Credentials Community Group Telecon

Minutes for 2015-06-02

Agenda
https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0000.html
Topics
  1. Credentials WG Charter and WPIG
  2. Recruiting document
  3. Credential Management API update
  4. Use Cases
Organizer
Manu Sporny
Scribe
Dave Longley
Present
Dave Longley, Manu Sporny, Nate Otto, Richard Varn, Tim Holborn, Sunny Lee, Eric Korb, David I. Lehn, Rob Trainer, Victoriano Giralt, Gregg Kellogg
Audio Log
Dave Longley is scribing.
Manu Sporny: We've had a bump in the road as far as the Credentials WG is concerned, so we'll discuss that.
Manu Sporny: Then the other items on the agenda.
Manu Sporny: Any other changes to the agenda?
None

Topic: Credentials WG Charter and WPIG

Manu Sporny: If folks have seen, there have been a number of comments on the Credentials WG charter.
Manu Sporny: The comments to pay attention to in particular are by Ian Jacobs. He's the W3C staff contact. He's in charge of putting together the official charter that will go up for a vote.
Manu Sporny: His mandate seems to be from the W3C CEO and the domain lead. Which is the payments activity domain. It seems to be about making credentials as narrowly focused on payments as possible.
Manu Sporny: At first he said it would be nearly impossible to get anything focused on education, etc. through that didn't mention/focus on payments.
Nate Otto: Thanks for raising those objections, manu & dlongley
Manu Sporny: So we said it's nice that you want a focused charter but the payments folks haven't been the ones doing the work or the deploys of experimental tech or anything today. So writing a charter that's focused on payments and not education, etc. then that would cause a problem with the groups involved today.
Manu Sporny: Credentials presentation for Web Payments face-to-face in NYC: https://www.w3.org/Payments/IG/wiki/Main_Page/FTF_June2015/Credentials
Manu Sporny: We're trying to figure out the conflict and what the F2F presentation on credentials will be about.
Manu Sporny: I was asked to put together a presentation that focuses primarily on payments credentials to bring the payments group up to speed because they haven't talked credentials at all until like last week. So they are way behind the curve with respect to what we're doing here. They believe that working on credentials for education and healthcare would present an entirely different solution than for payments. So they don't understand the unified tech we've been putting together here.
Manu Sporny: So a lot of education needs to happen.
Manu Sporny: We're trying to figure out a way to get a charter written such that it gets buy in from W3C staff, CEO, and membership that care about payments but also doesn't alienate the education and healthcare sector.
Manu Sporny: What we need from this group is some fairly loud voices... or some fairly strong statements about what your organization believes the charter should focus on. Should it focus on education, healthcare, payments, or balance all of those, or what.
Manu Sporny: Right now it's just me saying what I think this group believes in general which has been that the same solution works in all the verticals and we shouldn't just focus on a particular vertical. We have and need a unified solution.
Manu Sporny: But they are just hearing it from me, not from anyone else.
Richard Varn: I always thought this was attractive being inside the payments work. We can lead with payments thinking, but we can do it where there aren't so many players here in other verticals so we can further. We are going to pilot it with education and healthcare and you can see how it would work with web payments more effectively with credentials. I thought that was our pitch?
Manu Sporny: That's exactly right, and that's our pitch.
Richard Varn: Who is pushing back?
Nate Otto: That's a great pitch. The nontraditional education market is ready and itching to experiment.
Manu Sporny: So the pushback is coming from the W3C staff and a couple of folks in the financial industry.
Manu Sporny: I believe it's because they don't understand what we have here, they haven't been keeping themselves up to date with what we've been doing and they don't understand its full impact. And because of that they can't understand how what we're doing in healthcare/education can work in payments.
Manu Sporny: We need you to say that exact same thing from someone who isn't me.
Manu Sporny: They need to hear it from you and from Accreditrust, etc.
Nate Otto: Should we be sharing these comments on that charter document or is there a better place?
