15:54:06 RRSAgent has joined #webid 15:54:06 logging to https://www.w3.org/2020/10/29-webid-irc 15:54:08 RRSAgent, make logs Public 15:54:09 Meeting: WebID, a federated SignIn API 15:57:17 mknowles has joined #webid 15:57:32 majidvp has joined #webid 15:58:51 cpn has joined #webid 15:59:41 weiler has joined #webid 16:00:02 jeff has joined #webid 16:00:09 present+ 16:00:18 present+ 16:00:18 Present+ 16:00:29 present+ Chris_Needham 16:00:30 AramZS has joined #webid 16:00:34 tm has joined #webid 16:01:10 lionel_basdevant has joined #webid 16:01:41 present+ 16:01:46 Travis_ has joined #webid 16:01:51 present+ 16:01:54 Rob has joined #webid 16:01:55 Slides: https://docs.google.com/presentation/d/1Kk4WQIAAbkmzzzMGd5LoDnGq9kfpAxE8SNl4guUrUgw/edit 16:01:56 present+ 16:02:01 dmarti has joined #webid 16:02:02 present+ 16:02:08 present+ 16:03:17 present+ 16:03:44 Alan has joined #webid 16:05:37 pl_mrcy has joined #webid 16:05:43 present+ 16:06:17 kris_chapman has joined #webid 16:06:25 yigu has joined #webid 16:09:21 tantek has joined #webid 16:10:10 jyasskin has joined #webid 16:12:37 melanierichards has joined #webid 16:12:44 present+ 16:13:22 pchampin has joined #webid 16:13:53 daniel has joined #webid 16:14:05 Is there a doc that details the extensibility model for the ID types that are exchanged between the browser and entities interacting with the APIs? I want to make sure we can exchange various types of IDs, for example: the upcoming Decentralized Identifiers standard from the W3C 16:14:42 Ken, to what degree are you interested in making it easier for the user to choose an ID not on the list? 16:14:55 s/ID/IDP/ 16:15:44 aschlosser has joined #webid 16:15:48 kazho has joined #webid 16:15:49 present+ 16:15:51 Hirsch_msft has joined #webid 16:16:00 tanvi has joined #webid 16:16:01 goto has joined #webid 16:16:06 John_Bradley has joined #webid 16:16:11 present+ 16:16:56 q+ jordan_mitchell 16:18:52 present+ 16:19:21 present+ 16:20:07 aaronpk has joined #webid 16:20:36 q? 16:22:07 AramZS has joined #webid 16:22:59 present+ 16:23:30 Jemma has joined #webid 16:26:18 alextcone has joined #webid 16:26:46 timc has joined #webid 16:26:56 +q 16:29:09 q- 16:30:37 q+ 16:31:05 Jeff_deA has joined #webid 16:31:50 ack jordan 16:32:20 Daniel_MS: we've been working in the DID community (decentralized identifier) - what you call directed identifier, we call them pairwise identifiers 16:32:44 ... with such a broad name "webid", are we going to make sure this will be extensible and can include other related technologies such as DID? 16:33:13 ... one of the interesting things with DID is not only they're directed, they also contain service endpoints that allow to ask for more information 16:33:14 q+ 16:33:20 ... have you thought about incorporating things like that? 16:33:27 kenb: we're aware of that 16:33:59 ... we're thinking of those use cases and we're trying not to close; this is part of the trade-off we're considering 16:34:16 ... when you're think about the first sort of buckets (permission-based), it's very easy - we're just tunnelling a protocol 16:34:27 ... and we prompt the user - this allows flexibility on the backend 16:34:28 +q 16:34:41 ... it's harder when we do browser mediation, where the browser needs to know what information goes through 16:35:06 q+ to ask to what degree are you interested in making it easier for the user to choose an ID not on the list? 16:35:14 ... when you talk about sign-in vs other use cases - it gets back to the question of what the browser is knowing about what's going on 16:35:28 ... it's useful to get that kind of feedback based on specific user flows 16:35:35 q? 16:35:50 wseltzer has joined #webid 16:35:51 ack daniel 16:36:00 s/ID/IDP/ 16:36:07 Jeff_Jaffe_W3C: as you noted, this is an amazingly complex area with lots of history and use cases 16:36:26 ... at the risk of making it more complex: one use case I'm quite interested in is the area of Web Payments 16:36:36 vq? 16:36:47 ... with the Payment Request API we're enabling browesrs to play a surrogate role managing credentials for users 16:36:47 ack j 16:36:59 ... representing identify through UA is becoming increasingly more important 16:37:11 ... are you looking at these use cases? prioritizing toward them? 16:37:41 DID > lookup DID Doc > query service endpoint for payment details > feed it through browser API 16:37:42 ... webidl solving all ID problems on the Web, it may be intractable; maybe by choosing a relatively new use cases on the Web and prioritizing for those, we could maybe make faster progress 16:37:50 Ken: Good suggestion - don't have an answer for that 16:38:04 ... I interact with the Chrome payments team, been involved with secure payments confirmation 16:38:06 rrsagent, pointer? 