<scribe> scribe: manu
wseltzer: Hi, my name is Wendy
Seltzer, W3C - glad to welcome you here.
... Thank you to Tony Nadalin and Microsoft for hosting
us.
... We're looking forward to the next two days of discussion,
brainstorming, and socializing around Strong Auth and
Identity.
Tony N. covers location of emergency exits, bathrooms, and parking. Assistance help, medical emergencies help, etc.
wseltzer: Very briefly,
introducing the day and goals of the workshop at a high level -
logistics, getting conversation going, etc.
... We use IRC for realtime minuting and discussion... to
connect to the wifi - MSFT Guest and use the code on the
board.
<jeffh> :)
wseltzer: We are thrilled to have
everyone here - just a quick intro to W3C - our goal is to lead
Web to its full potential... we work on voluntary consensus
standards.
... We put workshops like this on to bring people together,
lots of work is happening here and outside of W3C - if we can
be a forum for conversation, great, if it happens elsewhere,
great.
... We are not the exclusive endpoint of work, but one possible
place to bring that work.
... We are committed to Web for All.
... We operate under Royalty-Free patent policy - this workshop
is not Recommendation track, contributions here are not yet
contributions that are governed by patent policy. Our goal is
that specs should be implementable RF wrt. patents /
copyright, etc.
... We are a member consortium, we depend on members to
participate - hope to keep that infrastructural work going -
475 members from all sorts of places.
... We operate workshops under a code of ethics and
professional conduct - if anyone has an issue, find wseltzer or
someone else in W3C Team. We want to make sure this environment
enables everyone to feel safe, respected and heard.
... We are working in difficult areas, standards work well for
technical problem, good enough technical problem, and find a
common resolution.
... This all depends on you and the broader community to make
sure these things work effectively.
... We want to hear from everyone - you have cards, on those
cards, you can write down questions/comments/concerns - we will
use those to fill into Q/A and discussion that follows... we
will also have dots for voting, mark areas of particular
interest/concern.
... We will have breakout sessions where we are gathering in
smaller groups... W3C process for consensus ... these are
preliminary directions/ideas... feel free to toss out ideas,
but don't worry that if you're not in a group that you're going
to miss the opportunity to provide critical input.
... Also another part of getting together is social - Tony has
found us space in a nearby on campus restaurant.
... This is pay your own way, but pay your own way... ~$20
minimum - interested and expecting to come tonight?
tony-tr: There is good beer/wine.
wseltzer: Does anyone need a shuttle?
<aaronpk> looks like all hands raised except a few
<kenrb> almost everyone raised hands
tony-tr: I'll get a couple of shuttles.
Scribe notes roughly 60+ people raised their hands.
wseltzer: You can make off the
record statements... let us know if you want something to be
off the record.
... We can do queue management via q+
... We can capture what's going on at workshop... everyone is
capable of adding things to minutes.
<chrisboscolo> sorry you can't be here in person, Manu!
wseltzer: Thanks to the PC and
Manu and the rest of the PC for putting all of this
together.
... Thanks to Tony and Microsoft for hosting us here... our
goal is to move things quickly. Please add slides to google
slide deck.
... You can email me to put material on Google Slide
deck...
Kaliya: Hi, passed around cards
to all of you - purpose of the workshop is to build mutual
understanding across strong auth and identity projects, to do
that, we're trying to gather as much input as possible.
... We want to find potential connections between your work and
work being presented.
Slide Directory for presentations -- https://drive.google.com/drive/folders/1Oldmw0i1NKhJJwKflG4X9egqP6LLySA2
Kaliya: We want questions,
concerns, connections that you're seeing - we'll collect them
after each of 7 presentations, we want to get a sense of the
room about each of these.
... Please put number on the card, and questions/concerns --
this can be made anonymously.
... We will collect them after each presentation.
burn: We are going to go through
this quickly, this is a quick overview.
... When we talk about VCs, what do we mean by that?
Slides: https://docs.google.com/presentation/d/11hm-ajsLzroPmA-BcC2TryqAhKsF3jZ_wxHDnyUi_pg/edit
burn: There are all sorts of
things we use today quite successfully - we wanted to duplicate
that in an electronic form.
... We would show age/drivers license -- we're switching to
education credentials - diplomas for example.
... Diploma is interesting... I have PhD from Oregon, which was
acquired by another school... that school doesn't exist
anymore... that org might not exist anymore in any form... we
want to make sure we cover use cases like that... we are
interested in cryptographically verifiable credentials.
... The work on VCs are just on a data model, not on protocol
yet... issuer/verifier -- we don't define ecosystem
normatively, but it's hard to talk about this w/o suggesting an
ecosystem.
Slide 3
burn: When we talk about
Verifiable credentials... issuer issues to holder... holder
holds on to it... verifier asks for credential from
holder.
... In this model, a VC contains credential metadata, claims,
and proofs... the identifiers can be cryptographically
controllers, but issuers can also be identified.
<achughes> burn: the verifier is the one seeking verification
burn: What is a claim - one statement about a subject, Pat is over 21, for example.
burn: Here's an example in
JSON-LD Syntax... we are defining a data model, and showing how
you can use different syntaxes...
... At some point there is a realization of the syntax... the
main thing I want you to see is that there is an ID for the
credential, there is some type information... from perspective
of user... they are just using ProofOfAgeCredential... etc...
we have an issuer field, when it's issued, the part in red is
the actual claim.
... We used to call this a "claim"... now we call this the
"credentialSubject" - the id represents the subject of the
claim... the property is ageOver and the value is 21.
... There is a proof... the details don't matter... there is
just a proof on there... we do have some suggestions on
cryptographic proofs, but lots of this is
flexible/variable.
... We also talk about presentations... issuer, holder,
verifier - it's actually a verifiable presentation by holder to
verifier... it's for multiple credentials, often about same
subject... identifier, some metadata, claims or some whole
credentials... main idea w/ presentation is something that
holder can pull from multiple credentials.
... What are verifiable credentials and what are they not?
Slide 8
burn: VCs allow an issuer provide
a statement of fact... holders hold on to them, verifier can
see if the statement hasn't been tampered with.
... VCs don't represent verified truth... just who claimed
what
Slide 9
burn: This work is being
standardized right now in VCWG... in scope is data model and
syntaxes...
... We are looking at JSON-LD... and JWT...
... We do not have browsers in scope... we do not define
protocol... we don't address "Identity on the Web"... we're
just providing VCs.
... out of scope work could be chartered in future WG...
Credentials CG is looking at these items...
... We have a spec, we're trying to wrap up ZKP and JWT
support... we have done some Horizontal Review (non official)...
expecting CR very soon.
... We have test suites, use cases... (slide 10)
... If you are curious about use cases... take a look at use
cases document...
... Details of pictures are W3C Member Confidential... in
commerce, there are governments, banks, large websites, using
VCs.
... In trade, DHS, CBP, Canadian Provinces... importer,
exporter, etc. are some target use cases... real adoption
here.
slide 13
burn: Are there questions?