Manu Sporny: I thought this group, ETS, Accreditrust, etc. would review a charter doc from Ian and discuss there. But Ian said he doesn't believe we're at the point we can write a charter to even get comments on. He also said he thinks the charter we've put together wouldn't fly at W3C. But I don't think he knows the whole picture yet.
Manu Sporny: I think the wiki page may be one of the places we could do it, I think the credentials W3C charter may be another place to put in feedback.
Tim Holborn: Does the payments use of credentials include a signed digital receipt? ie: capacity to embed information about the purchase?
Manu Sporny: So I'm saying I don't know where feedback should go right now, but I'm starting to think that we should really have a call between Ian, the staff domain lead for payments, Erik Andersen and Bloomberg, Richard, Eric, Sunny and Nate, put everyone on the call and get them to hear we don't think it's the right direction from someone other than me.
Manu Sporny: I think that's the best bet later this week or early next week.
Tim Holborn: I’m on IRC
Richard Varn: I think that will work, maybe friday.
Eric Korb: +1 Korb too
Sunny Lee: Works for me
Sunny Lee: Depends on time
Sunny Lee: Though
Tim Holborn: I mean, I haven’t dialed in; but was participating via IRC in any case. Let me know if you’d prefer me to simply observe.
Sunny Lee: Since you have the most experience with the folks at the W3C, could you tell us what the precedence is here... a CG wants to get formalized and W3C pushes back, do a lot of negotiations happen?
Manu Sporny: Yes.
Manu Sporny: I want to be very clear, they are listening and they always take a broad set of input into account.
Manu Sporny: W3C wants to make sure that they are demonstrating leadership and whatever they end up chartering will end up successful and quickly.
Manu Sporny: Not drawn out for 5-10 years.
Tim Holborn: If the specification is to apply specifically to payments; what do they consider to be the specified role of credentials; for any form of payments related use-case.
Manu Sporny: That's why they are pushing back.
Tim Holborn: Ie: university degree is economically recognised by way of a certificate.
Manu Sporny: The best way to make it successful is to tie it to an activity that is moving forward rapidly.
Manu Sporny: They are pushing back because they feel that there is a better way to go about this. They haven't heard from people that aren't payments folks and don't understand the idea of the deploying in education+healthcare sectors first.
Sunny Lee: That makes sense, thank you.
Tim Holborn: I think healthcare is a particularly sensitive field.
Manu Sporny: Everyone should have the expectation of a fairly chaotic call, but it should be thought of as an educational call.
Tim Holborn: In a WebID-TLS FOAF id for example; FOAF is used to denote a number of references.
Tim Holborn: Webpayments/opencreds would reasonably require the capacity to provide a verified receipt.
Tim Holborn: Therein; appears like the debate is about ontologies. Or have I missed something?
Richard Varn: You're pitching this as an "either-or" and I thought it was a "yes-and". That we'd be riding along with the payments work and it would all be symbiotic. I don't object to someone getting going on payments, I'd rather join their effort than get in the way.
Manu Sporny: If you'd notice there are no payments people in the credentials CG (other than DB)
Manu Sporny: I think we have a minority, but they're loud. I think all the people that really care about this right now are in healthcare and education. We want to say this stuff is really important for payments and also education and healthcare. The first deployments will be in education and healthcare and finance will likely follow.
Eric Korb: Add insurance
Manu Sporny: We have three different market verticals interested, and education/healthcare, ETS, Accreditrust, Badge Alliance, others we're talking to want to move quickly.
Tim Holborn: Is business applications of technology within the scope of specifications definition?
Manu Sporny: In the finance space, they aren't moving as quickly in that sector because their pain points aren't the same. I think flipping it so payments has to be done first and then education+healthcare is backwards. I think we can come up with the same solution for all the verticals and we can be fairly focused in doing it and the solution is aligned between the industries. If it turns out we're somehow wrong (we're not) we will have to change what we're doing, but I think we can move forward like that.
