W3C

- DRAFT -

Social Web Incubator Group Teleconference

09 Jun 2010

Agenda

See also: IRC log

Attendees

Present
MacTed, Thomas, +1.781.416.aaaa, +1.218.296.aabb, paul, rreck, hhalpin, danbri, oshani, +1.510.931.aadd, melvster, +1.510.931.aaee
Regrets
Chair
hhalpin
Scribe
danbri

Contents


<trackbot> Date: 09 June 2010

<MacTed> paul, is that 416 number you?

<paul> I'm on a 781 number

<tlr> 781.416...?

<rreck> are we meeting?

<rreck> me too

I'm having trouble getting in too

<tlr> the UK and FR lines seem to have issues, yes

<rreck> afk

<hhalpin> Mischa - can you scribe?

<hhalpin> scribe: danbri

is the log logging?

<hhalpin> PROPOSED: to approve minutes from June 2nd meeting.

<hhalpin> http://www.w3.org/2010/06/02-swxg-minutes.html

<hhalpin> +1

+1

<hhalpin> RESOLVED: approved minutes from June 2nd meeting

danbri regrets for next week (Notube f2f project meeting)

<hhalpin> Next Meeting: Distributed access control languages for privacy providers, MIT on AIR and PrimeLife on XACML

final report updates

hhalpin: run-thru of final report actions
... we had several regrets
... mischa started an etherpad draft

<hhalpin> melvster: share etherpad with the rest of the group?

<melvster> one sec

<melvster> just dialing in

<melvster> sure!

<melvster> *work in progress* http://openetherpad.org/Ea4YsoZGeU

hhalpin: I didn't make much progress on gap analysis

any progress on use cases?

<hhalpin> http://openetherpad.org/Ea4YsoZGeU

(i dropped some messy notes into etherpad but not done much yet)

Paul Trevithick on the State of Digital Identity

(welcome Paul...)

<hhalpin> http://www.slideshare.net/ptrevithick/swxg-201069

ok i won't scribe things that are in the slides

<hhalpin> http://www.slideshare.net/ptrevithick/active-clients-and-pd-ses-4452852

who joined?

<hhalpin> Paul, do you wish to begin?

Paul: Harry asked for a few thoughts on state of Identity industry. Hard challenge!

<hhalpin> So we are on first slide-deck, i.e. http://www.slideshare.net/ptrevithick/swxg-201069

Paul: identity is a hard problem, as it is perceived differently in different communities
... language varies by community; it 'obviously' means x to some, something quite different / richer to others

<bblfish> hi

Paul: some call that more advanced form 'claims based' identity
... you don't necessarily need to identify a person to have an interaction
... some see authorisation as primal, identification as secondary

<melvster> bblfish: http://www.slideshare.net/ptrevithick/swxg-201069

Paul: most of us tend to drop the word entirely due to these kinds of confusion
... i was looking yesterday at privacy aware Web definitions, use of 'publisher', ... have to get over these kinds of terminological problems
... - requirements vary by community
... idea that different people are trying to solve slightly different problems
... why do we look at this so differently?
... idea of levels of assurance, eg. NIST's 4 levels
... how much can relying party depend on strength of some assertions
... some need levels of assurance > 1

(hmm this? http://en.wikipedia.org/wiki/Identity_Assurance_Framework#Assurance_Level_Criteria )

<hhalpin> NIST levels are interesting...

scribe: challenge here, some feel that anything > 1 is irrelevant, uninteresting
... that perspective driven by high volume, low value social web transactions
... those on higher level (payment, govt) sometimes feel like 'long tail' cornercases


<hhalpin> but the high-volume transactions can eventually need a higher NIST level, i.e. binding payment to your social networking account ala Payswarm

scribe: also e.g. yesterday talked w/ National Cancer Institute re sharing medical records
... also Verified vs self-asserted attributes
... much socialweb stuff is just asserted by end users
... other scenarios (reputation systems, payment systems), ... some people / communities will look at these requirements and say 'no thanks'
... eg. equifax can issue 'bearer of assertion is > 21 years old' (but we'll reveal nothing else about them)
... a lot of probs around protecting children are around lack of verified 3rd party assertions of attributes
... also req: need to aggregate from multiple different providers
... for high volume / simple sites, this isn't a problem
... other use cases, you distinguish even from an ID provider and an attribute provider

