IRC log of auth-id on 2018-12-10
Timestamps are in UTC.
- 16:16:13 [RRSAgent]
- RRSAgent has joined #auth-id
- 16:16:13 [RRSAgent]
- logging to https://www.w3.org/2018/12/10-auth-id-irc
- 16:16:20 [Zakim]
- Zakim has joined #auth-id
- 16:16:25 [wseltzer]
- rrsagent, this meeting spans midnight
- 16:16:40 [wseltzer]
- Meeting: Strong Authentication and Identity Workshop
- 16:27:59 [Takashi]
- Takashi has joined #auth-id
- 16:32:26 [shigeya]
- shigeya has joined #auth-id
- 16:33:15 [burn]
- burn has joined #auth-id
- 16:39:53 [Jiewen]
- Jiewen has joined #auth-id
- 16:40:10 [shigeya_]
- shigeya_ has joined #auth-id
- 16:41:50 [achughes]
- achughes has joined #auth-id
- 16:42:08 [shigeya]
- shigeya has left #auth-id
- 16:45:29 [shigeya]
- shigeya has joined #auth-id
- 16:46:07 [manu]
- present+
- 16:46:15 [manu]
- present-
- 16:46:27 [manu]
- present+ Manu_Sporny(remote)
- 16:46:32 [manu]
- rrsagent, make minutes
- 16:46:32 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 16:46:34 [manu]
- rrsagent, draft minutes
- 16:46:34 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 16:46:43 [manu]
- rrsagent, make logs member
- 16:46:47 [shigeya]
- present+ Shigeya Suzuki
- 16:46:51 [manu]
- rrsagent, draft minutes
- 16:46:51 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 16:47:16 [manu]
- present+ Shigeya_Suzuki
- 16:47:20 [manu]
- present- Shigeya
- 16:47:23 [manu]
- present- Suzuki
- 16:47:28 [manu]
- rrsagent, draft minutes
- 16:47:28 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 16:47:46 [manu]
- Agenda: https://www.w3.org/Security/strong-authentication-and-identity-workshop/schedule.html
- 16:47:48 [manu]
- rrsagent, draft minutes
- 16:47:48 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 16:48:27 [manu]
- Chair: Wendy_Seltzer
- 16:49:01 [shigeya]
- shigeya has joined #auth-id
- 16:51:51 [achughes]
- present+
- 16:52:28 [burn]
- present+ Dan_Burnett
- 16:52:29 [Mathias]
- Mathias has joined #auth-id
- 16:52:30 [hober]
- hober has joined #auth-id
- 16:53:02 [jfontana]
- jfontana has joined #auth-id
- 16:53:55 [Guest11]
- Guest11 has joined #auth-id
- 16:54:00 [markus_sabadello]
- markus_sabadello has joined #auth-id
- 16:54:13 [hober]
- present +hober
- 16:54:28 [jfontana]
- present +jfontana
- 16:54:36 [manu]
- wseltzer: no audio yet...
- 16:54:56 [manu]
- s/wseltzer: no audio yet...//
- 16:55:00 [tomj]
- tomj has joined #auth-id
- 16:55:08 [ken]
- ken has joined #auth-id
- 16:55:09 [Jiewen]
- Jiewen has joined #auth-id
- 16:55:30 [Craigspi]
- Craigspi has joined #auth-id
- 16:57:44 [JoeAndrieu]
- JoeAndrieu has joined #auth-id
- 16:58:44 [Steven]
- Steven has joined #auth-id
- 16:59:05 [manu]
- scribe: manu
- 16:59:19 [manu]
- wseltzer: Hi, my name is Wendy Seltzer, W3C - glad to welcome you here.
- 16:59:33 [manu]
- wseltzer: Thank you to Tony Nadalin and Microsoft for hosting us.
- 17:00:05 [manu]
- wseltzer: We're looking forward to the next two days of discussion, brainstorming, and socializing around Strong Auth and Identity.
- 17:00:41 [manu]
- Tony N. covers location of emergency exits, bathrooms, and parking. Assistance help, medical emergencies help, etc.
- 17:00:46 [manu]
- rrsagent, draft minutes
- 17:00:46 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 17:00:52 [marie_]
- marie_ has joined #auth-id
- 17:01:25 [manu]
- wseltzer: Very briefly, introducing the day and goals of the workshop at a high level - logistics, getting conversation going, etc.
- 17:01:51 [shigeya__]
- shigeya__ has joined #auth-id
- 17:01:51 [manu]
- wseltzer: We use IRC for realtime minuting and discussion... to connect to the wifi - MSFT Guest and use the code on the board.
- 17:02:00 [sanjay]
- sanjay has joined #auth-id
- 17:02:00 [auth-id]
- auth-id has joined #auth-id
- 17:02:11 [jeffh]
- jeffh has joined #auth-id
- 17:02:13 [will]
- will has joined #auth-id
- 17:02:21 [jeffh]
- present+
- 17:02:24 [jeffh]
- :)
- 17:02:36 [brentz]
- brentz has joined #auth-id
- 17:02:39 [tony-tr]
- tony-tr has joined #auth-id
- 17:02:42 [Steven-Google]
- Steven-Google has joined #auth-id
- 17:02:50 [kimhd]
- kimhd has joined #auth-id
- 17:02:58 [manu]
- wseltzer: We are thrilled to have everyone here - just a quick intro to W3C - our goal is to lead Web to its full potential... we work on voluntary consensus standards.
- 17:03:10 [krystian_czesak]
- krystian_czesak has joined #auth-id
- 17:03:25 [auth-id]
- auth-id has left #auth-id
- 17:03:26 [manu]
- wseltzer: We put workshops like this on to bring people together, lots of work is happening here and outside of W3C - if we can be a forum for conversation, great, if it happens elsewhere, great.
- 17:03:27 [kenrb]
- kenrb has joined #auth-id
- 17:03:38 [manu]
- wseltzer: We are not the exclusive endpoint of work, but one possible place to bring that work.
- 17:03:45 [manu]
- wseltzer: We are committed to Web for All.
- 17:03:45 [brentz]
- present+ Brent_Zundel
- 17:03:46 [Didier]
- Didier has joined #auth-id
- 17:04:04 [manu]
- i/scribe: manu/Topic: Introduction to Workshop/
- 17:04:06 [Douwe]
- Douwe has joined #Auth-id
- 17:04:22 [markus_sabadello]
- present+
- 17:04:35 [weiler]
- present+
- 17:04:51 [manu]
- wseltzer: We operate under Royalty-Free patent policy - this workshop is not Recommendation track, contributions here are not yet contributions that are governed by patent policy. Our goal is that specs should be implementable RF wrt. patents / copyright, etc.
- 17:05:01 [aaronpk]
- present+
- 17:05:16 [manu]
- wseltzer: We are a member consortium, we depend on members to participate - hope to keep that infrastructural work going - 475 members from all sorts of places.
- 17:05:21 [SarahSquire]
- SarahSquire has joined #auth-id
- 17:05:53 [manu]
- wseltzer: We operate workshops under a code of ethics and professional conduct - if anyone has an issue, find wseltzer or someone else in W3C Team. We want to make sure this environment enables everyone to feel safe, respected and heart.
- 17:06:03 [burn]
- s/heart/heard/
- 17:06:12 [manu]
- wseltzer: We are working in difficult areas, standards work well for technical problem, good enough technical problem, and find a common resolution.
- 17:06:29 [manu]
- wseltzer: This all depends on you and the broader community to make sure these things work effectively.
- 17:06:57 [kimhd]
- present+
- 17:07:13 [manu]
- wseltzer: We want to hear from everyone - you have cards, on those cards, you can write down questions/comments/concerns - we will use those to fill into Q/A and discussion that follows... we will also have dots for voting, mark areas of particular interest/concern.
- 17:07:27 [will_]
- will_ has joined #auth-id
- 17:07:59 [dwaite]
- dwaite has joined #auth-id
- 17:08:02 [manu]
- wseltzer: We will have breakout sessions where we are gathering in smaller groups... W3C process for consensus ... these are preliminary directions/ideas... feel free to toss out ideas, but don't worry that if you're not in a group that you're going to miss the opportunity to provide critical input.
- 17:08:09 [manu]
- rrsagent, draft minutes
- 17:08:09 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 17:08:25 [manu]
- wseltzer: Also another part of getting together is social - Tony has found us space in a nearby on campus restaurant.
- 17:08:50 [manu]
- wseltzer: This is pay your own way, but pay your own way... ~$20 minimum - interested and expecting to come tonight?
- 17:08:57 [manu]
- tony-tr: There is good beer/wine.
- 17:09:21 [manu]
- wseltzer: Does anyone need a shuttle?
- 17:09:22 [aaronpk]
- looks like all hands raised except a few
- 17:09:22 [kenrb]
- almost everyone raised hands
- 17:09:28 [manu]
- tony-tr: I'll get a couple of shuttles.
- 17:09:45 [manu]
- Scribe notes roughly 60+ people raised their hands.
- 17:10:35 [manu]
- wseltzer: You can make off the record statements... let us know if you want something to be off the record.
- 17:10:48 [Jim]
- Jim has joined #auth-id
- 17:10:58 [John_Bradley]
- John_Bradley has joined #auth-id
- 17:11:35 [manu]
- wseltzer: We can do queue management via q+
- 17:12:03 [manu]
- wseltzer: We can capture what's going on at workshop... everyone is capable of adding things to minutes.
- 17:12:05 [JoeAndrieu]
- present+
- 17:12:12 [burn]
- q?
- 17:12:22 [chrisboscolo]
- chrisboscolo has joined #auth-id
- 17:12:38 [BartW]
- BartW has joined #auth-id
- 17:12:52 [chrisboscolo]
- sorry you can't be here in person, Manu!
- 17:12:53 [manu]
- wseltzer: Thanks to the PC and Manu and the rest of the PC for putting all of this together.
- 17:12:58 [Karen]
- Karen has joined #auth-id
- 17:13:32 [manu]
- wseltzer: Thanks to Tony and Microsoft for hosting us here... our goal is to move things quickly. Please add slides to google slide deck.
- 17:13:54 [manu]
- wseltzer: You can email me to put material on Google Slide deck...
- 17:15:23 [manu]
- Kaliya: Hi, passed around cards to all of you - purpose of the workshop is to build mutual understanding across strong auth and identity projects, to do that, we're trying to gather as much input as possible.
- 17:15:35 [manu]
- Kaliya: We want to find potential connections between your work and work being presented.
- 17:15:45 [manu]
- Slide Directory for presentations -- https://drive.google.com/drive/folders/1Oldmw0i1NKhJJwKflG4X9egqP6LLySA2
- 17:16:06 [manu]
- Kaliya: We want questions, concerns, connections that you're seeing - we'll collect them after each of 7 presentations, we want to get a sense of the room about each of these.
- 17:16:10 [Mitja]
- Mitja has joined #auth-id
- 17:16:45 [manu]
- Kaliya: Please put number on the card, and questions/concerns -- this can be made anonymously.
- 17:17:14 [manu]
- Kaliya: We will collect them after each presentation.
- 17:17:19 [manu]
- Topic: Understanding Verifiable Credentials
- 17:17:31 [manu]
- burn: We are going to go through this quickly, this is a quick overview.
- 17:17:38 [manu]
- burn: When we talk about VCs, what do we mean by that?
- 17:17:50 [manu]
- Slides: https://docs.google.com/presentation/d/11hm-ajsLzroPmA-BcC2TryqAhKsF3jZ_wxHDnyUi_pg/edit
- 17:18:05 [manu]
- burn: There are all sorts of things we use today quite successfully - we wanted to duplicate that in an electronic form.
- 17:18:21 [manu]
- burn: We would show age/drivers license -- we're switching to education credentials - diplomas for example.
- 17:18:59 [wseltzer]
- rrsagent, draft minutes
- 17:18:59 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html wseltzer
- 17:19:04 [manu]
- burn: Diploma is interesting... I have a PhD from Oregon, which was acquired by another school... that school doesn't exist anymore... that org might not exist anymore in any form... we want to make sure we cover use cases like that... we are interested in cryptographically verifiable credentials.
- 17:19:37 [manu]
- burn: The work on VCs is just on a data model, not on protocol yet... issuer/verifier -- we don't define ecosystem normatively, but it's hard to talk about this w/o suggesting an ecosystem.
- 17:19:40 [manu]
- Slide 3
- 17:20:06 [manu]
- burn: When we talk about Verifiable credentials... issuer issues to holder... holder holds on to it... verifier asks for credential from holder.
- 17:20:35 [manu]
- burn: In this model, a VC contains credential metadata, claims, and proofs... the identifiers can be cryptographically controllers, but issuers can also be identified.
- 17:20:44 [achughes]
- burn: the verifier is the one seeking verification
- 17:20:46 [manu]
- burn: What is a claim - one statement about a subject, Pat is over 21, for example.
- 17:21:11 [wseltzer]
- i|welcome you here|-> https://docs.google.com/presentation/d/1U5ArEC6lyZ5AS3UYiaKrO-fcXJuCcbE2A7JTjIGaKQA/edit?usp=sharing Intro slides
- 17:21:33 [manu]
- burn: Here's an example in JSON-LD Syntax... we are defining a data model, and showing how you can use different syntaxes...
- 17:22:29 [manu]
- burn: At some point there is a realization of the syntax... the main thing I want you to see is that there is an ID for the credential, there is some type information... from perspective of user... they are just using ProofOfAgeCredential... etc... we have an issuer field, when it's issued, the part in red is the actual claim.
- 17:22:56 [manu]
- burn: We used to call this a "claim"... now we call this the "credentialSubject" - the id represents the subject of the claim... the property is ageOver and the value is 21.
- 17:23:31 [manu]
- burn: There is a proof... the details don't matter... ther eis just a proof on there... we do have some suggestions on cryptographic proofs, but lots of this is flexible/variable.
