Credentials Community Group Telecon

Minutes for 2015-06-30

Agenda
https://lists.w3.org/Archives/Public/public-credentials/2015Jun/0103.html
Topics
  1. Credentials WG Plan
  2. Introductions of New Members
  3. Recruiting
Organizer
Manu Sporny
Scribe
Gregg Kellogg
Present
Gregg Kellogg, Manu Sporny, Richard Varn, Nate Otto, Eric Korb, Matt Collier, Christoph Dorn, Jim Goodell, Brian Sletten, Sunny Lee, Rob Trainer
Audio Log
Gregg Kellogg is scribing.
Manu Sporny: On agenda, update to WG plan, recruiting, and maybe DIDs discussion.

Topic: Credentials WG Plan

Manu Sporny: I had a discussion with W3C Staff last week, and the payments IG had a discussion on Monday.
… Due to feedback in round-table and W3C got after F2F meeting ,,,
… A number of people came back saying they didn’t intend for it to be struck.
… We have a go-ahead for pitching a WG to W3C.
… W3CM would like to see a list of organizations that are committed to joining the work if it gets started at W3C. We have a list started, but we need more organizations interested.
Manu Sporny: They’ve looked at the list in Credentials CG and would like to see more representatives from a broader set of organizations.
… They’d like to see about 30 organizations before they’re comfortable with proposing a new WG to W3CM.
… There are a number of back-channel discussions working against us, particularly from the security community.
… Unfortunately, they’re not coming here, but are voicing directly to W3CM.
… There are 2 blog posts/papers they’d like to see us put together to counter these arguments.
… 1) What makes this credentials approach different from the last 15 years of approaches that have failed: SAML, OpenID Connect, …
… 2) Define where W3C can add value. Why should the work be done at W3C vs IETF/OASIS/ISO?
… The Payments IG will wait for us to put this strategy together, in concert with some W3C Staff, to put together a proposal that will be a sell to W3CM.
… Also joining will be some banking and finance, where were taken aback by what happened at the Payments IG F2F.
… That puts us in a better possition than a week or so ago, but still not where we want to be.
Richard Varn: What would be the timeline for deciding yes/no, and where?
Nate Otto: Are the concerns shared specifically about security and privacy? Was there anything specific that was critiqued about the suggested technical approach in this CG?
Manu Sporny: The question will be does W3CM feel comfortable proposing a draft charter to the membership in August? That would be the most agressive thing that can happen.
… We may still be able to have our first meeting at TPAC.
… Less agressive would be September, which would be too late for TPAC. We’d probably try to have a meeting there anyway. That would drive more people into the group.
… Or, we can’t do it at all :(
Nate Otto: Were concerns from security and privacy related directly to that?
Manu Sporny: I don’t think the loudest critics really understand what we’re trying to do.
… “I don’t think it’s a good idea to create an identifier that can be used across multiple websites”, for example.
Nate Otto: Oh, like an email address . ;)
… There is privacy push-back; they’d rather see bearer credtitials.
… Also against using an email address.
… I think this group cares very deeply about privacy, and we want to be sure we are as privacy enhancing as possible, without gutting the core use case.
Nate Otto: +1 To being as privacy-enhancing as possible without gutting the core use case.
… The other thing is security: “why aren’t you guys using JOSE for using signatures, why propose a new mechanism?”
… Thinks we’re trying to end-around the security community with LD-Signatures, and trying to go around JOSE.
… It’s not that, but they’re quite focused on JOSE, and don’t have spare-bandwidth to look at LD-Signatures. Clearly we’ll get a good security review.
Nate Otto: Working in the badges community, we have concerns as well. Is it possible to put the genie back in the bottle.
Eric Korb: +1
… Eventually we’ll need a high-level security review, but we could always go back to JOSE if LD-Signatures won’t work. We’ll work with the security community to make sure we have a valid solution.
Manu Sporny: ALso, note that LD-Signatures is not inventing new cryptographic methods. The problem is that the statements are coming from someone who doesn’t understand this. We’re simply re-using RSA, eliptic curve, …
… The new thing is the normalization and message structure of the signature.
… Once security folks at the F2F understood this, they thought it would be straight-forward.
Eric Korb: The idea of signing the credentials, is it critically important, or is it an option?
… The badge aliance is mostly doing hosted credentials, and signing isn’t as important.
… Can we make this optional?
Manu Sporny: Sure, they don’t need to be signed. There can be other ways of validating.
… If an open badges badge has an alternate way of validating, that mechanism could be used.
… Signatures are for hard cases like financial use cases.
Eric Korb: +1
… Other industries don’t have the same high-stakes requirements.
… IF you recieve a signed credential, you don’t even have to validate it.
Eric Korb: An reciever should validate, if it needs to. If it’s not there, and you don’t mind it not being there, you should be able to use it.
Richard Varn: We should probably be exploring a parallel path, in case the W3C doesn’t work out.
Manu Sporny: I have some concerns over sending mixed messages if approaching both W3C and IMS Global.
… We may want to take IMS Global guys aside to discuss them as an alternative.
Eric Korb: I don’t think it’s an either/or, it’s a “please join the work”
Richard Varn: There’s an opportuinty for IMSG to bring some new things to the table. It’s getting them to associate the work they’re going to do anyway with the W3C initiative.
… It could grow into a broader standards effort if we don’t get anywhere with the W3C.
Eric Korb: The project we currrently working on is eTranscript to be demoed at educause
Manu Sporny: This group is focusing on recruiting. I have an action to write up 2 blog posts about what’s different about what we’re doing.

Topic: Introductions of New Members

Eric Korb: IMS Global Project http://www.imsglobal.org/cbe/index.html
Matt Collier: Working with Digital Bazaar on this and authorization.io.
Christoph Dorn: I work independently. My focus is on software tooling. I’m interested in creating an open prototype embodying the specs and staying up to date, and allow people to on-board early.
Jim Goodell: I’m with Quality Information Partners, we’ve been working on common education standards. I’m interested form education- and workforce- credientials cases.
Eric Korb: Welcome all!

Topic: Recruiting

Manu Sporny: I’ll get a list by EOD to eric and richard with W3C members who have not yet responded.
… Last week we had said it might be a better strategy for people to construct their own introductions and try to bring people on board.
… I’d like folks to commit to contact new large W3C members.
Eric Korb: I’ve started on Parchment, but haven’t yet reached out awaiting dodumentation.
… I wanted to be sure we had an agreed upon common message.
Manu Sporny: We’re backing off on that. There’s the executive summary.
Manu Sporny: We’re transitioning over to “hard asks”; you should have everythign you need to make the initial contact/ask.
Manu Sporny: Eric, I have you against Accreditrust, Credly, Scrip-Safe and Iq4.
… (More discussions of assignments captured in document)
Nate Otto: Discendum Oy
Nate Otto: DigitalME
Manu Sporny: What W3C really wants to know is if new organizations will become members. That’s the main thing they need to see.
… Mozilla is in a strange place; the people at the F2F were pretty much opposed to what we’re doing.
… If David Barron doesn’t feel that Mozilla should be involved, they won’t be.
Nate Otto: They’re involved with the Badge Alliance, though.
… They’re committed to supporting badges going forward.
Manu Sporny: The key would be to get that person from Mozilla involved in the work.
… We’ve been hearing from people not involved in the work at Mozilla speaking out.
Manu Sporny: We have the Merchant Advisory Group that said they’d join. The contact person is from Walmart, which is great.
Brian Sletten: Manu, Is NACS on the list?
Manu Sporny: We have strong connects with NACS, Veriphone, and ???