<hhalpin> attribute provider/identity provider an interesting distinction.

scribe: you can not have to keep authenticating but can aggregate attribs [missed]

[slide 5 now on slideshare]

scribe: linkability
... this makes perfect sense to some, but too much for others [see Kim Cameron's Laws of Identity ... re deployable systems]
... you can agree / disagree, but this is the landscape of [lack of ] consensus

"Some uses cases require high assurance and unlinkability (and sometimes even offline presentation of security tokens)."

submarine example; disconnected from 'net but need to auth things internally

scribe: a lot of discussion lately re levels of protection
... converse of levels of assurance
... could we get to a world where the user is a party to a digitally signed contract
... it's released to relying party, but the rp is bound not to resell
... for that to be non-repudiable, need ... [missed detail, sorry]
... concern that lately too much emphasis on crypto
... some control, but also more on accountability, in everyday life

<bblfish> zakim aaee is bblfish

scribe: so there are only prototypes of tech currently that can handle this
... again these are just examples of why this [consensus] is hard
... hard to build something universal, addressing all requirements
... ie. this talk might be considered something of an apology for lack of progress given the energy/effort

<hhalpin> no apologies needed paul, there is clearly progress being made and the problem is hard!

scribe: several communities

Identity Commons (2005) http://idcommons.net

scribe: distinguishing open / user centric id folk from enterprise / proprietary world (of which i know little)

IIW is the (intense, 3 day) hub of this world

scribe: OpenID Foundation (2007) http://openid.net

[ is http://community.livejournal.com/lj_dev/683939.html the 1st openid spec btw?]

scribe: internal competition within openid now
... different groups, perceive problem sets differently
... Qs: what is the OpenID Foundation? a broad church or an advocacy org for one particular protocol?

dataportability? DataPortability.org (2007)

scribe: struck a nerve re user control

Information Card Foundation (2008) http://informationcard.net

scribe: began around ms cardspace and oasis IMI, ...
... "Next generation: Integrated with the browser. Consistent UX across protocols including: un/pw, OpenID (to reduce phishing), IMI (legacy), and OpenID V.Next, client side certs (perhaps)?"
... that foundation also at a crossroads
... is more emphasising active clients
... found some issues w/ active clients

esp requiring a download, and insisting on a single unifying protocol

scribe: soul-searching and next gen work
... moving beyond single protocol

making it 'better with'

Kantara (2009) - http://kantarainitiative.org

scribe: kinda interesting
... analysis a couple of years ago, interviewed rigorously many from ID scene
... under NDA
... to make a new org
... they [we] concluded that we have moved into a cross-protocol era
... needed a pulling together of a number of these disparate communities
... was then the old liberty alliance, saml work
... which was a response to hailstorm/passport
... also openid appeared
... 3 tech groups appeared
... to some extent it's an unrealised objective
... strategically it's right
... Kantara replaced liberty alliance
... and working on some crosscutting stuff

( also new ones this year )

a joint board, infocard and openid(?)

scribe: discussion of what's missing, usability vs specs
... role of biz agreements that allocate liability
... joint sales efforts
... Obama team wanted to open govt up and use commercial ids from industry
... catalytic effect
... govt said we like openid, but want also stronger assurances, info card stuff, ... but hey we're just a customer,...
... big enough that got attention of those 2 foundations, who self-organized and stopped quibbling
... in some way stopped competing a bit
... united front to the federal govt, and said 'whichever, we see the fed govt won't enter into commercial relationships w/ for example paypal, yahoo, google, whoever... unless there are certifiable properties, privacy characteristics, audits, ...
... understand liability, ...
... caused spontaneous creation of the Open Identity Exchange

(OIX?)

scribe: so they joined forces to form that

<Zakim> danbri, you wanted to ask how messy patent situation is (what is feasible royalty-free?)