<wseltzer> dirk_balfanz
dirk_balfanz: If you are concerned w/ data model - some credential, over 21, you want to know if *I* am over 21...
burn: There is plenty of discussion around subject != holder.
JoeAndrieu: Use Cases talk about that use case - we are looking at things that are out of scope in protocol... but important to get a holistic view of things.
burn: Anyone can make any claim
about anything... if you look at the ID in red, that's a DID,
this is where you may start seeing use for DIDs.
... Control over the identifier is an interesting question
we're going to hear about soon...
tony: In looking at the current
spec, it still looks like JSON-LD is the language, it looks
like you're going to wrap regular JSON or other types of
JWTs/CWTs - get a little concerned... those get quite large,
little concerned around size of expression.
... We're not looking for just users making these statements,
we're looking for devices... concerned around size of
claims.
burn: Is that a question or
statement?
... I'm not going to talk about the merits of one format of the
other... as a Chair, we have been asking for feedback from
others for the entire lifetime of WG... we do have people
looking at other formats.
... We do have folks that are looking to support other
expression formats.
Oliver: We have a pull request in for JWTs - we do have a shorter expression to avoid duplication in JSON-LD... issuer could become iss field.
<kimhd> Minutes and PR: https://www.w3.org/2018/11/19-vcwg-minutes.html
<kimhd> https://github.com/w3c/vc-data-model/pull/267
burn: We have welcomed participation, we would like more input... we'd like help wrapping up what we have... additional proposals to recharter.
Sarah_Squire: Proposal in Ethereum community ERC725 - are you working w/ them.
<Zakim> manu, you wanted to note that we're trying to be agnostic.
<wseltzer> manu: we're trying to be agnostic. Lots of experiments underway
<wseltzer> ... the model has proven to be flexible
<wseltzer> ... It's true that some formats have big payloads that won't work for small devices
<wseltzer> ... could be that cwt or jwt work at different layers of the stack
<wseltzer> ... and licensing has a bigger payload
<wseltzer> ... different tools in the toolbox
wseltzer: Any further questions
for Dan Burnett.
... We're building up modules, understanding different
components that are available - different places that they
might be useful. Think about incompatibilities... ways we can
work together.
Slides are here -- https://docs.google.com/presentation/d/1BX8r1KoxvJSQIX3PtAOzOawirwBYyze9QlyIaAbBRrM/edit
kimhd: Hi, I'm Kim, CTO of
Learning Machine - work in educational credentials... co-chair
of W3C Credentials CG - also DIF Steering Committee.
... What is a DID? It's a new type of URL that is globally
unique, highly available, persistent, cryptographically
verifiable, and doesn't require a centralized admin.
... In education use cases, we want the recipient of a
credential to be identified using a DID.
... A DID is an identifier for a subject.
<wseltzer> [slide 3]
kimhd: here we have did:x:123 as
the identifier for the subject.
... What does a DID look like?
slide 4
kimhd: we have a scheme "did:",
then "DID Method", then did specific string.
... There are examples of what these look like at the bottom of
the page...
... Globally unique identifier - in many of these cases, you
can self-create your identifier... prove that you control it,
no central admin can take it away from you.
... Each DID Method must specify a set of mechanisms - Create,
Read, Update, Delete (aka revoke)
<wseltzer> [slide 5]
kimhd: One critical part - DIDs
resolve to DID Documents - we have a Veres One identifier here
- document it resolves to - contains authentication mechanisms,
public key material, services...
... markus_sabadello is going to talk about that next... DID
Resolver is retrieving DID Document.
<wseltzer> [slide 6]
kimhd: So, DIDs resolve to DID
Documents... let's look at specific DID resolution
process.
... This is saying we're using the BTCR method spec, run it
through the universal resolver, produces a DID Document.
... identifier tells you which block, which transaction, to
find the transaction in.
... Resolver knows, per method spec, how to get information,
how to return this thing.
... so, DID Document has keys, authentication, services,
signatures, timestamps.
slide DID Document
kimhd: This document has been
incubated at RWoT and IIW, currently draft in W3C CCG,
protocols and prototypes at DIF, there is a DID Method
Registry, DID Auth, DID Resolver...
... We'd like to discuss a DID Working Group at this
Workshop.
tonyn: What do you expect to
standardize?
... There doesn't seem to be cross-blockchain interop... I need
different DIDs on every blockchain... who is going to run the
registry... concerned around transparency of resolvers...
kimhd: Interop first - that's the
big part... what's the content of the DID Document, that
describes how interop is possible...
... DID Auth, for example, needs that document....
ChristopherA: There are a couple
of different issues here - DID authenticates DID Document,
strongly make claim about DID Document... that document can
contain other key material from other places... including keys
that are compatible with say a different blockchain w/
different proof formats, PGP keys in there, information that
lets you allow you to leverage FIDO.
... There are things like sigma proofs, ZKPs, private keys in
one curve equivalent to private keys in another group... it's
premature to pick a method, maybe at some point the market will
say there is one, two or three that are dominant... but reality
now is that there are multiple DID methods.
kimhd: We are starting to
categorize DID Methods.. BTCR and IPLD are ones where, if you
are comfortable w/ using that technology, you can create them
and use them in some way... depending on registry
authentication, you can start using that now... truly
self-sovereign identifiers, I create them, no one can take them
away from me.
... In other cases, private/permissioned blockchain, those
enable different properties - for example Guardian models...
batch registration of individuals... some depend on properties
of the blockchain itself... which use cases argue for which...
we don't do guidance yet, DIF may do that... W3C is not in that
role.
... People will have those questions... you don't want to use
something on a blockchain that can't be rewritten... part of
strength of it, something we're getting feedback on
ecosystem.
tony: Who is going to run the registry, how scalable is it, who would pick up the registry
ChristopherA: We are talking
about the DID Registry - you can reserve the DID Method... not
a DID Registry.
... The requirements to have a proposal are very small... as
you move up the scale of maturity, we will have requirements
for what you have to do to do that.
<shigeya__> BTCR DID Method https://w3c-ccg.github.io/didm-btcr/
ChristopherA: We need to allow for innovation right now... there is nothing that says one has to support every DID method, for example... don't use BTCR unless you need technology.
kimhd: We can come back to that - would like to focus on breadth
Kaliya: This dynamic is also what
these cards are for
... If you have thoughts/comments/questions - please write them
down on paper right now.
hober: Does the DID Method
registry just let people know what an unregistered method
is?
... Is it relatively straightforward to serve static JSON and
hook into all of this?
kimhd: Yes, we can look into examples.
Pete: If I wanted to add a new DID, how do I get resolved?
kimhd: There are different resolvers - which methods they support is up to each resolver... part of value is that each DID method and how you perform its operations... write any resolver to note your test case... it's not going to be prescriptive.
wseltzer: Thank you very much
Kim... next up... Markus to talk about DID Auth...
... Keep questions and comments coming throughout two days
here...