Richard Varn: I would add to that, in our space there are people who talk about how to advance this and there are proprietary solutions that could move forward, in the financial space they have much bigger players that fight each other and it's harder to get a standard going.
Tim Holborn: What is the W3C's role in defining how the "washer" works (if the analog is talking about the parts for a washer)?
Tim Holborn: Isn't the credential itself just an extensible credential? What it's used for it doesn't really matter. It's a bit like a "washer" you put that on a bolt.
Manu Sporny: Yes, that's right.
Manu Sporny: We believe we have a generic solution that works for financial, healthcare, education.
Dave Longley: We believe we have that solution, but there are people in the Web Payments group that don't think that's workable. [scribe assist by Manu Sporny]
Tim Holborn: I want to understand... where is the role of the W3C in defining how a tech may be used for any particular application. This conversation is about whether it be applied for a particular industry.
Manu Sporny: The only reason it matters has to do with how quickly the work will happen. Working Groups need to be very focused and they try to pick an industry that would join the work and deploy the technology. They believe that the financial industry would join the work and deploy the tech. We're saying maybe to that, but we definitely think the education/healthcare sectors would join the work and deploy the tech.
Manu Sporny: They are trying to create a charter to attract the right participants and to deploy the standard once it's done.
Tim Holborn: In the healthcare market, how does this relate to private healthcare records? In terms of banking or education infrastructure, the risk is far less than the misuse of personal information. I question the use in the healthcare sector.
Tim Holborn: I do question the use of the tech in that market.
Nate Otto: Tim, there are some easier use cases in health care that are particular to public information in the healthcare space, like the licenses of professionals
Manu Sporny: I don't think we're going to healthcare records in version one. We're talking about licenses and workforce much more than patient records.
Manu Sporny: I agree that patient records is a minefield and we don't plan on focusing on that in version one.
Tim Holborn: So it's better defined as professional licensing, etc. than medical.
Dave Longley: We should say something like "it's about professional licensing in healthcare" [scribe assist by Manu Sporny]
Tim Holborn: We acknowledge the sensitivity of medical records and private data. [scribe assist by Manu Sporny]
Richard Varn: Education has areas of privacy as well. Perhaps not equal with medical records. But our security requirements are no different from trying to protect data using HIPAA requirements.
Richard Varn: The security levels that end up getting implemented are very similar.
Nate Otto: Yep, mediaprophet, privacy of records is important to lots of our callers. We're interested in developing credentials that don't leak educational records even as we are using credentials to assert individuals have X or Y qualification or experience.
Tim Holborn: I think someone's degree, providing a verified certificate that says you have a degree is within the realm of public data but going for medical data are very sensitive, private data.
Richard Varn: I think we're coming in at a lower level of risk, I agree, which is why it's a more attractive starting place.
Tim Holborn: There is also legislation and so forth that needs to be considered over time, not just standards, but it may affect decisions.
Manu Sporny: I think this stuff is missing from W3C staff discussions, they need to know we're having these discussions and be aware of their particulars.
Manu Sporny: So we need to move on to other items on the agenda, this was a heads up and we'll get some kind of call so they can hear other voices.
Richard Varn: Inviting them to the tuesday meeting is a backup.
Manu Sporny: Yes, we've invited them many times.
Richard Varn: Tell them "or else"! :)
Nate Otto: +1 Let's add a payments use case; I have an idea for one particularly.
Manu Sporny: One of the points they've made is that they've looked at the credentials use cases and I didn't see many payments use cases. They will not support any kind of initiative that doesn't have more payments use cases. I think we should add them right away.
Manu Sporny: I will go and try to add those in.

