Credentials Community Group Telecon

Minutes for 2015-08-25

  1. Recruiting
  2. Standards Implementation Foundation
  3. Update from IMS Global
  4. Capabilities Wrap-up
Action Items
  1. Manu to follow up with Ian about VitalSource as W3C member.
Manu Sporny
Gregg Kellogg
Gregg Kellogg, Manu Sporny, John Tibbetts, Sunny Lee, Richard Varn, Eric Korb, Brendan Benshoof, Brian Sletten, Dave Longley, David I. Lehn, Rob Trainer
Audio Log
Gregg Kellogg is scribing.
Manu Sporny: Need to wrap-up recruiting drive. Need to ping one more time and give them a last opportunity.
… We’re doing pretty well.
… Also need to get back to standards implementations.

Topic: Recruiting

Manu Sporny: We’ve had a drop-off in new people signing up. We have about 60 organizations that haven’t responded yet, but we have a good set to show W3C.
John Tibbetts: I’ve sent an update about Vital Source.
Manu Sporny: W3C tries to get larger companies first, but will accept smaller companies.
ACTION: Manu to follow up with Ian about VitalSource as W3C member.
Manu Sporny: W3C staff are having deliberations on when to have a call for us.
… I’m presenting again at the Web Payments F2F in Sapporo Japan.
… a number of members have stepped up and said they want this on the agenda.
Sunny Lee: Are you familiar with the connecting credentials event that’s going on?
Richard Varn: We know about it, and we’re going.
Sunny Lee: A lot of the work is described on their website.
Manu Sporny: How does this dovetail with badges and so forth?
Sunny Lee: Too early to tell how this impacts us, they’re having a meeting in D.C. on Oct. 5.
Richard Varn: There’s a place we can submit things ahead of time. We can add something to their site about what we’re doing.
Manu Sporny: We’ll make it an agenda item for next week, and talk about who should present our work there.

Topic: Standards Implementation Foundation

Manu Sporny: About a year ago we discussed creating a group that would do technical implementations of the work we’re doing here.
… This was called the “Open Payments Foundation”, because we thought this would intersect.
… But, in June, the payments group put credentials on the back-burner.
… The foundation would have hired engineers to do open source implementations of various standards, but the effort fell off.
… We had submitted with the Software Payment Conservancy, but they haven’t gotten back to us.
… We’re not making good enough progress on creating this organization, and it’s important that we do.
Eric Korb: This organization is the Foundation, not the Credentials Community Group.
Manu Sporny: I had a discussion with a large world-wide technology organization, and they’ve said they’re interested in our work, but they’re planning on basing the hash table work on BitCoin.
… They want to go standards track with their platform. They’re aligned with our goals, but have different ideas on the distributed hash.
… Their counterargument is that they want to launch in 5 months, and the Blockchain is out there and can be used.
… We should already have an implementation of WebDHT, but we don’t. So, organizations are willing to go forward with Blockchain.
Brendan Benshoof: There’s an easy conflation in terms if it’s “a” or “the” Blockchain.
Manu Sporny: “The” Blockchain.
… Problem for us doing this is that no one has put up funding for this yet. It’s a large project which requires the full support of the community to do such implementations.
… They want to collaborate with us, and we should get into a discussion with them about particulars of Blockchain and decentralized ledgers. But, we’re not in a position as a community to move on this thing. As a result, such a large organization may try to make a de-facto standard, which would be pretty horrible for interoperability.
… For example, Internet of Things devices are too underpowered for the Blockchain. The easiest counter is to say we have an implementation. But, we’re falling behind.
Brendan Benshoof: +1 Multiple Decentralized Backends
Brian Sletten: Is it not possible to have multiple DiD implementations, and this could be one of 2 or three?
Manu Sporny: Could be, but issues about namespace, and URI schemes.
… This also makes implementations more complex. We’re trying to keep the complexity down.
Dave Longley: It also creates different levels of trust, depending on what network is used.
Manu Sporny: For example, all mining activity is in China, and they could presumably overwhelm the system and take over ids.
Brian Sletten: It seems like a problem we should be able to handle.
Brendan Benshoof: We could also mirror different systems to create a single namespace.
Dave Longley: We’d rather there be a single popular system and avoid fracture. But, it’s not against the design of the system to have separate systems.
Manu Sporny: There are plenty of decentralized/federated identifier systems that failed because of implementation complexity.
… Or, they could be implemented in non-interoperable ways.
… We allow design flexibility so we can fix things down the road, but there should be “one true way” to implement things which will make it easy for organizations to deploy at a low cost.
Dave Longley: That also allows an open implementation to be used for smaller systems.
Manu Sporny: If anyone can help on funding this effort, please get in touch through email.