Slides -- https://docs.google.com/presentation/d/1TSMW5hckaaaybpV9OVeNbWO1QE_OsMP3Pc3GovAfvjw/edit
Markus: Hi, working in CCG and
DIF, and Sovrin... DID Auth is more of a concept rather than a
spec... makes a lot of sense to have a concept... DPKI for
DIDs... and what they enable.
... Using a DID Resolver to authenticate - you have DID, you
have key material associated with that... control the
identifier... not about proving we're over the age of XYZ, we
just prove that we have control over a DID.
... We worked on a paper around Rebooting the Web of Trust...
looked at DID Auth - Kim noted authentication.
... Authentication block points to public key - who has control
of the DID? If you have public key information, you can know
that anyone that has private key is authenticated.
<wseltzer> [slide: DID Auth Example Architecture]
Markus: This is one example for
uPort - web page - mobile app authentication...
... With a mobile app, private key corresponding to DID, I can
provide response to QRCode - post it back to web page...
important, web page uses DID Resolver to find DID, then find
public key, then verify that the signature on the
authentication was signed correctly.
... This is just one of the possible flows.
... We tried to analyze this stuff - different scenarios /
different flows - there are many, so DID Auth isn't just one
thing... it's a family of things that are being explored.
... There are many transports, HTTP, QR, etc....
... There are many more flows... observation - we were able to
draw all of these flows where there are two parties... if we
look at traditional models, we usually have 3 parties... but
this one has 2.
<wseltzer> [slide 7]
Markus: I control a certain identifier - trust relying party - individual - all sorts of different transports...
<wseltzer> [slide 8]
Markus: There are also people
that are using different data formats internally... we will
reuse things, but as I said, DID Auth is not trying to come up
w/ a new authentication protocol... but reuse where
possible.
... I have seen JWTs... we can also see JSON-LD VCs...
self-issued VC....
... We have been thinking a lot about OIDC + DID... also
looking at WebAuthn + DID...
<wseltzer> [slide 10]
Markus: We've done some initial
thinking - working w/ OpenID Connect protocol, where we use
self-issued OpenID ... one way this could be done is to have
personal openID connect provider... protocol could be used,
similar with WebAuthn... FIDO... could reuse that.
... There are other experiments around DID-TLS, DID-based HTTP
Signatures... DID-based PGP... using DIDs in SSH.
<wseltzer> [slide 11]
Markus: Some things to consider
for the workshop - how would a DID Auth relate to VC exchange
protocol?
... Other DID Auth principles... We may want to meet some
principles, otherwise it's not DID Auth... for example,
identifier stays the same... rotate keys, change service
endpoints, change OID endpoints, authmethod, but we continue to
always be able to prove control of the same identifier.
wseltzer: Questions from the room?
JohnB: I may beat Tony to some of
these questions ... In a number of the flows that you put up,
potentially they are a step backwards from a security
perspective because they're phishable... we need to make sure
we're not going backwards from a security perspective.
... I would even step back a bit further and question - is the
use case for DID Auth actually authentication, or is it more
appropriately proving presentment of VCs.
... We do have pairwise privacy preserving WebAuthn... even
Apple is deploying it... do we actually need to present
correlatable claim, or should we look at the best
mixture?
... Some have said we need new authentication method when that
may not be the best path.
Markus: Lot of questions - let's keep the benefits of existing things... not be phishable... concept of DID Auth is that we have an identifier that cannot be taken away from me, I can rotate keys, I can rotate metadata out... I think OIDC or WebAuthn don't provide that out of the box.
JohnB: The argument that you need
to rotate credentials is making presumptions about how they're
stored... I don't buy into the premise that a DID is required
because you need to rotate private keys, not arguing that there
are not use cases for DIDs, let's find the right use cases for
them.
... For purely pairwise pseudonymous auth, I don't believe a
DID having a public key published is a requirement.
Daniel: A couple of things on the
business side (from Microsoft perspective)... would love it if
people used LinkedIn for everything (Microsoft property) -
Universities didn't really want to sign up to single entities,
because of corporate identifiers controlled by something other
than University.
... So, there is a strong business use case for DIDs... large
entities that don't want other large entities to lock them in
via identifiers.
... There are also use cases around progressive trust... you
start out pseudonymous, but then upgrade over time. For
example, FIDO doesn't cover the use case for expressing
services around DID Documents... granting access to my data
storage service.
Tony: I get concerned around methodology for DIDs... you don't actually know if person that created the key is doing the DID Auth itself... you can do this in FIDO... authenticator is a device that you control. I'm not seeing end to end comprehension of how you keep keys safe and to the actual creator of the keys. How do you prove that situation in DID Auth.
ChristopherA: I think part of the
problem here, we're overinflating the use of keys, for
simplicity purposes, you see DID Document up there - presuming
that private key is in a file some place...
... That is a gross simplification, we can keep separate
keys... we don't call it a signature block, there might be a
variety of different types of proof... for example, if I issue
Verifiable Credential covering you for 1 million dollars... I
want a higher spec of authenticator/proofs before I give you
that verifiable claim.
... DID Documents enable you to use all of this stuff... we
need people that have experience with these systems. All the
perils of mixing authn w/ authz... but at some point we need
something like a DID Document... just because someone asks for
a VC or other things, doesn't mean I have to give it to
them/comply... or they have to accept.
Dirk: Where do you see DID and
DID Auth fit into the larger picture... I think I understand
VCs... I want to prove my age, SSN, I thought DIDs were a means
to an end...
... One way I could do that, who are you?, I could provide DID
and DID Auth, prove that's who I am... find something in DID
Document, claim I'm over 21? Am I seeing that right... how is
DID connected to VCs?
Markus: We don't put VCs in
public ledgers...
... DID Documents are for looking up key material and
services.... not VCs.
... There are no claims in DID Document, only metadata required
to verify VC material...
... DID Auth is just a high level concept so far...
... No assumptions about documents are in ledger, where keys
are stored, where hardware wallets are... etc.
wseltzer: We have a queue... and then break...
<wseltzer> JoeAndrieu: None of these components yet is identity assurance
<wseltzer> ... the proof that you are the person who can make these claims
<wseltzer> manu: it's not either or
<wseltzer> ... we're trying to combine elements of the prior art
<Zakim> manu, you wanted to note FIDO + DIDs are complementary.
<wseltzer> ... authentication flow that takes FIDO key material into a DID doc and uses HW token to identify
<weiler> manu: I hear in this discussion a perception of an either-or thing. the experiments going on right now .... there is an auth flow that takes a FIDO authenticator, puts the credentials in the DID document
JoeAndrieu: For VCs and DID and DID Auth - none of those is sufficient for identity assurance... whether the key is on a hard drive, or on a hardware authenticator, we can't prove that person controlling device is the person... it's a strong factor.
<weiler> ... There is a a lot of work around blending these models rather than picking one.
<oliver-terbu> +1 manu
markus_sabadello: We did quite a bit of work around blending models at IIW.
