See also: IRC log
<scribe> Scribe: ShaneM
<betehess> I guess it's http://www.internetidentityworkshop.com/
manu is presenting slides
(scribe plans on not minuting the slides - there will be a link)
"do you always need a digital signature?"
It is not a requirement. But without one it is not verifiable. It is just a claim.
"By secure, what do you mean?"
You get the same kind of security that you would get in any digitally signed document. (offers to chat offline).
"Is there anything about limiting the scope of disclosures?"
"yes. It is a very important property. There are use cases documented that we want to be certain are in version one."
manu: talks about decomposability
"Are you handling updates to the information?"
manu: yes. the interesting thing is that the claims are portable. You decide where you store it. You always hold on to the data. An issuer can revoke a credential. In doing that you have the choice of getting a new credential, getting it updated, etc.
... we do not support dynamically updating credentials out in the wild. That's really challenging.
"if the issuer revoked it, how would people know?"
"Is there a way to put claims together?"
manu: yes, claims are composable
(more from slides)
<dcosta72> the task force documents is here: http://w3c.github.io/webpayments-ig/VCTF
<dcosta72> architecture here: http://w3c.github.io/webpayments-ig/VCTF/architecture/
Architecture questions?
"How much is existing ecosystem and how much is future?"
manu: by existing standards?
"Who is actually running one of these?"
manu: you can look to ETS and Pearson... Who has deployed the technology? A small bit. But there are people with systems LIKE this today.
ETS, Pearson, the DMV
"Estonia?"
manu: Estonia leads the world in digital identity. Every citizen has a digital identity
They can do many many things digitally. The country has done it in a proprietary way, but wants to move to standards.
"The impression I am getting is that most of these use cases require not passing off the credentials"
manu: yes. and that is very very complex. Let's talk about it later.
... we are not doing decentralization in this first work. If we never get to it we could use email and DNS.
... Rebooting web of trust is another area where people are looking at this hard problem.
(more from slides)
"Do we produce standards once there is an ecosystem and there is friction that needs to be sorted out, or do you build standards to drive the ecosystem? Microsoft is clearly in the former camp"
manu: we have a number of organizations that are deploying the ecosystem now. They are getting feedback. We are concerned that as large organizations get their work out there it will be hard to harmonize them later.
... we are deploying and getting feedback that is informing the work. But the organizations are saying "we need standards to convince our constituents there is a standard we are working towards"
... having a forum is helpful to them.
... what we don't want to see is that the industry forces the hands of the working group. Is that fair?
Michael: That's fair at this level. But it is a question of where we use W3C resources and this might be premature. But I respect the other point of view.
(more from slides)
Manu asked if anyone new wants to participate.
Thomson Reuters: yes. we have been looking at this stuff and are very interested in selective disclosure of attributes.
scribe: we also work a lot on licensing and other things. We possibly could leverage this approach.
"The intersection between this and distributed ledgers seems pretty clear. How does the VCTF see this?"
manu: this is a quickly evolving field. There is a lot of work about Decentralized Ledgers and Verifiable Claims at the Rebooting Web Of Trust workshops.
... the general intent is that there is some sort of shared database (DHT) that can be used.
... example of first responder problem and the department of homeland security. They are looking for ways to quickly verify that people who show up to help are actually an emergency responder.
... you would think that would already exist. The reality is that it does not. There is no infrastructure for this nationwide (in the US).
... other use cases include fraud. Insurance fraud when multiple claims are made against the same problem. No good way to coordinate.
A shared DHT with VINs and claims would be one way to address this.
scribe: that's a couple of examples.
Microsoft has been very generous with the RWoT workshops. A lot of work is going into the research.
scribe: I don't expect standards to come out of it in the next year to three years, but there is active work ongoing.
manu: I do have one point about identity. We avoid talking about it.
... we are NOT trying to solve identity on the web. It means different things to different people. We are worried that we would not be able to make progress if we got into that morass.
"The right way to do this would be to ensure it is hardware security backed. Is there anything VCTF needs from hardware security right now?"
manu: we have been tracking it, and we absolutely need what the group is doing. We think you are doing what we will need to secure the ecosystem.
... thank you for the offer!
"how much of the avoidance of identity management is impinging on the deployment of some use cases tomorrow?"
scribe: identity is such a difficult problem.
manu: if you characterize this as "how do I prove that I have authority over this identity?" If you talk about it that way then it is slightly more manageable.
... we need a way for strong ways to cryptographically verify that the certificate is valid.
... we have the ecosystem deployed and implemented purely through polyfills in the browser. It would be better if there were support in the browsers to help ensure that the data is valid.
"Not sure how this addresses transferrability"
manu: that's about decentralization (and blockchain to a certain degree). If you have an identifier on a domain, you DON'T really own that.
... if there is a way to have a self-sovereign identifier. Can you cryptographically prove that you have control over it. For example, you would use your browser to self-issue an identifier. That would give you a key and an ID. It puts it into a decentralized network.
... all you have done here is issue yourself an identity.
"Since you are avoiding the issue of identity though, you would be compatible with solutions that are NOT decentralized... like what Estonia is doing."
manu: You are right. There is nothing in the proposal that requires decentralization. You could use SAML or OpenID Connect or whatever. Or some future looking system like the one we are trying to create.
... broad compatibility with existing identity management systems.
"Is this a layer on top of LWT or something. It would be nice if the architecture explained how these things relate. I would like to see that fleshed out in this diagram or somewhere else."
scribe: learn how a W3C standard could add value to this complexity.
... words or a more elaborate diagram.
"if this ultimately boils down to a standardized syntax that you use to extend SAML or whatever, or tied to a decentralized web of trust, that would be useful. If that is what the aim is then we should say that."
manu: I agree that we should say it better. We have the text but it is buried.
... I think that we are trying to ensure that all things are possible, but there are a lot of players.
"We need to make a distinction between the owner/holder of the claims and the use of them. It is conceivable that when a claim is issued it is issued against an identity. It will refer to a human, but it is against the issuer really."
scribe: renting a car on my behalf would not require biometrics, but other things like opening a bank account might require more rigorous verification.
manu: the general class of that is delegating credential access to others.
... we are looking at something about macaroons from Google.
... VCTF proposal is linked off of the breakout wiki. You can learn more there. We will share the slide deck. We meet every Tuesday at 11 AM US Eastern Time. If you subscribe to the Credentials Community Group.
Everything is minuted. We record the audio for all the calls. It is a nice, friendly community. You will get updates as we progress.
<manu> scribe: ShaneM
Present: Manu Sporny, Chris Webber, Natasha Rooney, Mike Champion, Chris Wilson, David Costa, Shane McCarron, Dan Burnett, Eric Prudhommeaux, David Ezell, Adrian Hope Bailie, Benjamin Young, Alexandre Bertails, Rodolphe Marques, and roughly 31 people total
Date: 21 Sep 2016
Minutes URL: http://www.w3.org/2016/09/21-vctf-minutes.html