- 17:23:59 [wseltzer]
- s/ther eis/there is/
- 17:24:17 [manu]
- burn: We also talk about presentations... issuer, holder, verifier - it's actually a verifiable presentation by holder to verifier... it's for multiple credentials, often about same subject... identifier, some metadata, claims or some whole credentials... main idea w/ presentation is something that holder can pull from multiple credentials.
- 17:24:24 [manu]
- burn: What are verifiable credentials and what are they not?
- 17:24:34 [Pamela]
- Pamela has joined #auth-id
- 17:24:34 [manu]
- Slide 8
- 17:25:02 [manu]
- burn: VCs allow an issuer to provide a statement of fact... holders hold on to them, verifier can see if the statement hasn't been tampered with.
- 17:25:12 [manu]
- burn: VCs don't represent verified truth... just who claimed what
- 17:25:14 [manu]
- Slide 9
- 17:25:32 [manu]
- burn: This work is being standardized right now in VCWG... in scope is data model and syntaxes...
- 17:25:47 [manu]
- burn: We are looking at JSON-LD... and JWT...
- 17:26:06 [manu]
- burn: We do not have browsers in scope... we do not define protocol... we don't address "Identity on the Web"... we're just providing VCs.
- 17:26:38 [manu]
- burn: out of scope work could be chartered in future WG... Credentials CG is looking at these items...
- 17:26:59 [manu]
- burn: We have a spec, we're trying to wrap up ZKP and JWT support... we have done some Horizontal Review (non official)... expecting CR very soon.
- 17:27:09 [manu]
- burn: We have test suites, use cases... (slide 10)
- 17:27:21 [manu]
- burn: If you are curious about use cases... take a look at use cases document...
- 17:27:53 [manu]
- burn: Details of pictures are W3C Member Confidential... in commerce, there are governments, banks, large websites, using VCs.
- 17:28:23 [manu]
- burn: In trade, DHS, CBP, Canadian Provinces... importer, exporter, etc. are some target use cases... real adoption here.
- 17:28:27 [manu]
- slide 13
- 17:28:35 [manu]
- burn: Are there questions?
- 17:28:50 [wseltzer]
- q?
- 17:29:02 [wseltzer]
- dirk_balfanz
- 17:29:09 [manu]
- @@@: If you are concerned w/ data model - some credential, over 21, you want to know if *I* am over 21...
- 17:29:18 [manu]
- s/@@@/dirk_balfanz/
- 17:29:36 [manu]
- burn: There is plenty of discussion around subject != holder.
- 17:29:58 [manu]
- JoeAndrieu: Use Cases talk about that use case - we are looking at things that are out of scope in protocol... but important to get a holistic view of things.
- 17:30:23 [jillwill01]
- jillwill01 has joined #auth-id
- 17:30:48 [manu]
- burn: Anyone can make any claim about anything... if you look at the ID in red, that's a DID, this is where you may start seeing use for DIDs.
- 17:31:11 [manu]
- burn: Control over the identifier is an interesting question we're going to hear about soon...
- 17:31:55 [manu]
- tony: In looking at the current spec, it still looks like JSON-LD is the language, it looks like you're going to wrap regular JSON or other types of JWTs/CWTs - get a little concerned... those get quite large, little concerned around size of expression.
- 17:32:16 [manu]
- tony: We're not looking for just users making these statements, we're looking for devices... concerned around size of claims.
- 17:32:22 [manu]
- burn: Is that a question or statement?
- 17:32:33 [jzcallahan]
- jzcallahan has joined #auth-id
- 17:32:53 [manu]
- burn: I'm not going to talk about the merits of one format of the other... as a Chair, we have been asking for feedback from others for the entire lifetime of WG... we do have people looking at other formats.
- 17:33:16 [manu]
- burn: We do have folks that are looking to support other expression formats.
- 17:33:51 [manu]
- Oliver: We have a pull request in for JWTs - we do have some shorter expressions to avoid duplication in JSON-LD... issuer could become iss field.
- 17:34:01 [manu]
- q+ to note that we're trying to be agnostic.
- 17:34:07 [kimhd]
- Minutes and PR: https://www.w3.org/2018/11/19-vcwg-minutes.html
- 17:34:32 [kimhd]
- https://github.com/w3c/vc-data-model/pull/267
- 17:34:37 [Dalys]
- Dalys has joined #Auth-id
- 17:34:40 [manu]
- burn: We have welcomed participation, we would like more input... we'd like help wrapping up what we have... additional proposals to recharter.
- 17:35:01 [manu]
- Sarah_Squire: Proposal in Ethereum community ERC725 - are you working w/ them.
- 17:35:30 [wseltzer]
- q?
- 17:35:34 [wseltzer]
- ack manu
- 17:35:34 [Zakim]
- manu, you wanted to note that we're trying to be agnostic.
- 17:36:33 [wseltzer]
- manu: we're trying to be agnostic. Lots of experiments underway
- 17:36:40 [wseltzer]
- ... the model has proven to be flexible
- 17:36:53 [wseltzer]
- ... It's true that some formats have big payloads that won't work for small devices
- 17:37:04 [wseltzer]
- ... could be that cwt or jwt work at different layers of the stack
- 17:37:23 [wseltzer]
- ... and licensing has a bigger payload
- 17:37:29 [wseltzer]
- ... different tools in the toolbox
- 17:37:38 [John_Bradley]
- John_Bradley has joined #auth-id
- 17:37:51 [manu]
- wseltzer: Any further questions for Dan Burnett.
- 17:38:25 [manu]
- wseltzer: We're building up modules, understanding different components that are available - different places that they might be useful. Think about incompatibilities... ways we can work together.
- 17:38:35 [manu]
- Topic: Decentralized Identifiers
- 17:38:56 [manu]
- Slides are here -- https://docs.google.com/presentation/d/1BX8r1KoxvJSQIX3PtAOzOawirwBYyze9QlyIaAbBRrM/edit
- 17:39:55 [manu]
- kimhd: Hi, I'm Kim, CTO of Learning Machine - work in educational credentials... co-chair of W3C Credentials CG - also DIF Steering Committee.
- 17:40:21 [manu]
- kimhd: What is a DID? It's a new type of URL that is globally unique, highly available, persistent, cryptographically verifiable, and doesn't require a centralized admin.
- 17:40:41 [Loqi]
- Loqi has joined #auth-id
- 17:41:02 [manu]
- kimhd: In education use cases, we want the recipient of a credential to be identified using a DID.
- 17:41:09 [manu]
- kimhd: A DID is an identifier for a subject.
- 17:41:16 [wseltzer]
- [slide 3]
- 17:41:25 [manu]
- kimhd: here we have did:x:123 as the identifier for the subject.
- 17:41:44 [manu]
- kimhd: What does a DID look like?
- 17:41:47 [manu]
- slide 4
- 17:42:06 [manu]
- kimhd: we have a scheme "did:", then "DID Method", then did specific string.
- 17:42:38 [manu]
- kimhd: There are examples of what these look like at the bottom of the page...
- 17:43:05 [manu]
- kimhd: Globally unique identifier - in many of these cases, you can self-create your identifier... prove that you control it, no central admin can take it away from you.
- 17:43:39 [manu]
- kimhd: Each DID Method must specify a set of mechanisms - Create, Read, Update, Delete (aka revoke)
- 17:44:26 [wseltzer]
- [slide 5]
- 17:44:46 [manu]
- kimhd: One critical part - DIDs resolve to DID Documents - we have a Veres One identifier here - document it resolves to - contains authentication mechanisms, public key material, services...
- 17:45:17 [manu]
- kimhd: markus_sabadello is going to talk about that next... DID Resolver is retrieving DID Document.
- 17:45:27 [wseltzer]
- [slide 6]
- 17:45:34 [manu]
- kimhd: So, DIDs resolve to DID Documents... let's look at specific DID resolution process.
- 17:46:02 [manu]
- kimhd: This is saying we're using the BTCR method spec, run it through the universal resolver, produces a DID Document.
- 17:46:48 [manu]
- kimhd: identifier tells you which block, which transaction, to find the transaction in.
- 17:47:10 [manu]
- kimhd: Resolver knows, per method spec, how to get information, how to return this thing.
- 17:47:25 [manu]
- kimhd: so, DID Document has keys, authentication, services, signatures, timestamps.
- 17:47:35 [manu]
- slide DID Document
- 17:48:09 [manu]
- kimhd: This document has been incubated at RWoT and IIW, currently draft in W3C CCG, protocols and prototypes at DIF, there is a DID Method Registry, DID Auth, DID Resolver...
- 17:49:01 [manu]
- kimhd: We'd like to discuss a DID Working Group at this Workshop.
- 17:49:17 [kenrb]
- kenrb has joined #auth-id
- 17:49:22 [wseltzer]
- ack nadalin
- 17:49:25 [wseltzer]
- q+ hober
- 17:49:37 [manu]
- tonyn: What do you expect to standardize?
- 17:50:05 [manu]
- tonyn: There doesn't seem to be cross-blockchain interop... I need different DIDs on every blockchain... who is going to run the registry... concerned around transparency of resolvers...
- 17:50:31 [manu]
- kimhd: Interop first - that's the big part... what's the content of the DID Document, that describes how interop is possible...
- 17:50:43 [manu]
- kimhd: DID Auth, for example, needs that document....
- 17:51:38 [manu]
- ChristopherA: There are a couple of different issues here - DID authenticates DID Document, strongly make claim about DID Document... that document can contain other key material from other places... including keys that are compatible with say a different blockchain w/ different proof formats, PGP keys in there, information that allows you to leverage FIDO.
- 17:52:30 [manu]
- ChristopherA: There are things like sigma proofs, ZKPs, private keys in one curve equivalent to private keys in another group... it's premature to pick a method, maybe at some point the market will say there is one, two or three that are dominant... but reality now is that there are multiple DID methods.
- 17:53:21 [manu]
- kimhd: We are starting to categorize DID Methods.. BTCR and IPLD are ones where, if you are comfortable w/ using that technology, you can create them and use them in some way... depending on registry authentication, you can start using that now... truly self-sovereign identifiers, I create them, no one can take them away from me.
- 17:54:08 [manu]
- kimhd: In other cases, private/permissioned blockchain, those enable different properties - for example Guardian models... batch registration of individuals... some depend on properties of the blockchain itself... which use cases argue for which... we don't do guidance yet, DIF may do that... W3C is not in that role.
- 17:54:38 [manu]
- kimhd: People will have those questions... you don't want to use something on a blockchain that can't be rewritten... part of strength of it, something we're getting feedback on ecosystem.
- 17:54:55 [manu]
- tony: Who is going to run the registry, how scalable is it, who would pick up the registry
- 17:55:00 [manu]
- q+ to note registry is optional.
- 17:55:25 [manu]
- ChristopherA: We are talking about the DID Registry - you can reserve the DID Method... not a DID Registry.
- 17:55:54 [manu]
- ChristopherA: The requirements to have a proposal are very small... as you move up the scale of maturity, we will have requirements for what you have to do to do that.
- 17:56:07 [shigeya__]
- BTCR DID Method https://w3c-ccg.github.io/didm-btcr/
- 17:56:29 [manu]
- ChristopherA: We need to allow for innovation right now... there is nothing that says one has to support every DID method, for example... don't use BTCR unless you need technology.
- 17:56:35 [manu]
- q-
- 17:56:35 [manu]
- q?
- 17:56:50 [manu]
- kimhd: We can come back to that - would like to focus on breadth
- 17:56:55 [tantek]
- tantek has joined #auth-id
- 17:56:58 [manu]
- Kaliya: This dynamic is also what these cards are for
- 17:57:20 [manu]
- Kaliya: If you have thoughts/comments/questions - please write them down on paper right now.
- 17:57:43 [manu]
- hober: Does the DID Method registry just let people know what an unregistered method is?
- 17:57:53 [wseltzer]
- ack hober
- 17:58:07 [manu]
- hober: Is it relatively straightforward to write simple JSON and hook into all of this?
- 17:58:17 [manu]
- kimhd: Yes, we can look into examples.
- 17:59:06 [manu]
- Pete: If I wanted to add a new DID, how do I get resolved?
- 17:59:08 [hober]
- s/write simple/serve static/
- 18:00:01 [manu]
- kimhd: There are different resolvers - which methods they support is up to each resolver... part of value is that each DID method and how you perform its operations... write any resolver to note your test case... it's not going to be prescriptive.
- 18:00:21 [manu]
- wseltzer: Thank you very much Kim... next up... Markus to talk about DID Auth...
- 18:00:31 [manu]
- wseltzer: Keep questions and comments coming throughout two days here...
- 18:00:50 [manu]
- Topic: Understanding DID Auth
- 18:01:08 [manu]
- Slides -- https://docs.google.com/presentation/d/1TSMW5hckaaaybpV9OVeNbWO1QE_OsMP3Pc3GovAfvjw/edit
- 18:01:08 [Loqi]
- Slides has -1 karma over the last year
- 18:02:17 [manu]
- Markus: Hi, working in CCG and DIF, and Sovrin... DID Auth is more of a concept rather than a spec... makes a lot of sense to have a concept... DPKI for DIDs... and what they enable.
- 18:02:26 [Mitja]
- Mitja has joined #auth-id
- 18:02:55 [manu]
- Markus: Using a DID Resolver to authenticate - you have DID, you have key material associated with that... control the identifier... not about proving we're over the age of XYZ, we just prove that we have control over a DID.
- 18:03:06 [martijnvdven]
- martijnvdven has joined #auth-id
- 18:03:18 [manu]
- Markus: We worked on a paper around Rebooting the Web of Trust... looked at DID Auth - Kim noted authentication.
- 18:04:10 [manu]
- Markus: Authentication block points to public key - who has control of the DID? If you have public key information, you can know that anyone that has private key is authenticated.
- 18:04:19 [wseltzer]
- [slide: DID Auth Example Architecture]
- 18:04:24 [manu]
- Markus: This is one example for uPort - web page - mobile app authentication...
- 18:05:08 [manu]
- Markus: With a mobile app, private key corresponding to DID, I can provide response to QRCode - post it back to web page... important, web page uses DID Resolver to find DID, then find public key, then verify that the signature on the authentication was signed correctly.
