W3C

- DRAFT -

Strong Authentication and Identity Workshop
10 Dec 2018

Agenda

Attendees

Present
Manu_Sporny(remote), Shigeya_Suzuki, achughes, Dan_Burnett, hober, jfontana, jeffh, Brent_Zundel, markus_sabadello, weiler, aaronpk, kimhd, JoeAndrieu, oliver_terbu
Regrets
Chair
Wendy_Seltzer
Scribe
manu

Introduction to Workshop

<scribe> scribe: manu

wseltzer: Hi, my name is Wendy Seltzer, W3C - glad to welcome you here.
... Thank you to Tony Nadalin and Microsoft for hosting us.
... We're looking forward to the next two days of discussion, brainstorming, and socializing around Strong Auth and Identity.

Tony N. covers location of emergency exits, bathrooms, and parking, plus assistance and medical emergency help, etc.

wseltzer: Very briefly, introducing the day and goals of the workshop at a high level - logistics, getting conversation going, etc.
... We use IRC for realtime minuting and discussion... to connect to the wifi - MSFT Guest and use the code on the board.

<jeffh> :)

wseltzer: We are thrilled to have everyone here - just a quick intro to W3C - our goal is to lead Web to its full potential... we work on voluntary consensus standards.
... We put workshops like this on to bring people together, lots of work is happening here and outside of W3C - if we can be a forum for conversation, great, if it happens elsewhere, great.
... We are not the exclusive endpoint of work, but one possible place to bring that work.
... We are committed to Web for All.
... We operate under Royalty-Free patent policy - this workshop is not Recommendation track, contributions here are not yet contributions that are governed by patent policy. Our goal is that specs should be implementable RF wrt. patents / copyright, etc.
... We are a member consortium, we depend on members to participate - hope to keep that infrastructural work going - 475 members from all sorts of places.
... We operate workshops under a code of ethics and professional conduct - if anyone has an issue, find wseltzer or someone else in W3C Team. We want to make sure this environment enables everyone to feel safe, respected and heard.
... We are working in difficult areas, standards work well for technical problem, good enough technical problem, and find a common resolution.
... This all depends on you and the broader community to make sure these things work effectively.
... We want to hear from everyone - you have cards, on those cards, you can write down questions/comments/concerns - we will use those to fill into Q/A and discussion that follows... we will also have dots for voting, mark areas of particular interest/concern.
... We will have breakout sessions where we are gathering in smaller groups... W3C process for consensus ... these are preliminary directions/ideas... feel free to toss out ideas, but don't worry that if you're not in a group that you're going to miss the opportunity to provide critical input.
... Also another part of getting together is social - Tony has found us space in a nearby on campus restaurant.
... This is pay your own way... ~$20 minimum - interested and expecting to come tonight?

tony-tr: There is good beer/wine.

wseltzer: Does anyone need a shuttle?

<aaronpk> looks like all hands raised except a few

<kenrb> almost everyone raised hands

tony-tr: I'll get a couple of shuttles.

Scribe notes roughly 60+ people raised their hands.

wseltzer: You can make off the record statements... let us know if you want something to be off the record.
... We can do queue management via q+
... We can capture what's going on at workshop... everyone is capable of adding things to minutes.

<chrisboscolo> sorry you can't be here in person, Manu!

wseltzer: Thanks to the PC and Manu and the rest of the PC for putting all of this together.
... Thanks to Tony and Microsoft for hosting us here... our goal is to move things quickly. Please add slides to google slide deck.
... You can email me to put material on Google Slide deck...

Kaliya: Hi, passed around cards to all of you - purpose of the workshop is to build mutual understanding across strong auth and identity projects, to do that, we're trying to gather as much input as possible.
... We want to find potential connections between your work and work being presented.

Slide Directory for presentations -- https://drive.google.com/drive/folders/1Oldmw0i1NKhJJwKflG4X9egqP6LLySA2

Kaliya: We want questions, concerns, connections that you're seeing - we'll collect them after each of 7 presentations, we want to get a sense of the room about each of these.
... Please put number on the card, and questions/concerns -- this can be made anonymously.
... We will collect them after each presentation.

Understanding Verifiable Credentials

burn: We are going to go through this quickly, this is a quick overview.
... When we talk about VCs, what do we mean by that?

Slides: https://docs.google.com/presentation/d/11hm-ajsLzroPmA-BcC2TryqAhKsF3jZ_wxHDnyUi_pg/edit

burn: There are all sorts of things we use today quite successfully - we wanted to duplicate that in an electronic form.
... We would show age/drivers license -- we're switching to education credentials - diplomas for example.
... Diploma is interesting... I have PhD from Oregon, which was acquired by another school... that school doesn't exist anymore... that org might not exist anymore in any form... we want to make sure we cover use cases like that... we are interested in cryptographically verifiable credentials.
... The work on VCs is just on a data model, not on protocol yet... issuer/verifier -- we don't define ecosystem normatively, but it's hard to talk about this w/o suggesting an ecosystem.

Slide 3

burn: When we talk about Verifiable credentials... issuer issues to holder... holder holds on to it... verifier asks for credential from holder.
... In this model, a VC contains credential metadata, claims, and proofs... the identifiers can be cryptographically controlled, but issuers can also be identified.

<achughes> burn: the verifier is the one seeking verification

burn: What is a claim - one statement about a subject, Pat is over 21, for example.


burn: Here's an example in JSON-LD Syntax... we are defining a data model, and showing how you can use different syntaxes...
... At some point there is a realization of the syntax... the main thing I want you to see is that there is an ID for the credential, there is some type information... from perspective of user... they are just using ProofOfAgeCredential... etc... we have an issuer field, when it's issued, the part in red is the actual claim.
... We used to call this a "claim"... now we call this the "credentialSubject" - the id represents the subject of the claim... the property is ageOver and the value is 21.
... There is a proof... the details don't matter... there is just a proof on there... we do have some suggestions on cryptographic proofs, but lots of this is flexible/variable.
... We also talk about presentations... issuer, holder, verifier - it's actually a verifiable presentation by holder to verifier... it's for multiple credentials, often about same subject... identifier, some metadata, claims or some whole credentials... main idea w/ presentation is something that holder can pull from multiple credentials.
... What are verifiable credentials and what are they not?

Slide 8

burn: VCs allow an issuer provide a statement of fact... holders hold on to them, verifier can see if the statement hasn't been tampered with.
... VCs don't represent verified truth... just who claimed what

Slide 9

burn: This work is being standardized right now in VCWG... in scope is data model and syntaxes...
... We are looking at JSON-LD... and JWT...
... We do not have browsers in scope... we do not define protocol... we don't address "Identity on the Web"... we're just providing VCs.
... out of scope work could be chartered in future WG... Credentials CG is looking at these items...
... We have a spec, we're trying to wrap up ZKP and JWT support... we have done some Horizontal Review (non official)... expecting CR very soon.
... We have test suites, use cases... (slide 10)
... If you are curious about use cases... take a look at use cases document...
... Details of pictures are W3C Member Confidential... in commerce, there are governments, banks, large websites, using VCs.
... In trade, DHS, CBP, Canadian Provinces... importer, exporter, etc. are some target use cases... real adoption here.

slide 13

burn: Are there questions?

