IRC log of auth-id on 2018-12-11

Timestamps are in UTC.

16:38:54 [RRSAgent]
RRSAgent has joined #auth-id
16:38:54 [RRSAgent]
logging to
16:39:02 [wseltzer]
rrsagent, this meeting spans midnight
16:39:13 [wseltzer]
Meeting: Strong Authentication and Identity, day 2
16:39:26 [wseltzer]
rrsagent, make logs public
16:39:44 [wseltzer]
rrsagent, draft minutes
16:39:44 [RRSAgent]
I have made the request to generate wseltzer
16:40:38 [wseltzer]
rrsagent, draft minutes
16:40:38 [RRSAgent]
I have made the request to generate wseltzer
16:41:06 [wseltzer]
Slides compendium:
16:52:24 [achughes]
achughes has joined #auth-id
16:55:59 [krystian_czesak]
krystian_czesak has joined #auth-id
16:56:17 [takashi]
takashi has joined #auth-id
17:01:32 [BartW]
BartW has joined #auth-id
17:06:10 [StevenL]
StevenL has joined #auth-id
17:06:42 [manu]
Topic: Introduction, Day 2
17:06:46 [manu]
scribe: manu
17:06:58 [shigeya_]
shigeya_ has joined #auth-id
17:07:04 [manu]
wseltzer: Welcome back everyone, we're tracking all input, we're going to start our day 2 of the workshop.
17:07:19 [kenrb]
kenrb has joined #auth-id
17:07:33 [manu]
wseltzer: We have taken cards from yesterday into questions/statements and we're going to do dot voting on those... Kaliya will explain what we're doing next.
17:08:14 [manu]
wseltzer: Great agenda of additional talks/breakouts - exploring cultural perspectives, avoiding mistakes/minefields, breakouts discussing ideas, one of our goals is to help W3C figure out what we should do next.
17:08:27 [Mitja]
Mitja has joined #auth-id
17:08:41 [manu]
wseltzer: That might be community groups, to incubate work, it might be working groups to standardize work, it might be work to be sent to other organizations, or input to other W3C WGs.
17:08:58 [burn]
burn has joined #auth-id
17:09:01 [manu]
wseltzer: A key takeaway here becomes the next directions of what we'd like to collectively do next with all of this input.
17:09:39 [manu]
wseltzer: Lots of place for discussion in the roadmap, where we see the future and how to get there. We wrap up at 4pm today so folks can catch flights.
17:10:56 [manu]
wseltzer: I heard lots of great ideas and still lots of tension, concerns from folks focused on authentication that the identity isn't necessarily tied into authentication, concerns on identifiers (work being characterized wrongly, misunderstood) - if we're not looking at the right use cases, people come to different conclusions. We have time to work out differences in understanding, where is the agreement on the components of the stack?
17:11:20 [manu]
wseltzer: One outcome could be that we're trying to solve different problems, perhaps the technologies can coexist... we can offer insights to one another even if we're not working on the same piece of the problem.
17:11:52 [manu]
wseltzer: If we have issues with things others are working on - let's focus on constructive criticism, how can we all help to make the Web work better by building the right components around authentication and identity.
17:12:05 [manu]
Topic: Dot Voting on concerns and potential work items.
17:12:39 [manu]
Kaliya: We took output from conversation yesterday and crystallized them into some statements and put them on these forms.
17:12:59 [manu]
Kaliya: This is what the form looks like --
17:13:27 [manu]
Kaliya: Write your initials and then put a dot -- one dot only -- agree or disagree, add comments, and signatures - do not vote twice.
17:14:06 [manu]
achughes: Do we vote on all cards?
17:14:22 [manu]
Kaliya: Please vote on each card, we need to gather input - even if it's "I'm confused."
17:15:04 [JoeAndrieu]
JoeAndrieu has joined #auth-id
17:15:12 [manu]
Kaliya: Go around and vote - right now.
17:16:09 [craigspi_]
craigspi_ has joined #auth-id
17:18:17 [manu]
Scribe notes 55 people in the room doing the dot voting.
17:18:19 [kenrb]
kenrb has joined #auth-id
17:22:27 [gannan]
gannan has joined #auth-id
17:31:04 [manu]
rrsagent, draft minutes
17:31:04 [RRSAgent]
I have made the request to generate manu
17:31:48 [manu]
Scribe notes lots of discussion around voting/input.
17:45:40 [gannan]
gannan has joined #auth-id
17:47:32 [kenrb]
kenrb has joined #auth-id
17:49:17 [manu]
wseltzer: Ok, thanks for the input on the proposals... the Program Committee is going to take a look at the feedback and try to synthesize items moving forward.
17:49:43 [manu]
wseltzer: Next up are presentations on Cultural and Economic Perspectives... followed by avoiding mistakes/minefields discussion.
17:51:31 [manu]
Topic: Current Situation of Japanese Fragmented ID Platforms
17:51:39 [manu]
Slides --
17:52:17 [manu]
Takashi: Hi, Takashi from JCB -- before starting presentation, just noting that I am not a native English speaker.
17:52:22 [krystian_czesak]
krystian_czesak has joined #auth-id
17:52:27 [manu]
Slide 2
17:52:39 [Karen]
Karen has joined #auth-id
17:54:23 [Mitja]
Mitja has joined #auth-id
17:55:55 [manu]
Slide 4
17:56:40 [wseltzer]
slide 5
17:57:02 [manu]
Takashi: In ecommerce - in B2C - Amazon is close to Rakuten.
17:59:08 [manu]
Takashi: There are a number of fragmented identity platforms in Japan.
17:59:25 [manu]
Takashi: Also, different payment methods.
18:00:00 [manu]
slide 7
18:00:23 [manu]
Takashi: Big Japanese companies have siloed solutions - six big companies - user has to know timetable... but just redirects to the company's website.
18:02:06 [manu]
Takashi: Driving license has a dominant position in Japan... as an identity mechanism.
18:02:30 [wseltzer]
slide 9
18:02:38 [manu]
Takashi: Japanese government wants to expand usage of "My Number" card for Japanese Social ID System... but most Japanese people don't use this card - only 10%.
18:05:21 [manu]
Takashi: We have a strong need for loose ID federation in Japanese Market...
18:05:35 [manu]
Slide 10
18:06:13 [manu]
Takashi: Large companies seem to want to take a dominant position on Social ID...
18:06:26 [manu]
Takashi: Governments seem to want Drivers license style approaches.
18:06:44 [manu]
Takashi: To achieve this, we need a scheme for DIDs and Self Sovereign identity especially consent management.
18:07:03 [manu]
Takashi: Thank you for your attention.
18:07:40 [manu]
MikeJones: Mike Jones from Microsoft, I know that Yahoo Japan and KDDI implement OpenID Connect. Are they using that to interoperably login at other Japanese sites, or is it mostly silos even though they are using that federation protocol?
18:08:26 [manu]
Takashi: Interop is not so great, in Japan, every company uses Social ID using Yahoo, ??, Facebook, and NTTDoCoMo...
18:09:00 [manu]
Topic: Automatic Identification Standards
18:09:14 [manu]
Slides --
18:09:26 [manu]
shigeya: Let me talk about structured IDs, little different from user identity
18:09:32 [craigspi]
craigspi has joined #auth-id
18:09:36 [tantek]
tantek has joined #auth-id
18:09:50 [wseltzer]
[presentation starts at slide 13]
18:09:52 [jzcallahan]
jzcallahan has joined #auth-id
18:10:10 [manu]
shigeya: you know about bar codes (slide: bag of mints -- comes from GS1)
18:10:49 [manu]
shigeya: GS1 - they do the UPC - GS1 has a database...
18:10:57 [tomj]
tomj has joined #auth-id
18:11:01 [manu]
shigeya: GS1 standards - identify, capture, and share - slide 16
18:11:03 [manu]
Slide 16
18:11:52 [manu]
shigeya: There are multiple formats to identify, capture, and share... barcode is only one of them, can be expressed in URLs.
18:12:54 [manu]
shigeya: GS1 has identification keys - domains... trade items (GTIN), logistics (SSCC), Assets (GIAI), and locations (GLNs)
18:13:07 [pamela]
pamela has joined #auth-id
18:14:04 [gannan]
gannan has joined #auth-id
18:14:35 [manu]
shigeya: Companies assign GLNs to locations like factories... examples of GS1 identifiers.
18:14:57 [manu]
shigeya: These are all expressible as URNs... urn:epc:id:...
18:15:11 [manu]
shigeya: These are not DIDs, but they kind of look the same, different domain.
18:15:35 [manu]
shigeya: There are also physical representations - barcodes, RFID, there are different formats/syntaxes.
18:16:28 [manu]
shigeya: So let's look at applications... GS1 Lightweight Messaging Standard for Verification... RESTful interface to resolve GS1 IDs... use case - US Drug Supply Chain.
18:16:42 [manu]
shigeya: We're interested in using Verifiable Credentials for this.
18:17:09 [manu]
Slide 21
18:17:28 [manu]
shigeya: Here are some difficulties with resolution services - Object Naming System... DNS based part of GS1 key to server mapping... not used other than for research purposes.