- 18:05:15 [manu]
- Markus: This is just one of th epossible flows.
- 18:05:25 [wseltzer]
- s/th epossible/the possible/
- 18:05:51 [manu]
- Markus: We tried to analyze this stuff - different scenarios / different flows - there are many, so DID Auth isn't just one thing... it's a family of things that are being explored.
- 18:05:59 [elbowspeak]
- elbowspeak has joined #auth-id
- 18:06:07 [manu]
- Markus: There are many transports, HTTP, QR, etc....
- 18:06:43 [manu]
- Markus: There are many more flows... observation - we were able to draw all of these flows where there are two parties... if we look at traditional models, we usually have 3 parties... but this one has 2.
- 18:07:11 [wseltzer]
- [slide 7]
- 18:07:17 [manu]
- Markus: I control a certain identifier - trust relying party - individual - all sorts of different transports...
- 18:07:20 [wseltzer]
- [slide 8]
- 18:07:45 [manu]
- Markus: There are also people that are using different data formats internally... we will reuse things, but as I said, DID Auth is not trying to come up w/ a new authentication protocol... but reuse where possible.
- 18:08:07 [kimhd]
- kimhd has joined #auth-id
- 18:08:17 [manu]
- Markus: I have seen JWTs... we can also see JSON-LD VCs... self-issued VC....
- 18:08:35 [manu]
- Markus: We have been thinking a lot about OIDC + DID... also looking at WebAuthn + DID...
- 18:09:05 [wseltzer]
- [slide 10]
- 18:09:27 [manu]
- Markus: We've done some initial thinking - working w/ OpenID Connect protocol, where we use self-issued OpenID ... one way this could be done is to have personal openID connect provider... protocol could be used, similar with WebAuthn... FIDO... could reuse that.
- 18:10:06 [manu]
- Markus: There are other experiments around DID-TLS, DID-based HTTP Signatures... DID-based PGP... using DIDs in SSH.
- 18:11:05 [sknebel]
- sknebel has joined #auth-id
- 18:11:10 [wseltzer]
- [slide 11]
- 18:11:23 [manu]
- Markus: Some things to consider for the workshop - how would a DID Auth relate to VC exchange protocol?
- 18:12:06 [manu]
- Markus: Other DID Auth principles... We may want to meet some principles, otherwise it's not DID Auth... for example, identifier stays the same... rotate keys, change service endpoints, change OID endpoints, authmethod, but we continue to always be able to prove control of the same identifier.
- 18:12:15 [manu]
- wseltzer: Questions from the room?
- 18:12:29 [wseltzer]
- q+ tonyn, ChristopherA, dirk
- 18:12:47 [oliver-terbu]
- oliver-terbu has joined #auth-id
- 18:12:49 [dwaite]
- dwaite has joined #auth-id
- 18:12:55 [manu]
- JohnB: I may beat Tony to some of these questions ... In a number of the flows that you put up, potentially they are a step backwards from a security perspective because they're phishable... we need to make sure we're not going backwards from a security perspective.
- 18:13:23 [manu]
- JohnB: I would even step back a bit further and question - is the use case for DID Auth actually authentication, or is it more appropriately proving presentment of VCs.
- 18:13:51 [manu]
- JohnB: We do have pairwise privacy preserving WebAuthn... even Apple is deploying it... do we actually need to present correlatable claim, or should we look at the best mixture?
- 18:14:08 [manu]
- JohnB: Some have said we need new authentication method when that may not be the best path.
- 18:14:47 [wseltzer]
- q+ Daniel
- 18:14:58 [manu]
- Markus: Lot of questions - let's keep the benefits of existing things... not be phishable... concept of DID Auth is that we have an identifier that cannot be taken away from me, I can rotate keys, I can rotate metadata out... I think OIDC or WebAuthn don't provide that out of the box.
- 18:15:49 [manu]
- JohnB: The argument that you need to rotate credentials is making presumptions about how they're stored... I don't buy into the premise that a DID is required because you need to rotate private keys, not arguing that there are not use cases for DIDs, let's find the right use cases for them.
- 18:16:20 [manu]
- JohnB: For purely pairwise pseudonymous auth, I don't believe a DID having a public key published is a requirement.
- 18:16:39 [manu]
- q+ to agree with JohnB -- purely pairwise pseudonymous auth doesn't require DIDs - yep.
- 18:16:53 [manu]
- q-
- 18:16:57 [jillwill]
- jillwill has joined #auth-id
- 18:18:17 [manu]
- Daniel: A couple of things on the business side (from Microsoft perspective)... would love it if people used LinkedIn for everything (Microsoft property) - Universities didn't really want to sign up to single entities, because of corporate identifiers controlled by something other than University.
- 18:18:43 [manu]
- Daniel: So, there is a strong business use case for DIDs... large entities that don't want other large entities to lock them in via identifiers.
- 18:19:42 [manu]
- Daniel: There are also use cases around progressive trust... you start out pseudonymous, but then upgrade over time. For example, FIDO doesn't cover the use case for expressing services around DID Documents... granting access to my data storage service.
- 18:20:30 [manu]
- Tony: I get concerned around methodology for DIDs... you don't actually know if person that created the key is doing the DID Auth itself... you can do this in FIDO... authenticator is a device that you control. I'm not seeing end to end comprehension of how you keep keys safe and to the actual creator of the keys. How do you prove that situation in DID Auth.
- 18:20:42 [burn]
- ack tonyn
- 18:20:46 [burn]
- ack ChristopherA
- 18:20:49 [wseltzer]
- ack Daniel
- 18:20:58 [manu]
- ChristopherA: I think part of the problem here, we're overinflating the use of keys, for simplicity purposes, you see DID Document up there - presuming that private key is in a file some place...
- 18:21:43 [manu]
- ChristopherA: That is a gross simplification, we can keep separate keys... we don't call it a signature block, there might be a variety of different types of proof... for example, if I issue Verifiable Credential covering you for 1 million dollars... I want a higher spec of authenticator/proofs before I give you that verifiable claim.
- 18:21:49 [JoeAndrieu]
- q+
- 18:21:54 [manu]
- q+ to note FIDO + DIDs are complementary.
- 18:22:55 [manu]
- ChristopherA: DID Documents enable you to use all of this stuff... we need people that have experience with these systems. All the perils of mixing authn w/ authz... but at some point we need something like a DID Document... just because someone asks for a VC or other things, doesn't mean I have to give it to them/comply... or they have to accept.
- 18:23:14 [wseltzer]
- q+ oliver-terbu
- 18:23:23 [wseltzer]
- ack dirk
- 18:23:27 [manu]
- Dirk: Where do you see DID and DID Auth fit into the larger picture... I think I understand VCs... I want to prove my age, SSN, I thought DIDs were a means to an end...
- 18:23:40 [wseltzer]
- zakim, close queue
- 18:23:40 [Zakim]
- ok, wseltzer, the speaker queue is closed
- 18:24:10 [manu]
- Dirk: One way I could do that, who are you?, I could provide DID and DID Auth, prove that's who I am... find something in DID Document, claim I'm over 21? Am I seeing that right... how is DID connected to VCs?
- 18:24:34 [manu]
- Markus: We don't put VCs in public ledgers...
- 18:25:06 [manu]
- Markus: DID Documents are for looking up key material and services.... not VCs.
- 18:25:19 [wseltzer]
- q?
- 18:25:27 [manu]
- Markus: There are no claims in DID Document, only metadata required to verify VC material...
- 18:25:36 [manu]
- Markus: DID Auth is just a high level concept so far...
- 18:25:45 [burn]
- q+ to answer Dirk
- 18:25:51 [manu]
- Markus: No assumptions about documents are in ledger, where keys are stored, where hardware wallets are... etc.
- 18:26:09 [manu]
- wseltzer: We have a queue... and then break...
- 18:26:13 [kenrb]
- kenrb has joined #auth-id
- 18:26:17 [wseltzer]
- ack JoeAndrieu
- 18:26:24 [oliver-terbu]
- present+ oliver_terbu
- 18:27:15 [wseltzer]
- JoeAndrieu: None of these components yet is identity assurance
- 18:27:16 [weiler]
- rrsagent, draft minutes
- 18:27:16 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html weiler
- 18:27:29 [wseltzer]
- ... the proof that you are the person who can make these claims
- 18:27:32 [wseltzer]
- manu: it's not either or
- 18:27:45 [wseltzer]
- ... we're trying to combine elements of the prior art
- 18:27:46 [wseltzer]
- ack manu
- 18:27:46 [Zakim]
- manu, you wanted to note FIDO + DIDs are complementary.
- 18:28:10 [wseltzer]
- ... authentication flow that takes FIDO key material into a DID doc and uses HW token to identify
- 18:28:11 [weiler]
- manu: I hear in this discussion a perception of an either-or thing. the experiments going on right now .... there is an auth flow that takes a FIDO authenticator, puts the credentials in the DID document
- 18:28:41 [kimhd]
- q?
- 18:28:46 [oliver-terbu]
- q-
- 18:29:15 [manu]
- JoeAndrieu: For VCs and DID and DID Auth - none of those is sufficient for identity assurance... whether the key is on a hard drive, or on a hardware authenticator, we can't prove that person controlling device is the person... it's a strong factor.
- 18:29:20 [weiler]
- ... There is a a lot of work around blending these models rather than picking one.
- 18:29:23 [oliver-terbu]
- +1 manu
- 18:29:40 [manu]
- markus_sabadello: We did quite a bit of work around blending models at IIW.
- 18:29:44 [manu]
- rrsagent, make minutes.
- 18:29:44 [RRSAgent]
- I'm logging. I don't understand 'make minutes.', manu. Try /msg RRSAgent help
- 18:29:48 [kenrb]
- kenrb has joined #auth-id
- 18:29:53 [manu]
- rrsagent, draft minutes
- 18:29:53 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 18:30:44 [manu]
- Everyone takes a break, socializing, expect to get back into OpenID, JWT/CWT, etc. use cases.
- 18:30:52 [manu]
- rrsagent, draft minutes
- 18:30:52 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 18:32:18 [wseltzer]
- [break for 30min]
- 18:43:53 [elbowspeak]
- elbowspeak has joined #auth-id
- 18:45:46 [Jiewen]
- Jiewen has joined #auth-id
- 18:46:36 [kenrb]
- kenrb has joined #auth-id
- 18:47:37 [Jim]
- Jim has left #auth-id
- 18:48:36 [Jim_Masloski]
- Jim_Masloski has joined #auth-id
- 18:51:43 [achughes]
- achughes has joined #auth-id
- 18:55:18 [PindarHK]
- PindarHK has joined #auth-id
- 18:57:48 [kenrb]
- kenrb has joined #auth-id
- 19:02:56 [tony-tr]
- tony-tr has joined #auth-id
- 19:03:22 [JoeAndrieu]
- JoeAndrieu has joined #auth-id
- 19:03:36 [wseltzer]
- topic: WebAuthn, CTAP
- 19:03:45 [Didier]
- Didier has joined #auth-ID
- 19:03:45 [sanjay]
- sanjay has joined #auth-id
- 19:04:18 [wseltzer]
- -> https://docs.google.com/presentation/d/1fiMFAw397cb2UPvywN4zCHCZtz_1tQsR0A6f5rpzoKw/edit?usp=sharing Slides, Modern Authentication
- 19:04:40 [wseltzer]
- [slide 2:: How Security Keys Work]
- 19:05:01 [jillwill]
- jillwill has joined #auth-id
- 19:05:07 [wseltzer]
- JohnFontana: presenting slides
- 19:05:18 [wseltzer]
- [slide 3: Registration]
- 19:06:53 [wseltzer]
- JohnFontana: FIDO2 is an umbrella term for WebAuthn and CTAP
- 19:07:01 [wseltzer]
- ... CTAP at FIDO, WebAuthn at W3C
- 19:07:02 [Mitja]
- Mitja has joined #auth-id
- 19:07:08 [wseltzer]
- [slide 4]
- 19:07:31 [wseltzer]
- ... CBOR is the CTAP data format
- 19:07:44 [wseltzer]
- [slide 5: WebAuthn]
- 19:08:03 [wseltzer]
- ... create and get strong authentication
- 19:08:18 [wseltzer]
- i/slide 2::/scribenick: wseltzer
- 19:08:51 [wseltzer]
- [slide 6]
- 19:09:18 [jzcallahan]
- jzcallahan has joined #auth-id
- 19:09:21 [wseltzer]
- [slide 7]
- 19:09:42 [wseltzer]
- ... Thanks to Pam for this map
- 19:09:59 [Mitja]
- Can you please reshare the link to the presentation?
- 19:10:03 [wseltzer]
- [slide 8: state of state]
- 19:10:29 [Mitja]
- thank you!
- 19:12:05 [wseltzer]
- [slide 9]
- 19:12:18 [wseltzer]
- TonyNad: IETF discussion of EAT
- 19:12:39 [wseltzer]
- ... device attestation about provenance, devices, ecosystem
- 19:13:02 [wseltzer]
- ... we use these attestations in WebAuthn and FIDO to understand key provenance and strength
- 19:13:05 [krystian_czesak]
- krystian_czesak has joined #auth-id
- 19:13:18 [wseltzer]
- ... you may not want to accept authentication from weak device, TEE
- 19:13:43 [wseltzer]
- ... At Prague IETF will probably try to form a WG
- 19:13:52 [wseltzer]
- ... CWT, JWT for devices, compact
- 19:14:21 [wseltzer]
- ... looking to do in generic way
- 19:14:27 [ken]
- ken has joined #auth-id
- 19:14:38 [wseltzer]
- ... data models for device, what type of device
- 19:14:44 [wseltzer]
- ... indirect and direct attestations
- 19:15:09 [wseltzer]
- ... want to be compatible with OAuth, JWT, CWT
- 19:15:17 [wseltzer]
- ... use existing verification libraries
- 19:15:51 [kimhd]
- kimhd has joined #auth-id
- 19:15:54 [kimhd]
- q?