Everyone takes a break, socializing, expect to get back into OpenID, JWT/CWT, etc. use cases.
<wseltzer> [break for 30min]
<wseltzer> Slides, Modern Authentication
<inserted> scribenick: wseltzer
[slide 2: How Security Keys Work]
JohnFontana: presenting slides
[slide 3: Registration]
JohnFontana: FIDO2 is an umbrella
term for WebAuthn and CTAP
... CTAP at FIDO, WebAuthn at W3C
[slide 4]
scribe: CBOR is the CTAP data format
[slide 5: WebAuthn]
scribe: create and get strong authentication
[slide 6]
[slide 7]
scribe: Thanks to Pam for this map
<Mitja> Can you please reshare the link to the presentation?
[slide 8: state of state]
<Mitja> thank you!
[slide 9]
TonyNad: IETF discussion of
EAT
... device attestation about provenance, devices,
ecosystem
... we use these attestations in WebAuthn and FIDO to
understand key provenance and strength
... you may not want to accept authentication from weak device,
TEE
... At Prague IETF will probably try to form a WG
... CWT, JWT for devices, compact
... looking to do in generic way
... data models for device, what type of device
... indirect and direct attestations
... want to be compatible with OAuth, JWT, CWT
... use existing verification libraries
<ChristopherA> Queue is closed
dirk: deliberately
lightweight
... 2 party system: authenticator on client, relying
party
... by design , the keypair I generate for e.g. Google, will
never be known to Github
... roaming authenticators, keyfobs, will be
single-factor
... second use case, bring touch ID, Windows Hello
<jeffh> scribenick jeffh
dirk: to the web platform
<manu> scribenick: jeffh
oliver-terbu: are there implications on the challenge itself?
john_bradley: challenge is hashed, in clientdata you get orig back, ...
ChristopherA: how much of web stack are part of webauthn spec? can things that are not webservers leverage webauthn if they don't wanna leverage JS stacks?
<brentz> ChristopherA: can things that aren't web servers leverage Web Authn?
john_bradley: it depends, and OS platform can impl webauthn-like APIs
<wseltzer> jeffh: WebAuthn
spec defines protocol between authenticator and relying
party
...: are they webauthn-like? windows' platform webauthn api
is
<wseltzer> ... it can pass through whatever stack is in the way
oliver-terbu: who is issuing these EAT attestations? are they some kind of certification for the authenticator itself?
john_bradley: at moment webauthn does not use EAT attestation, we already have various attestation formats, can add EAT if it's appropriate, can't have too many standards :)
chris boscolo: what if authenticator is lost and one needs to re-register?
john_bradley: that's RP specific, but thinking is that one has both roaming and platform authenticators and one can use either to re-register at the RPs
tonynad: webauthn wg working on this, one idea is to have a 'backup authenticator' which allows one to re-register
<Zakim> ChristopherA, you wanted to How about additional key types, in particular secp256k1 used by bitcoin & ethereum
christophera: i have need for type of crypto that uses SECP-256 curve, how do we ensure how we get those key flavors supported?
john_bradley: we already have alg agility in the protocol, plus Mike Jones will be talking about this in a few min....
sam weiler: <missed question>
john fontana: <mumble>
markus_sabadello: question wrt UX eg if one registers a DID rather than a public key, can leverage that in many ways.... thoughts?
john_bradley: in principle, yes, though much to sort out there
next speaker: Rae Hayward, fido
<wseltzer> [same slide deck]
<wseltzer> [slide 12]
Rae's slides are in the '05 - Day 1 - Understanding WebAuthn, CTAP, EAT, FIDO and Authenticators' deck
<wseltzer> [slide 15]
<wseltzer> Rae: ROE=restricted operating environment
<wseltzer> [slide 19: Companion Programs]
<wseltzer> [slide 20: Labs]
<wseltzer> [slide 21: Expiration, derivative, and delta certification]
pamela: if an RP wants to accept only authenticators of L3 certification, how do they do that?
rae: the certification level will be in metadata, plus fidoalliance.org lists certified devices
scott david: on the delta certification, when org learns certified device is now different, what happens. e.g., pci "compensating controls", plus ecosystem feedback can be fed back into spec development -- what about FIDO's processes?
rae: the security secretariat has processes to notice such things and feed info into working group....
PindarHK: can you tell which lab
did original certification? <missed rest>
... can determine provenance of the lab that performed
certification?
rae: no, that's not public info, do have internal mechanisms that would know this
Mike Jones presenting
+ John_bradley
<wseltzer> Slides
<wseltzer> [slide 3]
<wseltzer> selfissued: (Mike Jones) JSON Web Token
[slide 4]
<tantek> speaker: "JSON-LD requires canonicalization to RDF in order to sign" [interesting I didn't know that.]
[slide 5]
[slide 6]
<manu> tantek -- well, no, that's not correct...
<manu> tantek, You can dump JSON-LD in a JWT w/o needing normalization/canonicalization.
<manu> tantek, if you want to do LD-Proofs, then we have chosen that it's best to do RDF Graph Canonicalization (the benefit being that you can have the same signature expressed in a variety of different syntaxes w/o having to recanonicalize)... so you sign the information.
[slide 9]
[slide 10]
[slide 11]
<wseltzer> John_Bradley: extensible. There's a set of core statements, and others can be added
[slide 12]
<wseltzer> selfissued: New work. THose interested should talk to us and participate
selfissued: specifically the CBOR
web token (CWT)
... RFC 8392
<wseltzer> John_Bradley: complementary to webauthn, not competitive
<wseltzer> ... OpenID Connect is about federated claims and API access
<wseltzer> ... should probably use WebAuthn for authentication
<wseltzer> Chrisboscolo: how do relying parties learn about self-issued identifiers?
chris_boscolo: wrt self-sovereign, is there a way for an individual to assert that they are speaking for themselves?
PeterWatkins: aggregated claims? more about that?
<wseltzer> https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims
selfissued: if you search for
'openid claim' you can find it
...: see above
<wseltzer> JackCallahan: How does mobileconnect differ?
JackCallahan: what are the differences between mobile connect and openid connect
john_bradley: <describes nuanced facets of the relationship>
self_issued: gsma certified their core implementation with the openid connect certification suite
oliver: w3c VC WG is working on JWT representation -- how <missed it> ?
selfissued: that's stuff we can discuss
joeandrieu: can i use my own crypto identifiers to make use of other's claims
selfissued: sure, that's an aggregated claim....
john_bradley: the spec talks
about how that's done syntactically, it is work for the reader
as to how the relationships between the parties are actually
arranged and maintained
...: you'd use some sort of proof-of-possession to logically tie
the claims together
Aaron Parecki presenting
[slide 13]
<wseltzer> [slide 13 begins AaronPK's presentation]
[slide 14]
[slide 15]
[slide 16]
[slide 17, 18, 19]
[slide 20]
[slide 21, 22]
[slide 23]
[slide 24]
[slide 25]
<wseltzer> aaronpk: take OAuth and add constraints
[slide 26]
[slide 27, 28, 29]
[slide 29, 30]
[slide 31]
pamela: how does client authn piece of this work?
aaronpk: clients are all identified
by URLs as well. instead of 'pre reg', it is just use the
domain name
...: taking the idea of 'public clients' and extending it to
all clients
markus_sabadello: it is not openid connect, it is oauth, why?
aaronpk: this is solving a smaller
scope than OIDC -- is the presenter of the URL in control of the
URL?
