SV_MEETING_TITLE -- 26 May 2015

Manu: We need good shared understanding of "Credentials"
... I want to be sure we have shared understanding of what we mean by credentials

<manu> A credential is a qualification, achievement, quality, or piece of information about an entity’s background such as a name, home address, government ID, professional license, or university degree, typically used to indicate suitability. The use of credentials to demonstrate capability, membership, status, and minimum legal requirements is a practice as old as society itself.

Erik: I have a similar understanding
... regulatory bodies would include additional information

Manu: I think "your dog's name" still fits into the above definition (e.g., your background)
... I have concerns about the rabbit hole of "solving identity for the web"

Erik: Our scope is to address account provider needs

Manu/Erik: Credentials are part of establishing identity

<manu> Credentials Executive Summary: https://docs.google.com/document/d/1Nq543-Am1hQUIZ2hhzAFl8KexvIEBwDDc_f3Ikz1opQ/edit

<Zakim> dsr, you wanted to note relationship to intent based API for KYC

dsr: This relates to our interest in KYC and generic mechanisms for doing so
... various approaches to "how you name things"
... in some cases people may want to use existing credentials.
... so there are three things:

- using existing credentials (as currently expressed digitally)

- a generic framework for expressing credentials

- an API that provides access to the binding between a web identity and a real-world identity

<dsr> see blog post http://www.w3.org/blog/wpig/page/3/

Manu: Many existing credentials exist in non-web-like fashion (e.g,. in PDF). we investigated reusing existing credentials and it was challenging.

<Erik> I agree with Manu. Credentials has no standard yet.

<Erik> Credentials should be a W3C initiated focus

IJ: I want to focus on (1) what our use cases are (2) what the landscape is for credential approaches (and what has succeeded or not with them) and (3) background on the CG's work

DSR: PrimeLife project on privacy
... Privacy requirements are part of this discussion / use case

<Zakim> dsr, you wanted to note privacy requirements as part of the discussion on credentials

Manu: Yes. The group deeply cares about privacy (which comes up frequently both because it's important and also because of regulatory needs)

Erik: Credentials are good input to identity solution

<dezell> 1) Validate for purpose of payment.

<dezell> 2) Reuse for other purposes.

<dezell> 3) Common construction with other purposes.

<dezell> [so what is the "must have" profile for payments. Will only the ultimate credential do?]

Q. Where do credentials appear in the payments flow?

IJ: E.g., just at account creation? Or at other times/

Manu: Here's a full flow:

- you are signing up for a bank account or a stored value account.

scribe: that organization would really like to receive a credential (that has been digitally signed) that does the binding between real-world identity and web identity
... they can do the KYC clearing almost immediately upon receiving the information.
... so that's the ACCOUNT CREATION use case

- some additional ideas:

a) If you go to a web site and the site needs to know who processes payments for you (e.g., firstdata, google wallet, etc.).

scribe: once the site gets the credential they know that you have an account.
... you don't need to tell the merchant WHO YOU ARE, they just need to know that you have an account for when you receive an invoice

b) Coupons and loyalty cards can be viewed as credentials as well

c) Shipping addresses can be seen as credentials

scribe: this is more convenient (browser just ships credentialed address to the site; no form is necessary)
... but the other use cases have to do with controlled substances
... e.g, you can only ship them to verified addresses....or if you want to buy other things like fireworks or ammo or other things that required verified shipping addresses
... another use case would be geofencing

d) Proof of age is another use case during purchase flow (e.g., for purchasing wine)

IJ: I am hearing:

* Account creation

* At time of purchase

scribe: agreement to terms specifically

* At time of choice of instrument

DSR: I remember Erik talking about AML reqs

Erik: Security and credentials help you with KYC, AML, consumer protection

Q. How much / what would we need to standardize?

Manu: I think we need:

* Container for credential

(and we are proposing linked data with a digital signature)

* Protocol for issuing, storing credential

* Protocol for requesting a credential

Erik: +1 to standardizing the credential container

<manu> Ian: One way to structure the discussion...

<manu> Ian: What is the business opportunity - will it justify the need for standards work to be done?

<manu> Ian: It's rooted in the current state of KYC/AML - understand the limitations and cost today. Setting up a banking account is very expensive for the bank.

<manu> Ian: How are the regulatory requirements addressed today? They are handled, but it's time consuming and expensive - furthermore, only a small sliver of the world is engaging in this.

<manu> Ian: Tech companies, card processors - they're not standing to lose by having an improved system. They would be interested in systems that would make this work easier - safer for consumers. Frame it as that being the reason for why there is value for being a standard.

<manu> Ian: Coming to the meeting and saying: "This is the industry problem we want to solve, and here are some stories"

<manu> Ian: What has been tried before? Why did it fail? Successes and failures of industry-wide standards - some more weblike than others.

<manu> Ian: Before we go about CG work - inherent limitations to these things? why did adoption fail?

<Zakim> dsr, you wanted to comment on role of protocols

<dsr> +1 to documenting rationale

dsr: Manu mentioned protocols
... we need to understand the motivation and use cases for them.
... it's not clear to me that protocols come into the picture.

Erik: I would focus on how the credential is represented and stored.

Manu: I think we can't have interop unless we say how these credentials get around the Web.

DSR: What do you mean by protocols?

Manu: Other things to mention:

<manu> Ian: 3 big chunks that we've been talking about in first round of prioritization

<manu> Ian: Payment initiation, proofs, and invoices in v1

<manu> Ian: We have a draft - 20% of a charter on that work.

<manu> Ian: Need to have a shared understanding - worth the investment of time

<manu> Ian: Adrian's settlement task force - bridging disparate payment systems - in v1 - of the 3, that's the one we've discussed the least.

<manu> Ian: What needs to be proposed - authentication?

Manu: Authentication stuff is parallel to credentials work.
... should not have a dependency unless we were to bake hardware-based authentication in V1
... on the other hand, the digital signature work is vitally important
... and I am concerned we are going to have a conflict between JOSE work and digital signatures on credentials

[Discussion of need to have the right people embracing the effort]

Erik: Tech + financial

Manu: I will put together an outline
... and I would appreciate feedback on that so that we go into FTF with a unified message around credentials

- DRAFT -

SV_MEETING_TITLE

26 May 2015

Attendees

Contents

Summary of Action Items

Scribe.perl diagnostic output