- 19:15:56 [ChristopherA]
- q?
- 19:15:59 [ChristopherA]
- q+
- 19:16:07 [ChristopherA]
- Queue is closed
- 19:16:08 [wseltzer]
- zakim, reopen queue
- 19:16:08 [Zakim]
- ok, wseltzer, the speaker queue is open
- 19:16:11 [ChristopherA]
- q+
- 19:16:23 [wseltzer]
- dirk: deliberately lightweight
- 19:16:34 [wseltzer]
- ... 2 party system: authenticator on client, relying party
- 19:16:53 [wseltzer]
- ... by design , the keypair I generate for e.g. Google, will never be known to Github
- 19:17:08 [wseltzer]
- ... roaming authenticators, keyfobs, will be single-factor
- 19:17:12 [oliver-terbu]
- oliver-terbu has joined #auth-id
- 19:17:17 [oliver-terbu]
- q+
- 19:17:36 [wseltzer]
- ... second use case, bring touch ID, Windows Hello
- 19:17:38 [jeffh]
- scribenick jeffh
- 19:17:43 [wseltzer]
- ... to the web platform
- 19:17:49 [manu]
- scribenick: jeffh
- 19:17:54 [jeffh]
- ?: are there implications on the challenge itself?
- 19:17:56 [ChristopherA]
- q?
- 19:17:58 [wseltzer]
- ack oliver-terbu
- 19:18:07 [wseltzer]
- s/?:/oliver-terbu:/
- 19:18:08 [BartW]
- BartW has joined #auth-id
- 19:18:15 [will]
- will has joined #auth-id
- 19:18:37 [weiler]
- q+
- 19:18:55 [jeffh]
- john_bradley: challenge is hashed, in clientdata you get orig back, ...
- 19:19:08 [wseltzer]
- ack ChristopherA
- 19:19:20 [weiler]
- q-
- 19:19:48 [jeffh]
- ChristopherA: how much of web stack are part of webauthn spec? can things that are not webservers leverage webauthn if they don't wanna leverage JS stacks?
- 19:19:48 [brentz]
- ChristopherA: can things that aren't web servers leverage Web Authn?
- 19:20:12 [SarahSquire]
- SarahSquire has joined #auth-id
- 19:20:17 [oliver-terbu]
- q+
- 19:20:20 [jeffh]
- john_bradley: it depends, and OS platform can impl webauthn-like APIs
- 19:21:21 [ChristopherA]
- q+ about How about additional key types, in particular secp256k1 used by bitcoin & ethereum
- 19:21:22 [wseltzer]
- jeffh: WebAuthn spec defines protocol between authenticator and relying party
- 19:21:30 [jeffh]
- ...:are they webauthn-like? windows' platform webauthn api is
- 19:21:34 [ChristopherA]
- q+ to How about additional key types, in particular secp256k1 used by bitcoin & ethereum
- 19:21:38 [wseltzer]
- ... it can pass through whatever stack is in the way
- 19:21:42 [wseltzer]
- ack oliver-terbu
- 19:21:59 [jeffh]
- ?: who is issuing these EAT attstns? are they some kind of certification for the authnr itself?
- 19:22:15 [burn]
- s/?:/oliver-terbu:/
- 19:23:00 [jeffh]
- john_bradley: at moment webauthn does not use eat attstn, we already have various attstn formats, can add EAT if it's approp, can't have too many standards :)
- 19:23:23 [jeffh]
- chris boscoe (?): what if authnr is lost and one needs to re-register?
- 19:23:59 [manu]
- s/boscoe (?)/boscollo/
- 19:24:02 [jeffh]
- john_bradley: that's RP specific, but thinking is that one has both roaming and platform authnrs and one can use either or to re-register at the RPs
- 19:24:15 [weiler]
- q+\
- 19:24:25 [weiler]
- ack \
- 19:24:27 [weiler]
- q+
- 19:24:32 [jeffh]
- tonynad: webauthn wg working on this, one idea is to have a 'backup authnr' which allows one to re-reg
- 19:24:39 [burn]
- ack ChristopherA
- 19:24:39 [Zakim]
- ChristopherA, you wanted to How about additional key types, in particular secp256k1 used by bitcoin & ethereum
- 19:24:57 [markus_sabadello]
- q+
- 19:25:35 [jeffh]
- christophera: i have need for type of crypto that uses SECP-256 curve, how do we ensure how we get those key flavors supported?
- 19:25:42 [tantek]
- tantek has joined #auth-id
- 19:26:03 [wseltzer]
- q?
- 19:26:10 [jeffh]
- john_bradley: we already have alg agility in the protocol, plus Mike Jones will be talking about this in a few min....
- 19:26:31 [wseltzer]
- ack weiler
- 19:26:32 [jeffh]
- sam weiler: <missed question>
- 19:26:46 [jeffh]
- john fontana: <mumble>
- 19:27:39 [wseltzer]
- ack mark
- 19:27:41 [jeffh]
- markus_sabadello: question wrt UX eg if one registers a DID rather than a public key, can leverage that in many ways.... thoughts?
- 19:27:55 [jeffh]
- john_bradley: in principle, yes, tho much to sort out there
- 19:28:18 [jeffh]
- next speaker: Rae Hayward, fido
- 19:28:26 [wseltzer]
- Topic: FIDO and Authenticators
- 19:28:38 [wseltzer]
- [same slide deck]
- 19:29:15 [wseltzer]
- [slide 12]
- 19:29:21 [jeffh]
- Rae's slides are in the '05 - Day 1 - Understanding WebAuthn, CTAP, EAT, FIDO and Authenticators' deck
- 19:29:53 [dwaite]
- dwaite has joined #auth-id
- 19:31:30 [wseltzer]
- [slide 15]
- 19:32:30 [wseltzer]
- Rae: ROE=restricted operating environment
- 19:36:31 [wseltzer]
- [slide 19: Companion Programs]
- 19:36:35 [wseltzer]
- [slide 20: Labs]
- 19:37:48 [wseltzer]
- [slide 21: Expiration, derivative, and delta certification]
- 19:40:40 [jeffh]
- pamela: if a RP wants to accept only authnrs of L3 certif, how do they do that?
- 19:40:58 [Steven]
- Steven has joined #auth-id
- 19:41:20 [jeffh]
- rae: the certif level will be in metadata, plus fidoalliance.org lists certified devices
- 19:42:58 [jeffh]
- scott david: on the delta certif, when org learns cetif'd device is now different, what happens. e.g., pci "compensating controls", plus ecosystem feedback can be fed back into spec development -- what about FIDO's processes?
- 19:43:25 [jeffh]
- rae: the security secretariat has processes to notice such things and feed info into working group....
- 19:43:50 [jeffh]
- ? qualcomm: can u tell which lab did orig certif? <missed rest>
- 19:44:14 [jeffh]
- ...: can determine provenance of the lab that performed certif?
- 19:44:43 [jeffh]
- rae: no, that's not public info, do have internal mechs that would know this
- 19:44:52 [burn]
- s/? qualcomm/PindarHK/
- 19:44:58 [burn]
- s/...:/.../
- 19:45:27 [jeffh]
- topic: 06 - Understanding JWT/CWT, OpenID, and Related Ecosystem
- 19:45:46 [jeffh]
- Mike Jones presenting
- 19:46:00 [jeffh]
- + John_bradley
- 19:46:21 [wseltzer]
- -> https://docs.google.com/presentation/d/1XaCIGFCi4ILgXMzT3XUlSS51Vabb8-1gUGGpNCMD3D4/edit?usp=sharing Slides
- 19:47:07 [wseltzer]
- [slide 3]
- 19:47:36 [wseltzer]
- selfissued: (Mike Jones) JSON Web Token
- 19:48:00 [jeffh]
- [slide 4]
- 19:48:08 [tantek]
- speaker: "JSON-LD requires canonicalization to RDF in order to sign" [interesting I didn't know that.]
- 19:48:52 [jeffh]
- [slide 5]
- 19:49:05 [jeffh]
- [slide 6]
- 19:49:35 [manu]
- tantek -- well, no, that's not correct...
- 19:49:35 [Loqi]
- tantek has -1 karma in this channel over the last year (82 in all channels)
- 19:50:35 [jeffh]
- [slide 6]
- 19:50:40 [manu]
- tantek: You can dump JSON-LD in a JWT w/o needing normalization/canonicalization.
- 19:50:49 [manu]
- s/tantek: You/tantek, You/
- 19:51:33 [manu]
- tantek, if you want to do LD-Proofs, then we have chosen that it's best to do RDF Graph Canonicalization (the benefit being that you can have the same signature expressed in a variety of different syntaxes w/o having to recanonicalize)... so you sign the information.
- 19:51:33 [jeffh]
- [slide 9]
- 19:52:39 [jeffh]
- [slide 10]
- 19:54:11 [jeffh]
- [slide 11]
- 19:56:54 [wseltzer]
- John_Bradley: extensible. There's a set of core statements, and others can be added
- 19:57:11 [jeffh]
- [slide 12]
- 19:57:17 [wseltzer]
- selfissued: New work. Those interested should talk to us and participate
- 19:57:45 [jeffh]
- selfissued: specifically the CBOR web token (CWT)
- 19:57:54 [jeffh]
- ...: RFC 8392
- 19:58:07 [dlongley]
- dlongley has joined #auth-id
- 19:58:48 [burn]
- s/...:/.../
- 19:59:53 [wseltzer]
- John_Bradley: complementary to webauthn, not competitive
- 20:00:09 [wseltzer]
- ... OpenID Connect is about federated claims and API access
- 20:00:21 [wseltzer]
- ... should probably use WebAuthn for authentication
- 20:00:57 [shigeya_]
- shigeya_ has joined #auth-id
- 20:01:16 [wseltzer]
- Chrisboscolo: how do relying parties learn about self-issued identifiers?
- 20:01:18 [jeffh]
- ? briscoe: wrt self-soverign is there way for an individ to assert that they are speaking for themselves?
- 20:01:35 [manu]
- s/? briscoe/chris_boscolo/
- 20:02:54 [oliver-terbu]
- q+
- 20:03:00 [JoeAndrieu]
- q+
- 20:03:19 [jeffh]
- ?: aggregated claims? more about that?
- 20:03:32 [manu]
- s/?:/PeterWatkins/
- 20:03:50 [wseltzer]
- https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
- 20:04:20 [jeffh]
- selfissued: if you search for 'openid claim' you can find it
- 20:04:26 [jeffh]
- ...: see above
- 20:04:28 [wseltzer]
- q?
- 20:04:49 [wseltzer]
- JsckCallahan: How does mobileconnect differ?
- 20:04:50 [jeffh]
- ?: what're differences between mobile connect and openid connect
- 20:05:11 [manu]
- s/JsckCallahan/JackCallahan/
- 20:05:22 [manu]
- s/?:/JackCallahan/
- 20:06:16 [chirsboscolo]
- chirsboscolo has joined #auth-id
- 20:06:16 [wseltzer]
- q?
- 20:06:27 [jeffh]
- john_bradley: <describes nuanced facets of the relationship>
- 20:06:54 [jeffh]
- self_issued: gsma certified their core impl with the openid connect certif suite
- 20:07:18 [markus_sabadello]
- markus_sabadello has joined #auth-id
- 20:07:22 [wseltzer]
- ack oliver
- 20:07:48 [jeffh]
- oliver: w3c VC WG is working on JWT representation -- how <missed it> ?
- 20:07:50 [markus_sabadello]
- q+
- 20:08:02 [jeffh]
- selfissued: that's stuff we can discuss
- 20:08:35 [jeffh]
- joeandrieu: can i use my own crypto identifiers to make use of other's claims
- 20:08:46 [jeffh]
- selfissued: sure, that's an aggregated claim....
- 20:08:54 [wseltzer]
- q+ aaronpk
- 20:08:58 [wseltzer]
- ack Joe
- 20:09:20 [jzcallahan]
- q+
- 20:09:26 [jzcallahan]
- q-
- 20:09:31 [jeffh]
- john_bradley: the spec talks about how that's done syntactically, it is work for the reader as to how the relationships between the parties are actually arranged and maintained
- 20:10:10 [wseltzer]
- ack next
- 20:10:10 [jeffh]
- ...: you'd use some sort of proof-of-possess to logically tie the claims together
- 20:10:40 [jeffh]
- topic: Indie Auth: OAuth for the Open Web
- 20:10:50 [jeffh]
- aaron Parecki
- 20:11:01 [jeffh]
- [slide 13]
- 20:11:02 [wseltzer]
- [slide 13 begins AaronPK's presentation]
- 20:11:05 [jeffh]
- [slide 14]
- 20:11:09 [wseltzer]
- ack aaronpk
- 20:12:34 [jeffh]
- [slide 15]
- 20:12:39 [jeffh]
- [slide 16]
- 20:13:04 [jeffh]
- [slide 17, 18, 19]
- 20:13:29 [jeffh]
- [slide 20]
- 20:13:46 [jeffh]
- [slide 21, 22]
- 20:14:03 [jeffh]
- [slide 23]
- 20:14:23 [jeffh]
- [slide 24]
- 20:15:01 [jeffh]
- [slide 25]
- 20:15:39 [wseltzer]
- aaronpk: take OAuth and add constraints
- 20:15:55 [jeffh]
- [slide 26]
- 20:16:31 [jeffh]
- [slide 27,28,29]
- 20:17:08 [jeffh]
- [29, 30]
- 20:17:52 [jeffh]
- [slide 31]
- 20:18:18 [markus_sabadello]
- markus_sabadello has joined #auth-id
- 20:18:30 [jeffh]
- pamela: how does client authn piece of this work?
- 20:19:42 [jeffh]
- aaronpk: clients are all ident'd by URLs as well. instead of 'pre reg', it is just use the domain name
- 20:19:48 [markus_sabadello]
- q+
- 20:20:23 [jeffh]
- ...: taking the idea of 'public clients' and extending it to all clients
- 20:20:39 [jeffh]
- markus_sabadello: it is not openid connect, it is oauth, why?