<wseltzer> dirk_balfanz

dirk_balfanz: If you are concerned w/ data model - some credential, over 21, you want to know if *I* am over 21...

burn: There is plenty of discussion around subject != holder.

JoeAndrieu: Use Cases talk about that use case - we are looking at things that are out of scope in protocol... but important to get a holistic view of things.

burn: Anyone can make any claim about anything... if you look at the ID in red, that's a DID, this is where you may start seeing use for DIDs.
... Control over the identifier is an interesting question we're going to hear about soon...

tony: In looking at the current spec, it still looks like JSON-LD is the language, it looks like you're going to wrap regular JSON or other types of JWTs/CWTs - get a little concerned... those get quite large, little concerned around size of expression.
... We're not looking for just users making these statements, we're looking for devices... concerned around size of claims.

burn: Is that a question or statement?
... I'm not going to talk about the merits of one format of the other... as a Chair, we have been asking for feedback from others for the entire lifetime of WG... we do have people looking at other formats.
... We do have folks that are looking to support other expression formats.

Oliver: We have a pull request in for JWTs - we do have some shorter expression to avoid duplication in JSON-LD... issuer could become iss field.

<kimhd> Minutes and PR: https://www.w3.org/2018/11/19-vcwg-minutes.html

<kimhd> https://github.com/w3c/vc-data-model/pull/267

burn: We have welcomed participation, we would like more input... we'd like help wrapping up what we have... additional proposals to recharter.

Sarah_Squire: Proposal in Ethereum community ERC725 - are you working w/ them?

<Zakim> manu, you wanted to note that we're trying to be agnostic.

<wseltzer> manu: we're trying to be agnostic. Lots of experiments underway

<wseltzer> ... the model has proven to be flexible

<wseltzer> ... It's true that some formats have big payloads that won't work for small devices

<wseltzer> ... could be that cwt or jwt work at different layers of the stack

<wseltzer> ... and licensing has a bigger payload

<wseltzer> ... different tools in the toolbox

wseltzer: Any further questions for Dan Burnett.
... We're building up modules, understanding different components that are available - different places that they might be useful. Think about incompatibilities... ways we can work together.

Decentralized Identifiers

Slides are here -- https://docs.google.com/presentation/d/1BX8r1KoxvJSQIX3PtAOzOawirwBYyze9QlyIaAbBRrM/edit

kimhd: Hi, I'm Kim, CTO of Learning Machine - work in educational credentials... co-chair of W3C Credentials CG - also DIF Steering Committee.
... What is a DID? It's a new type of URI that is globally unique, highly available, persistent, cryptographically verifiable, and doesn't require a centralized admin.
... In education use cases, we want the recipient of a credential to be identified using a DID.
... A DID is an identifier for a subject.

<wseltzer> [slide 3]

kimhd: here we have did:x:123 as the identifier for the subject.
... What does a DID look like?

slide 4

kimhd: we have a scheme "did:", then "DID Method", then DID-specific string.
... There are examples of what these look like at the bottom of the page...
... Globally unique identifier - in many of these cases, you can self-create your identifier... prove that you control it, no central admin can take it away from you.
... Each DID Method must specify a set of mechanisms - Create, Read, Update, Delete (aka revoke)

<wseltzer> [slide 5]

kimhd: One critical part - DIDs resolve to DID Documents - we have a Veres One identifier here - document it resolves to - contains authentication mechanisms, public key material, services...
... markus_sabadello is going to talk about that next... DID Resolver is retrieving DID Document.

<wseltzer> [slide 6]

kimhd: So, DIDs resolve to DID Documents... let's look at specific DID resolution process.
... This is saying we're using the BTCR method spec, run it through the universal resolver, produces a DID Document.
... identifier tells you which block, which transaction, to find the transaction in.
... Resolver knows, per method spec, how to get information, how to return this thing.
... so, DID Document has keys, authentication, services, signatures, timestamps.

slide DID Document

kimhd: This document has been incubated at RWoT and IIW, currently draft in W3C CCG, protocols and prototypes at DIF, there is a DID Method Registry, DID Auth, DID Resolver...
... We'd like to discuss a DID Working Group at this Workshop.

tonyn: What do you expect to standardize?
... There doesn't seem to be cross-blockchain interop... I need different DIDs on every blockchain... who is going to run the registry... concerned around transparency of resolvers...

kimhd: Interop first - that's the big part... what's the content of the DID Document, that describes how interop is possible...
... DID Auth, for example, needs that document....

ChristopherA: There are a couple of different issues here - DID authenticates DID Document, strongly make claim about DID Document... that document can contain other key material from other places... including keys that are compatible with say a different blockchain w/ different proof formats, PGP keys in there, information that lets you allow you to leverage FIDO.
... There are things like sigma proofs, ZKPs, private keys in one curve equivalent to private keys in another group... it's premature to pick a method, maybe at some point the market will say there is one two or three that are dominant... but reality now is that there are multiple DID methods.

kimhd: We are starting to categorize DID Methods... BTCR and IPLD are ones where, if you are comfortable w/ using that technology, you can create them and use them in some way... depending on registry authentication, you can start using that now... truly self-sovereign identifiers, I create them, no one can take them away from me.
... In other cases, private/permissioned blockchain, those enable different properties - for example Guardian models... batch registration of individuals... some depend on properties of the blockchain itself... which use cases argue for which... we don't do guidance yet, DIF may do that... W3C is not in that role.
... People will have those questions... you don't want to use something on a blockchain that can't be rewritten... part of strength of it, something we're getting feedback on ecosystem.

tony: Who is going to run the registry, how scalable is it, who would pick up the registry

ChristopherA: We are talking about the DID Method Registry - you can reserve the DID Method... not a DID Registry.
... The requirements to have a proposal are very small... as you move up the scale of maturity, we will have requirements for what you have to do to do that.

<shigeya__> BTCR DID Method https://w3c-ccg.github.io/didm-btcr/

ChristopherA: We need to allow for innovation right now... there is nothing that says one has to support every DID method, for example... don't use BTCR unless you need technology.

kimhd: We can come back to that - would like to focus on breadth

Kaliya: This dynamic is also what these cards are for
... If you have thoughts/comments/questions - please write them down on paper right now.

hober: Does the DID Method registry just let people know what an unregistered method is?
... Is it relatively straightforward to serve static JSON and hook into all of this?

kimhd: Yes, we can look into examples.

Pete: If I wanted to add a new DID, how do I get resolved?

kimhd: There are different resolvers - which methods they support is up to each resolver... part of value is that each DID method and how you perform its operations... write any resolver to note your test case... it's not going to be prescriptive.

wseltzer: Thank you very much Kim... next up... Markus to talk about DID Auth...
... Keep questions and comments coming throughout two days here...

