The Verifiable Claims Task Force

A Task Force of the Web Payments Interest Group

Verifiable Claims Telecon

Minutes for 2016-04-19

Agenda
https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Apr/0035.html
Topics
  1. Introductions to New Participants
  2. United Nations ID2020 Initiative
  3. Review of Questionnaire Responses
  4. Work Items
Organizer
Manu Sporny
Scribe
Daniel C. Burnett
Present
Daniel C. Burnett, Manu Sporny, Kaspar Korjus, Christopher Allen, David Ezell, Nate Otto, Shane McCarron, Dave Longley, Jim Goodell, Brian Sletten, Gregg Kellogg, David I. Lehn, Peter Hofman, Rob Trainer
Audio Log
Daniel C. Burnett is scribing.
Manu Sporny: (Reviews agenda)

Topic: Introductions to New Participants

Manu Sporny: United Nations meeting happening soon that we'll hear an update on. That's the only addition I have to the agenda.
Manu Sporny: New participant from Estonian government.
Kaspar Korjus: Started program 18 months ago to give digital identities to everyone internationally who wants one. Have done this domestically for 15 years. Already have prescriptions, many other areas using digital ids. Over 10000 eResidents so far.
... most from Asia so far. Used heavily to be able to run businesses remotely.
... Have experience with both problem and solution. Want to share eResident information (if permission given) to other service providers (PayPal, BrainTree). Here to learn more about what W3C is doing and how to use existing platforms and standards, as well as to give feedback on what Estonia has done.
Manu Sporny: Estonia is the leader in government-supplied e-identities, FYI.

Topic: United Nations ID2020 Initiative

Christopher Allen: In "rebooting web of trust", top crypto people looked at what decentralized identity means. The ID2020 people were there a year ago and proposed a UN event. It will be on May 20th. First digital identity summit at UN.
... one-day event. Not a design workshop, but followed by a 2-day design workshop to look at use cases from the policy people the prior day.
Manu Sporny: ID2020 Design Workshop: http://www.weboftrust.info/
Christopher Allen: There are 1.8 billion people without any form of identity, and the ID2020 people want to be able to provide that for them.
... One concern raised is abuse within or across countries where privacy is not paramount. Also, many approaches rely on biometrics or other info tightly tied to individuals. Just some perspectives being considered.
... One expected topic is something like verified credentials.
Christopher Allen: Www.weboftrust.info
Manu Sporny: May 20th for the ID2020, then 21-22 for design summit
Christopher Allen: Working with Blockscreen (?), have recently joined W3C. Interested in payments, other blockchain protocols.
Manu Sporny: Who can come to summit and workshop?
Christopher Allen: Need to apply at the summit website since attendance is limited. The workshop requires a one or two page position/problem/solution paper to be submitted.
Kaspar Korjus: I was invited but could not attend. Aman Kumar will be there and can talk about eResident program.
Christopher Allen: I will also be at IIW next week.
Christopher Allen: I would be glad to meet with anyone. Unconference, so easy to meet.
Manu Sporny: Christopher and Drummond will be at IIW.