- 20:21:16 [jeffh]
- aaronpk: this is solving smaller scope than OIDC -- is presenter of URL in control of url?
- 20:21:55 [jeffh]
- ...: wrt webfinger, we are using HTTP link-rels and so is more simple, dont see much use of webfinger in this
- 20:22:11 [jeffh]
- kaliya: how is this diff than openid 1.0?
- 20:22:40 [tantek]
- "OpenID [1.0] only solved half of that"
- 20:23:09 [wseltzer]
- q?
- 20:23:11 [wseltzer]
- ack mar
- 20:23:36 [tantek]
- "OpenID Connect went away from solving that problem [users bringing their own identity]"
- 20:23:45 [jeffh]
- aaronpk: is pretty similar. openid connect drifted away. indieweb adds in api access tokens to orig openid ideas
- 20:23:57 [Mitja]
- Mitja has joined #auth-id
- 20:25:28 [jeffh]
- kaliya: what to do after lunch, invite room to chime in on what all we've heard this morning... everyone gets a white card, question we want u to answer by end of lunch is: from where you sit, what do you want to see happen in terms of work in next 2..5 yrs; alternative question: what is the biggest concern you have wrt what you heard this morning?
- 20:26:13 [jeffh]
- ...: then we will get together in groups and sort through this, and boil it down and discuss in the entire group.
- 20:26:27 [jeffh]
- ...: your job for lunch is to answer one or both of the above questions
- 20:26:57 [jeffh]
- ...: only 30 min for lunch and question answering
- 20:27:55 [wseltzer]
- [lunch]
- 21:02:33 [Jiewen]
- Jiewen has joined #auth-id
- 21:11:57 [tantek]
- rrsagent, make minutes
- 21:11:57 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html tantek
- 21:14:39 [Karen]
- Karen has joined #auth-id
- 21:17:56 [Karen]
- Karen has joined #auth-id
- 21:18:55 [manu]
- Topic: Breakout Sessions
- 21:19:23 [manu]
- Kaliya: What you're going to do in the groups... briefly say who you are, read out your card to the group, ask clarifying questions.
- 21:20:22 [manu]
- Kaliya: Talk about concerns, each person has two votes to give to two other cards... you're six people... you get to say "I think that idea is really important, or that concern is really important".
- 21:20:24 [manu]
- Kaliya: 12 votes in each circle.
- 21:20:33 [manu]
- i/Topic: Breakout Sessions/scribenick: manu/
- 21:20:39 [manu]
- Kaliya: You don't vote for your own card. :)
- 21:21:23 [manu]
- Kaliya: So, out of the six things, you get to pick your favorite.
- 21:21:29 [manu]
- Kaliya: Don't vote twice for the same one.
- 21:21:51 [manu]
- Kaliya: Someone else might share your concerns, keep that in mind.
- 21:21:57 [manu]
- rrsagent, draft minutes
- 21:21:57 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 21:22:26 [manu]
- Kaliya: You're going to be in a group of six, then discuss for 20 minutes, then scramble the room. talk to six new people, do the same thing... find out whose card had the most votes on it.
- 21:23:19 [manu]
- Kaliya: The point here is to get group intelligence to work... I will track time, will check in with the groups... close computers completely, groups gather, etc.
- 21:23:34 [manu]
- Kaliya: If you create new ideas, we'd love to hear about them. Write them down.
- 21:23:48 [manu]
- Kaliya: Each card with a tally, any additional outputs, we're happy to receive them.
- 21:24:09 [manu]
- Kaliya: If you came from the same company, you cannot be in the same group. Six people in a group.
- 21:24:38 [manu]
- rrsagent, draft minutes
- 21:24:38 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 21:25:08 [manu]
- Breakout sessions are forming... magic is happening.
- 22:27:41 [Karen]
- Karen has joined #auth-id
- 22:27:48 [takashi]
- takashi has joined #auth-id
- 22:28:52 [wseltzer]
- Topic: Report-out from breakouts
- 22:29:44 [manu]
- Kaliya: First segment, we'll hear all concerns... let's hear work items.
- 22:29:50 [manu]
- rrsagent, make minutes
- 22:29:50 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 22:30:23 [manu]
- achughes: Within next 2-5 years, in industry and psychology circles, identification and authentication are different things.
- 22:30:33 [manu]
- achughes: Saying that you're doing authentication when you're doing identification is not useful for market clarity.
- 22:31:20 [manu]
- JohnB: Separation of concerns - separate authentication and attribute provisioning ceremony so they're understandable.
- 22:31:38 [manu]
- Kaliya: Any other cards that are similar to this?
- 22:31:43 [Zakim]
- Zakim has left #auth-id
- 22:32:14 [Zakim]
- Zakim has joined #auth-id
- 22:32:45 [manu]
- Jill?: Privacy - do privacy by design - concerned that I didn't hear that.
- 22:32:59 [wseltzer]
- s/Jill?/Rae/
- 22:33:19 [jzcallahan]
- jzcallahan has joined #auth-id
- 22:33:42 [manu]
- @@@: We brushed away identity assurance facility today -- what about end use case, verify identity -- how do you trust the identifiers, the exchanges?
- 22:34:28 [manu]
- Dirk: I want my browser to know who I am, and responsibly surface that based on who I am.
- 22:34:45 [manu]
- s/who I am/my instruction./
- 22:35:34 [manu]
- Jiewen: Concern and work item - for web authentication - how do we provide for small parties, small providers - could we bridge OAuth and OpenID?
- 22:36:11 [wseltzer]
- rrsagent, draft minutes
- 22:36:11 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html wseltzer
- 22:36:37 [aaronpk]
- s/my instruction.,/who I am/
- 22:36:44 [manu]
- kimhd: Interop prototypes - educational credentials, I don't want to use a specific identity provider - think there is value in DIDs, enable people to have lifelong claims that they can prove control over... bootstrapping DIDs using WebAuthn or other identity solutions.
- 22:37:53 [manu]
- @4@: I'd like to see relying parties have a much richer and more diverse set of federation/identities... get away from Signon with Google/Facebook/etc.
- 22:38:19 [manu]
- @5@: Would like to take this not just for identity aspect, but for storage aspect as well.
- 22:38:32 [wseltzer]
- s/@5@/aaronpk
- 22:38:40 [shigeya_]
- shigeya_ has joined #auth-id
- 22:38:59 [achughes]
- achughes has joined #auth-id
- 22:39:04 [manu]
- Pam: Difference between having user be in one paradigm, or have a user choose between two paradigms... concerned we're going to the latter... discovery, registration, resolution, feel like we need to focus on these pieces.
- 22:39:11 [wseltzer]
- rrsagent, make logs public
- 22:40:01 [manu]
- @5@: Some of the conversations were going past each other - some people are operating in a different scenario... some want a peer-to-peer model, no parties involved in transaction that don't belong there... other people use existing systems, but very little that we own/control.
- 22:40:31 [manu]
- ... I'm not here with the view that we're going to try to extinguish those... would rather run things through both scenarios, see how they do... vs. zero sum trade off.
- 22:40:34 [BartW]
- BartW has joined #auth-id
- 22:40:34 [wseltzer]
- s/@5@/PeterWatkins/
- 22:41:05 [manu]
- ChristopherA: I'm wondering almost the reverse - where is the line? Aadhaar, social credit, etc... those are the biggest identity systems today.
- 22:41:07 [wseltzer]
- ChristopherA: some places we don't want coexistence, e.g. social credit
- 22:41:15 [manu]
- rrsagent, make minutes
- 22:41:15 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 22:42:13 [manu]
- @6@: Hoping to see alignment for WebAuthn and DIDs.
- 22:42:22 [wseltzer]
- s/@6@/Dalys/
- 22:42:52 [manu]
- @6@: Would like to see alignment that gives unified experience for subject that is trying to authenticate.
- 22:43:06 [manu]
- @7@: I'm concerned with conflict between two groups...
- 22:43:36 [aaronpk]
- s/@7@/Will Abramson/
- 22:43:45 [manu]
- Oliver: This isn't about WebAuthn and DIDs... don't reinvent the wheel... should we use mature standards like OpenID Connect and WebAuthn or something else?
- 22:43:57 [Jiewen]
- Jiewen has joined #auth-id
- 22:44:05 [manu]
- Markus: How can we align DIDs w/ stuff that works already such as WebAuthn and OpenID Connect
- 22:44:49 [manu]
- @8@: I'd like to see industry adoption of DID-based identities...
- 22:45:17 [manu]
- TonyN: Clarity on why DIDs need to be standardized...
- 22:45:24 [Jim_Masloski]
- Jim_Masloski has joined #auth-id
- 22:45:41 [manu]
- burn: Would like to see a DID WG formed at W3C.
- 22:46:20 [manu]
- Jack: Usability of these systems... thinking about it from the user's perspective.
- 22:46:46 [manu]
- Jack: Approaching it from the users perspective - registration, recovery, etc.
- 22:46:53 [manu]
- @9@: Usability that doesn't suck :)
- 22:47:02 [wseltzer]
- s/@9@/Tom/
- 22:47:23 [manu]
- @10@: More along the lines of what I didn't hear - how are these bound/linked to a known and real person, if at all?
- 22:47:25 [jzcallahan]
- jzcallahan has joined #auth-id
- 22:47:34 [manu]
- ... consistency and trust in the bindings?
- 22:47:46 [manu]
- Kaliya: That's close to identity assurance...
- 22:48:24 [manu]
- @11@: Selective, permissionless, delegation - want WebAuthn and FIDO to have support for allowing people to have one of the credentials w/o entity saying no.
- 22:48:39 [weiler]
- s/entity/relying party/
- 22:48:41 [wseltzer]
- s/@11@/weiler
- 22:49:06 [manu]
- @12@: I'd like to see OpenID Connect community working with Ethereum community - gamification and incentives... there is no financial incentive
- 22:49:08 [weiler]
- I think solutions in this space will help improve backup and recovery, also.
- 22:49:15 [weiler]
- s/@12@/Sarah Squire/
- 22:50:28 [manu]
- @13@: Interested in seeing use cases clear - context of value propositions, use cases clear of sub data flows that are involved because each of those are gamable from use cases perspective.
- 22:50:38 [manu]
- s/use cases/business model, legal, etc/
- 22:50:43 [wseltzer]
- s/@13@/Scott
- 22:51:06 [manu]
- @14@: My question was a meta question for the group - don't know how to place everything going on - what is framework for thinking about problem set and what does success look like?
- 22:51:19 [wseltzer]
- s/@14@/Mary_Hodder
- 22:51:36 [manu]
- @15@: How do all of these building blocks work together?
- 22:51:52 [wseltzer]
- s/@15@/karen/
- 22:52:34 [manu]
- @16@: Tightly scoped, standards based efforts, interoperable pieces ... how do we find those?
- 22:52:53 [manu]
- @17@: I'd like to see standards support for Decentralized Identity stack - we need multiple things in place for that to happen.
- 22:53:08 [manu]
- JimM: Layering of ID management, different rules for that.
- 22:53:29 [manu]
- @18@: Oftentimes in designs, there is a service that affects wallet, that should become clear, how wallets work.
- 22:54:08 [manu]
- @19@: Ensure adoption among private, public, and across both domains.
- 22:54:37 [manu]
- @20@: Remote authentication support for webauthn webauthz frameworks.
- 22:54:52 [manu]
- @21@: Validating identity proofing, risk of synthetic IDs...
- 22:54:57 [BartW]
- s/@19@/BartW
- 22:55:01 [manu]
- ... fabricated ID that someone creates...
- 22:55:13 [manu]
- ... online proofing vs. physical proofing.
- 22:55:25 [manu]
- achughes: We should probably say "identity assurance"
- 22:56:00 [achughes]
- achughes: The synthetic identity card should go with the ‘identity assurance’ card
- 22:56:01 [manu]
- @22@: Other schemes, like GS1 ecosystem... GLNs, GTINs, LEIs.
- 22:56:23 [manu]
- s/Other/Interop with other/
- 22:57:36 [manu]
- @23@: Concerned to have centralized authorities onboard rather than blocking... centralized authorities are not always excited about decentralized solutions.
- 22:58:31 [manu]
- Pindar: Scalability - at what scale are we talking about... we're doing things about Internet scale... also concerned about Know Your Machine...
- 22:58:52 [manu]
- @24@: Adoption - will end users understand value proposition of DIDs, what they get?
- 22:59:34 [manu]
- @25@: Interop from perspective of web developers - help browsers understand what APIs they should be understanding so developers can focus on clear stories so developers can focus on stuff that's not passwords or authn.
- 23:00:26 [manu]
- @26@: Preserving privacy, let the user determine how that privacy is preserved.