Understanding DID Auth

Slides -- https://docs.google.com/presentation/d/1TSMW5hckaaaybpV9OVeNbWO1QE_OsMP3Pc3GovAfvjw/edit


Markus: Hi, working in CCG and DIF, and Sovrin... DID Auth is more of a concept rather than a spec... makes a lot of sense to have a concept... DPKI for DIDs... and what they enable.
... Using a DID Resolver to authenticate - you have DID, you have key material associated with that... control the identifier... not about proving we're over the age of XYZ, we just prove that we have control over a DID.
... We worked on a paper around Rebooting the Web of Trust... looked at DID Auth - Kim noted authentication.
... Authentication block points to public key - who has control of the DID? If you have public key information, you can know that anyone that has private key is authenticated.

<wseltzer> [slide: DID Auth Example Architecture]

Markus: This is one example for uPort - web page - mobile app authentication...
... With a mobile app, private key corresponding to DID, I can provide response to QRCode - post it back to web page... important, web page uses DID Resolver to find DID, then find public key, then verify that the signature on the authentication was signed correctly.
... This is just one of the possible flows.
... We tried to analyze this stuff - different scenarios / different flows - there are many, so DID Auth isn't just one thing... it's a family of things that are being explored.
... There are many transports, HTTP, QR, etc....
... There are many more flows... observation - we were able to draw all of these flows where there are two parties... if we look at traditional models, we usually have 3 parties... but this one has 2.

<wseltzer> [slide 7]

Markus: I control a certain identifier - trust relying party - individual - all sorts of different transports...

<wseltzer> [slide 8]

Markus: There are also people that are using different data formats internally... we will reuse things, but as I said, DID Auth is not trying to come up w/ a new authentication protocol... but reuse where possible.
... I have seen JWTs... we can also see JSON-LD VCs... self-issued VC....
... We have been thinking a lot about OIDC + DID... also looking at WebAuthn + DID...

<wseltzer> [slide 10]

Markus: We've done some initial thinking - working w/ OpenID Connect protocol, where we use self-issued OpenID ... one way this could be done is to have personal openID connect provider... protocol could be used, similar with WebAuthn... FIDO... could reuse that.
... There are other experiments around DID-TLS, DID-based HTTP Signatures... DID-based PGP... using DIDs in SSH.

<wseltzer> [slide 11]

Markus: Some things to consider for the workshop - how would a DID Auth relate to VC exchange protocol?
... Other DID Auth principles... We may want to meet some principles, otherwise it's not DID Auth... for example, identifier stays the same... rotate keys, change service endpoints, change OID endpoints, authmethod, but we continue to always be able to prove control of the same identifier.

wseltzer: Questions from the room?

JohnB: I may beat Tony to some of these questions ... In a number of the flows that you put up, potentially they are a step backwards from a security perspective because they're phishable... we need to make sure we're not going backwards from a security perspective.
... I would even step back a bit further and question - is the use case for DID Auth actually authentication, or is it more appropriately proving presentment of VCs.
... We do have pairwise privacy preserving WebAuthn... even Apple is deploying it... do we actually need to present correlatable claim, or should we look at the best mixture?
... Some have said we need new authentication method when that may not be the best path.

Markus: Lot of questions - let's keep the benefits of existing things... not be phishable... concept of DID Auth is that we have an identifier that cannot be taken away from me, I can rotate keys, I can rotate metadata out... I think OIDC or WebAuthn don't provide that out of the box.

JohnB: The argument that you need to rotate credentials is making presumptions about how they're stored... I don't buy into the premise that a DID is required because you need to rotate private keys, not arguing that there are not use cases for DIDs, let's find the right use cases for them.
... For purely pairwise pseudonymous auth, I don't believe a DID having a public key published is a requirement.

Daniel: A couple of things on the business side (from Microsoft perspective)... would love it if people used LinkedIn for everything (Microsoft property) - Universities didn't really want to sign up to single entities, because of corporate identifiers controlled by something other than University.
... So, there is a strong business use case for DIDs... large entities that don't want other large entities to lock them in via identifiers.
... There are also use cases around progressive trust... you start out pseudonymous, but then upgrade over time. For example, FIDO doesn't cover the use case for expressing services around DID Documents... granting access to my data storage service.

Tony: I get concerned around methodology for DIDs... you don't actually know if person that created the key is doing the DID Auth itself... you can do this in FIDO... authenticator is a device that you control. I'm not seeing end to end comprehension of how you keep keys safe and to the actual creator of the keys. How do you prove that situation in DID Auth?

ChristopherA: I think part of the problem here, we're overinflating the use of keys, for simplicity purposes, you see DID Document up there - presuming that private key is in a file some place...
... That is a gross simplification, we can keep separate keys... we don't call it a signature block, there might be a variety of different types of proof... for example, if I issue Verifiable Credential covering you for 1 million dollars... I want a higher spec of authenticator/proofs before I give you that verifiable claim.
... DID Documents enable you to use all of this stuff... we need people that have experience with these systems. All the perils of mixing authn w/ authz... but at some point we need something like a DID Document... just because someone asks for a VC or other things, doesn't mean I have to give it to them/comply... or they have to accept.

Dirk: Where do you see DID and DID Auth fit into the larger picture... I think I understand VCs... I want to prove my age, SSN, I thought DIDs were a means to an end...
... One way I could do that, who are you?, I could provide DID and DID Auth, prove that's who I am... find something in DID Document, claim I'm over 21? Am I seeing that right... how is DID connected to VCs?

Markus: We don't put VCs in public ledgers...
... DID Documents are for looking up key material and services.... not VCs.
... There are no claims in DID Document, only metadata required to verify VC material...
... DID Auth is just a high level concept so far...
... No assumptions about documents are in ledger, where keys are stored, where hardware wallets are... etc.

wseltzer: We have a queue... and then break...

<wseltzer> JoeAndrieu: None of these components yet is identity assurance

<wseltzer> ... the proof that you are the person who can make these claims

<wseltzer> manu: it's not either or

<wseltzer> ... we're trying to combine elements of the prior art

<Zakim> manu, you wanted to note FIDO + DIDs are complementary.

<wseltzer> ... authentication flow that takes FIDO key material into a DID doc and uses HW token to identify

<weiler> manu: I hear in this discussion a perception of an either-or thing. the experiments going on right now .... there is an auth flow that takes a FIDO authenticator, puts the credentials in the DID document

JoeAndrieu: For VCs and DID and DID Auth - none of those is sufficient for identity assurance... whether the key is on a hard drive, or on a hardware authenticator, we can't prove that person controlling device is the person... it's a strong factor.

<weiler> ... There is a a lot of work around blending these models rather than picking one.

<oliver-terbu> +1 manu

markus_sabadello: We did quite a bit of work around blending models at IIW.

