W3C TPAC 2016 Verifiable Claims Working Group Proposal Breakout Session

21 Sep 2016

See also: IRC log


Manu_Sporny, Chris_Webber, Natasha_Rooney, Mike_Champion, Chris_Wilson, David_Costa, Shane_McCarron, Dan_Burnett, Eric_Prudhommeaux, David_Ezell, Adrian_Hope_Bailie, Benjamin_Young, Alexandre_Bertails, Rodolphe_Marques, and_roughly_31_people_total


<scribe> Scribe: ShaneM

<betehess> I guess it's http://www.internetidentityworkshop.com/

manu is presenting slides

(scribe plans on not minuting the slides - there will be a link)

"do you always need a digital signature?"

It is not a requirement. But without one it is not verifiable. It is just a claim.

"By secure, what do you mean?"

You get the same kind of security that you would get in any digitally signed document. (offers to chat offline).

"Is there anything about limiting the scope of disclosures?"

"yes. It is a very important property. There are use cases documented that we want to be certain are in version one."

manu: talks about decomposability

"Are you handling updates to the information?"

manu: yes. the interesting thing is that the claims are portable. You decide where you store it. You always hold on to the data. An issuer can revoke a credential. In doing that you have the choice of getting a new credential, getting it updated, etc.
... we do not support dynamically updating credentials out in the wild. That's really challenging.

"if the issuer revoked it, how would people know?"

"Is there a way to put claims together?"

manu: yes, claims are composable

(more from slides)

<dcosta72> the task force documents is here: http://w3c.github.io/webpayments-ig/VCTF

<dcosta72> architecture here: http://w3c.github.io/webpayments-ig/VCTF/architecture/

Architecture questions?

"How much is existing ecosystem and how much is future?"

manu: by existing standards?

"Who is actually running one of these?"

manu: you can look to ETS and Pearson... Who has deployed the technology? A small bit. But there are people with systems LIKE this today.

ETS, Pearson, the DMV

manu: Estonia leads the world in digital identity. Every citizen has a digital identity

They can do many many things digitally. The country has done it in a proprietary way, but want to move to standards.

"The impression I am getting is that most of these use cases require not passing off the credentials"

manu: yes. and that is very very complex. Let's talk about it later.
... we are not doing decentralization in this first work. If we never get to it we could use email and DNS.
... Rebooting web of trust is another area where people are looking at this hard problem.

(more from slides)

"Do we produce standards once there is an ecosystem and there is friction that needs to be sorted out, or do you build standards to drive the ecosystem? Microsoft is clearly in the former camp"

manu: we have a number of organizations that are deploying the ecosystem now. They are getting feedback. We are concerned that as large organizations get their work out there it will be hard to harmonize them later.
... we are deploying and getting feedback that is informing the work. But the organizations are saying "we need standards to convince our constituents there is a standard we are working towards"
... having a forum is helpful to them.
... what we don't want to see is that the industry forces the hands of the working group. Is that fair?

Michael: That's fair at this level. But it is a question of where we use W3C resources and this might be premature. But I respect the other point of view.

(more from slides)

Manu asked if anyone new wants to participate.

Thomson Reuters: yes. we have been looking at this stuff and are very interested in selective disclosure of attributes.

scribe: we also work a lot on licensing and other things. We possibly could leverage this approach.

"The intersection between this and distributed ledgers seems pretty clear. How does the VCTF see this?"

manu: this is a quickly evolving field. There is a lot of work about Decentralized Ledgers and Verifiable Claims at the Rebooting Web Of Trust workshops.
... the general intent is that there is some sort of shared database (DHT) that can be used.
... example of first responder problem and the department of homeland security. They are looking for ways to quickly verify that people who show up to help are actually an emergency responder.
... you would think that would already exist. The reality is that it does not. There is no infrastructure for this nationwide (in the US).
... other use cases include fraud. Insurance fraud when multiple claims are made against the same problem. No good way to coordinate.

A shared DHT with VINs and claims would be one way to address this.

scribe: that's a couple of examples.

Microsoft has been very generous with the RWoT workshops. A lot of work is going into the research.

scribe: I don't expect standards to come out of it in the next year to three years, but there is active work ongoing.

manu: I do have one point about identity. We avoid talking about it.
... we are NOT trying to solve identity on the web. It means different things to different people. We are worried that we would not be able to make progress if we got into that morass.

"The right way to do this would be to ensure it is hardware security backed. Is there anything VCTF needs from hardware security right now?"

manu: we have been tracking it, and we absolutely need what the group is doing. We think you are doing what we will need to secure the ecosystem.
... thank you for the offer!

"how much of the avoidance of identity management is impinging on the deployment of some use cases tomorrow?"

scribe: identity is such a difficult problem.

manu: if you characterize this as "how do I prove that I have authority over this identity?" If you talk about it that way then it is slightly more manageable.
... we need strong ways to cryptographically verify that the certificate is valid.
... we have the ecosystem deployed and implemented purely through polyfills in the browser. It would be better if there were support in the browsers to help ensure that the data is valid.

"Not sure how this addresses transferability"

manu: that's about decentralization (and blockchain to a certain degree). If you have an identifier on a domain, you DON'T really own that.
... if there is a way to have a self-sovereign identifier. Can you cryptographically prove that you have control over it? For example, you would use your browser to self-issue an identifier. That would give you a key and an ID. It puts it into a decentralized network.
... all you have done here is issue yourself an identity.

"Since you are avoiding the issue of identity though, you would be compatible with solutions that are NOT decentralized... like what estonia is doing."

manu: You are right. There is nothing in the proposal that requires decentralization. You could use SAML or OpenID Connect or whatever. Or some future looking system like the one we are trying to create.
... broad compatibility with existing identity management systems.

"Is this a layer on top of LWT or something? It would be nice if the architecture explained how these things relate. I would like to see that fleshed out in this diagram or somewhere else."

scribe: learn how a W3C standard could add value to this complexity.
... words or a more elaborate diagram.

"if this ultimately boils down to a standardized syntax that you use to extend SAML or whatever, or tied to a decentralized web of trust, that would be useful. If that is what the aim is then we should say that."

manu: I agree that we should say it better. We have the text but it is buried.
... I think that we are trying to ensure that all things are possible, but there are a lot of players.

"We need to make a distinction between the owner/holder of the claims and the use of them. It is conceivable that when a claim is issued it is issued against an identity. It will refer to a human, but it is against the issuer really."

scribe: renting a car on my behalf would not require biometrics, but other things like opening a bank account might require more rigorous verification.

manu: the general class of that is delegating credential access to others.
... we are looking at something about macaroons from Google.
... VCTF proposal is linked off of the breakout wiki. You can learn more there. We will share the slide deck. We meet every Tuesday at 11 AM US Eastern Time. If you subscribe to the Credentials Community Group.

Everything is minuted. We record the audio for all the calls. It is a nice, friendly community. You will get updates as we progress.

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes formatted by David Booth's scribe.perl version 1.144 (CVS log)
$Date: 2016/09/21 22:09:46 $