- 23:00:35 [manu]
- s/@26@/Ken/
- 23:01:07 [manu]
- rrsagent, draft minutes
- 23:01:07 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html manu
- 23:01:23 [Karen]
- Karen has joined #auth-id
- 23:19:18 [tantek]
- tantek has joined #auth-id
- 23:29:22 [Karen]
- [Break Ends]
- 23:29:33 [Karen]
- scribenick: Karen
- 23:29:47 [Karen]
- Topic: Market Verticals: Current and Future Challenges
- 23:31:34 [Karen]
- Government Segment Speaker: Peter Watkins, Province of British Columbia
- 23:32:32 [kenrb]
- kenrb has joined #auth-id
- 23:32:42 [Karen]
- Peter: I am with the gov't of BC; I don't view myself representing a vertical, but a government
- 23:32:47 [burn]
- burn has joined #auth-id
- 23:32:49 [Didier]
- Didier has joined #auth-id
- 23:32:51 [jzcallahan]
- jzcallahan has joined #auth-id
- 23:32:59 [Karen]
- ...I cannot speak on behalf of the gov't or other gov'ts but happy to bring my perspectives as a government guy
- 23:33:05 [Karen]
- ...first, you have to be precise
- 23:33:13 [Jiewen]
- Jiewen has joined #auth-id
- 23:33:15 [Karen]
- ...In Canada, gov't can mean many things; different levels, peoples
- 23:33:22 [wseltzer]
- -> https://docs.google.com/presentation/d/1VtA4Twjk3OKy9PhOZiPE_4eVxzmIRtqTrgVRcDMPNUc/edit?usp=sharing Slides for the Market Verticals discussions
- 23:33:29 [Karen]
- ...indigenous peoples also act as own governments
- 23:33:38 [BartW]
- BartW has joined #auth-id
- 23:33:43 [krystian_czesak]
- krystian_czesak has joined #auth-id
- 23:33:46 [Karen]
- ...educational systems as well
- 23:33:56 [wseltzer]
- [slide 5]
- 23:34:06 [Karen]
- ...We are small, 4 million, but we operate across a great number of areas [reads slides]
- 23:34:14 [Karen]
- ...and it's not an exhaustive list
- 23:34:21 [Karen]
- ...from an identity perspective, we operate at the base
- 23:34:36 [Karen]
- ...As it relates to the law; important to understand that context
- 23:34:42 [Karen]
- ...We register births and deaths
- 23:34:57 [Karen]
- ...you don't exist or die until we say so [laughs]
- 23:35:01 [Karen]
- ...we run the corporate registry
- 23:35:03 [wseltzer]
- "legally, you're not born until we say you're born."
- 23:35:09 [Karen]
- ...we create corporations, societies
- 23:35:23 [Karen]
- ...we have a whole set of laws, each of which created self-regulating bodies
- 23:35:32 [Karen]
- ...we say if you are a lawyer, doctor, nurse, accountant, etc.
- 23:35:39 [Karen]
- ...all of these associations, affiliations, etc.
- 23:35:44 [Karen]
- ...and licenses and permits
- 23:36:01 [Karen]
- ...drive a car, commercial vehicle; dig a hole, inspect machinery, etc.
- 23:36:14 [Karen]
- ...we have gov't machinery, processes and policies
- 23:36:19 [Karen]
- ...we operate the land title searches
- 23:36:27 [Karen]
- ...who owns what land; very important function
- 23:36:35 [Karen]
- ...and we allow registration of liens
- 23:36:46 [Karen]
- ...so a lot going on in our world for identity information
- 23:37:00 [wseltzer]
- [slide 6]
- 23:37:05 [Karen]
- [slide 6]
- 23:37:17 [kenrb]
- kenrb has joined #auth-id
- 23:37:23 [Karen]
- ...We have a legacy system
- 23:37:35 [Karen]
- ...so we looked for something to scale
- 23:37:50 [Karen]
- ...we invented a BC services card and a provincial identity management info program
- 23:37:58 [Karen]
- ...we leverage two things; the popularity of driving
- 23:38:05 [Karen]
- ...and we run one universal program, healthcare
- 23:38:21 [Karen]
- ...we created a drivers license and health care card combined
- 23:38:26 [Karen]
- ...one card, one chip to authenticate
- 23:38:32 [Karen]
- ...no personal information other than the chip number
- 23:38:48 [wseltzer]
- s/one chip/one EMV chip/
- 23:38:49 [Karen]
- ...at this point we have enrolled 4.3 million BC citizens; looking at a mobile app now
- 23:39:02 [Karen]
- ...we want people to be self-deterministic; and do it digitally
- 23:39:06 [Karen]
- ...you met John Jordan and team
- 23:39:13 [Karen]
- ...they are advance hyperledger service
- 23:39:33 [Karen]
- ...take corporate registration records and encoded them into @...set up for a digital platform
- 23:39:41 [Karen]
- ...So gov't perspective on strong authentication
- 23:39:47 [Karen]
- ...We are damned if we don't do it
- 23:39:57 [Karen]
- ...your land registry is tied to Google account?
- 23:39:58 [wseltzer]
- [slide 7]
- 23:40:05 [Karen]
- ...we don't own, control or have accountability over that
- 23:40:09 [Karen]
- ...no effective resource
- 23:40:26 [Karen]
- ...not clear to us what happens when things are lost, account recovery process is difficult
- 23:40:43 [burn]
- s/resource/recourse/
- 23:40:43 [Karen]
- ...authentication tech can become a party to all of the transactions that unfold; we don't think that should happen that way
- 23:40:50 [Karen]
- ...public does not view they have much choice
- 23:41:14 [Karen]
- ...when we make our tech dependent upon others, they feel they are forced to adopt something; gets us on the wrong side
- 23:41:21 [Karen]
- ...If we do it, we're also damned
- 23:41:26 [Karen]
- ...but this is important technology
- 23:41:43 [Karen]
- ...our small province cannot defend against the threat model
- 23:41:48 [Karen]
- ...it is frightening
- 23:41:57 [Karen]
- ...You don't interact with gov't as much as other entities
- 23:42:07 [Karen]
- ...every transaction can be a spin through account recovery
- 23:42:17 [Karen]
- ...We don't like that our services would be party to the transactions
- 23:42:18 [wseltzer]
- "every trqnsaction is a spin through the recovery flow"
- 23:42:30 [wseltzer]
- s/trqn/tran/
- 23:42:36 [Karen]
- ...if we did verify your identity, we can remember you at our counter and restore our services
- 23:42:41 [Karen]
- ...but is that a bug or a feature
- 23:42:50 [Karen]
- ...our businesses are entwined globally
- 23:43:02 [Karen]
- ...we would not know how our own unique approach would scale
- 23:43:14 [Karen]
- ...you don't sell provision it
- 23:43:20 [Karen]
- ...Lastly, there is a lending problem
- 23:43:35 [Karen]
- ...no one has mounted an argument about your traffic ticket
- 23:43:42 [Karen]
- ...but if tied to benefits, then it's another story
- 23:44:15 [Karen]
- [slide @] ...On identity information, there is Lou the person who wants to interact with digital services.com; dialogue box
- 23:44:24 [wseltzer]
- s/@]/8]/
- 23:44:31 [Karen]
- ...dialogue box; we know we will get called
- 23:44:38 [Karen]
- ...information disclosure related to that
- 23:44:45 [Karen]
- ...that we don't have in the real world
- 23:44:56 [Karen]
- ...we are looking for an architecture that would operate more like real world
- 23:45:07 [Karen]
- ...last thing to bring is a sense of urgency
- 23:45:08 [wseltzer]
- [slide 9]
- 23:45:24 [Karen]
- ...divide things into things that are less or super important
- 23:45:28 [Mitja]
- Mitja has joined #auth-id
- 23:45:37 [Karen]
- ...super important we are stuck in old world on important things
- 23:45:48 [Karen]
- ...to light up upper box, we need trustworthy ID
- 23:45:54 [Karen]
- ...and we need better technical solutions
- 23:45:56 [Karen]
- ...That is my talk
- 23:46:08 [Karen]
- Wendy: Do we have some quick questions for Peter on that use case?
- 23:46:21 [Karen]
- Pindar: You highlighted legal views
- 23:46:29 [Karen]
- ...for individuals and corporates
- 23:46:30 [wseltzer]
- q+ ScottDavid
- 23:46:44 [Karen]
- ...have you talked about smart contracts?
- 23:46:47 [Karen]
- Peter: I don't know
- 23:46:52 [wseltzer]
- ack Scott
- 23:46:55 [Karen]
- Scott: critical infrastructure
- 23:47:15 [Karen]
- ...often those are privately owned; have you run into arrangements with private infrastructure that will be more reliable?
- 23:47:29 [wseltzer]
- q+ TonyNadalin
- 23:47:41 [Karen]
- ...services different in other contexts, but any analogies used for critical infrastructure that could be used reliability for gov't
- 23:47:54 [Karen]
- Peter: In BC, we see emergence of pan-Canadian trust framework
- 23:48:12 [Karen]
- ...gov'ts should be positioned as an effective regulator rather than a direct provider
- 23:48:17 [Karen]
- ...you see that in financial services
- 23:48:29 [Mitja]
- can the link to all presentations (no google drive) be shared? IRC seems to break after a while and I'm not able to see history
- 23:48:30 [Karen]
- ...but it is a mind bender to set up to regular identity providers
- 23:48:33 [Karen]
- ...that is my opinion
- 23:48:40 [Karen]
- Scott: Maybe look at insurance which is a risk issue
- 23:49:01 [Karen]
- Gregory: How much would be regulation v. standardization and endorsement
- 23:49:14 [Karen]
- ...you mentioned the pan-Canadian trust framework, I am here representing DIACC
- 23:49:24 [Karen]
- Peter: Payment industry did a summary on payment
- 23:49:27 [wseltzer]
- q- Tony
- 23:49:44 [Karen]
- ...they discovered self regulating would be better; way better for the industry to take over; far better way to go
- 23:50:00 [Karen]
- Pam: you are unique in that you have an ecosystem adopt your services
- 23:50:15 [Karen]
- ...how does it work that Police services adopt anything different, such as the drivers' licenses
- 23:50:21 [Karen]
- ...how did you get people to buy in?
- 23:50:30 [Karen]
- Peter: not a large digital component; just starting this year
- 23:50:33 [Karen]
- ...healthcare, social services
- 23:50:44 [Karen]
- ...without the services card, they have gone down the road as far as they can go
- 23:50:48 [Karen]
- ...light bulb is going on
- 23:50:55 [Karen]
- ...and they recognize they need the services card
- 23:51:05 [Karen]
- ...I think you will see services card adoption
- 23:51:11 [Karen]
- ...I started work on this in 2007
- 23:51:18 [Karen]
- ...program started officially in 2013
- 23:51:24 [Karen]
- ...now in renewal cycle
- 23:51:26 [Karen]
- ...have to go long
- 23:51:36 [Karen]
- ...you cannot push the public to this; you will get on the wrong side of PR
- 23:51:51 [Karen]
- ...we used the natural expiration rate of the drivers' licenses; just waited it out
- 23:51:56 [Karen]
- Wendy: Thanks so much Peter
- 23:52:03 [Karen]
- ...next up is Allen Brown to talk about healthcare
- 23:52:23 [Karen]
- Speaker: Allen Brown
- 23:52:31 [Karen]
- Topic: Health Care IDology
- 23:52:43 [Karen]
- Allen: my personal interest is ID with respect to digital contracts
- 23:52:58 [Karen]
- ...Manu knows I worked on healthcare and life sciences systems and asked me to talk about that in this space
- 23:53:02 [Karen]
- ...start with an anecdote
- 23:53:16 [Karen]
- ...at Microsoft I worked five years for the @ solutions group
- 23:53:24 [Karen]
- ...in 2009 there was a NATO delegation
- 23:53:25 [wseltzer]
- s/@/Health/
- 23:53:32 [Karen]
- ...those of us interested in healthcare invited us
- 23:53:42 [Karen]
- ...delegation was led by an assistant secretary general of NATO
- 23:53:50 [Karen]
- ...in another life he was a trauma surgeon
- 23:54:01 [Karen]
- ...his remit included field hospitals
- 23:54:14 [Karen]
- ...at the time of Afghanistan there were only 7 hospitals
- 23:54:28 [Karen]
- ...most NATO military orgs' medical services are integrated with national health services
- 23:54:40 [Karen]
- ...and field hospitals are meant to be the health services
- 23:54:47 [Karen]
- ...so there were 7 field hospitals
- 23:54:53 [wseltzer]
- s/only//
- 23:55:08 [Karen]
- ...Secy General went on to talk about two Dutch marines and two Americans operating in squads
- 23:55:25 [Karen]
- ...interoperations were walking over from one tent to another
- 23:55:42 [Karen]
- ...Afghanistan had 1200 operational aircraft that know how to broadcast communications
- 23:55:50 [Karen]
- ...but you could not do this for Marines was a standing joke
- 23:56:08 [Karen]
- ...I want to specifically talk about a system we developed at Microsoft called Amalga
- 23:56:17 [Karen]
- ...you have lots of patient data and you want to assemble a data cube
- 23:56:27 [Karen]
- ...to have a single view of everything about the patient
- 23:56:39 [Karen]
- ...in doing that you quickly come up against lots of issues about identity
- 23:56:44 [Karen]
- ...I will talk about four of them
- 23:57:04 [Karen]
- ...while Amalga was meant to extract data about patients from electronic medical systems as well as from real time feeds
- 23:57:16 [Karen]
- ...extract EMR, many systems are oriented around payments
- 23:57:22 [Karen]
- ...have to go through payer who was paying for this
- 23:57:31 [Karen]
- ...or else it is difficult to extract certain kinds of data
- 23:57:41 [Karen]
- ...have to extract the payer first to get to the diagnosis
- 23:57:48 [Karen]
- ...Identity for providers is obvious
- 23:57:54 [Karen]
- ...give them access to patient information
- 23:58:00 [Karen]
- ...but something else goes on here
- 23:58:07 [Karen]
- ...much patient data is subject to interpretation
- 23:58:18 [Karen]
- ...you need to know who the interpreter is
- 23:58:22 [Karen]
- ...next is the data itself
- 23:58:44 [Karen]
- ...Amalga had origins in system done at George Washington School of Medicine and Life Sciences
- 23:58:56 [Karen]
- ...because of its geo location in Washington DC
- 23:59:03 [Karen]
- ...it has access to many kinds of patients
- 23:59:29 [Karen]
- ...one CAT scan file was originated at one hospital and passed to another
- 23:59:38 [Karen]
- ...need to make sure it's same patient and scan
- 23:59:47 [Karen]
- ...Amalga collecting data from many sources
- 00:00:03 [Karen]
- ...and identities of patients were different; mechanism to coalesce identities is needed
- 00:00:25 [Karen]
- ...Patients who are largely treated through emergency rooms, and each ER visit generates a new ID
- 00:00:53 [Karen]
- ...I created for them an inference system to assemble IDs into a single individual
- 00:01:00 [Karen]
- ...that is story and the state of affairs as of 2016
- 00:01:11 [Karen]
- ...to the best of my knowledge, this situation has not changed
- 00:01:18 [Karen]
- ...so I hope folks in this room can fix this problem
- 00:01:24 [Karen]
- Wendy: We have a challenge in front of us
- 00:01:28 [Karen]
- ...any questions for Allen?