...: wrt webfinger, we are using HTTP link-rels and so it is more
simple, don't see much use of webfinger in this
kaliya: how is this different than openid 1.0?
<tantek> "OpenID [1.0] only solved half of that"
<tantek> "OpenID Connect went away from solving that problem [users bringing their own identity]"
aaronpk: is pretty similar. openid connect drifted away. indieweb adds in api access tokens to orig openid ideas
kaliya: what do after lunch,
invite room to chime in on what all we've heard this morning...
everyone gets a white card, question we want u to answer by end
of lunch is: from where you sit, what do you want to see happen
in terms of work in next 2..5 yrs; alternative question: what
is the biggest concern you have wrt what you heard this
morning?
...: then we will get together in groups and sort through this,
and boil it down and discuss in the entire group.
... your job for lunch is to answer one or both of the above
questions
... only 30 min for lunch and question answering
<wseltzer> [lunch]
<inserted> scribenick: manu
Kaliya: What you're going to do
in the groups... briefly say who you are, read out your card to
the group, ask clarifying questions.
... Talk about concerns, each person has two votes to give to
two other cards... you're six people... you get to say "I think
that idea is really important, or that concern is really
important".
... 12 votes in each circle.
... You don't vote for your own card. :)
... So, out of the six things, you get to pick your
favorite.
... Don't vote twice for the same one.
... Someone else might share your concerns, keep that in
mind.
... You're going to be in a group of six, then discuss for 20
minutes, then scramble the room. talk to six new people, do the
same thing... find out whose card had the most votes on
it.
... The point here is to get group intelligence to work... I
will track time, will check in with the groups... close
computers completely, groups gather, etc.
... If you create new ideas, we'd love to hear about them.
Write them down.
... Each card with a tally, any additional outputs, we're happy
to receive them.
... If you came from the same company, you cannot be in the
same group. Six people in a group.
Breakout sessions are forming... magic is happening.
Kaliya: First segment, we'll hear all concerns... let's hear work items.
achughes: Within next 2-5 years,
in industry and psychology circles, identification and
authentication are different things.
... Saying that you're doing authentication when you're doing
identification is not useful for market clarity.
JohnB: Separation of concerns - separate authentication and attribute provisioning ceremony so they're understandable.
Kaliya: Any other cards that are similar to this?
Rae: Privacy - do privacy by design - concerned that I didn't hear that.
@@@: We brushed away identity assurance facility today -- what about end use case, verify identity -- how do you trust the identifiers, the exchanges?
Dirk: I want my browser to know who I am, and responsibly surface that based on my instruction.
Jiewen: Concern and work item - for web authentication - how do we provide for small parties, small providers - could we bridge OAuth and OpenID?
<aaronpk> s/my instruction.,/who I am/
kimhd: Interop prototypes - educational credentials, I don't want to use a specific identity provider - think there is value in DIDs, enable people to have lifelong claims that they can prove control over... bootstrapping DIDs using WebAuthn or other identity solutions.
@4@: I'd like to see relying parties have a much richer and more diverse set of federation/identities... get away from Signon with Google/Facebook/etc.
aaronpk: Would like to take this not just for identity aspect, but for storage aspect as well.
Pam: Difference between having user be in one paradigm, or have a user choose between two paradigms... concerned we're going to the latter... discovery, registration, resolution, feel like we need to focus on these pieces.
PeterWatkins: Some of the
conversations were going past each other - some people are
operating in a different scenario... some want a peer-to-peer
model, no parties involved in transaction that don't belong
there... other people use existing systems, but very little
that we own/control.
... I'm not here with the view that we're going to try to
extinguish those... would rather run things through both
scenarios, see how they do... vs. zero sum trade off.
ChristopherA: I'm wondering almost the reverse - where is the line? Aadhaar, social credit, etc... those are the biggest identity systems today.
<wseltzer> ChristopherA: some places we don't want coexistence, e.g. social credit
Dalys: Hoping to see alignment for WebAuthn and DIDs.
@6@: Would like to see alignment that gives unified experience for subject that is trying to authenticate.
Will Abramson: I'm concerned with conflict between two groups...
Oliver: This isn't about WebAuthn and DIDs... don't reinvent the wheel... should we use mature standards like OpenID Connect and WebAuthn or something else?
Markus: How can we align DIDs w/ stuff that works already such as WebAuthn and OpenID Connect
@8@: I'd like to see industry adoption of DID-based identities...
TonyN: Clarity on why DIDs need to be standardized...
burn: Would like to see a DID WG formed at W3C.
Jack: Usability of these
systems... thinking about it from the user's perspective.
... Approaching it from the users perspective - registration,
recovery, etc.
Tom: Usability that doesn't suck :)
@10@: More along the lines of what I didn't hear - how are these bound/linked to a known and real person, if at all?
... consistency and trust in the bindings?
Kaliya: That's close to identity assurance...
weiler: Selective, permissionless, delegation - want WebAuthn and FIDO to have support for allowing people to have one of the credentials w/o the relying party saying no.
Sarah Squire: I'd like to see OpenID Connect community working with Ethereum community - gamification and incentives... there is no financial incentive
<weiler> I think solutions in this space will help improve backup and recovery, also.
Scott: Interested in seeing use cases clear - context of value propositions, use cases clear of sub data flows that are involved because each of those are gamable from business model, legal, etc perspective.
Mary_Hodder: My question was a meta question for the group - don't know how to place everything going on - what is framework for thinking about problem set and what does success look like?
karen: How do all of these building blocks work together?
@16@: Tightly scoped, standards based efforts, interoperable pieces ... how do we find those?
@17@: I'd like to see standards support for Decentralized Identity stack - we need multiple things in place for that to happen.
JimM: Layering of ID management, different rules for that.
@18@: Oftentimes in designs, there is a service that affects wallet, that should become clear, how wallets work.
BartW: Ensure adoption among private, public, and across both domains.
@20@: Remote authentication support for webauthn webauthz frameworks.
@21@: Validating identity proofing, risk of synthetic IDs...
... fabricated ID that
someone creates...
... online proofing vs. physical proofing.
achughes: We should probably say "identity assurance"
<achughes> achughes: The synthetic identity card should go with the ‘identity assurance’ card
@22@: Interop with other schemes, like GS1 ecosystem... GLNs, GTINs, LEIs.
@23@: Concerned to have centralized authorities onboard rather than blocking... centralized authorities are not always excited about decentralized solutions.
Pindar: Scalability - at what scale are we talking about... we're doing things about Internet scale... also concerned about Know Your Machine...