Topic: Review of Questionnaire Responses

Manu Sporny: Please fill out this questionnaire if you haven't and want this work to proceed.
... if we do not get enough people the work will not start.
... we have asked around 65 people in this space already and have gotten 24 responses so far. We are hoping for 50 responses total at least. Will be sending two more reminders.
... Feedback from payment/financial companies, educational sector, federal governments so far. Heavy on education but could use more!
Manu Sporny: We asked "The Verifiable Claims Problem Statement is accurate" - 64% strongly agreeing, 36% mostly agreeing
... (Manu summarizes results for each question and will post into IRC)
Manu Sporny: We asked "The Goals proposed by the Verifiable Claims work are good goals to pursue": 72% strongly agreeing, 28% mostly agreeing
Manu Sporny: We asked "The Scope of Work and Deliverables would help address the Problem Statement": 32% strongly agree, 68% mostly agreeing
Manu Sporny: We asked "My organizations verifiable claims problems would be addressed if the use cases in the Use Cases document were addressed" 28% strongly agreeing, 48% mostly agreeing, 12% neutral, 4% mostly disagreeing, other
Daniel C. Burnett: Seeing strongly agreeing and mostly agreeing is good - but it's obvious on the third question that there was a reversal - first two, predominantly, but that dropped to scope of work and deliverables - haven't seen results from the questionnaire - why do people feel scope of work and deliverables didn't get "strongly agree". [scribe assist by Manu Sporny]
David Ezell: Quick comment - we got some pushback from various folks on ongoing work - the specs that are a part of ISO - JCT1 - I think these specific issues ISO20111 - not an expert in these, so talked to colleagues in X9 - deeply involved in ISO but also deeply involved in payments, offered an interesting perspective - from point of view of payments folks - the ISO29000 series of work is too general to be of use to payments people. [scribe assist by Manu Sporny]
David Ezell: We got some pushback about ongoing work in this space, specifically specs in ISO. I think 29191. Some colleagues involved in ISO and payments said that the 29000 work is too general to be of use. Problem for us payments folk, but if we take the time to show its relevance it may help to get them on our side.
Christopher Allen: Comment+
... while we do need to convince the W3C AC, there are other payments pepole who may be happy about this work.
Christopher Allen: Some of our initial uses are around ?? and travel. Funds need to be non-fungible. How can we still share credentials. We like the credentials approach. Wonder what ISO folks are thinking in this space - do they need a central authority, and if so, why? Are concerns just history here?
Christopher Allen: ?? = Kyc = know your customer
Manu Sporny: Some of these orgs have invested much in OpenID and OpenConnect.
...Also they are working on a generalized way to do this, but the documents are more legal requirements than technical specifications.
... we are focused on the technical solution here. We want alignment with legal frameworks, but that's why we are getting pushback.
Nate Otto: +1 Manu. The proposed work goes most of the way toward complete solutions and is a good foundation for later work ut doesn't solve all problems on its own.
Manu Sporny: Regarding burn's question about reversal in questionnaire results for question 3. What we are proposing does not propose any sort of protocol because we didn't want to get into OpenId fight, so we are starting with syntax that anyone can use. If it becomes clear that we can't address the entire problem statement we'll go further.
Christopher Allen: +1 (Our payment protocols can create confidential channels)
... this is the smallest bite we can take at this point, because including a protocol in the deliverables now will cause formal objections.
... Our problem statement alludes to lack of protocol as a problem, but since we don't propose work on it that's the issue. Note that no one is objecting. They are just commenting that it may not solve the whole problem.
David Ezell: Thanks to Chris for his post to the AC Forum. There are two levels at W3C that matter. One is purely technical.
... It sometimes seems that existing companies at W3C don't want some work to happen. It may not be that there's anything wrong with a proposal, just that companies don't want it to happen for other (secret) reasons.
Christopher Allen: I'm concerned there is no commitment around selective disclosure.
... I understand this may be 2.0 work, but for our community it's more important and isn't offered by other standards. In EU, I don't know how to meet their requirements without selective disclosure .
Christopher Allen: It is a complicated topic.
Manu Sporny: Lack of selective disclosure so far has not been a non-starter. Experts in this space know about selective disclosure and understand its importance and value. The current design enables it without going into a protocol specifiying how to do it.
Shane McCarron: I am open to putting the selective disclosure requirement back into the use-cases.
Shane McCarron: It only got dropped out because we were winnowing down the collection.
... we have a way to only show attributes that the credential consumer is requesting. We don't require cryptographic complexity of other approaches, and we specifically don't mention it. If you want it, please propose specific text changes for the charter.
Christopher Allen: Range proofs, heirarchical keys, etc. can also do some limited selective disclosure.
Christopher Allen: But no objections so far?
... the more we put in, the greater the risk of objections.
... there haven't been objections yet for selective disclosure, but we don't have solid proposals for it yet.
Christopher Allen: (Range proofs are part of open source Elements project)
... we have a mechanism that does not require special crypto primitives in order to achieve sel. dis., but that would be part of the protocol which we are not doing now.
... No org so far has stated they would object because we did not include selective disclosure.
Christopher Allen: (An aside in case people don't know what a range proof is. They allow a prover to convince a verifier that a digitally committed value is a member of a given public set. A special case of this problem is when to show that the committed value lies in a specified integer range.
Manu Sporny: We asked "My organizations verifiable claims problems would be addressed if the use cases in the Use Cases document were addressed"- 28% strongly agree, 48% mostly agree, 12% are neutral...
Shane McCarron: :/
Manu Sporny: We asked for use case reviews but haven't received many. Please review!
Manu Sporny: We asked "My organization would participate in the following way if a Verifiable Claims Working Group were to materialize at W3C" - 28% saying "would participate and are W3C members", 16% saying "not W3C members, but would join W3C", 16% saying "not a member, but will do technical review, but not join W3C", and 36% "other"
... the percentages aren't bad, but we don't have enough organizations saying they would join and participate. In particular we don't have enough committed to implement whatever we create.
... When we asked why people wouldn't participate, the answers were about money/support, or only wanting it focused more just on education. But there were few of these responses.
Christopher Allen: Stagger days of week for pings.