16:38:06 See https://www.w3.org/2020/10/29-webid-irc#T16-38-06 16:38:17 (DIDs are kind of like a Rosetta Stone for these use cases, and many others) 16:38:17 ... we're aware that the problems are similar but in different spaces 16:38:23 ... but no answer yet 16:38:29 RRSAgent, draft minutes v2 16:38:29 I have made the request to generate https://www.w3.org/2020/10/29-webid-minutes.html dom 16:38:37 q? 16:38:53 ack alextcone 16:38:55 q+ 16:39:23 alextcone: similar question in the mobile web context where you have OS-based sign-ins (e.g. "log in with Apple") 16:39:39 ... have you looked at that upstreaming of the identity flow when the OS provides support for it? 16:39:58 Ken: good question - so far we haven't really 16:40:13 ... I don't know how appropriate it would be a Web API to be trying 16:40:26 ... making a universal Web API, we have to be careful to tie to specific platform capabilities 16:40:33 vq? 16:40:35 ... I don't know if there is a general from the platforms that could help us there 16:40:55 alextcone: maybe having something around risk mitigation for the browser and the delegation API 16:41:14 ... e.g. if the OS doesn't let you have the mapping between OS and RPs 16:41:41 This alludes to the fact that we need a substrate for user IDs that transcends any UA layer 16:41:44 Ken: this has come up; if we're reimagining how identity works and possibly breaking away from existing protocols, should the platform be a bigger part of this than the UA? 16:41:52 ... there is a case to be made that this would be true 16:42:02 ... we've been focused on shorter term considerations 16:42:03 q+ to ask about power disparities between users, IDPs, RPs and what choices about who should have how much control/power/agency does this design make and/or default to, amplifying (or inverting?) existing disparities 16:42:08 ... it needs to be part of a much broader discussion 16:42:08 q? 16:42:25 weiler: thank you for bringing this up and pushing this 16:42:35 ... I appreciate you're prioritizing RP tracking 16:42:55 ... how prioritized would be IdP choice? this could also help with RP tracking indirectly 16:43:04 weiler is getting at a very good specific example of the power dynamic / disparities that I'm getting at. thank you sam 16:43:11 Ken: we've been making this out of scope (as part of the NASCAR problem) 16:43:18 q+ 16:43:30 ... if you can vary the IdP, that would be another approach 16:43:35 ... I can't say we've looked at that 16:43:44 weiler: I'd like that to be in scope here 16:44:13 ... looking at how sites are dealing with the nASCAR problem, RP are only providing 2 or IdP at the moment, not letting the user pick their own 16:44:14 +1 16:44:26 ack weiler 16:44:26 weiler, you wanted to ask to what degree are you interested in making it easier for the user to choose an ID not on the list? 16:44:27 +1 weiler 16:44:37 daniel: what do you see the intersection with strong auth, fido? 16:44:37 ack daniel 16:44:38 s/ID/IdP/ 16:44:47 ken: they're a little bit orthogonal 16:45:08 ... authentication is only a piece of the flow - you authenticate to the IdP who can then assert they've verified your identity 16:45:13 ... I think they're complementary 16:45:26 ... stronger auth makes the assertion stronger 16:45:52 ... preserving federation helps with adopting stronger auths, since IdP have adopted it and are more likely to do it than RPs 16:46:06 q+ 16:46:20 Dan: we're working with OpenID on DID sign up, for decentralized identity 16:46:29 brent has joined #webid 16:46:41 ... I hope we're working toward a system where users wholly own their identity 16:46:57 tantek: thx for the presentation 16:47:00 +1 to making sure there is support for DID-based solutions 16:47:09 ... people have already touched on important issues, in particular sam's questions 16:47:25 ... I wanted to bring the question of power disparities between users, RPs, IdPs 16:47:44 ... How does the design of Web ID seek to alter these dynamics? who should have agencies over what in your spec? 16:48:02 s/agencies/agency/ 16:48:05 ... if it's not asserting, I would encourage you to look at what dynamics it creates 16:48:26 Ken: we're trying to promoted directed idnetifiers which give users better control of their identifiable information 16:48:50 ... I think you may be asking whether this can be used without a centralized IdP, which we're not really looking at 16:49:09 Tantek: well, one question is what choice users have if only 2 or 3 IdP get offered to the user 16:49:24 ... what agency users have in picking their own IdP to have actual federation? 16:49:34 tantek++ 16:49:36 ... we have to confront the power disparities 16:49:55 ... and have a stance on them, on whether to change or disrupt them 16:50:06 Ken: that's not our explicit goal 16:50:12 To really make this extensible and generative, to take into account what Tantek is talking about, I should be able to have an agent somewhere on my machine that registers an IDP channel with the WebID APIs 16:50:15 1+ 16:50:18 oops 16:50:18 ... it has bearance on some of the trade offs 16:50:19 q+ 16:50:36 ... when we're trying to change the protocols, adopt new paradigms, we should be asking this question 16:50:40 q? 16:50:41 We have long needed to modernize the protocol handler portions of the browser 16:50:49 this may be a good opportunity to do so 16:50:50 ack tan 16:50:50 tantek, you wanted to ask about power disparities between users, IDPs, RPs and what choices about who should have how much control/power/agency does this design make and/or default 16:50:53 ... to, amplifying (or inverting?) existing disparities 16:50:55 ack asch 16:51:10 aschlosser: thanks for the presentation - I think we had a lively discussion on github on the different trade-offs of the various proposals 16:51:25 ... it's going to be challenging, e.g. when you look at cross-device scenarios 16:52:13 ... the aim is also about classifying traffic for IdP from others to provide different primitives to protect from covert tracking 16:52:24 erynrwells has joined #webid 16:52:48 ... would this create a special container for the data that would only be available to the IdP in that specific context, using a SameFrame approach with elevated rights? 