@24@: Adoption - will end users understand value proposition of DIDs, what they get?
@25@: Interop from the perspective of web developers - help browsers understand what APIs they should be understanding, with clear stories so developers can focus on stuff that's not passwords or authn.
Ken: Preserving privacy, let the user determine how that privacy is preserved.
<Karen> [Break Ends]
<Karen> scribenick: Karen
Government Segment Speaker: Peter Watkins, Province of British Columbia
Peter: I am with the gov't of BC;
I don't view myself representing a vertical, but a
government
... I cannot speak on behalf of the gov't or other gov'ts but
happy to bring my perspectives as a government guy
... first, you have to be precise
... In Canada, gov't can mean many things; different levels,
peoples
<wseltzer> Slides for the Market Verticals discussions
Peter: indigenous peoples also
act as own governments
... educational systems as well
<wseltzer> [slide 5]
Peter: We are small, 4 million,
but we operate across a great number of areas [reads
slides]
... and it's not an exhaustive list
... from an identity perspective, we operate at the base
... As it relates to the law; important to understand that
context
... We register births and deaths
... you don't exist or die until we say so [laughs]
... we run the corporate registry
<wseltzer> "legally, you're not born until we say you're born."
Peter: we create corporations,
societies
... we have a whole set of laws, each of which created
self-regulating bodies
... we say if you are a lawyer, doctor, nurse, accountant,
etc.
... all of these associations, affiliations, etc.
... and licenses and permits
... drive a car, commercial vehicle; dig a hole, inspect
machinery, etc.
... we have gov't machinery, processes and policies
... we operate the land title searches
... who owns what land; very important function
... and we allow registration of liens
... so a lot going on in our world for identity information
<wseltzer> [slide 6]
scribe: We have a legacy
system
... so we looked for something to scale
... we invented a BC services card and a provincial identity
management info program
... we leverage two things; the popularity of driving
... and we run one universal program, healthcare
... we created a drivers license and health care card
combined
... one card, one EMV chip to authenticate
... no personal information other than the chip number
... at this point we have enrolled 4.3 million BC citizens;
looking at a mobile app now
... we want people to be self-deterministic; and do it
digitally
... you met John Jordan and team
... they are advance hyperledger service
... take corporate registration records and encode them into
@...set up for a digital platform
... So gov't perspective on strong authentication
... We are damned if we don't do it
... your land registry is tied to Google account?
<wseltzer> [slide 7]
scribe: we don't own, control or
have accountability over that
... no effective recourse
... not clear to us what happens when things are lost, account
recovery process is difficult
... authentication tech can become a party to all of the
transactions that unfold; we don't think that should happen
that way
... public does not view they have much choice
... when we make our tech dependent upon others, they feel they
are forced to adopt something; gets us on the wrong side
... If we do it, we're also damned
... but this is important technology
... our small province cannot defend against the threat
model
... it is frightening
... You don't interact with gov't as much as other
entities
... every transaction can be a spin through account
recovery
... We don't like that our services would be party to the
transactions
<wseltzer> "every transaction is a spin through the recovery flow"
scribe: if we did verify your
identity, we can remember you at our counter and restore our
services
... but is that a bug or a feature
... our businesses are entwined globally
... we would not know how our own unique approach would
scale
... you don't sell provision it
... Lastly, there is a lending problem
... no one has mounted an argument about your traffic
ticket
... but if tied to benefits, then it's another story
[slide 8]
Peter: On identity information, there is Lou the person who wants to interact with digital services.com; dialogue box
scribe: dialogue box; we know we
will get called
... information disclosure related to that
... that we don't have in the real world
... we are looking for an architecture that would operate more
like real world
... last thing to bring is a sense of urgency
<wseltzer> [slide 9]
scribe: divide things into things
that are less or super important
... super important we are stuck in old world on important
things
... to light up upper box, we need trustworthy ID
... and we need better technical solutions
... That is my talk
Wendy: Do we have some quick questions for Peter on that use case?
Pindar: You highlighted legal
views
... for individuals and corporates
... have you talked about smart contracts?
Peter: I don't know
Scott: critical
infrastructure
... often those are privately owned; have you run into
arrangements with private infrastructure that will be more
reliable?
... services different in other contexts, but any analogies
used for critical infrastructure that could be used reliability
for gov't
Peter: In BC, we see emergence of
pan-Canadian trust framework
... gov'ts should be positioned as an effective regulator
rather than a direct provider
... you see that in financial services
<Mitja> can the link to all presentations (no google drive) be shared? IRC seems to break after a while and I'm not able to see history
Peter: but it is a mind bender to
set up to regulate identity providers
... that is my opinion
Scott: Maybe look at insurance which is a risk issue
Gregory: How much would be
regulation v. standardization and endorsement
... you mentioned the pan-Canadian trust framework, I am here
representing DIACC
Peter: Payment industry did a
summary on payment
... they discovered self regulating would be better; way better
for the industry to take over; far better way to go
Pam: you are unique in that you
have an ecosystem adopt your services
... how does it work that Police services adopt anything
different, such as the drivers' licenses
... how did you get people to buy in?
Peter: not a large digital
component; just starting this year
... healthcare, social services
... without the services card, they have gone down the road as
far as they can go
... light bulb is going on
... and they recognize they need the services card
... I think you will see services card adoption
... I started work on this in 2007
... program started officially in 2013
... now in renewal cycle
... have to go long
... you cannot push the public to this; you will get on the
wrong side of PR
... we used the natural expiration rate of the drivers'
licenses; just waited it out
Wendy: Thanks so much Peter
... next up is Allen Brown to talk about healthcare
Speaker: Allen Brown
Allen: my personal interest is ID
with respect to digital contracts
... Manu knows I worked on healthcare and life sciences systems
and asked me talk about that in this space
... start with an anecdote
... at Microsoft I worked five years for the Health solutions
group
... in 2009 there was a NATO delegation
... those of us interested in healthcare invited us
... delegation was led by an assistant secretary general of
NATO
... in another life he was a trauma surgeon
... his remit included field hospitals
... at time of Afghanistan there were 7 hospitals
... most NATO military orgs medical services are integrated
with national health services
... and field hospitals are meant to be the health
services
... so there were 7 field hospitals
... Secy General went on to talk about two Dutch marines and
two American operating in squads
... interoperations were walking over from one tent to
another
... Afghanistan had 1200 operational aircraft that know how to
broadcast communications
... but you could not do this for Marines was a standing
joke
... I want to specifically talk about a system we developed at
Microsoft called Amalga
... you have lots of patient data and you want to assemble a
data cube
... to have a single view of everything about the patient
... in doing that you quickly come up against lots of issues
about identity
... I will talk about four of them
... while Amalga was meant to extract data about patients from
electronic medical systems as well as from real time
feeds
... extract EMR, many systems are oriented around
payments
... have to go through payer who was paying for this
... or else it is difficult to extract certain kinds of
data
... have to extract the payer first to get to the
diagnosis
... Identity for providers is obvious
... give them access to patient information
... but something else goes on here
... much patient data is subject to interpretation
... you need to know who the interpreter is
... next is the data itself
... Amalga had origins in system done at George Washington
School of Medicine and Life Sciences
... because of its geo location in Washington DC
... it has access to many kinds of patients
... one CAT scan file was originated at one hospital and passed
to another
... need to make sure it's same patient and scan
... Amalga collecting data from many sources
... and identities of patients were different; mechanism to
coalesce identities is needed
... Patients who are largely treated through emergency rooms,
and each ER visit generates a new ID
... I created for them an inference system to assemble IDs into
a single individual
... that is story and the state of affairs as of 2016
... to the best of my knowledge, this situation has not
changed
... so I hope folks in this room can fix this problem
Wendy: We have a challenge in
front of us
... any questions for Allen?