(patent talk later)

kantara and others ... corporate sponsors, + leadership council

(i missed some detail)

<hhalpin> likes the community members and corporate sponsor model, maybe that could work for the w3c

OIDF and ICF, ... same governance model, blended board, 1 member one vote, community members outweigh

scribe: re participation, individuals and companies can join, but $100 for an individual, in some cases $25
... in terms of how openly they operate, that could be debated
... theoretically, all open to all
... but strong interpersonal relationships and personalities are in many cases more the driver of what happens than the formal structures
... has to be seen to be believed
... this is not something like w3c or oasis
... kantara is most formal/structure, icf more, openid foundation

they all have public archived mailing lists

all 3 have private board lists

vast majority of everything is public

last one, Xauth, is interesting ---

--- it's a way to personalise the login situation

scribe: if you only have an unmodified browser, you show up with a fresh browser, it can't be customised

(forgetting the CSS History hack :)

scribe: school of thought that says 'browsers don't know who you are ...
... nor who your preferred attribute/identity providers are
... hence the 'nascar problem', long list of logos
... so a tyranny of the mega-brands
... so relying parties put facebook/google/yahoo at the top
... which has a somewhat perverse effect
... xauth says with html5 and some tricks, we can hack a way for the relying party to learn what someone's prefs are
... shorter list
... these are ways to work around an architectural problem
... which is that browsers don't know who you are
... slide 7 http://www.slideshare.net/ptrevithick/swxg-201069
... openid 2.0 (legacy openid)

50k sites and growing, relying parties

scribe: q is where we go from here

openid has a number of problems

3 key

1 - OpenID-AB [Attribute Binding] - http://bitbucket.org/openid/ab/wiki/Home

Proposed by Nat Sakimura and others in early 2009

scribe: has not had much attention yet

2 - OpenID V.Next

(discussed last fall and this spring at IIW)

v.Next is the codename for whatever happens

in May, OpenID Connect proposal from David Recordon (and social Web friends)

all these 3 are breaking changes

not backwards compatible

scribe: I don't yet see how this is going to get resolved
... openid connect is 'get a spec out there ... let's just do it!'
... caught some people by surprise
... openid community is trying to figure out a way fwd thru all this
... I hope the earlier slides set some context for this
... and difficulty in agreeing even common requirements

Slide 9 -

personal opinion -

scribe: we can't stop creation of new protocols
... open, etc
... what happens a lot is much reinvention
... come up with stuff, don't see what came before
... do something quick/dirty that solves some problems now
... then start making it more robust
... realise it isn't 80% solution, but 45%, ...
... then someone new jumps in
... natural cycle of reinvention
... yesterday/last-night investigating webid [ie. foaf+ssl]

<bblfish> I'd say WebId being based on the semweb, in one protocol that can then bind all of them together.... One can bind in OpenId for example. (not sure about the others)

scribe: looks like it would solve some fraction of use cases, has nice characteristics
... but partial solution
... not clear how much things will converge
... or how much analogy with email, where Internet email eventually dominated
... i note that whenever we build something new that gets used, ... it is out there and not going away
... and that username + password could easily stay dominant for 10+ more years
... we have learned things
... users don't care
... they want something that makes sense to them
... ux is the key to them
... if you go to an RP and say 'this is great tech, SAML no, infocard no, OpenID no ...' the RP will say 'well, we have to support at least username/password .. and I'll have to link the accounts ...'

<bblfish> (note on above there is work integrating WebID with SAML in Manchester, with SOAP in University of Southampton...)

scribe: so the RPs live in a necessarily multi-protocol world

but our communities don't organize in those terms

scribe: eg create a common apache module
... this is a structural problem

[ very interesting! --danbri ]