Topic: Recruiting document

Manu Sporny: We have a recruiting document that is being worked on right now. Brian and Joe have worked on this. Hopefully that's getting fairly close to done.
Manu Sporny: Two weeks ago I sent out the recruiting doc for W3C members, I think I contacted 140 members. We have heard back definite positives from around 10 of them. We have another 10 that said they will "more than likely" join the work but they have to pass it by legal and corporate.
Manu Sporny: That easily puts us at the 5% support we need to get a WG. This is for our charter.
Manu Sporny: These members said they were happy to support it.
Manu Sporny: This just means we've met the minimum bar. So out of 140 only 20 responded ... the others didn't for one reason or another. I want to hand those others off to people in the group and ask them to do follow up.
Manu Sporny: So we can say "Hey, we need your feedback"
Manu Sporny: One downside is that W3C corporate contacts are generally overworked and they have a hard time responding to email.
Manu Sporny: Richard, Eric, if you have someone who can do some follow up that would be great.
Eric Korb: Me or Rob can do that.
Manu Sporny: We might take like 20 orgs and divvy those out to each group.
Richard Varn: I have like two or three people who volunteered to do some of that work. I have people, I'll assign it to a few.
Manu Sporny: Fantastic.
Manu Sporny: Anyone have anything else on recruiting?
Tim Holborn: There's some interest in the Melbourne market.
Manu Sporny: If you could make sure they fill out the questionnaire that would be fantastic, we need them to do that to show it to W3C management to show support.
Tim Holborn: I haven't had time yet, if we can get analysis of their business problems we can do that.
Manu Sporny: We have some of those documents already, the thing we're missing right now are orgs saying "Yes I will join the work or W3C to help with credentials" If we don't have that we won't have a group.

Topic: Credential Management API update

Nate Otto: Some of the Australian universities (Curtin, UQ, ANU, Deakin) might be interested.
Manu Sporny: We have been talking with the webappsec group, the email thread is up to 132 emails going back and forth on various things. The chair stepped in and said they don't feel it's worth pursuing. The type of credential exchange we're outlining is far more involved and delicate than they wanted to touch. So speaking in his chair capacity he didn't see a resolution.
Manu Sporny: The editor of the specification, came in and asked us for a further set of changes to the WebIDL (which is the interface definition language, what developers would program to)
Manu Sporny: We've been saying the changes are minimal to that, to align with what we're doing. And he kind of contradicted what the chair was saying, and then the chair backpedaled a bit and said if we're making progress keep going.
Manu Sporny: We have said "You've said your API is extensible, we have tried it and it's a problem." And they've said, it is, but not in the way you want. And we've said, take out the extensibility part then because we don't see how it's going to be useful to extend it if it can't do, for example, the kind of thing we want to do. Then we've asked what the real benefit is for their API at all if it can't do credentials stuff, only password management.
Manu Sporny: The good thing is that they're not staking a claim on credentials, we could come to a conclusion where we rename their API to some login/password manager API, if we must.