Scott: economic challenges
inherent...providers don't want to share patients
... is there a threshold; how to get over the economic
disincentives
Allen: I don't see how it can
improve
... no amount of tech will fix the problem
Pindar: some kinds of data you want people to see, but not change it
Allen: not change the data
... it's about the five different IDs
... with IDs you want to infer they are equal and do in a
probabilistic fashion
... one set may be higher
... how you associate data, not change data
Mathias: how do you handle
privacy?
... different providers and data; how do you handle
privacy?
Allen: I am hearing more problems [laughs]
Wendy: thank you very much for
that presentation
... next up is Jim Masloski
Speaker: Jim Masloski
... I work with DHS
... we were developing proof of concept for certificates of
origin
... doing input process
... a group was tasked with process
<wseltzer> [slide 12 from group deck]
Jim: brought in different
people, US Customs, trade people, customs brokers,
importers
... parties responsible for capturing and setting the
information
... sat down to figure out how to do this on a distributed
ledger
... We were in a room for a day and a half to outline our
tasks
... how to target this process
... we started with 35 ideas and narrowed down to 5-6
simplistic ideas
... we found out who the actors were, what you would need who
would help develop the process
... Looking at import and export processes
... it was an eye opener for the group to see how to capture
that information, how it comes to you, and what the legal
requirements are
... we had the legal group with us
... always interesting when we say we want to capture x but
legal says it's against the law to do so
... we went in knowing it would be a challenge and a
work-in-progress proof of concept
... when we got through it
... I have put a transportation document up on the screen
<wseltzer> [slide 13]
Jim: we focused on the
verifiable credentials and ID management
... how to verify who was making claim and capture that
information
... this happens to be a load of light bulbs
... certain data a gov't makes available, certain information
stays private
... had to figure out how to make a legal, compliant
distributed ledger that improves the supply chain
... took agnostic approach
... cross-platform
... look at number of parties needing access to the system; we
used DIDs to identify the brokers, suppliers, US Customs, and
used Verifiable Credentials
... with distributed ledger we could identify products coming
in, the provenance
... communication between agency and supplier
... supply chain side, we could get supplier into the front
end
... supplier certified
... we added to transaction that crossed border, ID who owned,
who is responsible, so then US Customs could ask questions on
it
... we provided supporting documentation
... as a valid pre-trade claim
... from that standpoint it went well
... Biggest challenge was taking into consideration the legal
side
... hard to grab the information the way the laws are
written
... we were able to take advantage of the distributed ledger to
make these claims
... Looking at clusters of information; does that org exist
and is it an importer
... how do you certify this is a load of lumber, or an
automobile
... it all hinged on the DIDs, Verifiable Credentials and have
a process to capture the information and the proof
... there was significant time savings on these requests
... for example, where is the T-shirt manufacturer
... one invoice, one sku
... to claim differential rate; they would supply a pallet
worth of documentation
... with this process they could make the claim with info that
was on the ledger
... a huge advantage
... I liked it
scribe: we think it's a neat way to go
Wendy: thank you
Joe: What were some of the legal requirements?
Jim: parties to the transaction for example
<scribe> ...done in DIDs and Verifiable Credentials; participation from brokers, suppliers
Markus: what DID method did you use and what ledger?
Jim: I am a customs broker; I think it was a @ blockchain
Markus: but you used real
DIDs
Jim: we used customs data, transactions that were current and
processed them through this system
... took real data
... each data posted
... US customs used blockchain
... supplied response back to us
... I used my software, retailer used its own
Jack: from chain of custody
... regulations require signatures of taking custody
... any thought of using other forms
... law states we needed a signature
... lawyers said we needed a signature
... we had supplier go online to application
... they certified who they were
... how did they do that?
Jim: we filled in the appropriate
information; electronic signature
... certified by the individual
... company level, the same way
... importer; the broker made the claim
... I am FedEx or UPS
Wendy: Tony and Pindar
Tony: how did you deal with
errors
... with blockchain, can you say how you dealt with the
errors
... that need to be fixed
Jim: we talked about the two
meetings with the 35 ideas; narrowed down to 5 scenarios
... and we talked about the correction process
... public data was not as granular so you would not see the
errors
... but you could make a
private correction
... and post to the ledger as an amendment
Pindar: Was there only one customs involved here?
Jim: just one; NAFTA province of origin, one lifecycle
Speaker: Scott David
Wendy: we have 10 minutes
Scott: slides will be
available
... we learned about "some other guy did it" defense
... all attorneys talk about mild and wild law
<wseltzer> [starts at slide 15 of shared deck]
Scott: mild is driving and
looking forward through windshield
... most data practices are about data practices
... that is old stuff, going back 50 years
... authorities are past
... old notions of authority
... concepts of what we did in the past
... but we did not have the same problems, different in
kind
<wseltzer> "the problem is that in the past we didn't have a lot of these problems"
Scott: problems are now more
about risk
... how to de-risk these new propositions
... notion of identity is locus of duty and liability and
rights and value drive identity
... some solutions don't always work
... Now looking at Wild Law -- being asked to speculate
... the nature of the challenge
<wseltzer> caption: "and by tomorrow, I'll need a list of specific unknown risks that we'll encounter with this project"
Scott: Moore's law resulted in
increase in interaction volumes and densities
... when trying to de-risk at time of exponential increase,
it's very difficult
... more push to interoperability
... comparison slide
<wseltzer> [slide 21]
Scott: legal products, economic
products and services
... structure the product to de-risk certain behaviors
... will open up new markets and products
... authority is future opportunity
... old value was cost limitation
... being in a cost center is not a great place to be; you want
to be in a profit center
... want to be selling things
... advocating that in terms of DIDs
... Identity not so much a node thing
... it comes back to relationship with community; efficiency;
ability to measure nodes
... Identities are key
... Talk about the trends that will affect the
measurements
... problem of de-risk things but we don't know what the terms
are and their definitions
... Sic Hunt Dracones
... Talk about the 13 global
risk trends
... Secrecy is Dead
... you are seeking insights; but there is also intrusion
... distributed info architectures render hierarchies
blind
... same people who go on Facebook are connected and yet the
CEO is blind about things
... Sovereignty of Complexity
... Socio-Technical systems force non-technical variables into
security design
... look at risk not just in the lab, but also in the context
of the entire system
... Information Democratization Collapses Scale
... controls can be done by crossing over among elements
... stopping at a traffic light
... business, legal and technical elements can get
adjusted
... Data tech is "dual use"
... constraining data is an old law
... people are data producers
... used to have institutional support for data producers
... Big Data insights invert critical analysis
... in genetics they are finding ocean organisms; but fewer
pathways involved; we don't have to treat each one as
unique
... Synthetic intelligence is sharing ideas
... Internet is not a public park; it is a privately operated
commercial space
... Internet is not a public park
... Data is not Information
<wseltzer> "meaning security"
scribe: educate into meaning
security
... question of bureaucracies
... AAAA threats
... attacks, accidents, and acts of nature
... different vectors of attack
... if you don't know nature of system you cannot deal with it
as well
... AI is between attack and act of nature
... that's it
... Good luck
Wendy: any questions following that lightning talk?