18:17:52 [manu]
shigeya: GS1 Discovery Services - centralized - map keys to servers, suspended until well-defined demands from industry.
18:18:14 [manu]
shigeya: but lately, there is renewed interest in mapping between identifiers and associated data, together with verification of identifiers.
18:19:06 [manu]
shigeya: GS1 is the standard on product and business entity identification; DID focuses on digital identity, we need a cyber-physical link other than humans.
18:19:19 [manu]
shigeya: DIDs could be used in the "id" fields in DID related standards.
18:19:28 [manu]
shigeya: There is a good intersection between DIDs and GS1 work.
18:20:00 [manu]
Pam: You talked about resolution and mapping - are those different things in your taxonomy?
18:20:37 [manu]
shigeya: Mapping and discovery is ... different.
18:21:23 [manu]
shigeya: RFID is ... RFID leaks information... but information record is somewhere else, stored on the server, that information may be on a single server or multiple servers... discovery service integrates all these data flows together.
18:22:13 [manu]
Topic: Laws and Borders: Self-Administered Identifiers and NextPats
18:22:17 [manu]
Slides --
18:22:41 [manu]
Pindar: What can this technology do to make things faster, safer, cheaper... what can it not do?
18:22:45 [kenrb]
kenrb has joined #auth-id
18:22:48 [wseltzer]
-> Pindar's slides
18:23:04 [manu]
Pindar: What about NETizen eXpatriates -- people that want to transact across borders.
18:23:13 [manu]
Slide 2
18:23:25 [manu]
Pindar: There are more people on this circle than the rest of the planet... lots of people
18:23:35 [manu]
Pindar: 50 billion machines coming down the pipeline.
18:23:47 [manu]
Pindar: The Right to Work Online -- cannot be done w/o this technologies...
18:24:07 [manu]
Pindar: I work w/ displaced people - there are more people displaced today than after WW2... 70M
18:24:08 [manu]
Slide 3
18:24:40 [manu]
Pindar: These people are away from their home countries... global climate change makes it worse... legal certainty - do they have it... these people are going to grow to 700M in the future
18:25:13 [manu]
Pindar: There is a potential billion person market here covering ... what about the lawful approach (there are non-lawful approaches to solve these problems)
18:25:44 [wseltzer]
"We're all migrants, we just don't know it yet"
18:25:46 [manu]
Pindar: Examples of this, after WWI, if your country no longer existed, passports don't work. How can we create a "Right to Work Online"? It's not a Sovereign view, it's not about borders, it's about topology.
18:25:58 [manu]
Pindar: How many people are in My Number? 10% of Japan.
18:26:22 [manu]
Pindar: Aadhaar is over 1 billion users... great stats, interesting ruling on constitutionality.
18:26:40 [manu]
Pindar: Aadhaar has issues, but it's deployed.
18:26:53 [manu]
Pindar: 50B devices online - we need to be concerned about scale.
18:27:29 [manu]
Pindar: There are other mechanisms in China - Social Credit System, Real Name Electronic ID, Fintech, Common CLOUD.... identities issued by governments to citizens.
18:28:49 [manu]
Pindar: There is the Belt and Road Initiative - when you cross borders, law is defined by borders - when you cross 65-68 legal jurisdiction... Hong Kong is looking at digital roots.
18:29:08 [manu]
Pindar: We have 3-5 times more internet capacity into Hong Kong than all of China combined - how is this leveraged?
18:29:30 [manu]
Pindar: What is the competitive landscape, market structure, business models... what are the fundamental tensions between geography and topology?
18:30:21 [manu]
Pindar: We are mixing fire and ice - government issued - year 1648... in Hong Kong year 2047 -- self administered
18:30:35 [manu]
Pindar: No nation below mathematics... physical border in borderless world... self-administered IDs...
18:31:17 [manu]
Pindar: Here's the belt and road blockchain - only deals w/ corporate identifiers, legal in Switzerland, identifier system for corporates, self administered IDs, the most important thing is Self-Administered IDs, why do you need them?
18:31:26 [manu]
Pindar: Companies don't have a right to anonymity - they have to be registered, they have to pay tax.
18:31:53 [manu]
Pindar: We need a golden source of data, we need to know where law applies, that's one of the things that Hong Kong is famous for...
18:32:51 [manu]
Pindar: As a technical community - consistency - Hong Kong - golden copies, grounded by government institutions, use it, assign copies of data, have less legal responsibility and liability.
18:33:03 [manu]
Pindar: to scale cloud services, need identifiers system to allow different cloud systems to scale.
18:33:25 [manu]
Pindar: This is why we call them Self-Administered Identifiers - corporates/individuals... Sovereign states - Fire... dynamic violence.
18:33:51 [manu]
Pindar: in our Internet view - borderless... ice... cryptographically strong static violence...
18:34:19 [manu]
Pindar: We need to understand consent - freeze, not move - different property that does not require rule of law -
18:35:02 [manu]
Pindar: legal certainty - many of us that do contracts don't see the light of day - computing engine of court system - interpret run legal code... computational code - cryptographic consistency - we can have a different type of discussion.
18:35:21 [wseltzer]
[slide 16]
18:35:24 [manu]
Pindar: Fundamental assumptions - distance != cost, centralized != trusted, time != money
18:35:47 [manu]
Pindar: What are assumptions implicit in our discussions... - digital trade and digital work online is different.
18:35:59 [wseltzer]
[slide 18]
18:36:03 [manu]
Pindar: We've had Cyber Monday / Black Friday - different by an order of magnitude.
18:36:18 [manu]
Pindar: Singles day is way bigger.
18:37:18 [manu]
Topic: Trusted ID
18:37:30 [manu]
Tom: We've been doing work in Kantara - a Trusted Identity
18:37:38 [wseltzer]
-> Tom Jones and Mary Hodder's slides
18:38:17 [manu]
Tom: What you see when you look at this, Authentication of a User has to be different ... Decentralized Identity on steroids - pieces of identity are spread throughout space.
18:38:42 [manu]
Tom: How to bring things back together again... talks to strong enough idea that we're trying to present to this group.
18:38:52 [manu]
Tom: Authentication and Authorization - separate and needs to stay separate.
18:39:06 [manu]
Tom: WebAuthn comes up more like Authorization...
18:39:25 [manu]
Tom: The idea is that in this use case, pretty high assurance that someone is over 21 if they need to buy some alcohol or some other restricted element online.
18:40:05 [manu]
Tom: We're going to talk about these 4 actors - consumer that wants restricted resource, supplier that has resource, verifier of claim of majority (sort of like Verifiable Credentials meaning), this verifier can validate binding between user and claim.
18:40:23 [manu]
Tom: I'll try to use validate when I say that and verified when I say verified claim.
18:40:30 [manu]
Tom: What about the right of a regulator agency?
18:40:53 [manu]
Tom: One of the most interesting cases is DEA position on drugs...
18:41:08 [manu]
Kaliya: When you say regulatory agency, do you mean provider of claim?
18:41:24 [manu]
JohnB: What requirements are there?
18:42:13 [manu]
MaryHodder: For state of California, board of brewery, had to do a deep identity verification for brewing... tap room, physical location, sell things through website and people can come in and pick up... brewing operations, they spot check, they don't look at our records for every single sale.
18:42:37 [manu]
MaryHodder: Often people flash a license... employees are doing that check, there is no recording except through website purchases... no one is even providing this.
18:43:12 [manu]
MaryHodder: They are literally clicking a button, which is not good, flashing license... but there is no real recording/requirement that feds and State of California require for alcohol purchases.
18:43:37 [manu]
Tom: If you are buying alcohol, you can have different requirements for different types of purchases.
18:43:53 [manu]
Tom: The specific rules differ by state - online use case, they will try to find rules that will work for all states.
18:44:08 [manu]
Tom: Last part - provider of late binding tokens and client-side code.
18:44:13 [craigspi_]
craigspi_ has joined #auth-id
18:44:41 [manu]
Tom: Smart card, TPM, etc. precondition is that you have a consumer that has a late binding token that has it, they have an over 21 claim, and finally they have a consumer that already established an ID with some supplier.
18:45:11 [manu]
Tom: They are already online... that's where we are ... two different use cases to look at this - supplier sends request through user asking for a claim... user has a claim... user sends it back.
18:45:51 [manu]
Tom: It's not verified - typically, supplier ... use late binding token to be attached to claim, late binding token is attached.
18:46:20 [manu]
Tom: If you are an OpenID person, this is just front-channel authentication... at this point, we have provided a service to supplier, we expect supplier to receive validated claim.
18:46:35 [manu]
Tom: This is small, 5-10 cents - standard practice - fraud detection circuit.
18:46:55 [manu]
Tom: Second scenario, something that looks like a back channel - consumer himself has to go and get validated claim.
18:47:03 [manu]
Tom: Gets validation, gets claim, supplier gets it.
18:47:25 [manu]
Tom: This is traditional advertising model... bound to session.