16:53:03 Ken: that's what we're trying to look at indeed 16:53:21 ... whether it is indeed a sealed container is still up in the air, but at the high level, that's how we're thinking about it 16:53:31 ... some of the specifics of that depend on where the primitives go 16:53:46 ... there is a lot of ongoing discussions in how to make the Web more privacy preserving 16:53:57 ... which would impact the particular direction we would need to take 16:54:35 aschlosser: the specifics don't matter to me too much - the overall secured environment for IdP flow is what I think is the key model 16:54:39 jeffh has joined #webid 16:55:00 ack weiler 16:55:15 weiler: going back to fido/webauthn - I think there are more related than you think 16:55:28 ... WebAuthn solves the privacy problem by preventing RP tracking 16:55:33 ... it has its own challenges 16:55:45 ... but maybe to solve RP/IdP problem, we need to move everything to WebAuthn 16:55:57 ... I think we need a clear story for Federated? 16:56:11 aschlosser: WebAuthn still needs an account to authenticate against 16:56:36 ... IdP can use WebAuthn to remove the password 16:56:54 weiler: you can create an accout with just a WebAuthn credential 16:57:04 Ken: this is a bit off our mission - it's a great question though 16:57:11 s/think/described/ 16:57:21 ... would that be ideal world, with no need for federation? 16:57:24 Aside: prior federated identity work at W3C: https://www.w3.org/TR/indieauth/ - adopted and being iterated by the IndieWeb community as a living standard: https://indieauth.spec.indieweb.org/ 16:57:27 DIDs solve for this as well 16:57:35 cpn has joined #webid 16:57:42 ... there are questions about backup for these auths, which lead back to a service to manage this 16:58:03 ... it's possible to envision a future that have these properties 16:58:25 ... signing-in and authenticated have been approached together but they probably benefit from being dealt with separately 16:58:25 q+ JohnBradley 16:58:31 ... but this sounds longer term 16:58:44 ... but in the meantime, federated identity is far superior to have user/password on every web site 16:59:04 ... so we want to see how to make it continue to work as the web is getting more privacy-preserving 16:59:08 +q 16:59:10 ack daniel 16:59:33 Daniel: having the ways for IdP to promote themselves to the RP when they integrate this new flow, this owuld help 16:59:33 stpeter has joined #webid 16:59:47 ack John_Bradley 16:59:51 ack Joh 17:00:05 -q 17:00:10 John_Bradley: as one of the authors of OpenId COnnect, we're looking at self-issued IdP 17:00:27 ... the identifiers for that IdP will be changed to also include DIDs of several flavors, but not exclusively DIDs 17:00:37 ... having lived through the history of account choosers and open@@@ 17:00:52 s/@@@/YOLO/ 17:00:53 Alan has left #webid 17:01:00 rhiaro has joined #webid 17:01:16 ... in order to get around omnidirectional identifiers and do true pairwise identifiers, having @@@ is a requirements so it's disappointing that it's out of scope 17:01:26 Really can't be out of scope, unless we want to engrain the relative status quo 17:01:29 ... for enterprise IDPs, research & education - logging out is actually a harder problem than logging in 17:01:39 ... a solution that doesn't allow for session termination won't be a complete solution 17:01:54 ... I look forward to having more discussions with the Connect WG, the FIDO & WebAuthn WG with this group 17:01:56 I'll put my comment here. We need to be careful with the blanket statement that federation is better in consumer. Yes, at a high level, one highly secure account is better than multiple weak passwords, but we're seeing first hand the impact of a single identity tied back to hardware / software vendors and the potential for having account access restricted or removed for some RPs. 17:02:05 ... to come up with a more fulsome solution 17:02:31 ... Clearly we need better instrumented APIs in the browser to help solve the risks of browsers breaking them as they stop invesive tracking 17:03:11 thank you kenrb for presenting & facilitating 17:03:18 present+ 17:03:23 RRSAgent, draft minutes v2 17:03:23 I have made the request to generate https://www.w3.org/2020/10/29-webid-minutes.html dom 17:07:20 present+ 17:14:54 pchampin has left #webid 18:31:26 erynrwells has left #webid 19:03:47 stpeter has joined #webid 19:08:12 Steven has joined #webid 19:08:27 brent has left #webid 21:04:34 Zakim has left #webid 23:31:31 jeff has joined #webid