Topic: Update from IMS Global

John Tibbetts: We had several touch points presenting our ideas at the conference.
… We had a dinner where we got together some key decision makers, and it bounced all over the place.
… There’s a realization that the standard creates the plumbing that allows an ecosystem of different systems.
… They’re looking at all kinds of different choices, including OAuth2, JWT, etc.
… There’s a longer-term work that addresses things a trusted pipe doesn’t help.
… It’s important for this group to realize that this is a longer-term project, and not a short-term project.
… I think the IMS is not likely to move quickly enough for our needs.
Eric Korb: I did a machine-to-machine demonstration of a credential using the standard.
… Presentation focused on work we’re doing here. IMS has also endorsed the Open Badge Alliance.
… As we start to see our work converge with IMS, there’s a great opportunity. As John pointed out, there’s an even greater opportunity for machine-to-machine authorization.
John Tibbetts: I heard positive feedback. The seeds have been planted, but we’re going to have to keep showing up.
Manu Sporny: Telling W3C membership and management that we’re actively engaged with IMS Global is a positive message.
Eric Korb: There are also issues at IMS regarding authentication and identity. This is a sticky point for us, but it presents an opportunity.
… They keep coming back to identity being a big problem. They compare this with Shibboleth.
… OAuth/OpenID is overkill for what they want to do.
Manu Sporny: For machine-machine, the HTTP Signatures stuff comes to mind.
Eric Korb: They need to be educated about this. We need to offer to help with this.
John Tibbetts: We did bring the HTTP Signatures stuff up, and the one objection is that “we can’t go with something that no one uses in production”.
Manu Sporny: Several organizations have been using it, as I pointed out.

Topic: Capabilities Wrap-up

Manu Sporny: We’ve been going through this for the last couple of weeks. We’ve shared upcoming blog posts with some people, and one of the founders of the Microsoft Infocard stuff, and the OpenID have reviewed and said they agree about much of what’s in the posts.
Brendan Benshoof: I’ve been focusing on the message, and have folded together some things.
… For example, centralized vocabularies. It’s open enough to let the market decide.
… The conversation with dlongley was about revocation of certificates. We talk about the provider hosting in some contexts, and in others the issuer.
… We narrowed this down to the provider hosting the certificates, but the issuer maintaining a reference to see if it’s revoked.
… I’m working on a draft to discuss this ^^^
… The next step is to start writing a lot more about it.
Manu Sporny: Link to credentials retrospective.
… The criticisms from OpenID Connect and Infocard are that they’re not sure this is the right way to go. We can tell you about our experience.
… We talk about an extensible data model. They think this is overrated; Infocard was very extensible, but no one extended it. This led to implementation complexities.
… In OpenID Connect we found a way to do this in a clean way, and we think that was the right way to do it. We’re not claiming that we succeeded.
… If you give them 3 options, you can guarantee 3 non-interoperable implementations. Otherwise, it’s a failure to standardize.
… For choice of storage, they ended up with a bunch of federations that spoke to each other, but didn’t find at generic ID.
… It’s not designed to be as generic and interoperable as what we’re doing. There’s a question of bias, because of self-selecting the audience.
… I believe we heard in this group that we want generic providers and consumers, but this is at odds with the OpenID Connect experience. There are definite providers and consumers.
… They like the privacy-enhanced bits. Portability isn’t important for them; once people select, they don’t move.
… They were very complimentary, and wanted to participate in the work.