scribe: communities eventually say 'oh we have overlap, need to blend things ... '
... attempts to say 'here is an active client, eg. ms cardspace '. ... it just didn't work
... to use the solution, you needed 'this thing', the right version with your OS, download it if needed, need to be on windows, etc etc
... so the idea that active clients are needed for the system to work ... a nonstarter
... always this locked down enterprise computer, library kiosk, ... person can't install plugin, upgrade a pc, etc ...
... so lately active client ppl have a 'better with' approach
... ie. it works normally but is 'better with' the addon (whether an ng-browser, or addon)
... ppl look at 'open identity community' and they see a swirling churning mess of people putting down each other's stuff, partial penetration, etc
... and they say 'ok, let's wait for this catfight to calm down'
... status quo, is do nothing, use a proprietary thing, if username/password don't do it
... with 1 exception: facebook connect, picking up a lot of use across Web
... they have an id tech plus attributes
... last pt: the identity community, with all these nonprofits, is not structurally in a good place to solve needs of the marketplace
... couple of specific points re socialweb
... identifiers and user experience
... my perception
... in beginning, was 'type in your openid URI'
... rough consensus: not working
... they understand it only as for pages/info
... doesn't work on ppl
... they understand email addresses
... so openid said 'click on a button'
... but measured results were higher conversion rates

<dsearls2> Hey Dan, all. It's Doc.

scribe: with benefit to those at top of list

see link for logs, doc

<dsearls2> ok

paul: people get that, re use of email
... end-user re-education is a huge issue
... and now with xauth we can personalise the nascar icon list to something more manageable
... best we can do short of active client
... slide 12:

<oshani> dsearls2, here's the slides: http://www.slideshare.net/ptrevithick/swxg-201069

attribute schemes

scribe: there are so many of these things, so much overlap, ...
... if you start taking view from biz point of view, that relying party is key ,... you want that to be easy as possible

too many schemas makes RP's life hard

<Zakim> danbri, you wanted to ask how messy patent situation is (what is feasible royalty-free?) and to

[other deck]

can you scribe harry?

<rreck> thanks for your presentation, it was very informative

<hhalpin> scribenick: hhalpin

danbri: any patents in identity scene?
... any idea how messy situation is?

paul: it doesnt get talked about that much
... varies by organization depending on structure
... we try in ICF and Kantara to have IPR rules

<danbri> (w3c history - eg see http://www.w3.org/TR/P3P-analysis )

paul: we can tell that things happen just willy nilly
... not developed in a structure and not necessarily ideal
... pretty confusing to me
... hard to know whats lurking out there, esp. with OpenID

danbri: if we wanted to get something in all the browsers
... could we get those vendors to commit to RF-status?

paul: I work in this Eclipse Higgins project
... so our patent reviews are pretty good
... an explicit license is being given to contribution

danbri: relevant specification, go back to paper trail to see how the W3C developed its patent policy

paul: not sure re specs

<scribe> scribenick: danbri

<melvster> paul: awesome job

<bblfish_> ?q

<bblfish_> heh

<Zakim> tlr, you wanted to ask whether Paul sees any chance for the identity work to move into less willy-nilly space, eventually

tlr: thx for the talk, paul
... in your answer to danbri's impossible q, you sounded mildly frustrated
... re work happening in a 'willy nilly' way
... see any chance for that to fix itself over time?

paul: for full disclosure, ... there is a project 'bingo' towards consolidating a number of these efforts, back into a more structured but broad church
... where the church is about consistent messaging/marketing/ipr, not tech
... my personal bias is that we would do better to come up with a broad base consolidating a number of these

<dsearls2> Think big tent instead of church.

paul: but saying that i can hear friends of mine like dave recordon, chris messina, saying 'we can just hack it...'
... but when the recession came, they took jobs at big companies
... so now when they say it you have to consider the source, they work for google, yahoo, facebook etc

<bblfish_> Hey, I am unemployed now!

<dsearls2> Dave works for a different big co every year.

<bblfish_> so you can trust me :-)

paul: you always have to figure out what's personal view, and what [ not wanting to say something unfair here ] ... looking at openid connect, ...
... could be perceived as a retrospective standardisation of FB Connect

<hhalpin> theres also Google FriendConnect

<hhalpin> i.e. FriendSense :)

paul: some aren't so concerned for the crypto
... and oauth hardcodes rather a lot
... so i'm somewhat at a loss to predict what'll happen

<Zakim> hhalpin, you wanted to ask about browser integration and w3c

harry: a lot of discussion talking more now about browser-based integration
... w3c has some work there w/ html5, ... and w/ big browser makers
... discussion before re w3c involvement has focussed on its membership model which can be seen as exclusive
... do you think w3c could have a role w/ one or more foundations, to see if some mature tech here could go into new browsers?
... possibility of standardisation (at format level? more W3C's thing than protocols, which go better at IETF)
... if so, what to do about the number of these foundations?