- 00:01:54 [Karen]
- Scott: economic challenges inherent...providers don't want to share patients
- 00:02:10 [Karen]
- ...is there a threshold; how to get over the economic disincentives
- 00:02:16 [Karen]
- Allen: I don't see how it can improve
- 00:02:22 [Karen]
- ...no amount of tech will fix the problem
- 00:02:41 [Karen]
- Pindar: some kinds of data you want people to see, but not change it
- 00:02:45 [Karen]
- Allen: not change the data
- 00:02:52 [Karen]
- ...it's about the five different IDs
- 00:03:13 [Karen]
- ...with IDs you want to infer they are equal and do in a probabilistic fashion
- 00:03:16 [Karen]
- ...one set may be higher
- 00:03:23 [wseltzer]
- q?
- 00:03:23 [Karen]
- ...how you associate data, not change data
- 00:03:42 [Karen]
- Mathias: how do you handle privacy?
- 00:03:56 [Karen]
- ...different providers and data; how do you handle privacy?
- 00:04:05 [Karen]
- Allen: I am hearing more problems [laughs]
- 00:04:16 [Karen]
- Wendy: thank you very much for that presentation
- 00:04:46 [Karen]
- ...next up is Jim Maslowski
- 00:04:55 [Karen]
- Speaker: Jim Mislowski
- 00:05:05 [Karen]
- ...I work with DHS
- 00:05:12 [elbowspeak]
- elbowspeak has joined #auth-id
- 00:05:16 [Karen]
- ...we were developing proof of concept for certificates of origin
- 00:05:21 [wseltzer]
- s/Mislowski/Masloski/G
- 00:05:23 [Karen]
- ...doing input process
- 00:05:37 [Karen]
- ...a group was tasked with process
- 00:05:43 [wseltzer]
- [slide 12 from group deck]
- 00:05:53 [Karen]
- ...brought in different people, US Customs, trade people, customs brokers, importers
- 00:06:01 [Karen]
- ...parties responsible for capturing and setting the information
- 00:06:11 [Karen]
- ...sat down to figure out how to do this on a distributed ledger
- 00:06:20 [Karen]
- ...We were in a room for a day and a half to outline our tasks
- 00:06:28 [Karen]
- ...how to target this process
- 00:06:40 [Karen]
- ...we started with 35 ideas and narrowed down to 5-6 simplistic ideas
- 00:07:02 [Karen]
- ...we found out who the actors were, what you would need who would help develop the process
- 00:07:09 [Karen]
- ...Looking at import and export processes
- 00:07:28 [Karen]
- ...it was an eye opener for the group to see how to capture that information, how it comes to you, and what the legal requirements are
- 00:07:33 [Karen]
- ...we had the legal group with us
- 00:07:53 [Karen]
- ...always interesting when we say we want to capture x but legal says it's against the law to do so
- 00:08:07 [Karen]
- ...we went in knowing it would be a challenge and a work-in-progress proof of concept
- 00:08:11 [Karen]
- ...when we got through it
- 00:08:21 [Karen]
- ...I have put a transportation document up on the screen
- 00:08:25 [wseltzer]
- [slide 13]
- 00:08:33 [Karen]
- ...we focused on the verifiable credentials and ID management
- 00:08:43 [Karen]
- ...how to verify who was making claim and capture that information
- 00:08:50 [Karen]
- ...this happens to be a load of light bulbs
- 00:09:01 [Karen]
- ...certain data a gov't makes available, certain information stays private
- 00:09:20 [Karen]
- ...had to figure out how to make a legal, compliant distributed ledger that improves the supply chain
- 00:09:29 [Karen]
- ...too agnostic approach
- 00:09:35 [Karen]
- ...cross-platform
- 00:09:49 [wseltzer]
- s/too/took/
- 00:10:08 [Karen]
- ...look at number of parties needing access to the system; we used DIDs to identify the brokers, suppliers, US customers, and used Verifiable Credentials
- 00:10:27 [Karen]
- ...with distributed ledger we could identify products coming in, the provenance
- 00:10:42 [Karen]
- ...communication between agency and supplier
- 00:10:52 [Karen]
- ...supply chain side, we could get supplier into the front end
- 00:11:01 [Karen]
- ...supplier certified
- 00:11:21 [Karen]
- ...we added to transaction that crossed border, ID who owned, who is responsible, so then US Customs could ask questions on it
- 00:11:31 [Karen]
- ...we provided supporting documentation
- 00:11:35 [Karen]
- ...as a valid pre-trade claim
- 00:11:40 [Karen]
- ...from that standpoint it went well
- 00:11:55 [Karen]
- ...Biggest challenge was taking into consideration the legal side
- 00:12:03 [Karen]
- ...hard to grab the information the way the laws are written
- 00:12:20 [Karen]
- ...we were able to take advantage of the distributed ledger to make these claims
- 00:12:37 [Karen]
- ...Looking at clusters of information; does that org exist and is it an importer
- 00:12:47 [Karen]
- ...how do you certify this is a load of lumber, or an automobile
- 00:13:07 [Karen]
- ...it all hinged on the DIDs, Verifiable Credentials and having a process to capture the information and the proof
- 00:13:15 [Karen]
- ...there was significant time savings on these requests
- 00:13:27 [Karen]
- ...for example, where is the T-shirt manufacturer
- 00:13:31 [Karen]
- ...one invoice, one sku
- 00:13:49 [Karen]
- ...to claim differential rate; they would supply a pallet worth of documentation
- 00:14:02 [Karen]
- ...with this process they could make the claim with info that was on the ledger
- 00:14:07 [Karen]
- ...a huge advantage
- 00:14:12 [Karen]
- ...I liked it
- 00:14:24 [Karen]
- ...from a trade standpoint, we look forward to see what W3C does for DIDs
- 00:14:31 [Karen]
- ...we think it's a neat way to go
- 00:14:34 [Karen]
- Wendy: thank you
- 00:14:46 [Karen]
- Joe: What were some of the legal requirements?
- 00:15:14 [Karen]
- Jim: parties to the transaction for example
- 00:15:43 [Karen]
- ...done in DIDs and Verifiable Credentials; participation from brokers, suppliers
- 00:16:09 [Karen]
- Markus: what DID method did you use and what ledger?
- 00:16:21 [Karen]
- Jim: I am a customs broker; I think it was a @ blockchain
- 00:16:33 [Karen]
- Markus: but you used real DIDs
- 00:16:46 [Karen]
- Jim: we had IBM participating with Walmart
- 00:17:10 [Karen]
- ...we used customs data, transactions that were current and processed them through this system
- 00:17:10 [manu]
- s/Jim: we had IBM participating with Walmart//
- 00:17:14 [Karen]
- ...took real data
- 00:17:21 [Karen]
- ...each data posted
- 00:17:26 [kimhd]
- kimhd has joined #auth-id
- 00:17:29 [Karen]
- ...US customs used blockchain
- 00:17:33 [Karen]
- ...supplied response back to us
- 00:17:45 [Karen]
- ...I used my software, retailer used its own
- 00:18:03 [Karen]
- Ken: from chain of custody
- 00:18:12 [Karen]
- ...regulations require signatures of taking custody
- 00:18:15 [wseltzer]
- s/Ken/Jack/
- 00:18:17 [Karen]
- ...any thought of using other forms
- 00:18:24 [Karen]
- ...law states we needed a signature
- 00:18:30 [Karen]
- ...lawyers said we needed a signature
- 00:18:35 [Karen]
- ...we had supplier go online to application
- 00:18:38 [wseltzer]
- q?
- 00:18:44 [Karen]
- ...they certified who they were
- 00:18:49 [Karen]
- Jack: how did they do that?
- 00:19:09 [Karen]
- Jim: we filled in the appropriate information; electronic signature
- 00:19:13 [Karen]
- ...certified by the individual
- 00:19:17 [Karen]
- ...company level, the same way
- 00:19:25 [Karen]
- ...importer; the broker made the claim
- 00:19:32 [Karen]
- ...I am FedEx or UPS
- 00:19:36 [Karen]
- Wendy: Tony and Pindar
- 00:19:45 [Karen]
- Tony: how did you deal with @
- 00:19:53 [aaronpk]
- s/@/errors/
- 00:20:07 [Karen]
- ...with blockchain, can you say how you dealt with the errors
- 00:20:10 [Karen]
- ...that need to be fixed
- 00:20:28 [Karen]
- Jim: we talked about the two meetings with the 35 ideas; narrowed down to 5 scenarios
- 00:20:34 [Karen]
- ...and we talked about the correction process
- 00:20:44 [Karen]
- ...public data was not as granular so you would not see the errors
- 00:20:48 [Karen]
- s/errors
- 00:20:55 [Karen]
- ...but you could make a private correction
- 00:21:02 [Karen]
- ...and post to the ledger as an amendment
- 00:21:14 [Karen]
- Pindar: Was there only one customs involved here?
- 00:21:25 [gannan]
- gannan has joined #auth-id
- 00:21:28 [Karen]
- Jim: just one; NAFTA province of origin, one lifecycle
- 00:21:44 [Karen]
- Speaker: Scott David
- 00:21:50 [Karen]
- Wendy: we have 10 minutes
- 00:22:10 [Karen]
- Topic: Law and DIDs
- 00:22:16 [Karen]
- Scott: slides will be available
- 00:22:17 [kenrb]
- kenrb has joined #auth-id
- 00:22:39 [Karen]
- ...we learned about "some other guy did it" defense
- 00:22:51 [Karen]
- ...all attorneys talk about mild and wild law
- 00:23:02 [wseltzer]
- [starts at slide 15 of shared deck]
- 00:23:07 [Karen]
- ...mild is driving and looking forward through windshield
- 00:23:15 [Karen]
- ...most data practices are about data practices
- 00:23:20 [Karen]
- ...that is old stuff, going back 50 years
- 00:23:24 [Karen]
- ...authorities are past
- 00:23:29 [Karen]
- ...old notions of authority
- 00:23:44 [Karen]
- ...concepts of what we did in the past
- 00:23:53 [Karen]
- ...but we did not have the same problems, different in kind
- 00:23:56 [wseltzer]
- "the problem is that in the past we didn't have a lot of these problems"
- 00:24:00 [Karen]
- ...problems are now more about risk
- 00:24:07 [Karen]
- ...how to de-risk these new propositions
- 00:24:29 [Karen]
- ...notion of identity is locus of duty and liability and rights and value drive identity
- 00:24:42 [Karen]
- ...some solutions don't always work
- 00:24:56 [Karen]
- ...Now looking at Wild Law -- being asked to speculate
- 00:24:59 [Karen]
- ...the nature of the challenge
- 00:25:10 [wseltzer]
- caption: "and by tomorrow, I'll need a list of specific unknown risks that we'll encounter with this project"
- 00:25:21 [Karen]
- ...Moore's law resulted in an increase in interaction volumes and densities
- 00:25:38 [Karen]
- ...when trying to de-risk at time of exponential increase, it's very difficult
- 00:25:44 [Karen]
- ...more push to interoperability
- 00:25:52 [Karen]
- ...comparison slide
- 00:26:06 [wseltzer]
- [slide 21]
- 00:26:07 [Karen]
- ...legal products, economic products and services
- 00:26:21 [Karen]
- ...structure the product to de-risk certain behaviors
- 00:26:26 [Karen]
- ...will open up new markets and products
- 00:26:33 [Karen]
- ...authority is future opportunity
- 00:26:45 [Karen]
- ...old value was cost limitation
- 00:26:59 [Karen]
- ...being in a cost center is not a great place to be; you want to be in a profit center
- 00:27:04 [Karen]
- ...want to be selling things
- 00:27:11 [Karen]
- ...advocating that in terms of DIDs
- 00:27:17 [Karen]
- ...Identity not so much a node thing
- 00:27:32 [Karen]
- ...it comes back to relationship with community; efficiency; ability to measure nodes
- 00:27:42 [Karen]
- ...Identities are key
- 00:28:05 [Karen]
- ...Talk about the trends that will affect the measurements
- 00:28:25 [Karen]
- ...problem of de-risk things but we don't know what the terms are and their definitions
- 00:28:34 [Karen]
- ...Sic Hunt Draones
- 00:28:42 [Karen]
- s/Dracones
- 00:28:53 [Karen]
- ...Talk about the 13 global risk trends
- 00:29:00 [Karen]
- ...Secrecy is Dead
- 00:29:24 [Karen]
- ...you are seeking insights; but there is also intrusion
- 00:29:39 [Karen]
- ...distributed info architectures render hierarchies blind
- 00:30:07 [Karen]
- ...same people who go on Facebook are connected and yet the CEO is blind about things
- 00:30:13 [Karen]
- ...Sovereignty of Complexity
- 00:30:37 [Karen]
- ...Socio-Technical systems force non-technical variables into security design
- 00:30:49 [Karen]
- ...look at risk not just in the lab, but also in the context of the entire system
- 00:30:58 [Karen]
- ...Information Democratization Collapses Scale
- 00:31:06 [Karen]
- ...controls can be done by crossing over among elements
- 00:31:12 [Karen]
- ...stopping at a traffic light
- 00:31:26 [Karen]
- ...business, legal and technical elements can get adjusted
- 00:31:32 [Karen]
- ...Data tech is "dual use"
- 00:31:48 [Karen]
- ...constraining data is an old law
- 00:31:56 [Karen]
- ...people are data producers
- 00:32:15 [Karen]
- ...used to have institutional support for data producers
- 00:32:28 [Karen]
- ...Big Data insights invert critical analysis
- 00:33:05 [Karen]
- ...in genetics they are finding ocean organisms; but fewer pathways involved; we don't have to treat each one as unique
- 00:33:12 [Karen]
- ...Synthetic intelligence is sharing ideas
- 00:33:28 [Karen]
- ...Internet is not a public park; it is a privately operated commercial space
- 00:33:34 [Karen]
- ...Internet is not a public park
- 00:33:39 [Karen]
- ...Data is not Information
- 00:33:58 [wseltzer]
- "meaning security"
- 00:33:59 [Karen]
- ...educate into meaning security
- 00:34:19 [Karen]
- ...question of bureaucracies
- 00:34:24 [Karen]
- ...AAAA threats
- 00:34:35 [Karen]
- ...attacks, accidents, and acts of nature
- 00:34:42 [Karen]
- ...different vectors of attack
- 00:34:50 [kenrb]
- kenrb has joined #auth-id
- 00:34:53 [Karen]
- ...if you don't know nature of system you cannot deal with it as well
- 00:34:57 [Karen]
- ...AI is between here and here
- 00:35:02 [Karen]
- ...that's it
- 00:35:05 [Karen]
- ...Good luck
- 00:35:19 [Karen]
- Wendy: any questions following that lightning talk?