18:47:41 [oliver-terbu]
oliver-terbu has joined #auth-id
18:47:49 [manu]
Tom: Fail paths - fairly obvious, user doesn't get verified, or fails validation at supplier
18:48:11 [oliver-terbu]
could you please again share the link to the google slides?
18:48:35 [manu]
s/could you please again share the link to the google slides?//
18:49:02 [manu]
Tom: The real point is that the user gets to decide what attributes he sends based on what he's doing at the current moment.
18:49:40 [manu]
Tom: Examples of what could be used, client side code
18:50:16 [manu]
Tom: users shouldn't expose stuff to websites ... so we need a way for websites to identify themselves... trust federations apply to what we're talking about... alcohol... drugs, different rules, different conditions.
18:50:35 [jzcallahan]
jzcallahan has joined #auth-id
18:50:58 [manu]
ChristopherA: The VC and DID community has been using the "Over 21" story over the last couple of years.
18:51:19 [manu]
ChristopherA: There are major differences in some places - for example item 6 - we're not trusting that the user makes the choice, the absolute minimum information should be given.
18:51:35 [manu]
ChristopherA: Data Minimization story there.
18:51:51 [manu]
ChristopherA: There is a separate selective disclosure story - there shouldn't be a backchannel where the bar can correlate information.
18:52:35 [manu]
ChristopherA: This is in our whitepaper on data minimization and selective disclosure and how they're different... in the VC group, and DID group, we've decided to drop this story... over 21 is too complicated, doesn't always apply, it's problematic. We've gone to university alumni and university degree.
18:52:54 [manu]
Tom: I understand that this is a broader scope - take the claim, moves to higher plane,
18:53:02 [manu]
ChristopherA: We would be happy to share with you on this stuff.
18:53:13 [Zakim]
Zakim has left #auth-id
18:53:22 [manu]
wseltzer: Thank you very much Tom and Mary!
18:54:49 [wseltzer]
[15 min break]
18:54:55 [jillwill01]
jillwill01 has joined #auth-id
18:55:39 [SarahSquire]
SarahSquire has joined #auth-id
19:06:15 [jzcallahan]
jzcallahan has joined #auth-id
19:11:08 [krystian_czesak]
krystian_czesak has joined #auth-id
19:14:07 [manu]
Topic: Avoiding Mistakes and Minefields
19:14:11 [weiler]
scribenick: weiler
19:14:17 [weiler]
me can only do this for a little while
19:14:24 [manu]
s/me can only do this for a little while//
19:14:37 [manu]
rrsagent, draft minutes
19:14:37 [RRSAgent]
I have made the request to generate manu
19:15:08 [Karen]
Karen has joined #auth-id
19:15:22 [weiler]
jeffh: I want to throw out ideas and be provocative.
19:16:24 [wseltzer]
-> JeffH's slides
19:16:46 [weiler]
[protocol & system design time]
19:17:09 [weiler]
... need to carefully define terminology and use it consistently. WebAuthn spent much time on this.
19:17:25 [weiler]
... best to fix this at design time.
19:17:53 [weiler]
... In directory days (95-96 ---> 1998) "names" and "identifiers" were often swapped.
19:18:20 [weiler]
... e.g. names are fungible and non-unique and identifiers are unique and persistent.
19:18:29 [Zakim]
Zakim has joined #auth-id
19:19:18 [weiler]
... In implementing this in an RDBMS, we threw out the X.500 idea that DNs are real names. We jammed UUIDs in the DN for people entries and never revealed it.
19:19:44 [weiler]
... so when users entered a name in a form, we did not map that to a DN and do the lookup - we did searches instead.
19:20:06 [weiler]
... The thing that made this work was that the UMich LDAP implementation was fast.
19:20:25 [weiler]
... At COMPONENT implementation time...
19:20:46 [weiler]
[cites "Most Dangerous Code in the World"]
19:21:11 [weiler]
... Much of this has been fixed.
19:21:18 [weiler]
... at DEPLOYMENT time:
19:21:49 [weiler]
... are underlying techs secure (see above). need a carefully designed deployment architecture.
19:22:33 [weiler]
... I asked advice from deployers of federated systems....
19:22:45 [weiler]
[slide on Deployment Time]
19:22:59 [weiler]
... Failing to check results.
19:23:10 [weiler]
... Assuming that a 'principal name' is an email and not checking it.
19:23:36 [weiler]
... eduPersonAffiliation doesn't mean the same thing at all sites.
19:24:14 [weiler]
... different sites may have different rules; danger in assuming commonality.
19:24:39 [weiler]
... other federation members may not follow BCPs.
19:24:44 [weiler]
... users get confused.
19:25:08 [Mitja]
Mitja has joined #auth-id
19:25:12 [weiler]
... Overall: trust does not scale (across arbitrary policy domains)
19:26:18 [weiler]
... SP800-63-3 is an attempt to define these for USG agencies and might be a model for how to have uniform policies across relatively disparate orgs.
19:27:11 [jfontana]
jfontana has joined #auth-id
19:27:22 [kenrb]
kenrb has joined #auth-id
19:27:23 [weiler]
... Consider a simple design with simple use cases, expecting it to evolve.
19:27:41 [weiler]
... Build something malleable. and that has utility.
19:28:13 [weiler]
[slide: flexitility]
19:29:08 [wseltzer]
q+ Jim, Dirk
19:29:15 [weiler]
tony: you said 'take things small' - there is a limit to how small you can go...
19:29:20 [weiler]
jeffh: do something useful.
19:29:30 [weiler]
tony: even small could be useful, but has no context
19:30:01 [weiler]
jeffh: e.g. use U2F - doesn't get rid of passwords. We learned a lot that we took into FIDO2, where we're trying to satisfy the passwordless case. that's an example.
19:30:14 [weiler]
tony: what if we just defined the message payload, no transports.
19:30:25 [weiler]
jeff: what do you do with that? write an academic paper.
19:30:44 [weiler]
... I think you start with a basic use case
19:30:50 [wseltzer]
ack Jim
19:30:55 [wseltzer]
q+ MikeJones
19:31:18 [weiler]
jim: re: reference to publication (NIST) - is this something w3c buys into?
19:31:30 [weiler]
jeffh: in commercial world, it's a good example to pay attention to.
19:31:47 [wseltzer]
ack Dirk
19:32:09 [weiler]
dirk: i like the distinction in phases. focusing on spec writing: any juicy examples of terrible specs, and also good examples?
19:32:59 [weiler]
jeffh: OpenID1 is an example of something we learned from. I compare it and SAML in a doc from 2008 - I characterize OpenID1 as a chunk of forged metal.
19:33:10 [weiler]
... you cannot profile it or change it around. It only works one way.
19:33:47 [weiler]
... you learn from that. OAUTHv2, OIDC have many components - they're more like molten metal. a Profile is a mold; you can reshape them to do something new.
19:34:03 [weiler]
Dirk: OpenID1 was conceived by a small set of people. do you need to have a larger group?
19:34:31 [jfontana]
present +jfontana
19:34:32 [weiler]
jeff: as you iterate, you bring new use cases in. if you have something that can be extended (is malleable) to fix new use case, that's a good thing.
19:35:03 [weiler]
... you're unlikely to be able to satisfy all use cases.
19:35:31 [wseltzer]
ack Mike
19:35:38 [weiler]
mike jones: I agree re: the centrality of iteration as well as "do something small". build the smallest deployable unit, so that you learn.
19:35:53 [weiler]
... if you reach that kernel, like open ID1, which morphed into 2, you learn things.
19:36:18 [weiler]
... most humans are not capable of entering identifiers as URLs. So you find email addresses, which people understand, despite the downsides.
19:36:30 [weiler]
... I agree re: "have core functionality" and have extension points.
19:36:42 [weiler]
e.g. encryption in @@
19:36:43 [burn]
q+ to mention standards as process of attrition
19:37:30 [weiler]
jeffh: identity federation based on HTTP was invented in 10s-100s of different places
19:38:43 [weiler]
... at Stanford, we invented one. In 1999 Burton Group consultant said "let's get into a room" to merge two competing standards
19:39:13 [weiler]
... In hindsight, that became OASIS security services technical committee. something else became OpenID1.
19:39:17 [weiler]
... then OpenID2.
19:39:29 [weiler]
... then OAUTH to authorize services to talk on a user's behalf.
19:39:50 [weiler]
... then MS and Google came in with new use cases and that led to OAUTH2
19:41:23 [weiler]
[draws on paper]
19:41:47 [BartW]
BartW has joined #auth-id
19:41:49 [weiler]
... early rat race, narrow funnel. it's hard to get the planet to decide on one design.
19:42:10 [weiler]
... Best example are automobile controls. that wasn't standardized until 1920s.
19:42:32 [weiler]
... I remember a gas pedal in the middle. Right hand drive.
19:42:40 [SarahSquire]
SarahSquire has joined #auth-id
19:43:15 [wseltzer]
q+ MikeJones
19:43:17 [wseltzer]
ack burn
19:43:17 [Zakim]
burn, you wanted to mention standards as process of attrition
19:43:20 [weiler]
[ ]
19:43:56 [weiler]
dan: standards is a process of attrition. once you build something that is of value to the group, it can be good to declare victory on that piece. at some point you'll find that there aren't enough people to keep going (for now).
