Comments on VCTF Report

Dear Members of the VCTF [0],

Thank you for preparing a report [1] on your activities for discussion
at the upcoming face-to-face meeting. I read the report and the
minutes of all the interviews. I have not read the use cases [2].

I have several observations and questions that I'd like to share
in advance of the face-to-face meeting. I look forward to the
discussion in San Francisco. I will continue to think about
topics like "questions for the FTF meeting" and "ideas for next
steps."

Ian

[0] http://w3c.github.io/vctf/
[1] https://lists.w3.org/Archives/Public/public-webpayments-ig/2016Feb/0029.html
[2] http://opencreds.org/specs/source/use-cases/

==================

* First, thank you for conducting the interviews. I appreciate the
time that went into them, and you managed to elicit comments from an
interesting group of people.

* In my view, the ideal outcome from the task force's interviews would
have been this: By focusing on a problem statement in conversations
with skeptics, areas of shared interest would emerge and suggest
promising avenues for standardization with buy-in from a larger
community than those who have been participating in the Credentials
Community Group.

* With that in mind, I think the results are mixed:

     - The interviews included valuable feedback that I believe can be
     useful to focusing discussion of next steps. For example,
     compiling a list of concerns about the project is very useful.

     - I believe the report does not do justice to this useful
     information.

* Here is why I believe the report does not do justice to the
  interviews: it includes information that I don't believe was part of
  the task force's work, which clouds what the report could most
  usefully communicate. Specifically:

    - The survey in 5.1 was not part of the task force's work [0].

    - While documenting use cases [2] is valuable, I did not read
      in the interviewer's comments that they had considered the
      use cases. It would have been interesting, for example, for
      the interviewees to have considered the use cases, and to
      determine whether there was a small number of them where
      there was clear consensus that it was important to address
      them. But without connecting the interview comments to the
      use cases, I believe they only cloud this report.

      Thus, I find confusing the assertion in 6.4 that
      a "point of consensus" is that there are use cases. That
      may be the consensus of the Credentials CG that produced
      them, but it is not clear to me from reading the minutes
      that there is consensus among the interviewees on the
      use cases. Similarly, section 3 (Summary of Research Findings)
      goes beyond the work of this task force to include the use
      cases.

* While there were a lot of valuable comments in the interviews, it would
  not be cost-effective to paste them all here. Here are a few synopses:

  - It sounded like people acknowledged the problem statement
    and also that this is a hard problem to solve.

  - Many people emphasized the opportunity to improve security and privacy.
    One opportunity that was mentioned had to do with user-friendly key
    management (which made me think of SCAI).

  - There is a high cost to setting up an ecosystem, and so the
    business incentives must be carefully considered and
    documented. (This is covered in 7.3 of the report.)

  - I found Brad Hill's comments particularly helpful:
    https://docs.google.com/document/d/1aFAPObWUKEiSvPVqh9w1e6_L3iH4T08FQbJIOOlCvzU/

  - A number of comments seemed to me to suggest a strategy for
    starting work:

    * Start small.
    * Start by addressing the requirements of one industry and build from
      there. I heard two suggestions for "Education" and explicit advice
      against starting with health care or financial services.
    * Be pragmatic.
    * Reuse existing standards (a point you mention in section 3 of the report).


* I don't understand the role of section 4 ("Requirements Identified
  by Research Findings"). This is not listed as a deliverable of the
  task force [0] and it does not seem to me to be derived from the
  interviews. The bullets don't really say "Here is the problem
  that needs to be solved." I think the use cases come closer, and
  we need more information about business stories as mentioned above.
  Talking about things like software agents helping people store
  claims feels like a different level of discussion.

* In section 6 "Areas of Consensus":

  - "Current technologies are not readily solving the problem."

    I don't think that's the consensus point. I think that formulation
    suggests too strongly "and thus new technologies are needed."

    I think the following headline phrase is more accurate: "Reuse
    widely deployed technology to the extent possible." You do say
    something close to that in the paragraph that follows, and
    again in 7.8.

  - "Minimum First Step is to Establish a Way to Express Verifiable
    Claims"

    (Also covered in a bullet in section 4.)

    First of all, I did not reach that result from reading the
    interviews.  Second, the very sentences in the paragraphs that
    follow suggest there is no consensus. Namely:

    * "Many of the interviewers suggested that having a data model and
      syntax for the expression of verifiable claims AS ONLY PART OF
      THE SOLUTION." (This suggests they may not agree that "expression"
      is a minimal first step and that MORE is required in a first step.)

    * "Some of the interviewers asserted that the technology already
      exists to do this and that W3C should focus on vocabulary
      development." (So this is a recommendation to do vocabulary work.)

    * "Others asserted that vocabulary development is already
      happening in focused communities (such as the Badge Alliance,
      the Credentials Transparency Initiative)." (This doesn't say
      anything about what W3C should do; perhaps this sentence could
      be attached to the previous one instead.)

    * "Many of the interviewers suggested that the desirable outcome
      of standardization work is not only a data model and syntax for
      the expression of verifiable claims, but a protocol for the
      issuing, storage, and retrieval of those claims, but
      acknowledged that it may be difficult to convince W3C member
      companies to undertake all of that work in a single Working
      Group charter. " (This sounds like a repeat of the first bullet.)

    * "In the end, consensus around the question what kind of W3C
      charter would garner the most support seemed to settle on the
      creation of a data model and one or more expression syntaxes for
      verifiable claims."

    Basically, I do not think there is a consensus to do that among
    the interviewees. In detail, here’s what I read:

        - Brad Hill: "I don't know"
        - Christopher Allen: (I don't see any comment)
        - Drummond Reed: "user-side control of key management"
        - John Tibbetts: "document what a credential looks like
                         (perhaps either a data model or ontology)
                         plus a graphical diagram"
        - Bob Sheets: "I have a hard time addressing that question,
                       whatever it takes to get your group started and
                       on the map and doing work the better."
        - David Chadwick: (I don't see any comment)
        - Mike Schwartz:  (I don't see any comment)
        - Dick Hardt:  (I don't see any comment)
        - Jeff Hodges: (I don't see any comment)
        - Harry Halpin: "Another option is to scope down and aim at a
                        particular problem domain, for example a
                        uniform vocabulary for educational
                        credentials. "
        - David Singer: (I don't see any comment)

* I found interesting the section on "areas of concern" (along with
  Brad Hill's comments). It might be possible to categorize the
  concerns like this:

  a) Social issues
     7.2 scalability of trust
     7.3 business models and economics
     7.4 business model for infrastructure
     7.7 liability; fraud and abuse

  b) Design issues
     7.5 slow evolution of agent-centric designs
     7.6 risks associated with identifiers, keys, revocation
     7.7 reusing existing work

  c) Communication
     7.1 communicate vision / big picture
       (BTW, I agree, but this does not imply it belongs in a charter).

  - Scalability of trust is very interesting. I think I agree it's
    good to have an architecture that supports diverse business
    models, trust models, etc.

  - On business models and economics: "it is yet unknown if
    kickstarting the market will be enough to build a strong economic
    incentive feedback loop." It might be easier to find an answer
    by adopting the above strategy points about starting small and
    picking one market.

* Please list the editors of the report. Also, if possible, please list in an
  acknowledgments section of the report the participants in the task force.

--
Ian Jacobs <ij@w3.org>      http://www.w3.org/People/Jacobs
Tel:                       +1 718 260 9447

Received on Wednesday, 17 February 2016 02:59:42 UTC