- 00:35:43 [Karen]
- Mike: Which was the attack and which was the act of nature?
- 00:35:54 [Karen]
- Speaker: John Fontana
- 00:36:27 [burn]
- s/here and here/attack and act of nature/
- 00:36:33 [Mitja]
- Mitja has joined #auth-id
- 00:36:41 [Karen]
- Topic: The Enterprise
- 00:36:51 [Karen]
- John: I spent 25 years as a tech journalist
- 00:37:06 [Karen]
- ...saw this directory, saw a lot about identity
- 00:37:08 [Mitja]
- Can someone please share the google drive link to the presentations?
- 00:37:09 [Karen]
- ...I covered security
- 00:37:27 [Karen]
- ...I recorded every conversation because everyone spoke in acronyms and numbers
- 00:37:32 [Karen]
- ...then I got off security beat
- 00:37:38 [Karen]
- ...and started to cover directories and messaging
- 00:37:52 [Karen]
- ...I went to conference in Philadelphia; sessions on X509
- 00:38:01 [Karen]
- ...other side were LDAP guys yelling at each other
- 00:38:17 [Karen]
- ...replication issues on the LDAP side, X509 is dead; they are still both around
- 00:38:27 [Karen]
- ...directories started to take on a persona
- 00:38:35 [Karen]
- ...I got sent to Burton Group conferences
- 00:38:42 [Karen]
- ...talked about directories for three days
- 00:39:06 [Karen]
- ...then I heard talk about directories and Pam stood up and said 'you're full of it'
- 00:39:08 [Karen]
- ...so I talked to her
- 00:39:26 [Karen]
- ...All these big companies dictated the reference architecture that the Burton Group would build
- 00:39:37 [Karen]
- ...and every year they would carve out time for me to talk to them
- 00:39:45 [Karen]
- ...it gave me the lay of the land to cover this stuff
- 00:39:57 [Karen]
- ...at the time, Novell, Netscape had directories
- 00:40:01 [Karen]
- ...those were hot topics
- 00:40:16 [Karen]
- ...asked about multiple forests
- 00:40:21 [Karen]
- ...Microsoft gave an hour lecture
- 00:40:26 [Karen]
- ...I identified myself
- 00:40:38 [Karen]
- ...and asked about 'what about multiple forests'
- 00:40:57 [Karen]
- ...so the lede of my story was 'if you want to go to hell, talk about multiple forests'
- 00:41:06 [Karen]
- ...got a call from the product manager who was not happy
- 00:41:13 [Karen]
- ...that morphed into the Liberty Alliance
- 00:41:19 [Karen]
- ...that was in 2001
- 00:41:25 [Karen]
- ...remember the WSStar stuff
- 00:41:30 [Karen]
- ...where I met Tony from IBM
- 00:41:51 [Karen]
- ...he explained passport, infocards, what has morphed into Azure infrastructure
- 00:41:56 [Karen]
- ...Kim Cameron
- 00:42:01 [Karen]
- ...loss of identity
- 00:42:04 [Karen]
- ...talking about directory
- 00:42:09 [Karen]
- ...hooked onto SAML
- 00:42:23 [Karen]
- ...became popular; Andre Duran, CEO of Ping
- 00:42:35 [Karen]
- ...he gave a nice 45-minute talk about SAML
- 00:42:51 [Karen]
- ...he said he had no clue what he was talking about...
- 00:42:57 [Karen]
- ...Since 2010
- 00:43:14 [Karen]
- ...I had a column on ZDNET on data breaches and how that was falling apart
- 00:43:23 [Karen]
- ...data breaches are a tired story; same things keep happening
- 00:43:30 [Karen]
- ...I wrote down all of the things I covered
- 00:43:39 [Karen]
- ...groupware, collaboration,
- 00:43:52 [Karen]
- ...I've seen a lot of water under the bridge
- 00:43:56 [Karen]
- ...these iterations on these technologies
- 00:44:01 [Karen]
- ...nothing seems to go away
- 00:44:07 [Karen]
- ...some things rise to the top
- 00:44:26 [Karen]
- ...a testament to what folks in this room do; it takes a lot of time
- 00:44:40 [Karen]
- ...wild ride from an LDAP directory to where we are now, and how much has been accomplished
- 00:44:47 [Karen]
- ...great things going on in this space
- 00:44:55 [Karen]
- ...closest we are working on standards
- 00:45:01 [Karen]
- ...thank everybody for their hard work
- 00:45:11 [Karen]
- ...hope this will be a milestone for what we have today
- 00:45:12 [Karen]
- ...thank you
- 00:45:21 [Karen]
- Wendy: thanks a lot, John
- 00:45:32 [Karen]
- ...hard to follow that with an agenda bashing session for tomorrow
- 00:45:50 [Karen]
- Tony: what do you see as trends there? you have seen things fail and succeed
- 00:45:54 [Karen]
- ...you must see trends come
- 00:45:58 [Karen]
- John: I talked today in our group
- 00:46:05 [Karen]
- ...there is a purity when you are developing the specs
- 00:46:11 [Karen]
- ...people in room see the challenge
- 00:46:14 [Karen]
- ...get something going
- 00:46:24 [Karen]
- ...then bring in the business strategy piece and things go wonky
- 00:46:36 [Karen]
- ...hard to drive the spec down to the finishing point
- 00:46:41 [Karen]
- ...from experience, that is best avoided
- 00:46:51 [Karen]
- ...can be detrimental and leave you with ragged edges
- 00:47:07 [Karen]
- ...boils down to the commitment of the people involved before the business guys come in
- 00:47:21 [Karen]
- Pindar: what advice do you have for this group based on their experience
- 00:47:36 [Karen]
- ...I am hearing you say get the tech work done and keep business people at bay
- 00:47:41 [Karen]
- John: it boils down to hard work
- 00:47:53 [Karen]
- ...like a kids' PTA, bunch of people but only 3 do all the work
- 00:48:13 [Karen]
- ...in a volunteer environment, it is difficult to get the people to do the work, and motivate them to do it
- 00:48:16 [Karen]
- ...it is difficult
- 00:48:20 [Karen]
- Pam: I would add one thing
- 00:48:36 [Karen]
- ...from stuff I have seen; ambiguity is your enemy
- 00:48:48 [Karen]
- ...if people want to make things more ambiguous, walk away
- 00:48:53 [Karen]
- John: we talked about scoping
- 00:48:58 [Karen]
- ...and let things get out of hand
- 00:49:03 [Karen]
- ...FIDO is an example
- 00:49:09 [Karen]
- ...has a definable thing to do
- 00:49:13 [Karen]
- ...nut is pretty simple
- 00:49:18 [Karen]
- Wendy: fantastic
- 00:49:24 [Karen]
- ...if you have other comments to write on cards
- 00:49:27 [Karen]
- ...please do
- 00:49:40 [Karen]
- ...we have been gathering the cards and clustering them to think about what else to discuss
- 00:49:43 [Karen]
- ...John, thank you
- 00:49:47 [Karen]
- [applause]
- 00:49:53 [Karen]
- ...that brings us to the end of the day
- 00:49:58 [Karen]
- ...we had scheduled some agenda bashing
- 00:50:07 [Karen]
- ...looking over tomorrow's agenda
- 00:50:13 [Karen]
- ...we hope you will generate more ideas
- 00:50:27 [Karen]
- ...and as we talk over dinner and dream tonight, write them down and share them tomorrow morning
- 00:50:31 [Karen]
- ...and we will look at these clusters
- 00:50:41 [Karen]
- ...and see if we are capturing the high points of what we should discuss
- 00:50:45 [SarahSquire]
- SarahSquire has joined #auth-id
- 00:50:49 [Karen]
- ...and what do you want to take away from this meeting tomorrow
- 00:50:58 [Karen]
- ...we will get a sense of a heat map of the group's interests
- 00:51:05 [Karen]
- ...tomorrow we will vote with red and green dots
- 00:51:16 [Karen]
- ...if you are motivated, concerned, frightened, want to work on an idea
- 00:51:22 [Karen]
- ...what is it we want to drive our energies toward
- 00:51:25 [Karen]
- ...Some of that
- 00:51:35 [Karen]
- ...and a survey of current work; avoid mistakes and minefields
- 00:51:37 [kenrb]
- kenrb has joined #auth-id
- 00:51:38 [Karen]
- ...breakout sessions
- 00:51:48 [Karen]
- ...At W3C we have incubation and spec development
- 00:52:06 [Karen]
- ...many members want to see fleshed out ideas for specs before moving to working group
- 00:52:14 [Karen]
- ...we have heard from different Community Groups
- 00:52:24 [Karen]
- ...see what is ready to move to WG, what is ready for incubation
- 00:52:29 [Karen]
- ...come back to more discussion of that
- 00:52:39 [Karen]
- ...any warnings or concerns; anything that makes you jump up
- 00:52:56 [Karen]
- ...what are your biggest fears about this tech, interop, breakage, warnings we should be hearing
- 00:53:19 [Karen]
- ...Agenda also includes discussion on different cultural and economic perspectives
- 00:53:31 [Karen]
- ...we hear a lot of Western and first world perspectives
- 00:53:35 [manu]
- q+ to note that sarah was supposed to speak after john...
- 00:53:44 [Karen]
- ...we need to hear from other regions and other perspectives there
- 00:54:00 [Karen]
- ...we have some roadmaps for some future looking into DIDs and Verifiable Claims
- 00:54:02 [manu]
- q-
- 00:54:03 [Karen]
- ...authenticators
- 00:54:09 [Karen]
- ...where folks from browsers
- 00:54:17 [Karen]
- ...where identity intersects with their work
- 00:54:26 [Karen]
- ...where should we all be going inside and outside of W3C
- 00:54:35 [Karen]
- ...to help lead the web to its full potential
- 00:54:40 [Karen]
- ...If there is something you don't see
- 00:54:46 [Karen]
- ...shout it out now, write it down on a card
- 00:54:51 [Karen]
- ...I am emphasizing the cards
- 00:55:08 [Karen]
- ...we want to hear from people who are not participating in the Q&A; we want to hear from everyone in the room
- 00:55:17 [Karen]
- ...Whether or not we do or do not hear more questions
- 00:55:27 [Karen]
- ...regarding dinner, we have 6:30pm reservations
- 00:55:33 [Karen]
- ...Tony, anything about logistics about shuttles?
- 00:55:40 [Karen]
- Tony: We will have to order a shuttle
- 00:56:12 [Karen]
- Tony: the restaurant is called The Boardwalk
- 00:56:34 [Karen]
- Tony: as far as agenda is concerned
- 00:56:44 [Karen]
- ...I would like to see more use cases presented
- 00:56:56 [Karen]
- ...@ submitted one to the list that I would like to see presented
- 00:57:04 [Karen]
- ...I think Mary had some work to do
- 00:57:09 [Karen]
- Mary: some time tomorrow
- 00:57:14 [Karen]
- Wendy: thank you
- 00:57:25 [aaronpk]
- is it "Boardwalk by Maria Hines"?
- 00:57:39 [Karen]
- Wendy: anything else for general discussion?
- 00:57:42 [Karen]
- ...Thank you everyone
- 00:57:50 [Karen]
- ...Thank you, Manu for scribing remotely
- 00:57:56 [Karen]
- ...and Jeff and Karen for scribing
- 00:58:04 [Karen]
- ...and all who have shared in the discussions
- 00:58:10 [Karen]
- ...look forward to a great second day
- 00:58:13 [Karen]
- [adjourned]
- 00:58:18 [Karen]
- rrsagent, draft minutes
- 00:58:18 [RRSAgent]
- I have made the request to generate https://www.w3.org/2018/12/10-auth-id-minutes.html Karen
- 01:10:08 [gannan]
- gannan has joined #auth-id
- 02:56:43 [gannan]
- gannan has joined #auth-id
- 02:57:27 [gannan]
- gannan has joined #auth-id
- 03:17:56 [gannan]
- gannan has joined #auth-id
- 03:18:13 [gannan]
- gannan has left #auth-id
- 04:28:17 [Jiewen]
- Jiewen has joined #auth-id
- 04:53:13 [kenrb]
- kenrb has joined #auth-id
- 04:54:46 [jzcallahan]
- jzcallahan has joined #auth-id
- 07:44:09 [kenrb]
- kenrb has joined #auth-id
- 08:11:12 [Zakim]
- Zakim has left #auth-id
- 09:01:23 [kenrb]
- kenrb has joined #auth-id
- 11:03:26 [jzcallahan]
- jzcallahan has joined #auth-id
- 13:25:32 [kenrb]
- kenrb has joined #auth-id
- 13:26:35 [kenrb]
- kenrb has joined #auth-id
- 14:08:25 [kenrb]
- kenrb has joined #auth-id
- 15:57:36 [gannan]
- gannan has joined #auth-id
- 16:13:37 [kenrb]
- kenrb has joined #auth-id
- 16:38:40 [Zakim]
- Zakim has joined #auth-id
- 16:38:47 [wseltzer]
- rrsagent, bye
- 16:38:47 [RRSAgent]
- I see no action items