19:44:08 [weiler]
... it's easy to overextend on requirements.
19:44:15 [weiler]
... when you don't have agreement.
19:44:27 [weiler]
Jeff: this is an argument for modular design
19:44:56 [weiler]
... other example is LDAP. We aren't working on it any more, but we all use it. It's sedimented. You only mess with them when you need to. e.g. tuning of TCP.
19:44:59 [Jiewen]
Jiewen has joined #auth-id
19:45:09 [pindarhk]
pindarhk has joined #auth-id
19:45:13 [weiler]
... TCP works. Until you find issues, like buffer bloat.
19:45:19 [brentz]
brentz has joined #auth-id
19:45:22 [weiler]
... but things sediment down and you don't need to pay attention.
19:45:37 [brentz]
present+ Brent_Zundel
19:45:53 [weiler]
Mike Jones: I reinforce your story re: independent invention signifying time for a standard. When JWT finished, there were four different
19:46:09 [weiler]
... formats. we took that as a sign that we should talk to each other.
19:46:44 [weiler]
... coming into the present day. there are a bunch of people here working on DIDs and at RWOT there were people saying "I built DIDs" and people
19:46:59 [weiler]
... were asking "how did you represent keys", what use cases did you solve, etc.
19:47:03 [weiler]
... which showed they didn't have interop.
19:47:19 [weiler]
... if you want a DID thing that works, you need to make some choices. Need one way to do X.
19:47:27 [kimhd]
kimhd has joined #auth-id
19:47:38 [wseltzer]
ack Mike
19:47:45 [weiler]
... if you want interop. engineers in building 28 next door looked at DIDs and wondered what to build. it's time to do that.
19:48:13 [weiler]
Kim Duffy: i apologize that at RWOT that didn't come across
19:48:42 [weiler]
... in my use cases (educational credentials) we've not been good about getting the message out. we're trying to clarify confusions.
19:48:53 [wseltzer]
ack kim
19:49:07 [weiler]
christopher: there's a distinction between DID itself and @2 and specifics of individual methods. different
19:49:18 [weiler]
... companies have chosen different architectures, crypto, curves.
19:49:28 [weiler]
... I heard "given the blockchain you're using, what did you use?".
19:49:47 [weiler]
... another issue had to do with VC, not DIDs - format for signing VCs.
19:50:00 [kimhd]
@weiler -- that's not what I said
19:50:04 [kimhd]
I'll correct
19:50:19 [weiler]
... there has not been consensus because W3C limited scope of WG to data format only.
19:50:54 [wseltzer]
q+ daniel
19:50:57 [wseltzer]
q- later
19:51:13 [weiler]
mike: as an outsider, I think it's time to make choices. I think you have to have algo agility, but basic data structures need to be picked.
19:51:48 [weiler]
daniel: to be practical, I think we need to specify how keys are declared. I think we can narrow it down.
19:51:49 [wseltzer]
q+ Peter
19:51:52 [wseltzer]
q- later
19:52:04 [wseltzer]
q+ re modularity and constraints, utility
19:52:05 [weiler]
... that might be a place we can make progress.
19:52:15 [weiler]
... resolving them the same will never work.
19:52:35 [weiler]
... since they're constructed for different purposes.
19:52:52 [weiler]
... they don't resolve the same because they're serving different purposes.
19:53:20 [weiler]
chris: @4 we are not ready to accept that new academic research.
19:54:00 [weiler]
kim: the proposal for the DID WG has only to do with data model and syntax. The cards were a little misleading. the interop part we want to standardize is the data model and syntax.
19:54:15 [kimhd]
s/ in my use cases (educational credentials) we've not been good about getting the message out/our pre-standards groups have not done a great job communicating the use cases (like educational credentials). We are actively working on that
19:54:25 [kimhd]
^ Correction
19:54:47 [weiler]
wendy: I'm hearing challenges re: the right level of modularity. I heard @4. It needs to be big enough to be useful. I'm hearing from VC WG frustration at scope of charter.
19:55:29 [weiler]
... drawing the right boundaries where we're okay with a group setting a scope - and thinking about other modules we need to build. As we move to next phases of discussion, we have lots of cards to work through.
19:55:47 [weiler]
... I want to do some breakout gardening.
19:56:03 [weiler]
... for our time after lunch.
19:56:47 [weiler]
... on the wall on the right, there are items where confusion has been expressed. We could ask the room if there's confusion you want us to address today.
19:57:13 [weiler]
... there are other places where we have general consensus. and there are cards that show a deep division. would be great
19:57:30 [weiler]
... to address the source of that division. and questions re: chartering of work.
19:57:46 [aaronpk]
scribenick: aaronpk
19:58:05 [aaronpk]
chris: is it possible to go parallel rather than sequential now?
19:58:17 [aaronpk]
... a bunch of ppl are leaving at 4, some sooner, there's a bunch of momentum around chartering a DID WG
19:58:24 [aaronpk]
... we'd like to address the objections
19:58:40 [aaronpk]
... so spending a lot of time on others is going to stop us from coming to some closure on the DID WG charter
19:58:56 [aaronpk]
wendy: there is a lot of interest in addressing the questions of the DID WG
19:59:11 [aaronpk]
... and i think we want to address the presentation of that
19:59:19 [aaronpk]
... and some of the controversy that came up
19:59:29 [aaronpk]
... the co-chairs of the CG result from a confusion of what they are proposing
19:59:43 [aaronpk]
... so it's only fair to let them share what they are proposing if we're asking the group to give input on whether that's a good direction
19:59:57 [aaronpk]
... and i know manu is actively listening and participating even though he couldn't join us, was offering to share some of his input
20:00:11 [aaronpk]
... on the roadmap that the DID proponents have for moving their work forward
20:00:27 [aaronpk]
... unfortunately manu reports his audio can't connect
20:00:36 [kimhd]
it sounds fine
20:00:48 [aaronpk]
manu: so i can't hear what you're saying at all
20:00:54 [wseltzer]
manu, can you speak?
20:00:58 [aaronpk]
manu: i'm going to go ahead
20:01:20 [aaronpk]
... i wanted to clarify some of the items around the DID WG proposal
20:01:32 [aaronpk]
... for those not aware, the work on DIDs has been happening for about 3 years
20:01:43 [aaronpk]
... in the group called the credentials WG
20:01:49 [aaronpk]
20:02:04 [Mathias]
Mathias has joined #auth-id
20:02:05 [aaronpk]
... we meet weekly, about 30 people, and run experiments around verifiable credentials and things of that nature
20:02:16 [aaronpk]
... about 8 months ago we put together a DID WG charter, highly focused on data models specifically
20:02:33 [aaronpk]
... but as i mentioned, the CCG is front-running that work and doing experiments around protocols and resolution and the open questions
20:02:46 [aaronpk]
... one of the things that became clear over the last year, given we have 15 different DID methods right now
20:03:02 [aaronpk]
... there's a desire to create a W3C WG around the data model, that's the small step that we believe is appropriate to take at this point
20:03:16 [aaronpk]
... we did circulate a questionnaire about 4 months ago to the W3C membership and a number of other large organizations
20:03:20 [manu]
Member confidential slide deck on DID progress:
20:03:23 [aaronpk]
... this is a member confidential slide deck on DID progress
20:03:27 [manu]
public one here:
20:03:30 [aaronpk]
... there is a public one that i'll also share here
20:03:42 [aaronpk]
... the outcome of this survey, we asked if the charter was appropriate
20:03:47 [aaronpk]
... we got 80 responses, a large sample set
20:03:58 [aaronpk]
... of those 80, we asked how many of them would support and join, not just support, a DID working group
20:04:02 [aaronpk]
... that's scoped to the charter we produced
20:04:18 [aaronpk]
... it is data model only. out of 80, 60 said they would join the WG
20:04:29 [aaronpk]
... for those of you who are not familiar with the process, that's well above what is needed to create a WG
20:04:41 [aaronpk]
... this is the primary thing that we're trying to accomplish at the workshop
20:04:47 [wseltzer]
q+ re W3C process
20:04:51 [wseltzer]
ack daniel
20:04:52 [aaronpk]
... to socialize that this charter is out there and has 60+ W3C members in support of it
20:04:53 [wseltzer]
ack Peter
20:04:55 [aaronpk]
... and to socialize it
20:04:56 [wseltzer]
ack kimhd
20:04:57 [wseltzer]
ack ws
20:04:57 [Zakim]
wseltzer, you wanted to discuss modularity and constraints, utility and to discuss W3C process
20:05:03 [aaronpk]
... so it's not a done thing but it's a socialized charter
20:05:09 [kimhd]
ack kimhd
20:05:13 [wseltzer]
q+ re W3C process
20:05:16 [aaronpk]
... there are things not in the charter, we don't talk about DID Auth, we don't talk about DID resolution
20:05:17 [kimhd]
oops, meant to q-
20:05:25 [aaronpk]
... we're trying to pick a small set of work, then after that go on to the next step
20:05:29 [aaronpk]
... which could be resolution or auth
20:05:33 [aaronpk]
... i'm going to stop there
20:05:37 [burn]
s/oops, meant to q-//
20:05:43 [aaronpk]
wendy: thanks manu
20:05:55 [ChristopherA]
Thanks Manu!