Mike: Which was the attack and which was the act of nature?
Speaker: John Fontana
John: I spent 25 years as a tech
journalist
... saw this directory, saw a lot about identity
<Mitja> Can someone please share the google drive link to the presentations?
John: I covered security
... I recorded every conversation because everyone spoke in
acronyms and numbers
... then I got off security beat
... and started to cover directories and messaging
... I went to conference in Philadelphia; sessions on X.509
... other side were LDAP guys yelling at each other
... replication issues on the LDAP side, X509 is dead; they are
still both around
... directories started to take on a persona
... I got sent to Burton Group conferences
... talked about directories for three days
... then I heard talk about directories and Pam stood up and
said 'you're full of it'
... so I talked to her
... All these big companies dictated the reference architecture
that the Burton Group would build
... and every year they would carve out time for me to talk to
them
... it gave me the lay of the land to cover this stuff
... at the time, Novell, Netscape had directories
... those were hot topics
... asked about multiple forests
... Microsoft gave an hour lecture
... I identified myself
... and asked about 'what about multiple forests'
... so the lede of my story was 'if you want to go to hell,
talk about multiple forests'
... got a call from the product manager who was not happy
... that morphed into the Liberty Alliance
... that was in 2001
... remember the WS-* stuff
... where I met Tony from IBM
... he explained passport, infocards, what has morphed into
azure infrastructure
... Kim Cameron
... loss of identity
... talking about directory
... hooked onto SAML
... became popular; Andre Durand, CEO of Ping
... he gave nice 45 minutes talk about SAML
... he said he had no clue what he was talking about...
... Since 2010
... I had column on ZDNET on data breaches and how that was
falling apart
... data breaches is a tired story; same things keep
happening
... I wrote down all of the things I covered
... groupware, collaboration,
... I've seen a lot of water under the bridge
... these iterations on these technologies
... nothing seems to go away
... some things rise to the top
... a testament to what folks in this room do; it takes a lot
of time
... wild ride from an LDAP directory to where we are now, and
how much has been accomplished
... great things going on in this space
... closest we are working on standards
... thank everybody for their hard work
... hope this will be a milestone for what we have today
... thank you
Wendy: thanks a lot, John
... hard to follow that with an agenda bashing session for
tomorrow
Tony: what do you see as trends
there? you have seen things fail and succeed
... you must see trends come
John: I talked today in our
group
... there is a purity when you are developing the specs
... people in room see the challenge
... get something going
... then bring in the business strategy piece and things go
wonky
... hard to drive the spec down to the finishing point
... from experience, that is best avoided
... can be detrimental and leave you with ragged edges
... boils down to the commitment of the people involved before
the business guys come in
Pindar: what advice you have to
this group based on their experience
... I am hearing you say get the tech work done and keep
business people at bay
John: it boils down to hard
work
... like kids PTA, bunch of people but only 3 do all the
work
... in a volunteer environment, it is difficult to get the
people to do the work, and motivate them to do it
... it is difficult
Pam: I would add one thing
... from stuff I have seen; ambiguity is your enemy
... if people want to make things more ambiguous, walk away
John: we talked about
scoping
... and let things get out of hand
... FIDO is an example
... has a definable thing to do
... nut is pretty simple
Wendy: fantastic
... if you have other comments to write on cards
... please do
... we have been gathering the cards and clustering them to
think about what else to discuss
... John, thank you
[applause]
Wendy: that brings us to the end
of the day
... we had scheduled some agenda bashing
... looking over tomorrow's agenda
... we hope you will generate more ideas
... and as we talk over dinner and dream tonight, write them
down and share them tomorrow morning
... and we will look at these clusters
... and see if we are capturing the high points of what we
should discuss
... and what do you want to take away from this meeting
tomorrow
... we will get a sense of a heat map of the group's
interests
... tomorrow we will vote with red and green dots
... if you are motivated, concerned, frightened, want to work
on an idea
... what is it we want to drive our energies toward
... Some of that
... and a survey of current work; avoid mistakes and
minefields
... breakout sessions
... At W3C we have incubation and spec development
... many members want to see fleshed out ideas for specs before
moving to working group
... we have heard from different Community Groups
... see what is ready to move to WG, what is ready for
incubation
... come back to more discussion of that
... any warnings or concerns; anything that makes you jump
up
... what are your biggest fears about this tech, interop,
breakage, warnings we should be hearing
... Agenda also includes discussion on different cultural and
economic perspectives
... we hear a lot of Western and first world perspectives
... we need to hear from other regions and other perspectives
there
... we have some roadmaps for some future looking into DIDs and
Verifiable Claims
... authenticators
... where folks from browsers
... where identity intersects with their work
... where should we all be going inside and outside of
W3C
... to help lead the web to its full potential
... If there is something you don't see
... shout it out now, write it down on a card
... I am emphasizing the cards
... we want to hear from people who are not participating in
the Q&A; we want to hear from everyone in the room
... whether or not we hear more questions
... regarding dinner, we have 6:30pm reservations
... Tony, anything about logistics about shuttles?
Tony: We will have to order
shuttle
... the restaurant is called The Boardwalk
... as far as agenda is concerned
... I would like to see more use cases presented
... @ submitted one to list that I would like to see
presented
... I think Mary had some work to do
Mary: some time tomorrow
Wendy: thank you
<aaronpk> is it "Boardwalk by Maria Hines"?
Wendy: anything else for general
discussion?
... Thank you everyone
... Thank you, Manu for scribing remotely
... and Jeff and Karen for scribing
... and all who have shared in the discussions
... look forward to a great second day
[adjourned]
Present: Manu_Sporny(remote) Shigeya_Suzuki achughes Dan_Burnett hober jfontana jeffh Brent_Zundel markus_sabadello weiler aaronpk kimhd JoeAndrieu oliver_terbu
Scribes: manu, wseltzer, jeffh, Karen
Agenda: https://www.w3.org/Security/strong-authentication-and-identity-workshop/schedule.html