Everyone takes a break, socializing, expect to get back into OpenID, JWT/CWT, etc. use cases.

<wseltzer> [break for 30min]

WebAuthn, CTAP

<wseltzer> Slides, Modern Authentication

<inserted> scribenick: wseltzer

[slide 2:: How Security Keys Work]

JohnFontana: presenting slides

[slide 3: Registration]

JohnFontana: FIDO2 is an umbrella term for WebAuthn and CTAP
... CTAP at FIDO, WebAuthn at W3C

[slide 4]

scribe: CBOR is the CTAP data format

[slide 5: WebAuthn]

scribe: create and get strong authentication

[slide 6]

[slide 7]

scribe: Thanks to Pam for this map

<Mitja> Can you please reshare the link to the presentation?

[slide 8: state of state]

<Mitja> thank you!

[slide 9]

TonyNad: IETF discussion of EAT
... device attestation about provenance, devices, ecosystem
... we use these attestations in WebAuthn and FIDO to understand key provenance and strength
... you may not want to accept authentication from weak device, TEE
... At Prague IETF will probably try to form a WG
... CWT, JWT for devices, compact
... looking to do in generic way
... data models for device, what type of device
... indirect and direct attestations
... want to be compatible with OAuth, JWT, CWT
... use existing verification libraries

<ChristopherA> Queue is closed

dirk: deliberately lightweight
... 2 party system: authenticator on client, relying party
... by design , the keypair I generate for e.g. Google, will never be known to Github
... roaming authenticators, keyfobs, will be single-factor
... second use case, bring touch ID, Windows Hello

<jeffh> scribenick jeffh

dirk: to the web platform

<manu> scribenick: jeffh

oliver-terbu: are there implications on the challenge itself?

john_bradley: challenge is hashed, in clientdata you get orig back, ...

ChristopherA: how much of web stack are part of webauthn spec? can things that are not webservers leverage webauthn if they don't wanna leverage JS stacks?

<brentz> ChristopherA: can things that aren't web servers leverage Web Authn?

john_bradley: it depends, and OS platform can impl webauthn-like APIs

<wseltzer> jeffh: WebAuthn spec defines protocol between authenticator and relying party
...: are they webauthn-like? windows' platform webauthn api is

<wseltzer> ... it can pass through whatever stack is in the way

oliver-terbu: who is issuing these EAT attestations? are they some kind of certification for the authenticator itself?

john_bradley: at moment webauthn does not use EAT attestation, we already have various attestation formats, can add EAT if it's appropriate, can't have too many standards :)

chris_boscolo: what if authenticator is lost and one needs to re-register?

john_bradley: that's RP specific, but thinking is that one has both roaming and platform authenticators and one can use either to re-register at the RPs


tonynad: webauthn wg working on this, one idea is to have a 'backup authenticator' which allows one to re-register

<Zakim> ChristopherA, you wanted to How about additional key types, in particular secp256k1 used by bitcoin & ethereum

christophera: I have need for type of crypto that uses secp256k1 curve, how do we ensure we get those key flavors supported?

john_bradley: we already have alg agility in the protocol, plus Mike Jones will be talking about this in a few min...

sam weiler: <missed question>

john fontana: <mumble>

markus_sabadello: question wrt UX eg if one registers a DID rather than a public key, can leverage that in many ways.... thoughts?

john_bradley: in principle, yes, though much to sort out there

next speaker: Rae Hayward, FIDO

FIDO and Authenticators

<wseltzer> [same slide deck]

<wseltzer> [slide 12]

Rae's slides are in the '05 - Day 1 - Understanding WebAuthn, CTAP, EAT, FIDO and Authenticators' deck

<wseltzer> [slide 15]

<wseltzer> Rae: ROE=restricted operating environment

<wseltzer> [slide 19: Companion Programs]

<wseltzer> [slide 20: Labs]

<wseltzer> [slide 21: Expiration, derivative, and delta certification]

pamela: if an RP wants to accept only authenticators of L3 certification, how do they do that?

rae: the certification level will be in metadata, plus fidoalliance.org lists certified devices

scott david: on the delta certification, when org learns certified device is now different, what happens? e.g., PCI "compensating controls", plus ecosystem feedback can be fed back into spec development -- what about FIDO's processes?

rae: the security secretariat has processes to notice such things and feed info into working group....

PindarHK: can you tell which lab did original certification? <missed rest>
... can determine provenance of the lab that performed certification?

rae: no, that's not public info, do have internal mechanisms that would know this

Understanding JWT/CWT, OpenID, and Related Ecosystems

Mike Jones presenting

+ John_bradley

<wseltzer> Slides

<wseltzer> [slide 3]

<wseltzer> selfissued: (Mike Jones) JSON Web Token

[slide 4]

<tantek> speaker: "JSON-LD requires canonicalization to RDF in order to sign" [interesting I didn't know that.]

[slide 5]

[slide 6]

<manu> tantek -- well, no, that's not correct...


[slide 6]

<manu> tantek, You can dump JSON-LD in a JWT w/o needing normalization/canonicalization.

<manu> tantek, if you want to do LD-Proofs, then we have chosen that it's best to do RDF Graph Canonicalization (the benefit being that you can have the same signature expressed in a variety of different syntaxes w/o having to recanonicalize)... so you sign the information.

[slide 9]

[slide 10]

[slide 11]

<wseltzer> John_Bradley: extensible. There's a set of core statements, and others can be added

[slide 12]

<wseltzer> selfissued: New work. THose interested should talk to us and participate

selfissued: specifically the CBOR web token (CWT)
... RFC 8392

<wseltzer> John_Bradley: complementary to webauthn, not competitive

<wseltzer> ... OpenID Connect is about federated claims and API access

<wseltzer> ... should probably use WebAuthn for authentication

<wseltzer> Chrisboscolo: how do relying parties learn about self-issued identifiers?

chris_boscolo: wrt self-sovereign, is there a way for an individual to assert that they are speaking for themselves?

PeterWatkins: aggregated claims? more about that?

<wseltzer> https://openid.net/specs/openid-connect-core-1_0.html#AggregatedDistributedClaims

selfissued: if you search for 'openid claim' you can find it
...: see above

<wseltzer> JackCallahan: How does mobileconnect differ?