20:05:59 [aaronpk]
... regarding the w3c process, the components are support, willingness to work, lack of formal objections
20:06:11 [aaronpk]
... or all of the objections to the work have been addressed to the satisfaction of the w3c director
20:06:22 [aaronpk]
... so a goal of socializing the work is to get support and address the concerns that others might have
20:06:25 [will]
will has joined #auth-id
20:06:46 [aaronpk]
... so i like the suggestion of breakout and making this more of a discussion, i'd love to find a way to have manu participate in that discussion
20:07:07 [aaronpk]
... but figuring for those who are concerned about this work, or don't think its the right direction, what would help you to address those concerns, and what else do you need to hear
20:07:14 [aaronpk]
... if there's an understanding gap or what would need to change
20:07:30 [aaronpk]
mike: mike jones microsoft. i want to reflect on some of the excellent observations that jeff made
20:07:39 [aaronpk]
... about the ability to iterate and standardize
20:08:00 [aaronpk]
... at least as the charter was just described by manu, it describes a data structure but doesn't define how to do resolution or authentication
20:08:14 [aaronpk]
... and thinking in terms of minimum deployable unit you need to have all three of those things to have a functioning DID
20:08:27 [aaronpk]
... so it seems counterproductive to define a data structure without defining how to deploy it in practice
20:08:44 [weiler]
q+ tony
20:08:48 [kimhd_]
kimhd_ has joined #auth-id
20:08:54 [kimhd_]
q+ I have some clarifying questions
20:09:06 [kimhd_]
q+ to ask some clarifying questions
20:09:11 [aaronpk]
kaliya: as a person who can't get into the technical weeds, one of the things i've continued to hear is we have to scope it so narrowly that what you've said is out of scope and causes problems
20:09:22 [aaronpk]
... so if we can figure out how to expand the scope to address those things that seems like a path forward
20:09:29 [burn]
q+ ChristopherA
20:09:36 [JoeAndrieu]
q+ Daniel Buchner
20:09:40 [aaronpk]
tony: defining a data structure is too small at this point in time
20:09:42 [JoeAndrieu]
q- Buchner
20:09:44 [manu]
q+ JWTs are a data format, that's it -- how is that any different?
20:09:51 [manu]
q+ to say JWTs are a data format, that's it -- how is that any different?
20:09:51 [weiler]
ack tony
20:10:02 [aaronpk]
... trying to understand the cardinality of the data structure, how to use the data structure, it will create confusion out there and create more confusion around the use of the data structure
20:10:12 [aaronpk]
... so i do believe that there needs to be more discussion on these aspects before moving forward
20:10:15 [daniel]
daniel has joined #auth-id
20:10:25 [craigspi]
craigspi has joined #auth-id
20:10:35 [kimhd_]
q+ to ask clarifying questions in case no one addresses it
20:10:48 [aaronpk]
sam: mike your concerns about just the data structures aren't enough to be deployable... didn't we hear from jeff that we need to pick from those and people can build things around it, and then people can build on that later
20:11:00 [aaronpk]
... it's timely to do the data structure work, and people can build things that aren't standard
20:11:19 [aaronpk]
mike: i could be wrong, but i believe that these are interdependent, that you have to understand in these cases how it's going to be used to know what you have to represent
20:11:36 [aaronpk]
... it's Sedgewick's algorithms book where the opening phrase is data structures are algorithms, they imply usage
20:11:39 [weiler]
ack me
20:11:40 [weiler]
ack CHri
20:11:56 [aaronpk]
chris: tho i will be the first to say that i feel overly constrained by the no protocols no crypto in the verifiable claims group, we did come up with something fairly solid
20:12:08 [aaronpk]
... so i would find it acceptable to take that same approach with DIDs and only focus on that side of things
20:12:17 [aaronpk]
... if i were to extend it i wouldn't extend it as far as you've said
20:12:36 [aaronpk]
... i dont like the name DIDAuth, i would like to have a simple two party proof of control as a sort of minimum viable test of a DID
20:12:42 [wseltzer]
q+ re CGs and WGs
20:12:52 [aaronpk]
... i do not believe we should talk about DID resolution or universal resolving because i think that's going to be up to the marketplace
20:13:05 [aaronpk]
... we already demonstrate that works now, there will be market realities to push people together
20:13:05 [wseltzer]
q+ re sequential standards
20:13:36 [aaronpk]
... defining a minimum viable proof of control will help verifiable claims a bunch, it will demonstrate the DID spec does what we promise, then we will talk with people who will do three party and more complex structures on the back of that as separate future working groups
20:13:48 [aaronpk]
wendy: time check, lunch is coming.
20:14:09 [aaronpk]
daniel: in terms of the technical piece, i was curious when you bring up resolution it infers other things
20:14:11 [wseltzer]
ack Dan
20:14:25 [aaronpk]
... resolutions infer other things, we're working on batching that sticks things in bitcoin. other schemes don't do that
20:14:55 [aaronpk]
... the idea that we standardize resolution, we'll run a plugin that resolves each one, you can't really standardize the resolution steps because they are inherently different just like you can't standardize the math in a cryptographic scheme
20:15:08 [aaronpk]
... so that's how you should in your mind associate a DID method's logic and what we can standardize
20:15:20 [weiler]
ack kim
20:15:20 [Zakim]
kimhd_, you wanted to ask clarifying questions in case no one addresses it
20:15:23 [wseltzer]
ack kim
20:15:30 [aaronpk]
kim: one thing that's coming up, i'm hearing what's different rules for what's required to make a WG
20:15:36 [daniel]
You're next
20:15:41 [aaronpk]
... you're mentioning some criteria of what i've heard before
20:15:57 [aaronpk]
... christopher said we need to have a focused data model and syntax. we've been incubating a lot of these standards, we have a roadmap.
20:16:15 [aaronpk]
... one thing that might be helpful is to push for some clarity on what we need for working group formation so we don't feel like we're reacting to what feel like arbitrary rule changes
20:16:39 [wseltzer] W3C Process re charter development
20:16:41 [aaronpk]
mike: i'm not describing rules for WG formation, i'm describing in my experience as a standards developer what you need to do to have the work product of the standards output to succeed
20:16:52 [aaronpk]
chris: if we were adding one simple proof of control that everyone could support would that be enough?
20:16:54 [weiler]
zakim, please give manu the last word
20:16:54 [Zakim]
ok, weiler, the speaker queue is closed and cleared
20:16:55 [Zakim]
manu, you wanted to say JWTs are a data format, that's it -- how is that any different?
20:17:02 [aaronpk]
mike: that's a step in the right direction, i don't have preconceived boundaries on what the particulars are
20:17:18 [aaronpk]
... the particulars may be different for all of them but you have to write down one or two of them to have interoperable implementations
20:17:41 [aaronpk]
manu: i'm slightly frustrated with the direction that some of the JWT folks are taking
20:17:46 [aaronpk]
... JWTs are a data model full stop
20:17:55 [aaronpk]
... in that sense, it's strange to me that doing a data model is not enough for a WG
20:18:00 [aaronpk]
... it's a very strange argument
20:18:13 [aaronpk]
... the second thing is there are a number of companies that are building and deploying verifiable creds to real customers today
20:18:25 [craigspi_]
craigspi_ has joined #auth-id
20:18:35 [aaronpk]
... this is not a theoretical exercise, there are organizations involved in this work, and i'll note that those taking exception to the WG are not building these systems
20:19:00 [aaronpk]
... so as someone who is leading a company writing this code that having a DID spec in place even if only a data model is going to help greatly that ensuring this market as it's growing has something to build off of
20:19:11 [aaronpk]
... there are other pieces coming in place down the road but we are taking a very staged approach to what we're doing
20:19:20 [aaronpk]
wendy: we are going to break for lunch
20:19:26 [aaronpk]
... take an hour for lunch and come back at 1:20
20:19:30 [weiler]
rrsagent, draft minutes
20:19:30 [RRSAgent]
I have made the request to generate weiler
20:19:38 [weiler]
zakim, reopen the queue
20:19:38 [Zakim]
ok, weiler, the speaker queue is open
20:19:47 [wseltzer]
[1 hour lunch]
20:21:02 [kenrb]
kenrb has joined #auth-id
20:32:57 [tomj]
tomj has joined #auth-id
20:38:38 [manu]
s/slightly frustrated with the direction/disappointed with the line of argumentation/
20:40:41 [manu]
s/the JWT folks are taking/a vocal minority in the JWT community (mostly from Microsoft) are making... that Working Groups focusing on Data Models only are not useful/
20:40:45 [manu]
rrsagent, draft minutes
20:40:45 [RRSAgent]
I have made the request to generate manu
20:43:19 [jzcallahan]
jzcallahan has joined #auth-id
20:43:25 [manu]
i/there were four different/Topic: Seeking Clarity (around DIDs and other breakout items)
20:43:31 [manu]
i/there were four different/Topic: Seeking Clarity (around DIDs and other breakout items)/
20:43:35 [manu]
rrsagent, draft minutes
20:43:35 [RRSAgent]
I have made the request to generate manu
20:47:42 [manu]
s/we meet weekly/community is composed of 225+ people who meet weekly/
20:48:17 [manu]
s/about 30 people/calls each week are between 20-30 people joining, so healthy and active group/
20:53:13 [aaronpk]
haha thanks
21:12:23 [manu]
rrsagent, draft minutes
21:12:23 [RRSAgent]
I have made the request to generate manu
21:13:28 [achughes]
achughes has joined #auth-id
21:18:13 [SarahSquire]
SarahSquire has joined #auth-id
21:20:19 [Mathias]
Mathias has joined #auth-id
21:22:33 [will]
will has joined #auth-id
21:23:46 [manu]
s/haha thanks//
21:27:43 [brentz]
scribenick: brentz
21:28:03 [brentz]
weiler: we've done some shuffling of the schedule
21:28:06 [jzcallahan]
jzcallahan has joined #auth-id
21:28:15 [kenrb]
kenrb has joined #auth-id
21:28:22 [Karen]
Karen has joined #auth-id
21:28:24 [brentz]
... we are thinking of doing the roadmap presentations first
21:28:44 [brentz]
... any objections? No? Good.
