG were primarily that this stuff is a fundamental primitive for Web Payments and faster payments, etc. And so the discussion was about how the IG responds in a way that is supportive of the work starting.
Christopher Allen: I may be able to get some more Web Payments members interested.
Christopher Allen: It lets people send credentials -- and there's half a dozen banks, $300M funded startups, all talking around in this space. From the blockchain/cryptocurrency field this is something they very much care about. They want to have a transaction with someone that meets regulations but not reveal who you are to third parties.
Manu Sporny: So the Web Payments work is specifically not chartered to work on that for Phase I, so we can't change that.
Manu Sporny: But, what you could do is talk to the Web Payments IG and say, for future facing work we care deeply about this and it's required. Delaying start on the work is not an option. What we've been asserting over the last several years is that this work isn't happening elsewhere and if it is, it's not user-centric/self-sovereign, but centralized. And the work being proposed at W3C is not being done elsewhere and is essential to education, healthcare, payments, etc. initiatives.

Topic: Options Moving Forward

Manu Sporny: We had a bit of a discussion in the WPIG and some sidebars with members in this group. The WPIG is trying to figure out how to take an official position like "This is missing from the Web and we need it." So we're thinking maybe the WPIG could publish a "Finding" like the W3C TAG does for things that are missing from the Web Platform or anti-patterns in design, etc. Maybe the WPIG could publish a note and say "This is what we think right now." And the rest of the W3C membership could then see that and that a 179 member interest group says we need to solve this problem.
Manu Sporny: That's one strategy moving forward. Another is that this group isn't telling W3C what we should do. We (VCTF/CG) do not want to do all the technical work right now, if you do too much the membership doesn't like it. If you do too much work you may not get support because it looks like a rubber stamp, and too little work looks like you don't know what you're doing. So we need something in the middle.
Manu Sporny: We could split up the Identity Credentials spec into two specs protocol and data format+syntax and then submit the latter to show a drafty proposal.
Manu Sporny: Then we can talk about how that solution can fit into any of the protocols or into a new one.
Manu Sporny: So maybe a month of work.
Manu Sporny: So those are the proposals for moving forward ... one we don't control, that's up to the IG.
Manu Sporny: As far as work we can do in this group we need to revise the charter and use cases based on feedback, collect more feedback, but one item to add to the work is to propose a rough draft for the WG to start with.
Manu Sporny: There's really only one thing this group would need to add.
Dave Longley: +1 To proposing a drafty spec on data format+syntax
Christopher Allen: Where are the lines on the proposals? Couldn't quite follow.
Shane McCarron: I think this group should be advocating with its own and other AC members to chime in on the early review thread. I think that is the most helpful thing we can do for our general case.
Manu Sporny: We have 3-4 specs that are incubating in the Credentials CG/Opencreds. We've been incubating, WebDHT and the Identity Credentials specs primarily.
Christopher Allen: Specifically, referring to those two, the WebDHT spec ... it needs to be solved, but it's furthest away from what we need. The spec for the data format/syntax with just the addition of proof of existence you could publish certificates. I would concentrate more on that side of things.
Manu Sporny: Yeah, exactly. We're not proposing WebDHT be put into a WG now, it's too early. We know we need it for self-sovereign identifiers, but that needs more incubation.
Manu Sporny: We'd take the IC spec and remove the protocol bits and just show data model + syntax and show how to express it.
Manu Sporny: And that's it. And we say that's all we're going to work on. We're going to propose how it could go into OpenID Connect/SAML and it's up to those communities to adopt.
Shane McCarron: Doing data model in YAML? Are you mad?
Shane McCarron: Oh... SAML
Manu Sporny: Data format + syntax and a note on how it could potentially look in those protocols.
Manu Sporny: Shane brings up the point that we should be advocating to the AC members -- please, this week, respond to the AC forum.
Manu Sporny: If you're a W3C member.
Christopher Allen: Is anyone here going to be at the Internet Identity Workshop this month?
Manu Sporny: I think that's a no... we should chat with you a bit so you could circulate these ideas at IIW. Identity Woman pinged us about coming to IIW and my hope was that you and Drummond could talk about it there.
Manu Sporny: That's it for the call today, thanks all.