JackCallahan: what are the differences between Mobile Connect and OpenID Connect?

john_bradley: <describes nuanced facets of the relationship>

selfissued: GSMA certified their core implementation with the OpenID Connect certification suite

oliver: w3c VC WG is working on JWT representation -- how <missed it> ?

selfissued: that's stuff we can discuss

joeandrieu: can I use my own crypto identifiers to make use of others' claims?

selfissued: sure, that's an aggregated claim....

john_bradley: the spec talks about how that's done syntactically, it is work for the reader as to how the relationships between the parties are actually arranged and maintained
...: you'd use some sort of proof-of-possess to logically tie the claims together

Indie Auth: OAuth for the Open Web

aaron Parecki

[slide 13]

<wseltzer> [slide 13 begins AaronPK's presentation]

[slide 14]

[slide 15]

[slide 16]

[slide 17, 18, 19]

[slide 20]

[slide 21, 22]

[slide 23]

[slide 24]

[slide 25]

<wseltzer> aaronpk: take OAuth and add constraints

[slide 26]

[slide 27,28,29]

[slide 29, 30]

[slide 31]

pamela: how does client authn piece of this work?

aaronpk: clients are all identified by URLs as well. instead of 'pre reg', it is just use the domain name
...: taking the idea of 'public clients' and extending it to all clients

markus_sabadello: it is not openid connect, it is oauth, why?

aaronpk: this is solving a smaller scope than OIDC -- is the presenter of a URL in control of that url?
...: wrt webfinger, we are using HTTP link-rels and so it is more simple, don't see much use of webfinger in this

kaliya: how is this diff than openid 1.0?

<tantek> "OpenID [1.0] only solved half of that"

<tantek> "OpenID Connect went away from solving that problem [users bringing their own identity]"

aaronpk: is pretty similar. openid connect drifted away. indieweb adds in api access tokens to orig openid ideas

kaliya: what to do after lunch, invite room to chime in on what all we've heard this morning... everyone gets a white card, question we want you to answer by end of lunch is: from where you sit, what do you want to see happen in terms of work in next 2..5 yrs; alternative question: what is the biggest concern you have wrt what you heard this morning?
...: then we will get together in groups and sort through this, and boil it down and discuss in the entire group.
... your job for lunch is to answer one or both of the above questions
... only 30 min for lunch and question answering

<wseltzer> [lunch]

<inserted> scribenick: manu

Breakout Sessions

Kaliya: What you're going to do in the groups... briefly say who you are, read out your card to the group, ask clarifying questions.
... Talk about concerns, each person has two votes to give to two other cards... you're six people... you get to say "I think that idea is really important, or that concern is really important".
... 12 votes in each circle.
... You don't vote for your own card. :)
... So, out of the six things, you get to pick your favorite.
... Don't vote twice for the same one.
... Someone else might share your concerns, keep that in mind.
... You're going to be in a group of six, then discuss for 20 minutes, then scramble the room. talk to six new people, do the same thing... find out whose card had the most votes on it.
... The point here is to get group intelligence to work... I will track time, will check in with the groups... close computers completely, groups gather, etc.
... If you create new ideas, we'd love to hear about them. Write them down.
... Each card with a tally, any additional outputs, we're happy to receive them.
... If you came from the same company, you cannot be in the same group. Six people in a group.

Breakout sessions are forming... magic is happening.

Report-out from breakouts

Kaliya: First segment, we'll hear all concerns... let's hear work items.

achughes: Within next 2-5 years, in industry and psychology circles, identification and authentication are different things.
... Saying that you're doing authentication when you're doing identification is not useful for market clarity.

JohnB: Separation of concerns - separate authentication and attribute provisioning ceremony so they're understandable.

Kaliya: Any other cards that are similar to this?

Rae: Privacy - do privacy by design - concerned that I didn't hear that.

@@@: We brushed away identity assurance facility today -- what about end use case, verify identity -- how do you trust the identifiers, the exchanges?

Dirk: I want my browser to know who I am, and responsibly surface that based on my instruction.

Jiewen: Concern and work item - for web authentication - how do we provide for small parties, small providers - could we bridge OAuth and OpenID?


kimhd: Interop prototypes - educational credentials, I don't want to use a specific identity provider - think there is value in DIDs, enable people to have lifelong claims that they can prove control over... bootstrapping DIDs using WebAuthn or other identity solutions.

@4@: I'd like to see relying parties have a much richer and more diverse set of federation/identities... get away from Signon with Google/Facebook/etc.

aaronpk: Would like to take this not just for identity aspect, but for storage aspect as well.

Pam: Difference between having user be in one paradigm, or have a user choose between two paradigms... concerned we're going to the latter... discovery, registration, resolution, feel like we need to focus on these pieces.

PeterWatkins: Some of the conversations were going past each other - some people are operating in a different scenario... some want a peer-to-peer model, no parties involved in transaction that don't belong there... other people use existing systems, but very little that we own/control.
... I'm not here with the view that we're going to try to extinguish those... would rather run things through both scenarios, see how they do... vs. zero sum trade off.

ChristopherA: I'm wondering almost the reverse - where is the line? Aadhaar, social credit, etc... those are the biggest identity systems today.

<wseltzer> ChristopherA: some places we don't want coexistence, e.g. social credit

Dalys: Hoping to see alignment for WebAuthn and DIDs.

@6@: Would like to see alignment that gives unified experience for subject that is trying to authenticate.

Will Abramson: I'm concerned with conflict between two groups...

Oliver: This isn't about WebAuthn and DIDs... don't reinvent the wheel... should we use mature standards like OpenID Connect and WebAuthn or something else?

Markus: How can we align DIDs w/ stuff that works already such as WebAuthn and OpenID Connect

@8@: I'd like to see industry adoption of DID-based identities...

TonyN: Clarity on why DIDs need to be standardized...

burn: Would like to see a DID WG formed at W3C.

Jack: Usability of these systems... thinking about it from the user's perspective.
... Approaching it from the users perspective - registration, recovery, etc.

Tom: Usability that doesn't suck :)

@10@: More along the lines of what I didn't hear - how are these bound/linked to a known and real person, if at all?

scribe: consistency and trust in the bindings?

Kaliya: That's close to identity assurance...

weiler: Selective, permissionless, delegation - want WebAuthn and FIDO to have support for allowing people to have one of the credentials w/o relying party saying no.

Sarah Squire: I'd like to see OpenID Connect community working with Ethereum community - gamification and incentives... there is no financial incentive

<weiler> I think solutions in this space will help improve backup and recovery, also.

Scott: Interested in seeing use cases clear - context of value propositions, use cases clear of sub data flows that are involved because each of those are gamable from business model, legal, etc perspective.

Mary_Hodder: My question was a meta question for the group - don't know how to place everything going on - what is framework for thinking about problem set and what does success look like?

karen: How do all of these building blocks work together?

@16@: Tightly scoped, standards based efforts, interoperable pieces ... how do we find those?

@17@: I'd like to see standards support for Decentralized Identity stack - we need multiple things in place for that to happen.

JimM: Layering of ID management, different rules for that.

@18@: Oftentimes in designs, there is a service that affects wallet, that should become clear, how wallets work.

BartW: Ensure adoption among private, public, and across both domains.

@20@: Remote authentication support for webauthn webauthz frameworks.

@21@: Validating identity proofing, risk of synthetic IDs...

scribe: fabricated ID that someone creates...
... online proofing vs. physical proofing.

achughes: We should probably say "identity assurance"

<achughes> achughes: The synthetic identity card should go with the ‘identity assurance’ card

@22@: Interop with other schemes, like GS1 ecosystem... GLNs, GTINs, LEIs.