21:29:05 [brentz]
... First up will be Christopher Allen
21:29:19 [Jiewen]
Jiewen has joined #auth-id
21:29:21 [brentz]
... he is not here. First up will be Matthias
21:29:36 [brentz]
21:29:50 [weiler]
s/Christopher Allen/Mathias Brossard/
21:30:33 [brentz]
Mathias: Currently doing IoT work. What does attestation have to do with EAT?
21:30:35 [wseltzer]
-> Mathias's slides
21:30:59 [brentz]
... seems like most of us aren't familiar with attestation
21:31:11 [JoeAndrieu]
JoeAndrieu has joined #auth-id
21:32:05 [brentz]
... [describing slide] trying to create building blocks for IoT. One of the services would be for attestation.
21:32:08 [craigspi]
craigspi has joined #auth-id
21:32:33 [kenrb]
kenrb has joined #auth-id
21:32:44 [brentz]
... the attestation is that you are speaking with the device you think you are, in a way you can trust.
21:33:31 [brentz]
... [slide 2]
21:34:16 [brentz]
... these are not the only attestation suppliers. As in the example of the supply chain, sometimes you need to know the identity of the things you are dealing with.
21:34:38 [brentz]
... There is a working group around RATS, EATS is the container.
21:35:25 [brentz]
... smaller devices may be limited to 64 kB of RAM.
21:35:48 [pindarhk]
pindarhk has joined #auth-id
21:35:51 [brentz]
... [slide 3] different systems have different ways of expressing claims.
21:36:41 [brentz]
... encodings, assigning keys, running sets of PKIs, for the policies that will be validated, these are all part of the trust model.
21:37:19 [brentz]
... my device may be making claims, but we may want those claims aggregated with others.
21:37:57 [brentz]
... when authenticating to a system, the device can attest that it meets the appropriate security level.
21:38:35 [brentz]
... [slide 4] when you are talking to a 3rd party, can you just trust them? don't you want to go further?
21:39:09 [brentz]
... If they have the proper credentials, but the software has been altered, that is only one possible problem that attestation may address.
21:40:06 [krystian_czesak]
krystian_czesak has joined #auth-id
21:40:11 [brentz]
???: are there any 3rd party audits available? is there a way for outsiders to know that the process for making the chips is secure?
21:40:27 [brentz]
Mathias: there are certifications for that.
21:41:23 [brentz]
ChristopherA: Quick DID and VC architecture roadmap
21:41:44 [brentz]
... two efforts we are tracking [Slide 1]
21:42:23 [brentz]
... VCs allow for multiple sources of information. In order for many of the use cases with VCs, we feel we also need DIDs.
21:42:36 [wseltzer]
-> ChristopherA's slides
21:42:42 [brentz]
... Hopefully the VCWG will be wrapping up in a few months.
21:43:12 [brentz]
... There is a need for other things to be incubated [slide 2]
21:43:58 [brentz]
... this is where we allow the flexibility. DID Methods are not ready to move into specification.
21:44:23 [brentz]
... there has been lots of discussion about what should be in or out of the DID Document
21:45:14 [brentz]
... [slide 3] Once we can use VCs with DIDs, there are a lot of use cases and special examples that can be explored.
21:45:56 [brentz]
... there are many questions around protocol and consent that are unanswered.
21:46:29 [brentz]
... Doubt we will get to the bottom few in the next several years.
21:46:40 [kenrb]
kenrb has joined #auth-id
21:46:55 [brentz]
... how do we turn this into a service of value.
21:47:31 [brentz]
... lots of discussion about DID Auth, there is a Rebooting Web of Trust whitepaper that outlines these.
21:48:09 [brentz]
... [slide 4] OCAP solves a number of problems around ambient authority.
21:48:53 [brentz]
... Credential requests and exchanges are out of scope.
21:48:55 [kimhd]
kimhd has joined #auth-id
21:49:06 [manu]
q+ to note that all of this is future work once we get DID WG (data model in place) and that all of this stuff isn't happening in a vacuum, we're being very careful of putting the right building blocks in place first.
21:49:58 [brentz]
... cryptographic proofs is a big confusing area, we don't just use signatures anymore.
21:50:21 [brentz]
... zero-knowledge proofs allow for new and exciting things that add real value.
21:50:58 [brentz]
... zkp is tough because it is academically and implementationally challenging.
21:51:22 [brentz]
... [slide 5] giant diagram roadmap
21:52:19 [brentz]
... further down the page are things far in the future.
21:52:50 [brentz]
... one of the tasks of the ccg is to update this roadmap, this will happen in january.
21:52:53 [kenrb]
kenrb has joined #auth-id
21:52:56 [wseltzer]
ack manu
21:52:56 [Zakim]
manu, you wanted to note that all of this is future work once we get DID WG (data model in place) and that all of this stuff isn't happening in a vacuum, we're being very careful
21:52:59 [Zakim]
... of putting the right building blocks in place first.
21:53:29 [brentz]
manu: just to clarify, this is a roadmap, it is future-looking. What we need is a working group specifically for data model and syntax.
21:53:50 [brentz]
... the other thing to note is that therte are a variety of things being worked on in the ccg.
21:54:12 [brentz]
... these things are not happening in a vacuum, a lot of work is going on around these things.
21:55:01 [brentz]
Dirk: how do all of these pieces hang together? the verifiable credentials and DIDs, how do they hang together?
21:55:11 [tantek]
tantek has joined #auth-id
21:55:12 [brentz]
... Would the credential be issued to a DID?
21:55:56 [RRSAgent]
I have made the request to generate tantek
21:55:57 [brentz]
ChristopherA: Yes the claim would be issued to the DID. There are correlation issues with using an identifier this way.
21:56:48 [brentz]
... the process of a verifier getting the information they need during presentation might be iterative, leading to trust between two parties.
21:57:29 [brentz]
Dirk: so, if I only have one DID that satisfies this information, I have to disclose that one?
21:57:46 [brentz]
ChristopherA: yes, there is some correlation leakage there.
21:58:17 [JoeAndrieu]
q+ to reiterate that proof of control is just a single factor
21:58:35 [brentz]
... with BTCR there is a very anonymous scenario where DIDs are used more selectively.
21:59:03 [brentz]
Dirk: If I want to prove my birthdate to two people, do I need to share my DID?
21:59:55 [brentz]
ChristopherA: No, the Sovrin solution allows for pairwise DIDs and zero-knowledge proofs about the claims you are sharing.
22:00:30 [brentz]
???: how does DID resolution work from an application developer point of view?
22:00:34 [weiler]
s/???/Dalys Sebastian/
22:00:54 [kimhd]
q+ on did resolution
22:01:02 [tantek]
present+ weiler
22:01:12 [tantek]
present+ hober
22:01:14 [tantek]
present+ aaronpk
22:01:16 [brentz]
ChristopherA: there are a couple of different approaches. Markus did a resolver that did VeresOne, BTCR, Sovrin DIDs as a first step.
22:01:30 [brentz]
... it was a plugin architecture that allowed for expansion.
22:02:29 [brentz]
... interoperability between DIDs is difficult between methods because the root of trust for resolution is different for different cases.
22:03:00 [brentz]
... a developer may have a resolver and they would need to choose the plugins they need to use.
22:03:05 [Karen]
present+ Karen
22:03:27 [brentz]
... you may have a number of credentials from a number of parties.