<rreck> got to go, thanks again

harry: trying to appreciate things on a tech level, and figure out what kind of a role might make sense for us
... eg. browser aspect, html5 etc happening

paul: I think now is a great time
... things are at a crossroads in most of the foundations
... kantara, oidf, ... [missed last acronym]
... dan based on your comments last week, i've mentioned to others there might be a new actor [=w3c] to consider

<dsearls2> ICF... Information Card Foundation

paul: there is sort of this feeling that, from the californian web kids' perspective, ... that w3c isn't relevant but browser folk are, ... if you get mozilla to build this stuff in, that's the way to go
... and html5 is a part of the equation
... more discussion about getting this into browsers [ie, firefox, chrome] than html5
... but that's not to say there's nothing discussed there

<hhalpin> also notes two years ago I was talking about OpenID with Hixie at TPAC :)

paul: 2 years ago, w/ david recordon, relying party metadata stuff should be in html5

(thx dsearls2)

scribe: my personal belief, that w3c thru html5 angle, a great place to advance this idea of active clients, ID in the browser, ...
... has in past been a lot of outreach from w3c on these things
... in past, ID folks also tended to talk amongst themselves, but not have strong links to browser world
... speaking for info card foundation, definitely interested

<tlr> paul, I'd be happy to help with that sort of discussion from the W3C side

scribe: and kantara, new chair...

(tlr, can you put that in audio, don't know if paul reading irc)

<tlr> happy to

paul: some will be wary of even more institutionalisation
... there are threads, eg. 'if the openid foundation doesn't do it, we'll just do it'

tlr: these days we are shying away from joint work with the IETF ...

scribe: in the sense of a group simultaneously belonging to both
... however we are doing much more heavily coordinated work with them, and it is going pretty well

<hhalpin> The IETF does make sense for OpenID connect, unless OpenID Connect feels like its need browser integration or the W3C RF Patent Policy

scribe: re paul / infocard, ... I'd be happy to help from the W3C side
... can take it to email and see where it goes

bblfish: thx for mentioning webid ...
... there has been work on linking that with SAML (from manchester), with [missed, SOAP??] from S/hampton
... because semweb is an abstraction of all syntaxes that it is a perfect foundation for integrating all these different pieces; you can map anything into the sw

[any format at least? -- dan]

scribe: so you can see semweb as a glue for all these pieces.

tlr, url for diagrams?

paul: I understand, and happen to think semweb and linked data have a bigger role to play in future in identity ...

<Zakim> hhalpin, you wanted to ask about ostatus

<tlr> q0

hhalpin [asks about ostatus]

paul: it absolutely is related

<hhalpin> ostatus framework hooking up to OpenID/WebID/etc.?

paul: these 2 worlds have to come together in a coherent way
... ostatus stuff has to come together in a coherent way
... with the identity world
... some admirable things happening via 'small pieces loosely joined'
... ostatus is a great example of that
... but if we step back and say 'lets look at it from ux perspective' [as we're doing in new kantara group]
... moving beyond simple login, ... it is about sharing, things like ostatus, ... how do you make this understandable, coherent, simple?
... what i've found, the need to knit things together becomes self-evident, and the gaps in the available technologies become clearer

lately am trying to be ux first, tech 2nd

<hhalpin> linked data has a fairly hostile user experience :)

scribe: so there i think we need to think about ostatus, and about updates to linked data too

paul: good to be here forming some bridges
... diplomacy and tact may be undervalued in some communities, but it's the only way we'll make progress in the bigger picture

<tlr> Thanks, again, Paul for joining!

+1, thanks Paul :)

<paul> My pleasure

<melvster> thanks paul, awesome call

<bblfish_> thanks, very much

<bblfish_> great talk

<hhalpin> trackbot, end meeting

<paul> Thank you all. I look forward to continuing

Summary of Action Items

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.135 (CVS log)
$Date: 2010/06/09 16:17:51 $

Agenda: http://lists.w3.org/Archives/Public/public-xg-socialweb/2010Jun/0010.html