@23@: Concerned to have centralized authorities onboard rather than blocking... centralized authorities are not always excited about decentralized solutions.

Pindar: Scalability - at what scale are we talking about... we're doing things about Internet scale... also concerned about Know Your Machine...

@24@: Adoption - will end users understand value proposition of DIDs, what they get?

@25@: Interop from perspective of web developers - help browsers understand what APIs they should be understanding so developers can focus on clear stories so developers can focus on stuff that's not passwords or authn.

Ken: Preserving privacy, let the user determine how that privacy is preserved.

<Karen> [Break Ends]

<Karen> scribenick: Karen

Market Verticals: Current and Future Challenges

Government Segment Speaker: Peter Watkins, Province of British Columbia

Peter: I am with the gov't of BC; I don't view myself representing a vertical, but a government
... I cannot speak on behalf of the gov't or other gov'ts but happy to bring my perspectives as a government guy
... first, you have to be precise
... In Canada, gov't can mean many things; different levels, peoples

<wseltzer> Slides for the Market Verticals discussions

Peter: indigenous peoples also act as own governments
... educational systems as well

<wseltzer> [slide 5]

Peter: We are small, 4 million, but we operate across a great number of areas [reads slides]
... and it's not an exhaustive list
... from an identity perspective, we operate at the base
... As it relates to the law; important to understand that context
... We register births and deaths
... you don't exist or die until we say so [laughs]
... we run the corporate registry

<wseltzer> "legally, you're not born until we say you're born."

Peter: we create corporations, societies
... we have a whole set of laws, each of which created self-regulating bodies
... we say if you are a lawyer, doctor, nurse, accountant, etc.
... all of these associations, affiliations, etc.
... and licenses and permits
... drive a car, commercial vehicle; dig a hole, inspect machinery, etc.
... we have gov't machinery, processes and policies
... we operate the land title searches
... who owns what land; very important function
... and we allow registration of liens
... so a lot going on in our world for identity information

<wseltzer> [slide 6]


scribe: We have a legacy system
... so we looked for something to scale
... we invented a BC services card and a provincial identity management info program
... we leverage two things; the popularity of driving
... and we run one universal program, healthcare
... we created a drivers license and health care card combined
... one card, one EMV chip to authenticate
... no personal information other than the chip number
... at this point we have enrolled 4.3 million BC citizens; looking at a mobile app now
... we want people to be self-deterministic; and do it digitally
... you met John Jordan and team
... they are advance hyperledger service
... take corporate registration records and encoded them into @...set up for a digital platform
... So gov't perspective on strong authentication
... We are damned if we don't do it
... your land registry is tied to Google account?

<wseltzer> [slide 7]

scribe: we don't own, control or have accountability over that
... no effective recourse
... not clear to us what happens when things are lost, account recovery process is difficult
... authentication tech can become a party to all of the transactions that unfold; we don't think that should happen that way
... public does not view they have much choice
... when we make our tech dependent upon others, they feel they are forced to adopt something; gets us on the wrong side
... If we do it, we're also damned
... but this is important technology
... our small province cannot defend against the threat model
... it is frightening
... You don't interact with gov't as much as other entities
... every transaction can be spin through account recovery
... We don't like that our services would be party to the transactions

<wseltzer> "every transaction is a spin through the recovery flow"

scribe: if we did verify your identity, we can remember you at our counter and restore our services
... but is that a bug or a feature
... our businesses are entwined globally
... we would not know how our own unique approach would scale
... you don't sell provision it
... Lastly, there is a lending problem
... no one has mounted an argument about your traffic ticket
... but if tied to benefits, then it's another story

[slide 8] ...On identity information, there is Lou the person who wants to interact with digital services.com; dialogue box

scribe: dialogue box; we know we will get called
... information disclosure related to that
... that we don't have in the real world
... we are looking for an architecture that would operate more like real world
... last thing to bring is a sense of urgency

<wseltzer> [slide 9]

scribe: divide things into things that are less or super important
... super important we are stuck in old world on important things
... to light up upper box, we need trustworthy ID
... and we need better technical solutions
... That is my talk

Wendy: Do we have some quick questions for Peter on that use case?

Pindar: You highlighted legal views
... for individuals and corporates
... have you talked about smart contracts?

Peter: I don't know

Scott: critical infrastructure
... often those are privately owned; have you run into arrangements with private infrastructure that will be more reliable?
... services different in other contexts, but any analogies used for critical infrastructure that could be used reliability for gov't

Peter: In BC, we see emergence of pan-Canadian trust framework
... gov'ts should be positioned as an effective regulator rather than a direct provider
... you see that in financial services

<Mitja> can the link to all presentations (no google drive) be shared? IRC seems to break after a while and I'm not able to see history

Peter: but it is a mind bender to set up to regulate identity providers
... that is my opinion

Scott: Maybe look at insurance which is a risk issue

Gregory: How much would be regulation v. standardization and endorsement
... you mentioned the pan-Canadian trust framework, I am here representing DIACC

Peter: Payment industry did a summary on payment
... they discovered self regulating would be better; way better for the industry to take over; far better way to go

Pam: you are unique in that you have an ecosystem adopt your services
... how does it work that Police services adopt anything different, such as the drivers' licenses
... how did you get people to buy in?

Peter: not a large digital component; just starting this year
... healthcare, social services
... without the services card, they have gone down the road as far as they can go
... light bulb is going on
... and they recognize they need the services card
... I think you will see services card adoption
... I started work on this in 2007
... program started officially in 2013
... now in renewal cycle
... have to go long
... you cannot push the public to this; you will get on the wrong side of PR
... we used the natural expiration rate of the drivers' licenses; just waited it out

Wendy: Thanks so much Peter
... next up is Allen Brown to talk about healthcare

Speaker: Allen Brown

Health Care IDology

Allen: my personal interest is ID with respect to digital contracts
... Manu knows I worked on healthcare and life sciences systems and asked me talk about that in this space
... start with an anecdote
... at Microsoft I worked five years for the Health solutions group
... in 2009 there was a NATO delegation
... those of us interested in healthcare invited us
... delegation was lead by an assistant secretary general of NATO
... in another life he was a trauma surgeon
... his remit included field hospitals
... at time of Afghanistan there were 7 hospitals
... most NATO military orgs medical services are integrated with national health services
... and field hospitals are meant to be the health services
... so there were 7 field hospitals
... Secy General went on to talk about two Dutch marines and two American operating in squads
... interoperations were walking over from one tent to another
... Afghanistan had 1200 operational aircraft that knows how to broadcast communications
... but you could not do this for Marines was a standing joke
... I want to specifically talk about a system we developed at Microsoft called Amalga
... you have lots of patient data and you want to assemble a data cube
... to have a single view of everything about the patient
... in doing that you quickly come up against lots of issues about identity
... I will talk about four of them
... while Amalga was meant to extract data about patients from electronic medical systems as well as from real time feeds
... extract EMR, many systems are oriented around payments
... have to go through payer who was paying for this
... or else it is difficult to extract certain kinds of data
... have to extract the payer first to get to the diagnosis
... Identity for providers is obvious
... give them access to patient information
... but something else goes on here
... much patient data is subject to interpretation
... you need to know who the interpreter is
... next is the data itself
... Amalga had origins in system done at George Washington School of Medicine and Life Sciences
... because of its geo location in Washington DC
... it has access to many kinds of patients
... one CATScan file was originated at one hospital and passed to another
... need to make sure it's same patient and scan
... Amalga collecting data from many sources
... and identities of patients were different; mechanism to coalesce identities is needed
... Patients who are largely treated through emergency rooms, and each ER visit generates a new ID
... I created for them an inference system to assemble IDs into a single individual
... that is story and the state of affairs as of 2016
... to the best of my knowledge, this situation has not changed
... so I hope folks in this room can fix this problem

Wendy: We have a challenge in front of us
... any questions for Allen?