22:03:28 [wseltzer]
ack joe
22:03:28 [Zakim]
JoeAndrieu, you wanted to reiterate that proof of control is just a single factor
22:04:19 [brentz]
JoeAndrieu: fetishization of proof of control of a DID leads to poor understanding. There is potentially a lot more to a proof than a single attribute.
22:04:41 [weiler]
ack kimhd
22:04:41 [Zakim]
kimhd, you wanted to comment on did resolution
22:04:52 [brentz]
ChristopherA: VCs can only prove that someone said something, not that what they said is true.
22:05:13 [brentz]
kimhd: each DID method must say how to resolve it, along with the CRUD operations.
22:05:17 [shigeya_]
present+ Shigeya Suzuki
22:05:47 [brentz]
ChristopherA: but all of the methods have something in common. With BTCR there is a lot of magic happening on the back end, developers don't care about that.
22:06:01 [brentz]
... they only care that the resolver did the right thing.
22:06:16 [brentz]
... one more thing, these aren't standards yet.
22:06:52 [brentz]
Greg is up and has no slides.
22:07:02 [brentz]
weiler: we are out of time.
22:08:07 [brentz]
greg: i won't take much time. We have lots of money to invest. There needs to be a bridge between standards and implementation.
22:09:16 [brentz]
... one example of our investments is in the Brave token. They need an identity solution or there will be a lot of felonies committed.
22:09:26 [Steven-Google]
Steven-Google has joined #auth-id
22:10:16 [brentz]
... Policy context could serve to guide this work. This is the most political protocol I have ever seen.
22:10:35 [weiler]
topic: 5 Year Roadmap: Authenticators
22:10:41 [brentz]
... encourage you to not be politicized, but be aware that the work you are doing will be weaponized.
22:11:26 [brentz]
John Bradley: Our standards are pretty much wrapped up.
22:11:49 [brentz]
... we are in our initial deployment phase.
22:12:03 [wseltzer]
rrsagent, draft minutes
22:12:03 [RRSAgent]
I have made the request to generate wseltzer
22:12:21 [tantek_]
tantek_ has joined #auth-id
22:12:25 [brentz]
... we now have authenticators out there
22:12:48 [brentz]
... the latest version of Windows 10 has support for the new tech.
22:13:00 [brentz]
... Google and Android support it.
22:13:16 [brentz]
... FIDO is working with them.
22:14:16 [brentz]
... Shout out to the apple folks who just released their initial support.
22:14:34 [brentz]
... our next work is divided between FIDO and Web Authn
22:15:06 [brentz]
... we are looking at additional extensions to better deal with the user experience for lost keys.
22:15:35 [brentz]
... looking at alternative algorithms in the coming years. possibly threshold signatures.
22:16:05 [brentz]
... right now Web Authn is about proving possession of a TLS certificate, once all else is stripped away.
22:16:32 [brentz]
... theoretically this could be extended to be proof control of a DID
22:17:12 [brentz]
... we have a few projects over the coming years, but now we're dealing with deployment issues.
22:17:37 [brentz]
... Web Authn as a first factor for log in can be done with hotmail.
22:18:19 [brentz]
... there may be a version of chrome on a future version of Windows that can use the platform authenticators
22:19:04 [brentz]
... hopefully there will be more sorting out and user experience improvement.
22:19:50 [brentz]
tony: there are many authenticator key companies out there. Were do you see this going in the next 5 years?
22:20:37 [brentz]
John Bradley: there will probably be pressure on those at the lower end of the spectrum due to fingerprinting possibilities.
22:21:18 [brentz]
... roaming authenticators may be more specialized into certain roles for banking, etc.
22:21:44 [brentz]
... a lot of the enterprise smart card stuff should move to external authenticators
22:22:21 [brentz]
... there are shared device use cases that require external authenticators.
22:22:40 [brentz]
... there will be room for multiple vendors in the space.
22:23:46 [brentz]
Mike Jones: ambush question, missed it
22:24:02 [BartW]
BartW has joined #auth-id
22:24:26 [brentz]
John Bradley: there may be some minimal set of things we'd need to decide on using in order to make use of the DID documents as part of Web Authn.
22:24:32 [wseltzer]
s/ambush question, misssed it/you mentioned some gaps in DID for use with WebAuthn
22:25:15 [brentz]
... from a standards point of view, even if someone has managed to get it to work, that may not be quite right.
22:25:25 [wseltzer]
ack manu
22:26:00 [brentz]
manu: there is an experiment we did with Web Authn keys in a DID document, using hardware keys to sign.
22:26:18 [brentz]
... we need to start somewhere in a DID working group.
22:26:33 [brentz]
... there are many experiments we could do, but there is a base layer we need to get down.
22:27:04 [brentz]
John Bradley: did you hack the DID into the <tech gable mubo jumbo>?
22:27:24 [brentz]
manu: no, we did a 10 line change to the google source code.
22:27:43 [SarahSquire]
s/<tech gable mubo jumbo>/RPID
22:27:50 [brentz]
John Bradley: so the RPID was the url you were looking at, not the top level DID.
22:28:19 [brentz]
... other questions?
22:28:57 [brentz]
???: Were the verifier and the issuer of the same origin in web authn?
22:29:40 [brentz]
John Bradley: as long as they are in the same origin and have a TLS certificate it may work.
22:30:06 [brentz]
Tony: this is level one, there are things that need to be fixed in level two.
22:30:57 [brentz]
John Bradley: Manu ran into issues with this in web payments, big security problems with iframes in origins. bad things in java script. don't do this.
22:31:07 [pindarhk]
Sorry I will need to be excused in about 30 minutes to head back to HKG. Apologies in advance.
22:31:18 [brentz]
manu: promising experiment, not a good browser to actually use.
22:32:10 [brentz]
jzcallahan: Manu asked us to talk during this session.
22:32:32 [brentz]
... from Veridium, specializing in biometric authentication within a company.
22:33:03 [brentz]
... gratified that there has been a separation of discussion between authentication and identity verification
22:33:14 [brentz]
... Gartner says these fields are colliding.
22:33:25 [wseltzer]
-> jzcallahan's Veridium slides
22:33:58 [brentz]
... becoming conflated. We've focused on the enterprise. A platform that supports numerous native and non-native authenticators.
22:34:51 [brentz]
... now, smart phones eliminate the need for special hardware. Coming soon, our devices will get really good at knowing we are use.
22:35:39 [brentz]
... what's coming, in addition to the biometric, need anti-spoofing measures.
22:36:02 [brentz]
... Kaliya doesn't understand the slide
22:36:09 [brentz]
Kaliya doesn't understand the slide
22:36:28 [brentz]
jzcallahan: don't worry about placement.
22:36:51 [brentz]
... It is imperative to add liveness. Biometrics are not passwords.
22:37:17 [brentz]
... an attacker who presents a facsimile should not succeed.
22:37:36 [brentz]
... the context of the biometric authentication is important.
22:37:57 [brentz]
... using different factors: time, common movement, etc.
22:38:28 [brentz]
... [IEEE 2410-2017 slide]
22:39:32 [brentz]
... what we discovered in the marketplace, mobile to mobile mode needed to be updated to support server-side.
22:40:15 [brentz]
... m2m is good for authentication, basically equivalent to FIDO.
22:40:41 [brentz]
... will be FIDO certified in the future.
22:41:34 [brentz]
... In other cases, for account recovery, using Shamir secret sharing with one piece on the device and another on the server, allows server-side protocols to avoid storing the biometric fully on the server.
22:42:22 [manu]
q- oh...
22:42:26 [manu]
q- it
22:42:34 [brentz]
... the idea is we want to cover global needs
22:42:57 [brentz]
... instead of going through a KYC process (which may involve biometrics)
22:43:20 [brentz]
... you can do different things [slide: initial onboarding]
22:43:40 [brentz]
... doesn't require subsequent biometric enrollment
22:43:56 [brentz]
... reduce friction but support KYC/AML
22:44:50 [brentz]
... there are places this is required. Once biometric check is done, it can be thrown away.
22:45:09 [brentz]
... there are only a limited number of cases that require central storage.
22:45:31 [brentz]
... SSI Biometrics would allow for roaming KYC.
22:45:49 [brentz]
... make the credentials standard requires SSI
22:45:53 [manu]
q- raises
22:45:56 [manu]
q- a
22:47:11 [brentz]
jzcallahan: how could we do biometric authentication in a Web Authn context.
22:47:32 [brentz]
... [slide: Biometric DID Auth]
22:49:22 [brentz]
... this is a proof of concept for how these things could be tied together.
22:49:27 [wseltzer]
jbradley: that's easily phishable
22:49:40 [wseltzer]
... it fails at the QR code
22:49:45 [brentz]
... failed at the QR code
22:50:07 [brentz]
jzcallahan: you have a cloud agent acting on your behalf
22:50:26 [brentz]
... Sovrin and uport could be used on the back end.
22:50:45 [brentz]
... allows KYC vendors to monetize their process.
22:50:59 [kenrb]
kenrb has joined #auth-id
22:51:13 [brentz]
Jill: can your system account for simple dynamic things?
22:51:46 [brentz]
jzcallahan: We don't want to handle the whole VC thing, we want to stay in our lane and provide biometric credentials.