Topic: Work Items

Christopher Allen: Do one on a friday night, for instance
... will keep this open for two more weeks. Again, want 50 responses. W3C minimum bar is 20 organizations saying they would participate as members.
Manu Sporny: Charter Cleanup
... there are three items to focus on
... FAQ, use cases, charter. Use cases doc is suffering from lack of reviews.
Christopher Allen: (I have reached out to IBM and Intel's reps to comment — will continue to prod)
... We could also create a spec to use as input to a WG. Google and MSFT made comments on the public list saying they would rather have the work incubated first.
... Mike Champion (MSFT) and Chris Wilson (Google).
... They want to see what the technical proposal would be. But they are the same orgs that made the same request when the payments work was starting. We could create a spec that is what we have so far but removes the protocol pieces.
Dave Longley: They may also only be looking for that because they are browser vendors -- and there's nothing for the browsers to implement here.
Shane McCarron: +1 To splitting the document and putting the limited version forward as a strawhorse
Dave Longley: It's a trap! -- Admiral Ackbar
Manu Sporny: Shouldn't be too hard to pull together. Thoughts? Is this a trap for us, to have a doc that people can shoot down?
Christopher Allen: (I reached out to Wayne Carr of Intel, and Arnaud Le Hors of IBM — both may have reasons to support verified credentials because of their blockchain efforts)
Dave Longley: Mainly just having fun with my General Ackbar comment.
Shane McCarron: The goldilocks spec
Christopher Allen: I'll include them in the ping for questionnaire fill out [scribe assist by Manu Sporny]
David Ezell: A catch-22 here, if you do nothing it gets shot down, if you put details it can get shot down, but there is often a happy medium that will work
Dave Longley: One of the issues may be that there is nothing for the browsers to implement, so Google and MSFT may not see value.
Shane McCarron: +1 To make it clear there is nothing for browsers to do. and it would be good for implementors to speak up
Nate Otto: Don't know enough about the politics to evaluate risk either way. It is hard to get the right level of low-fi abstraction to not get dragged into the weeds on minutiae without the ability to respond (because it's really the job of a working group to sort out).
... a related question then is who would implement, which is why Pearson and others need to respond.
Dave Longley: I think the best response would be: "Browsers don't need to implement anything --- and these orgs X, Y, and Z will be implementing and/or using."
Christopher Allen: We may need to be more specific about why new blockchain technologies are needing this. Traditional solutions are not working with block chains.
Dave Longley: That addresses both of their main concerns, IMO.
... Will try to articulate this better, that the demand is not just for web browser web payments.
Manu Sporny: I'm hearing weak support for putting together a goldilocks spec that makes weak statements.
... wrt MSFT and Google, we can respond with much of what was discussed today.
Christopher Allen: Proof of publication/existence may also be good to include.
Nate Otto: Will take an action to review use cases. Sorry I've been very busy!
Shane McCarron: Let's have spec-ops do the simplification
Manu Sporny: I am doing charter cleanup, Shane the use cases, but we are stalled on the latter because not enough reviews. Please review (again). I will work with Dave L on the reduced spec.
... if you know of anyone who could be an implementer, please talk to them.
Christopher Allen: Thank you.
Shane McCarron: SpecOps should do spec.