Scott: economic challenges inherent...providers don't want to share patients
... is there a threshold; how to get over the economic disincentives

Allen: I don't see how it can improve
... no amount of tech will fix the problem

Pindar: some kinds of data you want people to see, but not change it

Allen: not change the data
... it's about the five different IDs
... with IDs you want to infer they are equal and do in a probabilistic fashion
... one set may be higher
... how you associate data, not change data

Mathias: how do you handle privacy?
... different providers and data; how do you handle privacy?

Allen: I am hearing more problems [laughs]

Wendy: thank you very much for that presentation
... next up is Jim Maslowski

Speaker: Jim Masloski
... I work with DHS
... we were developing proof of concept for certificates of origin
... doing input process
... a group was tasked with process

<wseltzer> [slide 12 from group deck]

Speaker: brought in different people, US Customs, trade people, customs brokers, importers
... parties responsible for capturing and setting the information
... sat down to figure out how to do this on a distributed ledger
... We were in a room for a day and a half to outline our tasks
... how to target this process
... we started with 35 ideas and narrowed down to 5-6 simplistic ideas
... we found out who the actors were, what you would need who would help develop the process
... Looking at import and export processes
... it was an eye opener for the group to see how to capture that information, how it comes to you, and what the legal requirements are
... we had the legal group with us
... always interesting when we say we want to capture x but legal says it's against the law to do so
... we went in knowing it would be a challenge and a work-in-progress proof of concept
... when we got through it
... I have put a transportation document up on the screen

<wseltzer> [slide 13]

Speaker: we focused on the verifiable credentials and ID management
... how to verify who was making claim and capture that information
... this happens to be a load of light bulbs
... certain data a gov't makes available, certain information stays private
... had to figure out how to make a legal, compliant distributed ledger that improves the supply chain
... took agnostic approach
... cross-platform
... look at number of parties needing access to the system; we used DIDs to identify the brokers, suppliers, US customers, and used Verifiable Credentials
... with distributed ledger we could identity products coming in, the provenance
... communication between agency and supplier
... supply chain side, we could get supplier into the front end
... supplier certified
... we added to transaction that crossed border, ID who owned, who is responsible, so then US Customs could ask questions on it
... we provided supporting documentation
... as a valid pre-trade claim
... from that standpoint it went well
... Biggest challenge was taking into consideration the legal side
... hard to grab the information the way the laws are written
... we were able to take advantage of the distributed ledger to make these claims
... Looking at clusters of information; does that org exist and is it an importer
... how do you certify this is a load of lumber, or an automobile
... it all hinged on the DIDs, Verifiable Credentials and have a process to capture the information and the proof
... there was significant time savings on these requests
... for example, where is the T-shirt manufacturer
... one invoice, one sku
... to claim differential rate; they would supply a pallet worth of documentation
... with this process they could make the claim with info that was on the ledger
... a huge advantage
... I liked it


.,..from a trade standpoint, we look forward to see what W3C does for DIDs

scribe: we think it's a neat way to go

Wendy: thank you

Joe: What were some of the legal requirements?

Jim: parties to the transaction for example

<scribe> ...done in DIDs and Verifiable Credentials; participation from brokers, suppliers

Markus: what DID method did you use and what ledger?

Jim: I am a customs broker; I think it was a @ blockchain

Markus: but you used real DIDs
... we used customs data, transactions that were current and processed them through this system
... took real data
... each data posted
... US customs used blockchain
... supplied response back to us
... I used my software, retailer used its own

Jack: from chain of custody
... regulations require signatures of taking custody
... any thought of using other forms
... law states we needed a signature
... lawyers said we needed a signature
... we had supplier go online to application
... they certified who they were
... how did they do that?

Jim: we filled in the appropriate information; electronic signature
... certified by the individual
... company level, the same way
... importer; the broker made the claim
... I am FedEx or UPS

Wendy: Tony and Pindar

Tony: how did you deal with errors
... with blockchain, can you say how you dealt with the errors
... that need to be fixed

Jim: we talked about the two meetings with the 35 ideas; narrowed down to 5 scenarios
... and we talked about the correction process
... public data was not as granular so you would not see the errors

scribe: but you could make a private correction
... and post to the ledger as an amendment

Pindar: Was there only one customs involved here?

Jim: just one; NAFTA province of origin, one lifecycle

Speaker: Scott David

Wendy: we have 10 minutes

Law and DIDs

Scott: slides will be available
... we learned about "some other guy did it" defense
... all attorneys talk about mild and wild law

<wseltzer> [starts at slide 15 of shared deck]

Scott: mild is driving and looking forward through windshield
... most data practices are about data practices
... that is old stuff, going back 50 years
... authorities are past
... old notions of authority
... concepts of what we did in the past
... but we did not have the same problems, different in kind

<wseltzer> "the problem is that in the past we didn't have a lot of these problems"

Scott: problems are now more about risk
... how to de-risk these new propositions
... notion of identity is locus of duty and liability and rights and value drive identity
... some solutions don't always work
... Now looking at Wild Law -- being asked to speculate
... the nature of the challenge

<wseltzer> caption: "and by tomorrow, I'll need a list of specific unknown risks that we'll encounter with this project"

Scott: Moore's law resulted in increase in interaction volumes and densities
... when trying to de-risk at time of exponential increase, it's very difficult
... more push to interoperability
... comparison slide

<wseltzer> [slide 21]