Topic: Use Cases

Manu Sporny: The end result for us is that we were hoping to chop a year and a half of work off by reusing an API, but they aren't chartered to work on the type of credentials we're working on here and it may not work out.
Nate Otto: Sunny, Kerri, and I all looked at the doc over the past week. I accepted a good handful of changes I thought were non-controversial. I added a few more. I took a stab at writing up one of those sections about "credentials in the real world", I went through a workforce training scenario and the different phases. I found that the payments stuff put a note when a particular phase wasn't used.
Nate Otto: Should we do that here?
Manu Sporny: Yes.
Nate Otto: Some of the phases are slightly out of order, ... they depend on the type of use case. Endorsing/Consuming may happen in different orders, phases may happen at different times. Maybe in other scenarios farther down the page they would appear in different orders.
Dave Longley: I thought we had renamed phases to operations because the order can change. [scribe assist by Manu Sporny]
Nate Otto: That's right [scribe assist by Manu Sporny]
Dave Longley: I think it's fine if it happens in a different order, that's how credentials work. [scribe assist by Manu Sporny]
Manu Sporny: Great work, very helpful.
Nate Otto: I think in some places expiration/revoking were conflated/confusing.
Manu Sporny: I saw that, so to clarify, you split those into two separate things?
Nate Otto: One issue is resolved, and with the approval of the group we'll resolve the other remaining one.
Nate Otto: Can we talk about web payments use cases to integrate?
Nate Otto: I thought the operation around confirming the person whose identifier the credential is about is important for KYC.
Nate Otto: I didn't know if that was a step in the consuming operation or what.
Manu Sporny: A step in the consuming operation, yes. When you transfer a credential to monster.com, etc. you counter sign it, as the recipient. That establishes that you, the recipient, one, authorize the transmission, and, two, you have a private key associated with the identity that received the credential.
Manu Sporny: So that's a step in the operation.
Tim Holborn: How about digital receipts? You purchase and get a digital receipt with warranty operation.
Manu Sporny: In the web payments group we're not thinking of receipts as credentials, just other kinds of signed documents, so no overlap there. In the payments stuff, coupons and loyalty cards are credentials.
Eric Korb: +1 Expiration and Revoking are separate items
Nate Otto: +1 Add loyalty Credentials in the Real World use case
Tim Holborn: There's loyalty and coupons... two payments use cases we need in the document.
Manu Sporny: Yes, we need to add those.
Richard Varn: I thought there was associating a credential with a recipient, meta data with a credential, etc. all of these things were going to be spec'd out.
Manu Sporny: Yes.
Tim Holborn: How about things that require licenses, like guns, cars, etc.?
Manu Sporny: Yes, those are also payments use cases.
Manu Sporny: Other web payments use cases: https://web-payments.org/specs/source/use-cases/
Nate Otto: Let's illustrate those items in the Credentials in the Real World section, I think, showing how things like identity equivalence and composition can work.
Manu Sporny: Nate, there are more payments use cases in a really old doc. I'll get you a link.
Manu Sporny: Credentials / payments use cases: http://opencreds.org/specs/source/use-cases/
Tim Holborn: Another one might be someone pitching a creative work, they might want to present a credential related around acceptance.
Manu Sporny: That is a use of a credential to establish ownership over intellectual property during commerce, which is good.
Manu Sporny: The feedback we got from the payments people was that they didn't see enough payments use cases in the document and adding these will help fix that.
Sunny Lee: We used https://web-payments.org/specs/source/use-cases/ as a foundation and built off of that for current use cases doc
Eric Korb: That would be good for creds
Nate Otto: I'm going to have to drop off the audio in just a couple minutes. Looks like we have a good foundation to now flesh out to cover a number of these other cases.
Eric Korb: Ownership
Manu Sporny: Eric, those things will require credentials.
Manu Sporny: If you're sending a lot of money overseas, you need a number of credentials, trading stocks, etc. same thing.
Eric Korb: Transfer of ownership
Eric Korb: All creds
Nate Otto: Manu, dlongley : I want to follow up with you on that "prove-you-are-the-credential-recipient" step in the consuming operation.
Manu Sporny: This is mostly for Nate, Sunny, Kerri, we need to integrate those things into our use cases document.
Sunny Lee: I wanted to say I'm half working with Nate and Kerri on the use cases document, but while we'll look at those links you provided we should have someone with payments experience to be involved.
Manu Sporny: Excellent point, why don't I do that ... I'll take the action to migrate those things into the document.
Manu Sporny: Would that work better?
Sunny Lee: Yes, absolutely.
Tim Holborn: I can help where I can.
Manu Sporny: Thanks, Tim. You can suggest changes in the google doc.
Tim Holborn: Is there anything about buying a car?
Manu Sporny: No.
Nate Otto: Cool. Thanks all. Dropping off audio now.
Eric Korb: Cars in US is Title
Eric Korb: Known as "Title"
Tim Holborn: You've got gov't control over it and you can enter credentials to make that purchase easier.
Manu Sporny: The other thing to make sure people understand with the use cases is that we don't have to implement *all* of them in version 1, we can implement some in other versions, but it's good to have them all.
Manu Sporny: Any other questions/concerns about the use cases?
Eric Korb: US Titles are controlled by State
Tim Holborn: Ie: purchasing a motor vehicle and using credentials to support the transferral of license and motor vehicle ownership information with the relevant agency.
Manu Sporny: I'm going to schedule the call with W3C folks for friday. Hopefully a number of us will chat again with them then.
Manu Sporny: Thanks all!
Sunny Lee: Thanks all!