22:52:13 [brentz]
... KYC is the gate, the ongoing AML is where the costs lie.
22:52:26 [burn]
s/whole VC thing/whole KYC thing/
22:52:27 [brentz]
... we are paying close attention to the VC work.
22:53:04 [brentz]
Jill: client onboarding happens first, but you need to update who your customer is, that's what KYC means.
22:53:40 [brentz]
jzcallahan: we don't want to do our own transaction monitoring, we want to provide the biometric claim that exists as part of the rest of the ecosystem.
22:54:41 [brentz]
Marie: I am from Gemalto, digital strategy team.
22:54:56 [wseltzer]
-> Marie's slides
22:54:58 [brentz]
... PSD2 regulation discussion
22:55:25 [brentz]
... [slide 1] two objectives.
22:55:38 [brentz]
... banks are very protective of their customers and the data
22:56:00 [brentz]
... this is not currently optimally done.
22:56:43 [brentz]
... lots of data breaches and account takeover. goal is to reach same level of assurance with e-commerce as with chip cards.
22:57:15 [brentz]
... [slide 2] European banking organization created SCA
22:57:34 [brentz]
... essentially 2FA
22:57:52 [wseltzer]
Marie: PSD2 takes effect Sept 2019 for any banks or retailers in Europe or doing business in Europe
22:57:53 [brentz]
... but also requires dynamically linked data
22:58:48 [brentz]
... [slide 3] shop authenticates user out of band
22:59:07 [brentz]
... issuer decides everything in this model
22:59:18 [wseltzer]
[slide 4]
22:59:25 [brentz]
... not in line with what retailers need
22:59:37 [brentz]
... retailers want control
23:00:08 [brentz]
... this will affect the bottom line
23:00:09 [wseltzer]
[slide 5]
23:00:18 [brentz]
... they are looking for alternatives
23:00:26 [wseltzer]
[slide 6]
23:00:49 [brentz]
... merchant will authenticate the user.
23:00:56 [jzcallahan]
jzcallahan has joined #auth-id
23:01:14 [brentz]
... and decide at which step this must happen, and where to add the friction.
23:01:46 [brentz]
... credit cards are determining the framework.
23:02:15 [brentz]
... FIDO and Web Authn seem like a good solution.
23:02:45 [pamela]
pamela has joined #auth-id
23:03:14 [pindarhk]
I'm sorry that I didn't get to personally meet everyone. If you come by Hong Kong, please do drop me a line at :)
23:03:18 [brentz]
... thanks to FIDO, there is a standard that anyone can verify
23:03:35 [brentz]
John Bradley: not everyone can verify the signature
23:04:22 [manu]
23:04:32 [brentz]
Marie: This may not be doable today, but this presentation is about the 5 year road map
23:05:16 [brentz]
@wseltzer: possibly a gap in the standards if that can't be solved.
23:05:16 [weiler]
rrsagent, draft minutes
23:05:16 [RRSAgent]
I have made the request to generate weiler
23:06:40 [brentz]
John Bradley: I was just in France. Once we get the capabilities in the iframe, using the web payments API, that will use the bank as the RPID so the key that is registered can be validated.
23:07:30 [brentz]
Marie: the point of those slides is to introduce the PSD2.
23:08:03 [wseltzer]
q+ with a preview
23:08:03 [brentz]
John Bradley: yes, I think we can make good progress here, but there are privacy issues.
23:08:07 [wseltzer]
23:09:10 [brentz]
@wseltzer: we have been working at W3C on this question between the Web Authn and Web Payments WGs, we are sending a charter for joint participation in this work.
23:09:25 [manu]
ack wseltzer
23:09:43 [brentz]
Marie: Is there a 3-D Secure implementation in the Web Payments group?
23:09:46 [brentz]
John Bradley: yes
23:10:04 [brentz]
Pam: One question about your diagram. Who's directory server is it?
23:10:11 [wseltzer]
s/participation in/discussion of/
23:10:16 [brentz]
Marie: Visa, Mastercard.
23:10:34 [brentz]
Pam: there may be a missing participant, where is the payment processor?
23:10:43 [wseltzer]
q+ Greg
23:10:43 [brentz]
Marie: it is connected to the directory server.
23:11:21 [brentz]
tomj: should a relying party be required to accept authorizations from unrelated parties?
23:11:29 [brentz]
... this could create a real problem for this group.
23:11:50 [weiler]
tomj: banks need to be fiduciaries for the customer, not the merchant
23:12:11 [brentz]
Greg: I was in Paris with Visa, just talking about this. banks need to be fiduciaries for their customers.
23:12:25 [brentz]
... in Europe this is different than in the US.
23:12:52 [brentz]
... with PSD2, privacy rights are treated like human rights, in US they are contract rights.
23:14:14 [brentz]
... the contract orientation and the elevation of terms of use means it is very difficult for self sovereign identity to triumph.
23:14:52 [brentz]
@wseltzer: thank you Marie. There are snacks. let's break. we will reconvene after the break. maybe some breakouts. not much time left.
23:15:23 [kenrb]
kenrb has joined #auth-id
23:31:23 [jzcallahan]
jzcallahan has joined #auth-id
23:31:45 [brentz]
@wseltzer: only a half hour left. mostly for breakout groups.
23:32:02 [brentz]
topic: final remarks and breakouts
23:32:24 [manu]
s/final remarks and breakouts/Final Remarks and Breakouts/
23:32:32 [manu]
rrsagent, draft minutes
23:32:32 [RRSAgent]
I have made the request to generate manu
23:32:46 [brentz]
@wseltzer: we have smart people and a lot of work to do. possibly not a good sense of exactly what is next.
23:33:09 [manu]
23:33:11 [manu]
rrsagent, draft minutes
23:33:11 [RRSAgent]
I have made the request to generate manu
23:33:13 [kenrb]
kenrb has joined #auth-id
23:33:34 [brentz]
... lots of interest in interop, a DIDWG charter, etc.
23:34:06 [brentz]
... we can continue the discussion with the mailing list from this workshop.
23:34:17 [manu]
-1 on new CG for DIDs
23:34:29 [manu]
-1 on another workshop :) (except continuing work in RWoT, CCG, etc.)
23:34:31 [brentz]
... we want to continue to develop solutions to these hard problems.
23:34:43 [brentz]
weiler: limited time available
23:34:58 [brentz]
... looking for 2 to 4 conversations.
23:35:19 [brentz]
... who wants to choose a topic?
23:35:26 [manu]
23:35:44 [wseltzer]
q- Greg
23:35:51 [brentz]
... vote for confusion resolution
23:35:58 [manu]
23:36:02 [brentz]
... OpenID Connect DID?
23:36:06 [brentz]
... 2
23:36:20 [brentz]
... translator for Ethereum OpenID?
23:36:23 [brentz]
... no
23:36:35 [brentz]
... a login with DID button?
23:36:37 [brentz]
... no
23:36:48 [brentz]
... Selective permissionless delegation?
23:36:50 [brentz]
... no
23:37:15 [brentz]
... these are not giving us discussion ideas.
23:37:50 [brentz]
... the ones with the most agree and disagree are the chartering discussions
23:38:15 [brentz]
... one of the breakouts is the DID WG chartering.
23:38:25 [brentz]
... who doesn't want to go to that one?
23:38:47 [brentz]
Dirk: we've talked a lot about solutions, not sure what problems we are trying to solve.
23:39:06 [brentz]
weiler: chartering and use cases, is there a third?
23:39:29 [brentz]
ChristopherA: is there anybody else interested in the true anonymous use cases?
23:39:38 [brentz]
weiler: that's three.
23:40:16 [kenrb]
kenrb has joined #auth-id
23:42:53 [wseltzer]
rrsagent, draft minutes
23:42:53 [RRSAgent]
I have made the request to generate wseltzer
23:44:06 [tantek]
tantek has joined #auth-id
23:51:11 [wseltzer]
chair: Wendy_Seltzer
23:51:44 [wseltzer]
[breakouts, followed by adjournment. We'll capture outputs and report back on the participants' list.]
23:51:49 [wseltzer]
rrsagent, draft minutes
23:51:49 [RRSAgent]
I have made the request to generate wseltzer
23:57:14 [achughes]
achughes has joined #auth-id
00:03:09 [kenrb]
kenrb has joined #auth-id
00:09:48 [kenrb]
kenrb has joined #auth-id
00:14:41 [Pindartravel]
Pindartravel has joined #Auth-id
00:15:26 [Pindarhk]
Pindarhk has joined #auth-id
00:20:44 [Karen]
Karen has joined #auth-id
00:20:53 [PindarHK_]
PindarHK_ has joined #auth-id
01:13:07 [BartW]
BartW has joined #auth-id
01:20:34 [jzcallahan]
jzcallahan has joined #auth-id
01:58:17 [jzcallahan]
jzcallahan has joined #auth-id
02:05:38 [Zakim]
Zakim has left #auth-id
02:12:51 [aaronpk]
Goodbye Zakim we'll miss you