Scott: legal products, economic products and services
... structure the product to de-risk certain behaviors
... will open up new markets and products
... authority is future opportunity
... old value was cost limitation
... being in a cost center is not a great place to be; you want to be in a profit center
... want to be selling things
... advocating that in terms of DIDs
... Identity not so much a node thing
... it comes back to relationship with community; efficiency; ability to measure nodes
... Identities are key
... Talk about the trends that will affect the measurements
... problem of de-risk things but we don't know what the terms are and their definitions
... Hic Sunt Dracones

scribe: Talk about the 13 global risk trends
... Secrecy is Dead
... you are seeking insights; but there is also intrusion
... distributed info architectures render hierarchies blind
... same people who go on Facebook are connected and yet the CEO is blind about things
... Sovereignty of Complexity
... Socio-Technical systems force non-technical variables into security design
... look at risk not just in the lab, but also in the context of the entire system
... Information Democratization Collapses Scale
... controls can be done by crossing over among elements
... stopping at a traffic light
... business, legal and technical elements can get adjusted
... Data tech is "dual use"
... constraining data is an old law
... people are data producers
... used to have institutional support for data producers
... Big Data insights invert critical analysis
... in genetics they are finding ocean organisms; but fewer pathways involved; we don't have to treat each one as unique
... Synthetic intelligence is sharing ideas
... Internet is not a public park; it is a privately operated commercial space
... Data is not Information

<wseltzer> "meaning security"

scribe: educate into meaning security
... question of bureaucracies
... AAAA threats
... attacks, accidents, and acts of nature
... different vectors of attack
... if you don't know nature of system you cannot deal with it as well
... AI is between attack and act of nature
... that's it
... Good luck

Wendy: any questions following that lightning talk?

Mike: Which was the attack and which was the act of nature?

Speaker: John Fontana

The Enterprise

John: I spent 25 years as a tech journalist
... saw this directory, saw a lot about identity

<Mitja> Can someone please share the google drive link to the presentations?

John: I covered security
... I recorded every conversation because everyone spoke in acronyms and numbers
... then I got off security beat
... and started to cover directories and messaging
... I went to a conference in Philadelphia; sessions on X509
... other side were LDAP guys yelling at each other
... replication issues on the LDAP side, X509 is dead; they are still both around
... directories started to take on a persona
... I got sent to Burton Group conferences
... talked about directories for three days
... then I heard talk about directories and Pam stood up and said 'you're full of it'
... so I talked to her
... All these big companies dictated the reference architecture that the Burton Group would build
... and every year they would carve out time for me to talk to them
... it gave me the lay of the land to cover this stuff
... at the time, Novell, Netscape had directories
... those were hot topics
... asked about multiple forests
... Microsoft gave an hour lecture
... I identified myself
... and asked about 'what about multiple forests'
... so the lede of my story was 'if you want to go to hell, talk about multiple forests'
... got a call from the product manager who was not happy
... that morphed into the Liberty Alliance
... that was in 2001
... remember the WSStar stuff
... where I met Tony from IBM
... he explained passport, infocards, what has morphed into azure infrastructure
... Kim Cameron
... loss of identity
... talking about directory
... hooked onto SAML
... became popular; Andre Duran, CEO of Ping
... he gave nice 45 minutes talk about SAML
... he said he had no clue what he was talking about...
... Since 2010
... I had column on ZDNET on data breaches and how that was falling apart
... data breaches is a tired story; same things keep happening
... I wrote down all of the things I covered
... groupware, collaboration,
... I've seen a lot of water under the bridge
... these iterations on these technologies
... nothing seems to go away
... some things rise to the top
... a testament to what folks in this room do; it takes a lot of time
... wild ride from an LDAP directory to where we are now, and how much has been accomplished
... great things going on in this space
... closest we are working on standards
... thank everybody for their hard work
... hope this will be a milestone for what we have today
... thank you

Wendy: thanks a lot, John
... hard to follow that with an agenda bashing session for tomorrow

Tony: what do you see as trends there? you have seen things fail and succeed
... you must see trends come

John: I talked today in our group
... there is a purity when you are developing the specs
... people in room see the challenge
... get something going
... then bring in the business strategy piece and things go wonky
... hard to drive the spec down to the finishing point
... from experience, that is best avoided
... can be detrimental and leave you with ragged edges
... boils down to the commitment of the people involved before the business guys come in

Pindar: what advice you have to this group based on their experience
... I am hearing you say get the tech work done and keep business people at bay

John: it boils down to hard work
... like kids PTA, bunch of people but only 3 do all the work
... in a volunteer environment, it is difficult to get the people to do the work, and motivate them to do it
... it is difficult

Pam: I would add one thing
... from stuff I have seen; ambiguity is your enemy
... if people want to make things more ambiguous, walk away

John: we talked about scoping
... and let things get out of hand
... FIDO is an example
... has a definable thing to do
... but is pretty simple

Wendy: fantastic
... if you have other comments to write on cards
... please do
... we have been gathering the cards and clustering them to think about what else to discuss
... John, thank you

[applause]

scribe: that brings us to the end of the day
... we had scheduled some agenda bashing
... looking over tomorrow's agenda
... we hope you will generate more ideas
... and as we talk over dinner and dream tonight, write them down and share them tomorrow morning
... and we will look at these clusters
... and see if we are capturing the high points of what we should discuss
... and what do you want to take away from this meeting tomorrow
... we will get a sense of a heat map of the group's interests
... tomorrow we will vote with red and green dots
... if you are motivated, concerned, frightened, want to work on an idea
... what is it we want to drive our energies toward
... Some of that
... and a survey of current work; avoid mistakes and minefields
... breakout sessions
... At W3C we have incubation and spec development
... many members want to see fleshed out ideas for specs before moving to working group
... we have heard from different Community Groups
... see what is ready to move to WG, what is ready for incubation
... come back to more discussion of that
... any warnings or concerns; anything that makes you jump up
... what are your biggest fears about this tech, interop, breakage, warnings we should be hearing
... Agenda also includes discussion on different cultural and economic perspectives
... we hear a lot of Western and first world perspectives
... we need to hear from other regions and other perspectives there
... we have some roadmaps for some future looking into DIDs and Verifiable Claims
... authenticators
... where folks from browsers
... where identity intersects with their work
... where should we all be going inside and outside of W3C
... to help lead the web to its full potential
... If there is something you don't see
... shout it out now, write it down on a card
... I am emphasizing the cards
... we want to hear from people who are not participating in the Q&A; we want to hear from everyone in the room
... Whether or not we do or do not hear more questions
... regarding dinner, we have 6:30pm reservations
... Tony, anything about logistics about shuttles?

Tony: We will have to order a shuttle
... the restaurant is called The Boardwalk
... as far as agenda is concerned
... I would like to see more use cases presented
... @ submitted one to list that I would like to see presented
... I think Mary had some work to do

Mary: some time tomorrow

Wendy: thank you

<aaronpk> is it "Boardwalk by Maria Hines"?

Wendy: anything else for general discussion?
... Thank you everyone
... Thank you, Manu for scribing remotely
... and Jeff and Karen for scribing
... and all who have shared in the discussions
... look forward to a great second day

[adjourned]

Summary of Action Items

Summary of Resolutions

[End of minutes]

Minutes manually created (not a transcript), formatted by David Booth's scribe.perl version 1.154 (CVS log)
$Date: 2018/12/11 00:58:23 $

Agenda: https://www.w3.org/Security/strong-authentication-and-identity-workshop/schedule.html